In my previous post I discussed free online courses in information security. Here I would like to share a few more resources.
Category Archives: Information Security
Cake and Security
There is no doubt that security is necessary, but why is it so unpleasant to follow a security policy? Reminding yourself to stick to the rules feels like your partner telling you… to eat your salad. You know they are right, but anticipating the bland taste and mindless chewing that awaits you simply puts you off. You decide to leave it for tomorrow, so often that you never get to it.
Cakes, on the other hand, are yummy and require no effort whatsoever to indulge in our cravings for them. Nobody needs to force us to eat a piece.
In our day-to-day lives we prefer to do “cake” tasks without giving them a second’s thought. Things like storing confidential files on Dropbox or emailing them to our personal accounts… you know, taking a little bite here and there. It’s “only for today”, “no biggie”… This one-time thing is so harmless, it’s like a comfort snack. We might later feel guilty that we bypassed a few “salad” controls. Maybe we used our personal USB drive instead of a company-issued encrypted one, but at the end of the day… who cares? Who will notice? As long as there is no dramatic impact on our health, a bite here or a bite there won’t cause any harm.

And one day we realise that it’s not all rosy. The result of our laziness or lack of willpower eventually rears its ugly head when the doctor makes us stand on the scales and has a look at our blood pressure. So, added to your partner’s words of wisdom, comes the doctor’s warning of an unhealthy present and a bleak future; something that would sound very similar during the company’s security audit.
“You have got to eat more salad and lay off the cakes!”
To make matters worse, even with our best intentions to have the salad at the office cafeteria, we discover that the one available is practically inedible. Pretty much like finding that the company’s secure shared drive doesn’t have the necessary space to store our files or that the encrypted pen drive is not compatible with the client’s Mac.
So if there are chefs coming up with ways to make salads more appealing, what can security professionals do to help us, the employees, maintain our “security diet”?
They could aim at making security more like a cake – effortless, even attractive, but still keep it as healthy as a salad. Sound simple? Perhaps not so much, but they should invest in usability studies to make sure that the secure solution is the easiest to use. It might involve discovering an entirely new culinary art on how to make a cake-tasting salad altogether. But if they fail to realise just how unpalatable the salads are to begin with, we should let them know. Security professionals need employees’ support.
Organisations are like families: everyone has to stay healthy, otherwise when a single member gets sick, the whole family is at risk of getting sick as well, whether it be catching an infectious disease or adopting an unhealthy lifestyle. It’s like having the slimmest, fittest family member refrain from adding biscuits to the grocery list in order not to tempt the couch-potatoes. It’s a team effort. In order for a company to stay healthy, everyone has to keep a healthy lifestyle of eating salad regularly, even when it is not that pleasant.

The whole company needs to know that security is important for achieving its goals, not something that gets in the way, just as we should all know that a healthy diet of greens will guarantee a sound body. Employees contribute to the efficient operation of the business when they comply with security policies. Not only does security ensure the confidentiality and integrity of information, but it also guarantees that resources are available for employees to complete their primary tasks.
We need to realise that we contribute to security; and we can inflict serious damage on a company when we don’t comply with security policies, no matter how insignificant or harmless they may seem. As employees, we are individually responsible for the organisation’s exposure to security risks just as we are responsible for exposing ourselves to illness. Our behaviour and daily regime significantly shape our quality of life, and our practices shape the quality of our business.
The health of the company is everyone’s business. Let’s all eat our salad while helping the security specialists to come up with better tasting ones.
The Changing Face of Cyber Security – NextSec event
I was very happy to open our NextSec event in collaboration with EY. We had some great presentations followed by a well-facilitated discussion panel which offered a wonderful knowledge sharing session for everyone who attended.
The Internet of Things
Imagine a fridge that can tell when the food inside it is going off, or an oven that can cook food automatically. A world of everyday items, all smart, all connected – that’s the Internet of Things.
But is this a force for good – or for evil? Do the sacrifices we’ll have to make in terms of privacy and security outweigh the potential benefits?
I shared my view in the KPMG SLAT video.
A trip to Bletchley Park

For everyone interested in the history of information security, I highly recommend visiting Bletchley Park. Among other things, visitors can explore the legendary British WW2 codebreaking huts and learn more about cryptography, and the Enigma machine in particular.
There is even a computer simulation available that explains in simple terms the basic principles behind the device.
Some interesting facts about Alan Turing and more modern exhibitions will definitely spark the curiosity of any visitor.
The Analogies Project
I’m passionate about helping people understand security better. In my experience, using analogies has proved to be one of the best tools to help them learn. People have a far better and long-lasting understanding when they can relate to an experience that illustrates the concept they are to comprehend. Describing situations and possible outcomes can be just as easily done by telling stories: They are not only pleasant to read, hear or imagine, but they also transfer knowledge in the most effective way.
That’s why I decided to contribute to The Analogies Project.
Here’s what their website says about the project:
Mission
The aim of the Analogies Project is to help spread the message of information security, and its importance in the modern world.
By drawing parallels between what people already know, or find interesting (such as politics, art, history, theatre, sport, science, music and everyday life experiences) and how these relate to information security, we can increase understanding and support across the whole of society.
Why use analogies?
Many aspects of information security are highly technical and require a deep specialist knowledge. However, we know that all security depends ultimately on the awareness and preparedness of non-specialists.
Information security professionals cannot rely solely on technology to protect their organisations. They must engage with senior management and users in a way that their message is understood, fully appreciated and implemented. In this way they can drive changes in attitude and behaviour that will make the organisation more secure.
To do that, they must find a new language to get their points across to the non-specialist. And this is where the Analogies Project comes in…
Our past is littered with examples of how the prosperity or decline of individuals, enterprises, governments and nation states has depended to a greater or lesser extent, on the confidentiality, integrity and availability of information. By using storytelling, analogies and metaphor we can transform these real life events into powerful tools for engagement.
Please feel free to check out my profile and read my analogies.
Discussing Ethical Hacking at the University of Bradford
I was invited to deliver a lecture on ethical hacking to the graduate students at the University of Bradford. We started off by discussing basic principles and approaches and concluded by covering specific tools and techniques.
The students, with various backgrounds ranging from mobile application development to communications and networks, actively participated in the discussion. I was also very happy to share some case studies and real-world examples around vulnerability, threat and risk management.
Back to School
This week I was really happy to be back at University College London, where I got my degree in Information Security. I was invited to the Technology & Entrepreneurial Start Ups Insight session organised by the Management Science & Innovation Department. I met many bright students interested in technology, including current MSc Information Security students. It was very interesting to find out how the curriculum has changed to address modern industry trends and needs.

The day after, I was proud to represent KPMG at the UCL IT and Technology Careers Fair. It comes as no surprise that there were many students interested in starting a career in the information security field. I was happy to help out with some suggestions, especially remembering that I attended the very same event some years ago.
NextSec Conference: The Changing Face of Cyber Security
I am delighted to invite you to the NextSec Cyber Security Conference ‘The Changing Face of Cyber Security’ on 11 December 2014 at EY, 1 More London Place, SE1 2AF, London.
The conference will provide an opportunity for you to hear senior cyber security leaders, from a range of industries, share their cyber security experiences and insights through presentations following three main themes:
1) the changing cyber threat landscape,
2) the diverse techniques that have been adopted in response to the threat, and
3) the range of cyber security roles across different sectors.
The second half of the conference will address the changing dynamics required for leadership in cyber security including gender diversity and inclusiveness.
An open Q&A panel discussion will close the conference sessions.
Event Details:
- Date: 11 December 2014
- Time: 5.00pm – 8.30pm followed by networking and drinks
- Location: Mulberry Restaurant, EY, More London Place
Chairs
- Cheryl Martin, Partner, EY
- Leron Zinatullin, NextSec Committee Member and Information Security Advisor, KPMG
Confirmed speakers and panellists:
- Cheryl Martin, Partner, EY
- Sian John, Security Futurologist, Symantec
- Robert Coles, Chief Information Security Officer, GlaxoSmithKline
- Elena Cinquegrana, Associate Director, Navigant
- Lucy Chaplin, Assistant Manager, KPMG
- Freddie Hult, Senior Cyber Resilience Adviser, Cyber Resilience Ltd
Please visit the website to register for free.
NextSec is a networking group of young professionals working in cyber security and information risk management in the UK. The group has existed since January 2012 and currently has over 290 members, who work for over 59 organisations in the UK. We have a diverse representation of young professionals working in financial services, the oil and gas industry, industrial goods and retail, marketing, telecommunications, software, technology, professional services, and the public sector. For more information about NextSec, please visit our website and LinkedIn group.
Cyber Security EXPO
On 8 and 9 October 2014, I attended the Cyber Security EXPO in London. It was co-located with IP EXPO Europe and presented the participants with an opportunity to partake in knowledge-sharing discussions, various talks, trade stands and much more.
The (ISC)² London chapter was running its regular community meeting. Everyone could also participate in the RANT event.
The selection of presentations was great, ranging from fairly technical to business-oriented.
Bruce Schneier also took part in the event, delivering a talk on incident response. It was an interesting discussion on the economics and psychology of information security in the context of modern trends.
Finally, it was a great opportunity to catch up with my friends, including Javvad Malik, Jitender Arora, Mo Amin and many others.