The foundation of the Zero Trust architecture

Zero Trust is a relatively new term for a concept that’s been around for a while. The shift to remote working and wider adoption of cloud services has accelerated the transition away from the traditional well understood and controlled network perimeter.

Security professionals should help organisations balance the productivity of their employees with appropriate security measures to manage cyber security risks arising from the new ways of working.

When people talk about Zero Trust, however, they might refer to new technologies marketed by security vendors. But in my opinion, it is as much (if not more) about the communication and foundational IT controls. Effective implementation of the Zero Trust model depends on close cross departmental collaboration between IT, Security, Risk, HR and Procurement when it comes to access control, joiner-mover-leaver process, managing identities, detecting threats and more.

Device management is the foundation of an effective Zero Trust implementation. Asset inventory in this model is no longer just a compliance requirement but a prerequisite for managing access to corporate applications. Security professionals should work closely with procurement and IT teams to keep this inventory up-to-date. Controlling the lifecycle of the device from procuring and uniquely identifying it through tracking and managing changes, to decommissioning should be closely linked with user identities.

People change roles within the company, new employees join and some leave. Collaborating with HR to establish processes for maintaining the connection between device management and employee identities, roles and associated permissions is key to success.

As an example, check out Google’s implementation of the Zero Trust model in their BeyondCorp initiative.


Threat modelling 101

Using abstractions to think about risks is a useful technique to identify the ways an attacker could compromise a system.

There are various approaches to perform threat modelling but at the core, it’s about understanding what we are building, what can go wrong with it and what we should do about it.

Here is a good video by SAFECode introducing the concept:


Webinar: A CISO panel on weaving security into the business strategy

I had a lot of fun participating in a panel discussion with fellow CISOs exploring the link between cyber security and business strategy. It’s a subject that is very close to my heart and I don’t think it gets enough attention.

In the course of the debate we covered a number of topics, ranging from leveraging KPIs and metrics to aligning with the Board’s risk appetite. We didn’t always agree on everything but I believe that made the conversation more interesting.

As an added bonus, my book The Psychology of Information Security was highlighted as an example of things to consider while tackling this challenge and to improve communication.

You can watch the recording on BrightTalk.


I’ve made it to the Unsung Hero Award: DevSecOps Trailblazer shortlist

I have been nominated for the 2020 Security Serious Unsung Hero award in the DevSecOps Trailblazer category!

Ensuring security is embedded in the development lifecycle of software, from start to finish, is pivotal in creating a more cyber secure world. This award recognises individuals who are spearheading this initiative so that the creation of applications can continue to be dynamic, without sacrificing cybersecurity.

I’m excited to make the shortlist and wish best of luck to all the contenders!


Chief Information Security Officer Workshop Training

Digital transformation

Chief Information Security Officer Workshop is a collection of on-demand videos and slide decks from Microsoft aimed to help CISOs defend a hybrid enterprise (that now includes cloud platforms) from increasingly sophisticated attacks.


I’ve been named a finalist for the 2020 Cyber Security Awards

Finalist logo 2020

I’ve been named a finalist for the 2020 Cyber Security Awards

I’m excited to make the shortlist for the Personality of the Year category. The award recognises thought leadership, commitment to developing others and raising the profile of cyber security among businesses.


Learn how cybersecurity professionals have been adapting their practices

eBook2

I had a chance to contribute to a free eBook by Cisco on adapting to the challenges presented by the Covid-19 pandemic. Check it out for advice on securing your remote workforce, improving security culture,  adjusting your processes and more.


Software and Security Engineering

Cambridge

The Software and Security Engineering course taught at the University of Cambridge is available for free online. It includes video lectures, slide decks, reading materials and more.

Whether you are new to information security or a seasoned professional, this course will help you build solid foundations.

Lecture 9 covering critical systems is my favourite. It bring together previous discussions on psychology, usability and software engineering in the context of safety. It adds to the array of the case studies from Lecture 6, focusing on software failures and what we can learn from them. It also offers a fascinating analysis of the Therac-25 accidents and Boeing 737 Max crashes.


AWS Machine Learning course

Coursera ML certificate

I recently completed this AWS Machine Learning course on Coursera (it’s free!). Besides covering basic theory behind machine learning, it discusses common use cases and how AWS services can be applied to them. Overall, it’s quite quick, interesting and doesn’t require deep technical skills.


Small business resilience toolkit

Resilience.png

Developing a resilient business is about identifying what your business can’t afford to lose and planning for how to prevent loss should a disaster occur. While this may seem a daunting task, determining your business’s resiliency strategy is more straightforward than you might think.

This resilience toolkit developed by Facebook provides a framework for small businesses that may not have the time or resources to create an extensive plan to recover from business interruptions.

You don’t have to use Facebook’s crisis response features for this approach to be effective – the value comes from the taking the time to assess the risks and plan you response strategy.

Download the Small business resilience toolkit