Cyber Security Leadership

Cyber Insurance: Managing the Risk

Cyber insurance is a hot topic of many debates today. It is believed to be the long-awaited cure for high-impact security risks, especially in light of constantly evolving privacy legislation and disclosure obligations. But what actually is it?

Simply put, cyber insurance is a tool intended to mitigate the loss from information security incidents. The decision to use it, however, should be based on rigorous risk management. Firstly, a company performs a risk assessment, during which information security risks are identified and logged. This can help the business to prioritise from a cost-benefit perspective. The company can then choose a risk treatment option: it can decide to accept, mitigate, avoid or transfer the risk.

Mitigation and acceptance are quite common approaches in the information security domain. Security professionals can implement a countermeasure to reduce the likelihood and impact of the threat. However, if it is not feasible to do so for economic reasons then the risk can be accepted. In the case of avoidance, businesses can decide not to perform the activity that exposes them to the risk. Lastly, information security risk can be transferred to a third party. This is where cyber insurance can be useful.

The ownership of risk, however, can’t be transferred fully. In the case of cyber insurance, it is more about risk sharing. Both parties should understand their accountability, liability and risk allocation.

Cyber insurance should be cost-effective. But how can one calculate the cost of such product? To understand this, we might want to look how insurance brokers work in more traditional areas. Insurance companies rely heavily on historical data, demographics and averages. The car insurance industry, for example, has evolved over many years to collate accurate statistics of the frequency of accidents per driver based on age, season, car type, country etc. in order to predict the likelihood and cost impact on a case by case basis.

For cyber insurance, however, historical data is not always readily available. Understanding the business becomes key to determining the cost. There are many parameters which can define the premium: size, territory, type of business, human errors and other unknown factors can all contribute to the price. Premiums rely on the maturity of the information security programme.

But is it possible to reduce this cost?

Yes, there are many ways to achieve cost reduction. In general, it is required for the business to demonstrate that some measures have already been taken to reduce the likelihood and impact of a potential cyber security incident. Certifications, such as ISO 27001 can be one of the ways to do so. Or for instance, having an incident response team can drive the premium down. Otherwise the insurer would have to provide its own service, hence charge the client extra. In a nutshell, premiums are never fixed. It has to be a dialogue between the company and the insurance broker. If a company adequately understands its risk, the insurance premium can and should be negotiated.

It is important to mention the importance of a holistic approach to risk treatment. Implementing controls to prevent security incidents and purchasing cyber insurance are not mutually exclusive strategies. If cost-effective, risk management and treatment should be a combination of both methods. Consider health and safety policies as an example. Safety coordinators invest in fire extinguishers minimise the impact of fire. Just like information security professionals deploy firewalls to keep malicious intruders out of the company’s network. Additionally, the building is also almost always insured. Maybe it is time to consider a similar approach to information systems.

Image courtesy of Stuart Miles / FreeDigitalPhotos.net

Giving a lecture at the Royal Holloway University of London

I was invited by the RHUL Computing Society to give a lecture on human aspects of security.

After my presentation, I gave the students an exercise to help them understand the different perspectives on information security policies. As a result, they learned the importance of the role of information security in an organisation and it’s important enabling function.

It was really nice to get such an active participation on their behalf. After the talk we had an interesting conversations on current security research trends and opportunities.

A trip to Bletchley Park

For everyone interested in history of information security I highly recommend visiting Bletchley Park. Among other things, visitors can explore legendary British WW2 Codebreaking Huts, learn more about the cryptography and the Enigma machine in particular.

There is even a computer simulation available that explains in simple terms the basic principles behind the device.

Some interesting facts about Alan Turing and more modern exhibitions definitely sparkle the curiosity of any visitor.

Knowledge Management

ID-100231391

A knowledge management system is an integral part of a modern organisation. It involves processes, people and technology that make sure information is not only kept in the individuals’ heads but is shared with the whole department. It is usually implemented in the form of an intranet portal which requires processes to maintain it and people to support it.

Because I believe having the right information at hand is crucial in making effective business decisions, I volunteered to take on the role of a knowledge management champion in my department. A knowledge management champion is the person who oversees the adequate operation of the system. In this case, to lead the project that would re-launch the system that wasn’t being fully used.

In my company, the knowledge management system is mainly intended to support the bid management process, where we respond with proposals to fulfill specific requests from our current or prospective clients. It is also used to assist project delivery when a piece of work is won.

As a first step, I managed a team of four to analyse the current state of the system and to gather feedback from the users to understand the limitations they felt they encountered. We discovered that the portal was hardly being used because some users were unaware of its existence, and many others found the navigation not very user friendly. This meant that the information stored in it was out-dated.I then developed a strategic plan to promote easy access to static information such as templates, proposals and engagement created data for the department. Several design changes were introduced based on feedback from the users.

Because the portal is only useful if it actually contains data that can be easily searched for, the next step was to collect as much information as possible from the department. We held multiple interviews with engagement managers to gather case studies and relevant data to add to the system. To ensure that the quality of the data collected was constant, we created a case study template consisting of three main parts:

The client’s challenge: the problem the current or prospective client needs addressing.
The approach: how the problem was tackled and solved
Benefit to the client : the specific and measurable positive outcomes

When the design changes were implemented, the outdated data was removed and a sufficient amount of information was collected, everything was ready for the system’s re-launch. This re-launch was important enough to be given a presentation slot at the quarterly departmental meeting, where we talked about the improvements, encouraged the users to use the system and requested further feedback.

Though this successful project, as all projects, had a defined desired outcome due by a specific date, knowledge management never finishes and requires continuous improvement. It is now in the operational “run-and-maintain” state. New information is being uploaded to the portal and processes are in place to make sure it is maintained and information remains up-to-date.

I also organise regularly and participate in knowledge sharing events. I believe participating in such events and communicating lessons learnt to the rest of the team can help everyone to avoid mistakes we’ve made in our projects and improve the quality of deliverables.

Image courtesy of cooldesign/ FreeDigitalPhotos.net

Presenting at the ISACA London Chapter event

I shared some research findings with the ISACA London Chapter members at the November event. We discussed resolving conflicts between security compliance and human behaviour. The talk was followed by a panel discussion with other presenters, where I answered questions regarding human aspects of information security.

During the networking session after the presentation I’ve had many other interesting conversations with the participants. People were sharing their stories and experiences implementing and auditing security controls.

The video of the talk is available on the ISACA London Chapter website.

Poker and Security

Good poker players are known to perform well under pressure. They play their cards based on rigorous probability analysis and impact assessment. Sounds very much like the sort of skills a security professional might benefit from when managing information security risks.

What can security professionals learn from a game of cards? It turns out, quite a bit. Skilled poker players are very good at making educated guesses about opponents’ cards and predicting their next moves. Security professionals are also required to be on the forefront of emerging threats and discovered vulnerabilities to see what the attackers’ next move might be.

At the beginning of a traditional Texas hold’em poker match, players are only dealt two cards (a hand). Based on this limited information, they have to try to evaluate the odds of winning and act accordingly. Players can either decide to stay in the game – in this case they have to pay a fee which contributes to the overall pot – or give up (fold). Security professionals also usually make decisions under a high degree of uncertainty. There are many ways they can treat risk: they can mitigate it by implementing necessary controls, avoid, transfer or accept it. Costs of such decisions vary as well.

Not all cards, however, are worth playing. Similarly, not all security countermeasures should be implemented. Sometimes it is more effective to fold your cards and accept the risk rather than pay for an expensive control. When the odds are right a security professional can start a project to implement a security change to increase the security posture of a company.

When the game progresses and the first round of betting is over, the players are presented with a new piece of information. The poker term flop is used for the three additional cards that the dealer places on the table. These cards can be used to create a winning combination with each player’s hand. When the cards are revealed, the player has the opportunity to re-assess the situation and make a decision. This is exactly the way in which the changing market conditions or business requirements provide an instant to re-evaluate the business case for implementing a security countermeasure.

There is nothing wrong with terminating a security project. If a poker player had a strong hand in the beginning, but the flop shows that there is no point in continuing, it means that conditions have changed. Maybe engaging key stakeholders revealed that a certain risk is not that critical and the implementation costs might be too high. Feel free to pass. It is much better to cancel a security project rather than end up with a solution that is ineffective and costly.

However, if poker players are sure that they are right, they have to be ready to defend their hand. In terms of security, it might mean convincing the board of the importance of the countermeasure based on the rigorous cost-benefit analysis. Security professionals can still lose the game and the company might get breached, but at least they did everything in their power to proactively mitigate that.

It doesn’t matter if poker players win or lose a particular hand as long as they make sound decisions that bring desired long-term results. Even the best poker player can’t win every hand. Similarly, security professionals can’t mitigate every security risk and implement all the possible countermeasures. To stay in the game, it is important to develop and follow a security strategy that will help to protect against ever-evolving threats in a cost-effective way.

Images courtesy of Mister GC / FreeDigitalPhotos.net

Developing your team through coaching

We discussed improving team productivity previously. I received a few comments regarding this topic, which I decided to address here. I would like to cover the question of developing your team members through coaching.

I remember attending a workshop once, where the participants were divided into two teams and were presented with a rather peculiar exercise. The facilitator announced that the goal of this competition was to use newspaper and tape to construct a giraffe. The teams would be judged on the height of the animal: the team who will manage to build the tallest one wins.

There are many variations of this exercise, but they all boil down to the same principle. The real aim is to understand how people work together. How they plan, assign roles and responsibilities, execute the task, etc.

In the end, everyone had a chance to discuss the experience. Participants were also presented with feedback on their performance. But can people’s performance be improved? And if yes, what could have been done in order to achieve positive and lasting change?

The answer to these questions can be found in coaching.

Coaching is all about engaging people in an authentic way. There might be different opinions on the same problem, which doesn’t necessarily mean that there is only one universal truth. How much do you appreciate and respect what other people think?

Coaching, however, is not about knowing all the answers, but about listening, empathising and understanding others. Here are some example questions you can use:

What is happening in your life and career?
What’s going well?
Where do you want to be?
What do you need to do to get there?
What is the first step you would take today?

The last thought I would like to mention here is about giving people time to reflect. Some silent and alone time can yield unexpected results. Our brain is bombarded with enormous amounts of information on a daily basis. Finding time to quiet your mind and slow down can help you to listen to your inner voice of intuition. This can help you come up with innovative solutions to seemingly unsolvable problems.

Project Planning

What is the difference between two photos below?

Yes, you are right – without the mist we can see the building more clearly. Something similar is happening with our projects: early in the initiation stage, there is a lot of uncertainty. It is really hard to estimate time and cost requirements, especially when the scope of work is not clearly defined.

However, it is still important to come up with an estimate, even if it is very high-level. Ideally, we have to define a way to manage the scope, schedule, requirements, financials, quality, resources, change, risks, stakeholders, communications, etc. Later in the project we can progressively elaborate on the plan to make it more accurate.

As far as an initial estimate for a timelines goes, even creating a list of activities and understanding dependencies can dramatically reduce the fog.

Try engaging your team members: ask them how long they think certain work packages might take to complete. Organise a workshop to discuss and capture the dependencies and risks. Make sure you have buy-in from your team and everyone is aware of the critical path

Yes, things can and will change, but having a plan helps you to become more aware of the potential impact of this change on budget, scope or quality. Ultimately, a good plan can help project managers put things into perspective and monitor and control projects more effectively.

The Analogies Project

I’m passionate about helping people understand security better. In my experience, using analogies has proved to be one of the best tools to help them learn. People have a far better and long-lasting understanding when they can relate to an experience that illustrates the concept they are to comprehend. Describing situations and possible outcomes can be just as easily done by telling stories: They are not only pleasant to read, hear or imagine, but they also transfer knowledge in the most effective way.

That’s why I decided to contribute to The Analogies Project.

Here’s what their website say about about the project:

Mission
The aim of the Analogies Project is to help spread the message of information security, and its importance in the modern world.
By drawing parallels between what people already know, or find interesting (such as politics, art, history, theatre, sport, science, music and every day life experiences) and how these relates to information security, we can increase understanding and support across the whole of society.

Why use analogies?
Many aspects of information security are highly technical and require a deep specialist knowledge. However, we know that all security depends ultimately on the awareness and preparedness of non-specialists.
Information security professionals cannot rely solely on technology to protect their organisations. They must engage with senior management and users in a way that their message is understood, fully appreciated and implemented. In this way they can drive changes in attitude and behaviour that will make the organisation more secure.
To do that, they must find a new language to get their points across to the non-specialist. And this is where the Analogies Project comes in….
Our past is littered with examples of how the prosperity or decline of individuals, enterprises, governments and nation states has depended to a greater or lesser extent, on the confidentiality, integrity and availability of information. By using storytelling, analogies and metaphor we can transform these real life events into powerful tools for engagement.

Please feel free to check out my profile and read my analogies.

Discussing Ethical Hacking at the University of Bradford

I was invited to deliver a lecture on ethical hacking to the graduate students at the University of Bradford. We started off by discussing basic principles and approaches and concluded covering specific tools and techniques.

The students, with various backgrounds ranging from mobile application development, to communications and networks actively participated in the discussion. I was also very happy to share some case studies and real-world examples around vulnerability, threat and risk management.