Time for something new

IMG-6141

After six years with KPMG’s Cyber Security practice I decided it was time to take on a new challenge. It was a great pleasure helping clients from various industry sectors solve their security issues and I certainly learned a lot and met many fantastic people.

A digital venture incubation firm has partnered with a world leader in visas and identity management to found a new London-based venture that is creating a frictionless travel experience. 

I joined this tech startup as the Head of Information Security and couldn’t pass on this opportunity to be one of the early members of the leadership team. 

I’ll be driving the security and compliance agenda, adjusting to the needs of the dynamic and growing business. I can’t wait to put the skills I learned in consulting into practice and contribute to this company.

I’ll have an opportunity to help create a trusted, seamless, user centred visa application process for consumers and businesses alike, through automation and a cutting edge technology. And that’s exciting!


ISACA young professionals

I’ve been interviewed for the launch of the ISACA Young Professionals portal that contains a wealth of information for starting and accelerating your career in IT audit and cybersecurity.

I decided to contribute because ISACA played a role in my career development too.

I started attending ISACA London chapter events while I was studying for my Master’s degree in London. Although the university provided a great theoretical foundation on information security, I wanted to know about the real-world challenges that practitioners in the industry were facing.

At the time I had just finished writing my thesis after doing some great research at the university and I wanted to share my findings and the research of my colleagues with the community. The organisers were supportive, so we agreed a day and I delivered a talk on resolving conflicts between security compliance and human behaviour.

It was a rewarding experience as the participants provided some valuable insights and feedback; they helped to bridge the gap between academia and real practical experience. I already had a solid foundation from my postgraduate degree but I was missing was some anecdotes and real life stories about how this could apply in practice. This laid the foundation for my book The Psychology of Information Security.

It worked out for me, but should you get involved in broader activities beyond developing your technical skills? I would say yes.

The value of technical skills and knowledge can’t be overestimated. But there’s another side to this story. Prospective employers are not only looking for technical experts, they want people who are good team players, who can collaborate and communicate effectively with others, who can organise and get things done, who can lead. Getting involved with the community and volunteering gives you the chance to develop and demonstrate these non-technical skills and grow your professional network.

Regardless of where you are on your journey, ISACA provides great opportunities to advance your career through courses, networking and certification programmes, so I highly recommend getting involved!

Read my story on ISACA Blog.


Developing an information security strategy

I wrote previously on how to assess your threat landscape and what your priorities should be when you start developing a security programme in a new company.

In this blog, I would like to dig deeper and talk about how you actually develop a security strategy with some illustrative examples. You can then use these to further refine your security architecture.

As always, we would start with a Why. Why is security important for your business? Well, you will need to help your stakeholders understand that security can help build customer trust and become a brand differentiator.

And how can this be achieved? To keep this simple, let’s zoom in on three priorities:

  • Support the business. Embed security into the business by ensuring alignment to business strategy
  • Risk-based approach. Pragmatic and prioritised security controls, advice, guidance and information security expertise for the business
  • Focus. Centre on protecting the most important assets and understanding the threats

The aim could be to arrive to a state where security underpins all products and services to offer customers a frictionless experience.

Talking to your business stakeholders will help you understand your company’s wider goals and strategy. Let’s imagine for a second that these conversations revealed that your organisation, like many others, ultimately want to grow their revenue. They also identified that the way they are going to grow their revenue is through increasing sales, building customer trust, improving products and services and scaling operations to better meet customers’ needs.

Vulnerable product, misconfigured infrastructure, insecure operations, inadequate compliance regime and inability to withstand incidents all prevent the business from achieving its objectives.

Strategy

You can now prioritise your security activities to align with these objectives, for example by grouping them into product, infrastructure and people security, as well as wider compliance and resilience objectives.

Timeline

Remember, the above is just an indicative timeline. The reality will very much depend on your organisation’s priorities, maturity and resource availability.