A practical approach
I’ve been invited to talk about human aspects of security at the CyberSecurity Talks & Networking event. The venue and the format allowed the audience to participate and ask questions and we had insightful discussions at the end of my talk. It’s always interesting to hear what challenges people face in various organisations and how a few simple improvements can change the security culture for the better.
Over the past year I’ve worked as a core part of the KPMG’s Global Cyber Strategic Growth Initiative as the lead for service development activities, with a focus on working with member firms to deploy capabilities in order to ensure consistent delivery and quality across key growth areas.
I was responsible for the roll-out of cyber security services that included developing sales and delivery accelerators, accreditation requirements, learning pathways, vendor ecosystem and quality and risk management principles across EMEA, APAC and Americas.
To achieve this, I created a service development framework and worked with numerous stakeholders across the firm’s network: global deployment, service development leads, acquisition leads, risk management and key member firm cyber representatives and regional leads.
I also developed a method for the in-country adoption of deployed capabilities and supported both global and in-country risk team members in the evaluation of risk when taking services for client use.
I ensured the sustainability of deployed capabilities through the implementation and use of delivery frameworks and tools, and assigned ownership for the upkeep of deployed capabilities. I worked with member firms to promote the adoption of prioritised services; developed adoption timelines and targets for deployed service.
One of the existing aspects of the role was alliance, acquisition and investment integration support where I collaborated with the relevant stakeholders to deploy and embed offerings obtained through alliances to member firms while monitoring progress against agreed budgets, milestones, deliverables and benefits for capabilities being deployed.
By the end of the programme, I deployed Cyber Maturity Assessment, Identity and Access Management, Industrial Internet of Things Cyber Security, Privacy and Cyber Incident Response services to 19 countries around the world.
This resulted in achieving significant revenue and market share growth for cyber security services of my firm globally. KPMG International was also named a leader in information security consulting services in 2016 and 2017 according to Forrester Research.
When determining the level of maturity of a security function, I focus on the following areas and try to answer these questions:
Business alignment
Governance
Operating model
Aligning OWASP Application Security Verification Standard and SABSA Architecture framework.
OWASP Application Security Verification Standard (Standard) is used at one of my clients to help develop and maintain secure applications. It has been used it as blueprint create a secure coding checklist specific to the organisation and applications used.
Below is an excerpt from the Standard related to the authentication verification requirements:
The Standard provides guidance on specific security requirements corresponding to the Physical layer of the SABSA architecture.
Just received some great news from my publisher. My book has been accepted for use on a course at Augusta University. Here’s some feedback from the course director:
Augusta University’s Cyber Institute adopted the book “The Psychology of Information Security” as part of our Masters in Information Security Management program because we feel that the human factor plays an important role in securing and defending an organisation. Understanding behavioural aspects of the human element is important for many information security managerial functions, such as developing security policies and awareness training. Therefore, we want our students to not only understand technical and managerial aspects of security, but psychological aspects as well.
My book has been nominated for the Cybersecurity Cannon, a list of must-read books for all cybersecurity practitioners.
Review by Guest Contributor Nicola Burr, Cybersecurity Consultant
It’s been a pleasure delivering a talk on the psychology of information security culture at the SANS European Security Awareness Summit 2016. It was the first time for me to attend and present at this event, I certainly hope it’s not going to be the last.
The summit has a great community feel to it and Lance Spitzner did a great job organising and bringing people together. It was an opportunity for me not only to share my knowledge, but also to learn from others during a number of interactive sessions and workshops. The participants were keen to share tips and tricks to improve security awareness in their companies, as well as sharing war stories of what worked and what didn’t.
It was humbling to find out that my book was quite popular in this community and I even managed to sign a couple of copies.
All speakers’ presentation slides (including from past and future events) can be accessed here.
I’ve been invited to talk to Masters students at the California State University, Long Beach about starting a career in cyber security. My guest lecture at the Fundamentals of Security class was well received. Here’s the feedback I received from the Professor:
Leron, thank you so much for talking to my students. We had a great session and everybody was feeling very energised afterwards. It always helps students to interact with industry practitioners and you did a fantastic job inspiring the class. I will be teaching this class next semester, too. Let’s keep in touch and see if you will be available to do a similar session with the next cohort. Again, thank you very much for your time – I wish we could have more time available to talk!
Here’s a collection of courses designed to further your knowledge in user experience design. Happy learning!
Cyber Security Leadership 