PCI Data Security Standards Rock

The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.

The PCI Security Standards Council also develops and manages a number of programs to build awareness and to train, test, and qualify organizations and individuals to assess and validate adherence to PCI Security Standards.

They put together a short video explaining the basic principles.

Cake and Security

There is no doubt that security is necessary, but why is it so unpleasant to follow a security policy? Reminding yourself to stick to the rules feels like your partner telling you… to eat your salad. You know they are right, but anticipating the bland taste and mindless chewing that awaits you simply puts you off. You decide to leave it for tomorrow, so much so that you never get to it.

Cakes, on the other hand, are yummy and require no effort whatsoever to indulge in our cravings for them. Nobody needs to force us to eat a piece.

In our day-to-day lives we prefer to do “cake” tasks without giving them a second’s thought. Things like storing confidential files on Dropbox or emailing them to our personal accounts… you know, taking a little bite here and there. It’s “only for today”, “no biggie”… This one-time thing is so harmless, it’s like a comfort snack. We might later feel guilty that we bypassed a few “salad” controls. Maybe we used our personal USB drive instead of a company-issued encrypted one, but at the end of the day… who cares? Who will notice? As long as there is no dramatic impact on our health, a bite here or a bite there won’t cause any harm.


And one day we realise that it’s not all rosy. The result of our laziness or lack of willpower eventually rears its ugly head when the doctor makes us stand on the scales and has a look at our blood pressure. So, added to your partner’s words of wisdom, comes the doctor’s warning of an unhealthy present and a bleak future; something that would sound very similar during the company’s security audit.

“You have got to eat more salad and lay off the cakes!”

To make matters worse, even with our best intentions to have the salad at the office cafeteria, we discover that the one available is practically inedible. Pretty much like finding that the company’s secure shared drive doesn’t have the necessary space to store our files or that the encrypted pen drive is not compatible with the client’s Mac.

So if there are chefs coming up with ways to make salads more appealing, what can security professionals do to help us, the employees, maintain our “security diet”?

They could aim at making security more like a cake – effortless, even attractive, but still keep it as healthy as a salad. Sound simple? Perhaps not so much, but they should invest in usability studies to make sure that the secure solution is the easiest to use. It might involve discovering an entirely new culinary art on how to make a cake-tasting salad altogether. But if they fail to realise just how unpalatable the salads are to begin with, we should let them know. Security professionals need employees’ support.

Organisations are like families: everyone has to stay healthy, otherwise when a single member gets sick, the whole family is at risk of getting sick as well, whether it be catching an infectious disease or adopting an unhealthy lifestyle. It’s like having the slimmest, fittest family member refrain from adding biscuits to the grocery list in order not to tempt the couch-potatoes. It’s a team effort. In order for a company to stay healthy, everyone has to keep a healthy lifestyle of eating salad regularly, even when it is not that pleasant.


The whole company needs to know that security is important for achieving its goals, not something that gets in the way, just as we should all know that a healthy diet of greens will guarantee a sound body. Employees contribute to the efficient operation of the business when they comply with security policies. Not only does security ensure the confidentiality and integrity of information, but it also guarantees that the resources are available for employees to complete their primary tasks.

We need to realise that we contribute to security; and we can inflict serious damage on a company when we don’t comply with security policies, no matter how insignificant or harmless they may seem. As employees, we are individually responsible for the organisation’s exposure to security risks just as we are responsible for exposing ourselves to illness. Our behaviour and daily regime significantly shape our quality of life, and our practices shape the quality of our business.

The health of the company is everyone’s business. Let’s all eat our salad while helping the security specialists to come up with better tasting ones.

Training offshore teams


I just returned from my trip to Bangalore, India, where I was asked to deliver a series of training activities to the KPMG offshore teams. Spending a week there came with lots of wonderful insights.

First of all, India is a beautiful country. I didn’t really have a lot of time to travel around, but I still had a chance to visit the Bangalore Palace, drive up and down the Mahatma Gandhi Road, see the Parliament and many beautiful parks.

Moreover, apart from delivering training sessions myself, the local leadership organised a presentation for the UK team, in which the services they offer globally were described to us. I was impressed by the level of innovation and standardisation, which clearly demonstrates the rapid technological growth in India.


I’ve had a chance to work with some of the marvelous members of our offshore team before, and it was very valuable to finally meet them in person. I had an opportunity to interview a few people for a position in my programme and we are already on-boarding the successful candidate.

Not only was I able to share my knowledge and meet some lovely people, but I could also enjoy a brief but wonderful taste of India and its warm hospitality. I’m sure the effectiveness of our communications and project work will increase substantially going forward.

The Changing Face of Cyber Security – NextSec event


I was very happy to open our NextSec event in collaboration with EY. We had some great presentations followed by a well-facilitated discussion panel which offered a wonderful knowledge sharing session for everyone who attended.

The main themes of the evening were the changing threat landscape and the widening skills gap. The participants learned about the future of malware from Sian John, a security futurologist from Symantec, and how to address it by developing a security strategy with the help of Robert Coles, GSK. Elena Cinquegrana shared her perspective on being a consultant, while Freddie Hult from CyberResilience Ltd. discussed the role of a CISO. Lucy Chaplin from KPMG concluded with a talk on privacy issues in the modern world.

I would like to say a special thanks to Chinwe and Annabel from EY for their contribution.

The Internet of Things


Imagine a fridge that can tell when the food inside it is going off, or an oven that can cook food automatically. A world of everyday items, all smart, all connected – that’s the Internet of Things.

But is this a force for good – or for evil? Do the sacrifices we’ll have to make in terms of privacy and security outweigh the potential benefits?

I shared my view in the KPMG SLAT video.

Giving a talk on information security


I delivered a talk at the London Metropolitan University today where I was invited to share my story and participate in the university’s mentoring scheme. Although there were many students from different fields present, I focused on the computer science and information security area.

I elaborated on the transferable skills that young students can develop and apply during their undergraduate and postgraduate programmes. We also talked about job search, the general application process and the various career paths available to students in the information security and computer science areas.

Active listening


Imagine the following situation. A father and his son are driving to the camping site for the weekend. A deer was crossing the road and the car hit it. The father dies in the accident and the son is badly injured. He is swiftly brought to the emergency room and requires surgery. A surgeon enters the room, sees the boy and exclaims: “I can’t operate – this is my son!”

How is it possible?

Think about it for a few moments…

Didn’t his father die in the accident? The answer is really simple.


Cyber Insurance: Managing the Risk


Cyber insurance is a hot topic of many debates today. It is believed to be the long-awaited cure for high-impact security risks, especially in light of constantly evolving privacy legislation and disclosure obligations. But what actually is it?

Simply put, cyber insurance is a tool intended to mitigate the loss from information security incidents. The decision to use it, however, should be based on rigorous risk management. Firstly, a company performs a risk assessment, during which information security risks are identified and logged. This can help the business to prioritise from a cost-benefit perspective. The company can then choose a risk treatment option: it can decide to accept, mitigate, avoid or transfer the risk.

Mitigation and acceptance are quite common approaches in the information security domain. Security professionals can implement a countermeasure to reduce the likelihood and impact of the threat. However, if it is not feasible to do so for economic reasons then the risk can be accepted. In the case of avoidance, businesses can decide not to perform the activity that exposes them to the risk. Lastly, information security risk can be transferred to a third party. This is where cyber insurance can be useful.

The ownership of risk, however, can’t be transferred fully. In the case of cyber insurance, it is more about risk sharing. Both parties should understand their accountability, liability and risk allocation.

Cyber insurance should be cost-effective. But how can one calculate the cost of such a product? To understand this, we might want to look at how insurance brokers work in more traditional areas. Insurance companies rely heavily on historical data, demographics and averages. The car insurance industry, for example, has evolved over many years to collate accurate statistics on the frequency of accidents per driver based on age, season, car type, country etc. in order to predict the likelihood and cost impact on a case-by-case basis.

For cyber insurance, however, historical data is not always readily available. Understanding the business becomes key to determining the cost. There are many parameters which can define the premium: size, territory, type of business, human errors and other unknown factors can all contribute to the price. Premiums rely on the maturity of the information security programme.

But is it possible to reduce this cost?

Yes, there are many ways to achieve cost reduction. In general, the business is required to demonstrate that some measures have already been taken to reduce the likelihood and impact of a potential cyber security incident. Certifications, such as ISO 27001, can be one way to do so. Having an incident response team, for instance, can also drive the premium down; otherwise the insurer would have to provide its own service and hence charge the client extra. In a nutshell, premiums are never fixed. It has to be a dialogue between the company and the insurance broker. If a company adequately understands its risk, the insurance premium can and should be negotiated.

It is important to mention the importance of a holistic approach to risk treatment. Implementing controls to prevent security incidents and purchasing cyber insurance are not mutually exclusive strategies. If cost-effective, risk management and treatment should be a combination of both methods. Consider health and safety policies as an example. Safety coordinators invest in fire extinguishers to minimise the impact of fire, just as information security professionals deploy firewalls to keep malicious intruders out of the company’s network. Additionally, the building is almost always insured as well. Maybe it is time to consider a similar approach to information systems.

Image courtesy of Stuart Miles / FreeDigitalPhotos.net

Giving a lecture at the Royal Holloway University of London


I was invited by the RHUL Computing Society to give a lecture on human aspects of security.

After my presentation, I gave the students an exercise to help them understand the different perspectives on information security policies. As a result, they learned about the role of information security in an organisation and its important enabling function.

It was really nice to get such active participation on their part. After the talk we had interesting conversations on current security research trends and opportunities.


A trip to Bletchley Park


For everyone interested in the history of information security, I highly recommend visiting Bletchley Park. Among other things, visitors can explore the legendary British WW2 codebreaking huts and learn more about cryptography, and the Enigma machine in particular.


There is even a computer simulation available that explains in simple terms the basic principles behind the device.


Some interesting facts about Alan Turing and the more modern exhibitions will definitely spark the curiosity of any visitor.