Managing Stakeholders and Communication on Security-related Projects

Enterprises across the world are becoming more and more aware of security-related issues and their impact on the business, making them increasingly willing to address them. Although they are open to listening to the security professionals’ advice, the language the business speaks is different.

It is important for security specialists to understand the business requirements and communicate the value of security accordingly. Managing stakeholders and communication is therefore becoming one of the essential skills of the modern security professional.

One should understand that the earlier people are involved in a security project, the easier it is to get their buy-in. It is useful to spend some time on planning the communication prior to a project kick-off.

As a first step to such planning, a stakeholder register could be created capturing the contact information, expectations about the project, level of influence, and other characteristics, as in the table below.

[Image: sample stakeholder register table]

As soon as the stakeholders are identified, a communication management plan should be created. The stakeholders themselves can be engaged to agree the best communication channel, its frequency, who is responsible for it and the reason for sending it.

[Image: sample communication management plan table]

While managing a project, a security professional spends almost all of their time communicating in various ways. Proper stakeholder engagement and communication planning can make security-related projects run much more smoothly. At the end of the day, security professionals are there to help people make the business more secure. This task is achieved far more easily when people cooperate with the security professionals rather than trying to sabotage the project.

Yousef Syed: Most people understand security from the real world

Interview with Yousef Syed – Enterprise Security Architect at Bayvision Limited


Let’s start with the basics. How did you start your journey in information security?

Back in 1998 I graduated with a BSc in Computer Science and chose to focus on Object Oriented Analysis & Design and Java. In September 1999 I started contracting in the telecom industry in the Netherlands. It was a unique, pre-dotcom-crash situation. A brand new multi-billion-dollar joint venture between two telecom groups – loads of money, starting from scratch with next to no infrastructure – a really brilliant place for a relatively new graduate to come in to. A start-up with loads of money! While I was officially regarded as a “Web Developer”, since they had no developer PCs, no servers, no DEV/TEST/Prod, no source control, no standards, no policies, no DMZ, I ended up being involved in everything – and it was great! Setting up policies, setting up development standards, specifying and ordering the PCs and software for the developers, specifying the servers for the website/database, and then being in meetings with the networking people to define what the firewall rules were going to be, and what we needed to do. Basically, doing everything!

A year later, I began a contract in Munich working as a secure Java developer using the new JAAS (Java Authentication and Authorisation Service) API in an Agile/Extreme programming team. So back in 2000 I was exposed to security and ever since I’ve kind of been in-and-out, either just doing application development or some other branch of security.

Then, in 2005, while I was working permanently with Accenture, I was exposed to identity management as a specific field – Thor Xellerate (later to become Oracle Identity Manager). Working on various client sites, I found identity management very interesting because it cut across every part of the business. Everybody in the business needs access to multiple, different systems, and the IDM provisions and de-provisions the users with the appropriate level of access, for all users.

Very interesting. What are you working on at the moment?

In January, I was contacted by a cloud-based accountancy firm regarding a cyber-security voucher that the government was funding to encourage Small and Medium sized firms and Sole-traders to improve their cyber security stance.

It was one of the more enjoyable projects I’ve been involved in. Compared to working in a large faceless organisation, or government department, where you might disappear amongst thousands of other small cogs and your influence is small, here you get to make an impact. When you are working in a smaller organisation of about 50 people or up to 200 people, your influence and impact is clear to see and is appreciated by the client. Moreover, since I’m communicating directly with the business leaders, the security serves the business needs instead of just an individual department’s needs.

Why do you think this is important? What is the main difference between working for a small company compared to a big one?

I believe you are going to understand their business better, so you can give genuinely relevant advice. You don’t need to worry about keeping your consultancy/employer or specific business unit happy. You just need to focus on the business, and on giving them the best advice for them.

I hope to keep doing this for the foreseeable future, because it is easy to get bored of working in big companies. I mean, big organisations are nice because you get exposed to good technology, complex problems and huge projects etc., but as far as getting a return for your work where you actually see results there and then, you can’t beat the immediacy of an SME. You don’t need permission/sign-off from a dozen different stakeholders before you update that policy document. You change that policy, or you give them a piece of advice that changes their focus to create a secure coding development platform, or how to improve testing on that; you’ve given them access to resources they didn’t even know about, and you’ve given them new ideas and new perspectives.

And you’ve also shown them how they can actually improve themselves. So if they go for ISO 27001, that might be a differentiator between themselves and their competitors, and it’s also something that they can tell their customers: “We value your data privacy seriously, we have these standards in place, and we’re looking after you.”

When you work in security, you take a lot of things for granted. But then you go to some small or medium-sized companies, and they’ve been so focused on building their small business and delivering new functions that security is way back in their list of priorities. Now you get to raise that up and show them that it not only benefits them on the compliance side of things, but that the benefit also lies in knowing where their data is, who has access to their data, and when they have access to it. And you can put all sorts of different levels of controls onto things and give them a far greater peace of mind about how they are dealing with things internally to their company and how they are dealing with things with regards to their product. So delivering this cyber-security voucher to SMEs is something that I’m pursuing with a lot more zeal at the moment, because I never knew about it before, and I know it can make a big difference to all of them. £5K is pretty meaningless to your average Fortune 500 company, but to an SME it is a pretty big deal.

What in your opinion is the main obstacle in implementing a similar approach in large corporations?

One of the problems with large corporations, and the same thing in government, is that each separate individual department has a budget. And they need to work to that budget, and they need to ensure that they are doing enough so that they get the same budget or more next year. And it gives a very narrow view to what they are doing. For me the best security (and IT investment in general) is when it is applied at the enterprise level, across all of the various business units, and considers how we can make all of these people work well together. There is no point in having really strong security in your finance department when another department isn’t even talking to them, and they are doing similar work but on different platforms. On the one hand, you are wasting money, because they are duplicating work, they are duplicating data, they are duplicating the risks involved: in fact they are not even duplicating, they are making the risks much wider, because they may not be tracking where the data is going, and on another platform it’s going all over the place.

[So if one department has Oracle DB, another is running Sybase and another small team has MS Access: a) you have the cost of the separate platforms; b) separate licensing for the same task; c) you need to harden each platform separately; d) you need to define a mechanism to share the data across the systems to maintain the integrity of the data; e) you need to support and patch separate systems, etc. Conversely, the enterprise could have defined a single database platform for all departments to use, thus saving a world of pain.]

And while the ISO 27001 and various other standards out there will give you a kind of check-box compliance, “yes, we did this, we did this,” it doesn’t give you the kind of thing to say, “I feel comfortable about this.” Yes, you might feel comfortable about it if the legal department comes and questions you about it, but do you feel comfortable enough about it to be able to say that we have done a good job here, and we have delivered something to the client that actually works for them?

What about the security culture?

Yes, one of the things that I kept on stressing to one of my clients was: “you have a culture here that works for you. You have a very nice environment because everybody knows what’s going on here. If you are a developer, you know everybody in marketing, you know everybody in sales, and everybody knows you. And you have very free-flowing information going on, and it helps a great deal in how you operate. So when you are adding security controls, you don’t want to break what’s already working. You want to make sure it becomes better”.

Can security awareness training help to resolve this?

There is a problem with awareness training and educating users. If you are like me, I come from a technical background, you become very narrow-minded thinking: well I find technology very easy, why can’t you work it out? “Well, because I work in marketing!”

I don’t know anything about marketing so why should they know anything about technology?

There is a certain level of arrogance that we in technology developed about other people: in fact, there is a massive amount of arrogance, you come up with all kinds of deprecating or dismissive terms like “problem exists between keyboard and chair (PEBKAC)” or other phrases, just because they just don’t understand. Why don’t they understand? Because they are qualified for something completely different, something which you don’t understand.

So one should stop being so arrogant, step into their shoes, and understand them or try to find a way to translate what you do into terms that they will understand.

So what is the solution?

For me, I always go back to real world examples. Most people understand security from the real world. We are used to carrying five or six different keys for different things. But on the Internet, people only use one key; they only use one password. And they use it everywhere. So when it gets lost, people have access to everything that they own.

In the real world, I have a separate key for my car, a separate key for my home, a separate key for the main door vs. a separate key for my own apartment, and we are used to this kind of thing. But trying to explain to a user why it is that we use a password manager, we have to explain it to them in terms that they will actually understand, and actually take time for them to join the dots within their brain. “So that’s why I should have a different password. That’s why I should make my password really difficult.” Until they put two and two together, they are going to go for whatever is easiest.

So there are a lot of places where not only security people, but technology people in general need to learn to meet the end user halfway and make security transparent and ubiquitous: make security a layer that they don’t necessarily need to think about so much. But from our side, we need to make our code secure, we need to make our cloud system interactions secure, and we need to make our data policies and the implementation of our data policies secure.

Can you elaborate on security policies? Do you see any problems with them?

There’s no point in writing something in your policy that everyone is ignoring. There was a company a few years ago with the policy that nobody was allowed to use Microsoft Messenger. Everyone was using Microsoft Messenger! Your policy says this, and everyone is doing something different. So why is it written in your policy? Either train your people to not use it, and give them a valid, relevant, genuine alternative that they can use, or don’t put it in your policy.

And there are loads of things in the policy documents to please the auditors and to please the compliance team. But that is not how you do security. It in fact makes security worse because it gives the illusion to management that all these things are in place, when all the while the users are bypassing or ignoring it.

How can security professionals help the management in this case?

You need to give them the tools that help. If they are carrying client-data upon which they need to write reports, they need to do some data classification, state who should have access to it and how valuable things are. So if you have classified data, how should you encrypt it, how should you store it, how should you transfer it. So, for argument’s sake, buy a set of encrypted USB keys. If you know that people are working off of their laptops, get something like TrueCrypt or something else that encrypts their laptop, so that their laptop is encrypted if their laptop goes missing or something, you’re safe. Institute Two-Factor-Authentication. And, educate the user: you make sure they understand.

Are there any problems with implementation of such solutions?

Big corporations get these things, they throw loads of money at it, but they don’t look at it from the perspective of how does a business actually use this.

So one of the things which I was saying was that yes, you can buy a really cool firewall and IPS system, but you can also do a simple hardening of your database, of your OS, of your application server, close down all of the open ports, close down all of the services that shouldn’t be on, and let’s do some monitoring of user behaviour, of how people are accessing your system. That will give you, for much cheaper, a whole load of control and peace of mind.

What might the possible solution be then?

From the technology and security side, you need to be aware of the business, and what are the drivers of this business, where do they make their money, where is the “data gold”, and what do they need to protect, and how they are going to protect that, and remain operational. You’ve got data which is very valuable to the company because it’s being used. If they can’t use that data, it’s worthless to them. So if you lock it down too much, or you prevent it from moving around to certain people, then you’re preventing the company from doing business. So until you actually understand that, you can’t put in the relevant controls to allow them to use their data and have a level of security.

You’re never going to be 100% secure, so trying to dream that you are going to be 100% secure is a waste of time. Trying to do it by way of fear and scaring your client into doing things is a completely wrong way of doing things, because when you are in a state of fear, your judgment is so far off the mark that it’s ridiculous. Whereas in the case of “I understand what I’m doing over here. Yes, there are some dangers in this. But we understand it.”

Can you give an example?

It is all about risk management – don’t be afraid of them; simply understand them and manage accordingly.

I’m a snowboarder, and last winter I did an avalanche skills training certification course. The way they manage risk is very similar to how we in security do many things (in many respects they are better because lives depend on it). They have to look at a lot of different things that can trigger an avalanche – current weather conditions, weather over the preceding weeks, terrain, different types of snow, which places put you in danger of being in an avalanche, and there are various trigger points and safety concerns (yes, it gets complicated). You don’t live in fear of avalanches because you saw something in some crappy disaster movie. Instead you live in awareness of it and manage your safety. It’s called awareness training, as opposed to a “you’ll magically be safe from an avalanche by doing this.” It’s a case of saying: right, these are the different factors that can trigger an avalanche and these are the different things that can make you safer from an avalanche.

So if you have had a lot of snowfall in the preceding days followed by a rapid thaw, then it is very likely that some areas on the mountains will have avalanches. So under those circumstances, you don’t go out into very steep slopes, you stay on the slopes that are shallower, or in the treeline. Yes, you may not have as much fun, but you live to play another day.

Before you go out, there are a few things that you are supposed to do. You’re supposed to notify people that this is the zone that we are going to, you define a leader of the group, you take all the various precautions so that you have all the avalanche transceivers, probes and shovels, and all these kinds of things so that, if the worst happens, you are prepared to dig someone out, and that kind of stuff.

Are there any issues applying the same principles to security?

When you go to have your tyres changed, you don’t need to tell the mechanic to make sure to pump up the tyres to the correct pressure. They do it automatically. But for us in IT, we need to stipulate this bunch of standard documents and requirements, and we have these non-functional sets that put these standards in place, “you will make sure that you are using this framework” to prevent SQLi attacks. People should be doing this automatically in our industry (it should be part of our quality process), but we don’t do it.

And there is a lot on our side to blame, because we don’t communicate properly, we don’t talk to the right people. And we also have a tendency to think: I told you once, how come you haven’t changed it?

We want it instantly, or at the latest, tomorrow. No, it’s going to take them time to learn, it’s going to take them time to step up their game to the correct level. And you need to be appreciative of this.

What is your approach?

There’s no one magic bullet that will solve this problem, since it is spread across so many systems and every business is different.

For a previous client, following initial meetings, I set up multiple security roadmaps for them in the three areas that we chose to focus on: business continuity planning, software development and data privacy.

How was this to be achieved? What steps must we take in the next week, month, quarter, and where do we expect to be six months from now? The steps we take must be measurable to some degree. This allowed us to apply a maturity model to it.

It involved some technology, some education, and a lot of communication across business domains and teams to ensure we were serving the business. It also involved the flexibility to acknowledge what isn’t working and change accordingly.

So we have a way of setting these things up so that we can track how well are we doing and where we are, and then you’ve got the ways for them, for the technical team to give feedback back to management, to say that “we’ve added this, and this has given us this additional benefit”.

Thank you Yousef. A few final words of wisdom, please.

You need to be honest with your customer. Sometimes they are not going to listen and you are going to have to do what they want you to do, and that’s part of the business. But you need to understand what the business is, and not just the department that you are being called into. You need to explore what is going on at an enterprise level.

Giving a talk at the University of Greenwich


I was invited to the University of Greenwich to discuss career opportunities in the information security field. We had a productive discussion with the young people who are finishing their degree in Computer Security and Forensics. After the presentation I was introduced to several PhD students who are currently researching various issues around privacy and social media. I’m very happy that people are becoming more interested in solving information security and privacy issues.

NextSec Information Security Conference 2014


Join us at our first 2014 conference, focused on sharing knowledge of cyber security for the energy sector. We have a mixture of senior security leaders and NextSec members delivering rich content to help you with your professional development.

Attend this event to meet and talk with technical experts, and network with like-minded professionals from several industries.

Information Security – Who is accountable?
Emma Leith BP IST CISO.
This session will discuss the role of Information Security teams in managing information security risks and who is truly accountable for those risks. It will cover some real-life examples from BP of how they approached this, whilst providing an insight into how they are starting to achieve their goal to ‘make security part of everyone’s job’.

The Importance & Limitations of Cross-Company Collaboration in the Infosec Industry
Adam Wood, National Grid and Michael Ramella, AstraZeneca.
This talk is aimed at covering what it means to truly collaborate within the Infosec industry. Expanding on lessons learned, guidance for successful collaboration will be presented, allowing the audience members to leave with next steps: The ability to understand and clarify their individual and their team levels of collaboration, and how to increase said levels if they so choose.

Securing Industrial Control Networks
Ian Henderson, BP Lead PCN Security Architect.
Ian will introduce Industrial Automation systems explaining how these critical systems have become a security issue. He will explain what can be done to secure these systems and highlight approaches that work. He will also explore the cultural and human aspects related to securing these systems and the perceived divide between the IT security and Engineering communities.

Securing data flows in the Energy sector with an API Gateway
Mark O’Neill, VP Innovation and Antoine Rizk, VP Vertical Markets, Axway.
The energy sector faces new challenges in governing all types of data flows with unprecedented volumes and security requirements. These data flows include: mobile device access for employees and field personnel, customer access for smart meter monitoring and bill payment, public access for locating charging stations, and smart grid data exchanges. The speakers will illustrate technical security features and case studies of work with the energy sector.

The impact of major data losses on corporations and individuals
Yiannis Chrysanthou, Cyber Security Analyst.
The recent Adobe data breach exposed account information for 153 million users. This session will describe the means by which an attacker can leverage the Adobe leaked information to launch attacks against corporations and individuals.

Time & Date: 7th March, 2014 15:15 to 19:45
Location: KPMG – Canary Wharf, London


Sign up early, limited places are available!


Research Proposal: People and Security

Purpose: The study aims to develop a model to support security managers’ decision-making process when implementing security policies in their organisations, and to incorporate users into the system in a way that mitigates the negative impact of users’ behaviour on security controls.

Background: Security managers in companies lack a clear process to implement security controls in order to ensure compliance with various regulations and standards. The company can be formally compliant but still inefficient in performing its revenue-generating activities.
Security managers may take the ISO 27001 standard as a framework and then make a decision on any particular implementation based on their experience. Such implementations run the risk of colliding with users’ business activities and result in violations of security policies in the company, because they introduce friction with the business process. Users try to avoid such friction. It is important, however, to differentiate between malicious non-compliance and cases where the security policy obstructs business processes, leading to workarounds. There is a mismatch between users’ and security managers’ perception of the workload introduced by security tasks.

Method: To achieve the goal of the study, a combination of quantitative and qualitative methods is applied to research the perception of information security by both users and security managers.

Research benefits: The model points a security manager in the direction of a better understanding of the users in his company. It provides the means to gain an insight into users’ core business activities and reflect on how they relate to the security tasks. This can help security managers to come up with more usable security policies and reduce the number of potential complaints and instances of security policy violation.
Moreover, this model can help the security manager to understand how much time users in his company spend on various security activities. This information can be used to make better investment decisions, and help in security policy optimisation. Additionally, understanding that the security manager’s decisions affect the whole organisation may result in cost savings from pre-implementation security analysis and its relation to the main business processes of the company.

Giving a seminar at the University of East London


This morning I delivered a seminar for a group of graduate students at the University of East London. An enriched mix of participants from various degrees, including information security, forensics, and IT law made the classroom discussions very interesting.
I was very glad to see that students were very eager to learn more about the subject and were willing to share their ideas and experience. We even managed to identify new research opportunities in the field of economics of information security.
After the presentation, I facilitated a workshop which was designed based on a case study around USB drive encryption. This exercise helped the students to understand the perspective of both a security manager and an end-user on the same problem.


Tracking the Progress of an Information Security Related Project

A project is, by definition, a goal-driven activity to be completed by a specific deadline. Although many security professionals dedicate most of their time to daily operational tasks, some of the most valuable contributions they can deliver to a company are in the form of security projects. Such projects may include enterprise-wide security solutions implementations, security reviews or risk assessment.

The success of such an exercise will highly depend on the skills and experience of the individual who manages the project. The reasons for which a security project may fail can be countless, but one of the most common ones is the lack of proper tracking.

Let’s imagine, for a second, that all the necessary planning was done, a charter was signed, and a sponsor fully supports the project. How can the project manager know if everything is going according to the plan?

A simple answer is by tracking the progress. There are several measurable indicators a project manager can keep track of, but a crucial one is the schedule.


Tracking progress against a schedule helps to identify possible risks early and take timely preventive action, such as assigning more resources to the tasks or undertaking some of the activities in parallel.


Project management was never about tools and software, though they may be very helpful. A sample spreadsheet was developed for project tracking which you can use to track the activities on your project. It was created for infrastructure / application hardening programmes and fits projects with a clearly defined scope of similar, repeatable tasks.

Download a sample tracker

Improve Your Team’s Productivity


Today’s security professionals must know how to design and implement security transformation programmes on an enterprise-wide scale. In order to be successful at this, not only must they be technically savvy, but they should know how to build, lead and manage a team effectively for this purpose.

When dealing with teams, many people mistakenly assume that some team roles are more important than others, when in reality, all participants are equally essential. The diversity of skills makes a team versatile and is reinforced by the active involvement from all parties. Each role, trade or character type has its own strengths and weaknesses, which should be identified, harnessed and optimized (or reduced, in the latter case) in order to enhance the team’s overall performance. There are several existing resources for thoroughly exploring these complex human dynamics. One of the strongest ones available is the Belbin Model.

Dr. Meredith Belbin designed a personality test, known as the Belbin Team Inventory, in which he defines nine team roles that are necessary for a team’s optimal performance.

Through a 360-degree feedback mechanism (which includes the individual’s as well as the observers’ evaluation, mutually contrasted with one another), this test is designed to identify an individual’s personal behavioural traits and interpersonal strengths. It is not uncommon to see, however, that many people score strong tendencies towards multiple roles.

Based on the assessment of the individual’s behaviour within a team environment, Belbin sorted these nine roles into three main categories which include the action oriented roles, the people oriented roles and the thought oriented roles.

The action oriented roles and their strengths are the following:

  • Shaper: outgoing and dynamic people who help the team improve by finding the best problem-solving methodologies. The Shaper is responsible for keeping track of all the possibilities while avoiding the team’s complacency. Shapers usually welcome complications and unexpected outcomes as challenging opportunities that could lead to great outcomes: they have the courage to take them on when others feel like quitting.
  • Implementer: assumes the role that translates the team’s concepts and ideas into practical action plans. Because implementers are very disciplined, well-organized and work systematically and efficiently, they are the team members everyone counts on to get the job done.
  • Completer-Finisher: makes sure that deadlines are met and checks for omissions and errors. Because they tend to be orderly, conscientious perfectionists, they will pay attention to every single detail and ensure the job is completed on time.

The people oriented roles and their assets comprise:

  • Coordinator: who usually assumes the role of the chairman or traditional team-leader. Because they tend to be excellent listeners, they intuitively recognise the intrinsic value each team member can contribute to the group. With this personal strength, along with their calm and good nature, they are able to delegate tasks efficiently and guide the team to what they observe are the main objectives.
  • Team Worker: is the member who takes over the role of the negotiator within the team while providing support and ensuring a productive environment in which everybody may work together effectively. Team workers tend to be charismatic and therefore popular and outgoing, which makes them very capable in facilitating team cohesion while encouraging people to get along.
  • Resource Investigator: assumes the role of identifying and working with external stakeholders in order to enable the team to accomplish its objectives. Resource investigators are typically enthusiastic, extroverted and outgoing making others receptive to their ideas. Because they tend to be curious and innovative, they can easily establish contacts, explore available options and negotiate for resources on behalf of the team.

Finally, the thought oriented roles and their potency characteristics include:

  • Plant: the person who comes up with innovative ideas and methodologies. He/she is usually introverted and might prefer to work in a separate environment from the rest of the team. Plants do, however, thrive on praise and find it difficult to deal with criticism.
  • Monitor-Evaluator: is the objective member every team needs for analysing and evaluating the ideas that other people (usually Plants) come up with. They can easily weigh the pros and cons of all the available options before arriving at a decision.
  • Specialist: these are the individuals who possess the specialised knowledge and experience required to get the job done. Their contribution in a team environment is that of the expert in the field, and they are usually fully committed to the area of their expertise. Their priority lies in maintaining their professional status, and they take great pride in their abilities and skills.

One of the core foundations of the Belbin Team Inventory is that a team can be considered well-balanced when all nine roles are present and participate actively. When we recognise our individual role within a given team, we can further develop our strengths and manage our weaknesses in order to improve our contribution to the team.


If several members within a given team have similar behavioural styles or team roles, the team becomes unbalanced and doesn’t function up to its full potential. The underlying cause for this is that similar behaviours imply overlapping strengths, which can foster interpersonal competition rather than cohesion or mutual collaboration. Additionally, similar behaviours mean similar weaknesses, which can be extrapolated as a general weakness of the entire team. Belbin’s nine role definition also includes the identification of the characteristic weaknesses that tend to accompany each team role. These “allowable” weaknesses should be recognised in order to allow for improvement.

The weaknesses of action oriented roles typically include:

  • Shaper: might not always be considerate of other people’s feelings and be argumentative.
  • Implementer: could be rigid and have a hard time changing.
  • Completer-Finisher: might have difficulties in delegating and suffer from unnecessary worry and anxiety.

The weaknesses associated to the people oriented roles are usually the following:

  • Coordinator: may tend to be manipulative in nature and might delegate away too much of his/her personal responsibility.
  • Team Worker: might struggle to maintain uncommitted positions during decision-making processes or discussions, and have a tendency to be indecisive.
  • Resource Investigator: might be overly optimistic and can quickly lose enthusiasm.

The drawbacks of the thought oriented roles include:

  • Plant: their unconventional ideas and suggestions may be seen by the rest of the team as impractical. The introverted nature of Plants can make them poor communicators, and they might tend to overlook given constraints or parameters.
  • Monitor-Evaluator: because they are strategic in their methodologies, as well as critical thinkers, they are usually regarded as unemotional or detached. They might be poor motivators who react to a given circumstance instead of instigating it.
  • Specialist: because their contribution is limited to the field of their expertise, their participation is restricted, which may lead them to dwell on technicalities and narrow concerns at the expense of the wider scope.

After many years of studying teamwork, Belbin broadly defined a team role as “a tendency to behave, contribute and interrelate with others in a particular way”: a tendency that people normally adopt when they assume a particular team-role. The individual and interpersonal behaviours might, however, depend to some extent on the situation, since it is not only related to one’s own natural style of working, but to the interaction with others and the actual work itself. This means that each one of us may behave and interact quite differently according to the nature of the team members and/or the work we are exposed to.

How to use the Belbin Team Inventory as a tool

The Belbin Team Inventory is a rather handy tool and can be used in different ways, such as managing interpersonal differences within a given team, considering how to construct a balanced team properly before a project starts, or developing oneself as a team member.

The Belbin model can be used to analyse an existing team, as well as serving as a helpful guide for developing the team’s strengths and managing its weaknesses. The following procedure can be very helpful in analysing team membership and checking for potential strengths and weaknesses within the team:

1.     Observe the individual members of your team over a period of time, to see how they perform individually, contribute and how they conduct themselves within the team.

2.     Make a list of the team members which includes their observable characteristics: both key strengths and weaknesses.

3.     Make a comparison between each team member’s strengths and weaknesses and the descriptions provided by the Belbin Model. Which team role would you say describes each person most accurately?

4.     Once you feel you have identified each individual’s corresponding role, answer the following questions:

o   Are there any roles missing from the team? Which ones? If so, which are the strengths that are most likely to be missing from the team overall?

o   Is there a prevalent team role that many of the team members share?

When there are teams of people who perform the same job, there will be specific predominant team roles. In a team of business consultants, for example, there might be numerous Shapers and Team Workers, as opposed to a research department which will mainly consist of Plants and Specialists. These are perfect examples of unbalanced teams, which might be lacking key approaches and outlooks.

If the team is considered to be unbalanced, the first step is to identify the overall weakness that results from the imbalance. The following step would be to recognise areas of potential conflict. An example would be an excess of Shapers, which might weaken a team if each one wishes to drive the team in a different direction.

5.     Once potential weaknesses, areas of conflict and missing strengths have been identified, identify the options you have to improve and change this. Consider:

o   Whether one or more team members could develop or adapt how they work together and with others in order to avoid potential conflict of their natural styles.

o   If an existing team member could compensate by adopting a different team role. Through awareness and intention, this is sometimes possible.

o   Whether new skills need to be brought onto the team to compensate for the weaknesses.

The Belbin Team Roles model may introduce more coherence into the team.

It is important to mention, however, that although the Belbin model can be very useful, it should mainly be regarded as a good guide for building a team. One shouldn’t mistake this for depending too heavily on it in order to strive for perfection, which might restrict other potential strengths a team and its members may have. It is basically up to the team leader’s professional intuition to evaluate and decide for him/herself what would be the greatest overall benefit. Perhaps the main concept to learn here today is that in order to have a very high performing team, “the key is BALANCE”.

Resources:

http://www.belbin.com/

http://www.mindtools.com/pages/article/newLDR_83.htm

Images courtesy of digitalart and jannoon028 / FreeDigitalPhotos.net

An Introduction to Industrial Control Systems Security Part III: Auditing the Environment

Sometimes, in order to ensure the security of a system, it is not enough to follow the general advice outlined in the Overview of Protection Strategies, and one may choose to perform a penetration test.

Security assessments of this highly sensitive environment should be conducted with extreme care. They require not only basic network security skills but also knowledge of the equipment, SCADA-specific protocols and their vulnerabilities.


In the photo you can see different types of PLC and RTU devices, discussed in the Overview of Industrial Control Systems:

  • Modicon Momentum PLC
  • Rockwell Automation MicroLogix 1100 PLC
  • Siemens S7 1200 PLC
  • Small embedded RTU device

The original SCADA protocols (vendor-specific protocols include Modbus RTU, DF1, Conitel and Profibus) were serial-based: the master station initiated the communication with the controllers. Nowadays, almost all SCADA protocols are encapsulated in TCP/IP and can be operated over Ethernet.

To get a better understanding, one can use Modscan32 to connect to the PLC and view register data by entering the IP address and TCP port number in the tool.


If there is no live PLC available to work with, one can always use the ModbusTCP simulator to practice capturing traffic with Wireshark, configuring the OPC server and building human-machine interfaces.
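As an added example (not code from the original article or from any of the tools it names), the following Python decodes the Modbus/TCP framing described above from constructed sample frames, shows the register values a tool like Modscan32 would display, and flags write requests, the kind of check one would run over a Wireshark capture taken against the simulator.

```python
import struct
from collections import namedtuple

# Added example, not code from the original article. Modbus/TCP wraps the serial
# Modbus PDU (function code + data) in a 7-byte MBAP header: transaction id (2),
# protocol id (2, always 0), length (2) and unit id (1).
WRITE_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
ModbusFrame = namedtuple("ModbusFrame", "transaction_id unit_id function_code data")

def parse_frame(raw: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP frame; raise ValueError on malformed input."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", raw[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # The length field counts unit id + PDU, so a valid frame is 6 + length bytes.
    if len(raw) != 6 + length:
        raise ValueError("length field does not match frame size")
    return ModbusFrame(tid, uid, raw[7], raw[8:])

def read_holding_registers(frame: ModbusFrame) -> list:
    """Decode a function 0x03 response into its 16-bit register values."""
    if frame.function_code != 0x03:
        raise ValueError("not a Read Holding Registers response")
    count = frame.data[0]
    return list(struct.unpack(f">{count // 2}H", frame.data[1:1 + count]))

def flag_write_requests(frames: list) -> list:
    """Return (transaction id, function name) for each well-formed write frame."""
    flagged = []
    for raw in frames:
        try:
            frame = parse_frame(raw)
        except ValueError:
            continue  # malformed: a monitoring setup would log this instead
        if frame.function_code in WRITE_CODES:
            flagged.append((frame.transaction_id, WRITE_CODES[frame.function_code]))
    return flagged

# Constructed sample frames (not captured traffic).
SAMPLE_FRAMES = [
    bytes.fromhex("000100000006010300000002"),    # read 2 holding regs at 0
    bytes.fromhex("00010000000701030401020304"),  # response: 0x0102, 0x0304
    bytes.fromhex("0002000000060106001000FF"),    # write 0x00FF to reg 0x10
    bytes.fromhex("000300000009010300000002"),    # length says 9, actual 6
]
```

On the sample frames, `flag_write_requests(SAMPLE_FRAMES)` reports only transaction 2 as a Write Single Register, and the malformed fourth frame is rejected by the length check rather than silently misparsed.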
