Project Planning

What is the difference between the two photos below?


Yes, you are right – without the mist we can see the building more clearly. Something similar is happening with our projects: early in the initiation stage, there is a lot of uncertainty. It is really hard to estimate time and cost requirements, especially when the scope of work is not clearly defined.

However, it is still important to come up with an estimate, even if it is very high-level. Ideally, we have to define a way to manage the scope, schedule, requirements, financials, quality, resources, change, risks, stakeholders, communications, etc. Later in the project we can progressively elaborate on the plan to make it more accurate.

As far as an initial estimate for timelines goes, even creating a list of activities and understanding dependencies can dramatically reduce the fog.


Try engaging your team members: ask them how long they think certain work packages might take to complete. Organise a workshop to discuss and capture the dependencies and risks. Make sure you have buy-in from your team and everyone is aware of the critical path.

Yes, things can and will change, but having a plan helps you to become more aware of the potential impact of this change on budget, scope or quality. Ultimately, a good plan can help project managers put things into perspective and monitor and control projects more effectively.

The Analogies Project


I’m passionate about helping people understand security better. In my experience, using analogies has proved to be one of the best tools to help them learn. People have a far better and long-lasting understanding when they can relate to an experience that illustrates the concept they are to comprehend. Describing situations and possible outcomes can be just as easily done by telling stories: They are not only pleasant to read, hear or imagine, but they also transfer knowledge in the most effective way.

That’s why I decided to contribute to The Analogies Project.

Here’s what their website says about the project:

Mission
The aim of the Analogies Project is to help spread the message of information security, and its importance in the modern world.
By drawing parallels between what people already know, or find interesting (such as politics, art, history, theatre, sport, science, music and everyday life experiences) and how these relate to information security, we can increase understanding and support across the whole of society.

Why use analogies?
Many aspects of information security are highly technical and require a deep specialist knowledge. However, we know that all security depends ultimately on the awareness and preparedness of non-specialists.
Information security professionals cannot rely solely on technology to protect their organisations. They must engage with senior management and users in a way that their message is understood, fully appreciated and implemented. In this way they can drive changes in attitude and behaviour that will make the organisation more secure.
To do that, they must find a new language to get their points across to the non-specialist. And this is where the Analogies Project comes in….
Our past is littered with examples of how the prosperity or decline of individuals, enterprises, governments and nation states has depended to a greater or lesser extent, on the confidentiality, integrity and availability of information. By using storytelling, analogies and metaphor we can transform these real life events into powerful tools for engagement.

Please feel free to check out my profile and read my analogies.

Discussing Ethical Hacking at the University of Bradford


I was invited to deliver a lecture on ethical hacking to the graduate students at the University of Bradford. We started off by discussing basic principles and approaches and concluded by covering specific tools and techniques.

The students, with various backgrounds ranging from mobile application development to communications and networks, actively participated in the discussion. I was also very happy to share some case studies and real-world examples around vulnerability, threat and risk management.

Find out how security controls affect productivity in your company

To expand on my research on the human aspect of security, I created a simplified model to highlight the relationship between productivity and security. The main hypothesis is that there is a productivity cost associated with the security controls.

The interactive simulation was created to allow users to implement their own security policies and observe the relationship between risk reduction and impact on productivity cost. Easy-to-understand visual feedback is available immediately to the users. This helps them to understand security managers’ perspective when implementing security controls in a company.

The creation of the model was inspired by research conducted by Angela Sasse and her colleagues at University College London.

Please get in touch if you have any feedback or would like to discuss the underlying research findings.

Back to School


This week I was really happy to be back at University College London, where I got a degree in Information Security. I was invited to the Technology & Entrepreneurial Start Ups Insight session organised by the Management Science & Innovation Department. I met many bright students interested in technology, including current MSc Information Security students. It was very interesting to find out how the curriculum changed to address modern industry trends and needs.


The day after, I was proud to represent KPMG at the UCL IT and Technology Careers Fair. It comes as no surprise that there were many students interested in starting a career in the information security field. I was happy to help out with some suggestions, especially remembering that I attended the very same event some years ago.

NextSec Conference: The Changing Face of Cyber Security


I am delighted to invite you to the NextSec Cyber Security Conference ‘The Changing Face of Cyber Security’ on 11 December 2014 at EY, 1 More London Place, SE1 2AF, London.

The conference will provide an opportunity for you to hear senior cyber security leaders, from a range of industries, share their cyber security experiences and insights through presentations following three main themes:
1) the changing cyber threat landscape,
2) the diverse techniques that have been adopted in response to the threat, and
3) the range of cyber security roles across different sectors.

The second half of the conference will address the changing dynamics required for leadership in cyber security including gender diversity and inclusiveness.

An open Q&A panel discussion will close the conference sessions.

Event Details:

  • Date: 11 December 2014
  • Time: 5.00pm – 8.30pm followed by networking and drinks
  • Location: Mulberry Restaurant, EY, More London Place

Chairs

  • Cheryl Martin, Partner, EY
  • Leron Zinatullin, NextSec Committee Member and Information Security Advisor, KPMG

Confirmed speakers and panellists:

  • Cheryl Martin, Partner, EY
  • Sian John, Security Futurologist, Symantec
  • Robert Coles, Chief Information Security Officer, GlaxoSmithKline
  • Elena Cinquegrana, Associate Director, Navigant
  • Lucy Chaplin, Assistant Manager, KPMG
  • Freddie Hult, Senior Cyber Resilience Adviser, Cyber Resilience Ltd

Please visit the website to register for free.

NextSec is a networking group of young professionals working in cyber security and information risk management in the UK. The group has existed since January 2012 and currently has over 290 members. These 290 members work for over 59 organisations in the UK. We have a diverse representation of young professionals working in financial services, the oil and gas industry, industrial goods and retail, marketing, telecommunications, software, technology, professional services, and the public sector. For more information about NextSec, please visit our website and LinkedIn group.

Cyber Security EXPO


On the 8th and 9th of October 2014, I attended the Cyber Security EXPO in London. It was co-located with IP EXPO Europe and presented the participants with an opportunity to partake in knowledge sharing discussions, various talks, trade stands and much more.


The (ISC)² London chapter were running their regular community meeting. Everyone could also participate in the RANT event.

The selection of presentations was great, ranging from fairly technical to business-oriented.


Bruce Schneier also took part in the event, delivering a talk on incident response. It was an interesting discussion on the economics and psychology of information security in the context of modern trends.


Finally, it was a great opportunity to catch up with my friends, including Javvad Malik, Jitender Arora, Mo Amin and many others.

How to plan and deliver benefits on an information security project


Major changes frequently introduced by security projects might be seen as necessary evils that do not deliver value to the business. To change this perspective, a project manager should proactively manage benefits and make sure they are achievable and verifiable.

The key objective of benefits management is to ensure that benefits are identified, defined, and linked to the company’s business strategy.

Realistic planning of benefits is the first step to achieve project success. It is, however, an ongoing activity and requires many iterations. In order to drive the realisation of benefits, the following template can be used to capture potential benefits and measure their impact on the organisation:

Benefit | Expected benefit outcome | Benefit Type | Where will the benefit occur? | Who will be affected?

Image courtesy of ddpavumba / FreeDigitalPhotos.net

NextSec 2014 Cyber Security and Technology Careers Fair

The 2014 Cyber Careers Fair event registration is now open.

If you are thinking about a career in Cyber Security or Technology, then why not come along and meet prospective employers and training providers? This is a great opportunity for you to find out what employers are looking for in the graduate market, ask questions in a relaxed environment to HR and junior professionals recently hired by these employers, and to grow your network!

Exhibitors confirmed: KPMG, PWC, Citi Group, Morgan Stanley, Lloyds Banking Group, BP, Microsoft, HP, BAE Systems, Royal Signals – British Army, Cyber Security Challenge and (ISC)².

Exhibitors invited and to be confirmed soon: EY, Goldman Sachs, AXA, Shell, Royal Bank of Scotland, BT, Lockheed Martin UK, HMGCC, and GCHQ.

Date: 30 October 2014 from 10:30 to 16:30 (GMT)

Location: University of Westminster, 115 New Cavendish St, London W1W 6UW

Visit our website www.nextsec.org and watch a short video of last year’s event.

Please use the link below to register for a free ticket to attend and meet employers and HR teams from the participating organisations.

Eventbrite - NextSec 2014 Cyber Careers Fair

How will technology transform future business?

In what ways are you personally using technology to advance your business sector?

I am an information security specialist: Technology is at the very core of my business sector with innovation as its driving force. I help companies manage their constantly changing IT risks. I enable organisations to do business securely while protecting their assets from cyber threats.

It is important to bring innovative technology products and services that are secure enough to use in today’s interconnected world.

In what ways are you personally using technology to create positive social change?

I am promoting an information security culture regardless of a person’s age or occupation.
Just as people know how to protect themselves, their belongings and information in the real world, they must know how to do the same in the virtual world.

I’m teaching people to extrapolate their secure practices from the physical world into cyberspace to ensure that everyone can live free of fear that they or their children might be the prey of a cyber criminal.

How do you envision your work impacting the world over the next ten years?

I envision a future where my bathroom scale sends my weight to the doctor, my refrigerator tells the store when I’m low on milk, my car notifies my house when I’m away so that it saves energy, etc. My life is interconnected and doesn’t put me at risk of a break-in or identity theft.

In promoting a security culture and technology innovation, I see a community that lives comfortably and does business to its fullest capacity, knowing that they are secure.