Royal Holloway University of London adopts my book for their MSc Information Security programme

Photo by lizsmith

One of the UK’s leading research-intensive universities has selected The Psychology of Information Security to be included in their flagship Information Security programme as part of their ongoing collaboration with industry professionals.

Royal Holloway University of London’s MSc in Information Security was the first of its kind in the world. It is certified by GCHQ, the UK Government Communications Headquarters, and taught by academics and industrial partners in one of the largest and most established Information Security Groups in the world. It is a UK Academic Centre of Excellence for cyber security research, and an Engineering and Physical Sciences Research Council (EPSRC) Centre for Doctoral Training in cyber security.

Researching and teaching behaviours, risk perception and decision-making in security is one of the key components of the programme and my book is one of the resources made available to students.

“We adopted The Psychology of Information Security book for our MSc in Information Security and have been using it for two years now. Our students appreciate the insights from the book and it is on the recommended reading list for the Human Aspects of Security and Privacy module. The feedback from students has been very positive as it brings the world of academia and industry closer together.”

Dr Konstantinos Mersinas,
Director of Distance Learning Programme and MSc Information Security Lecturer.

The foundation of the Zero Trust architecture

Zero Trust is a relatively new term for a concept that’s been around for a while. The shift to remote working and wider adoption of cloud services has accelerated the transition away from the traditional well understood and controlled network perimeter.

Security professionals should help organisations balance the productivity of their employees with appropriate security measures to manage cyber security risks arising from the new ways of working.

When people talk about Zero Trust, however, they might refer to new technologies marketed by security vendors. But in my opinion, it is as much (if not more) about the communication and foundational IT controls. Effective implementation of the Zero Trust model depends on close cross departmental collaboration between IT, Security, Risk, HR and Procurement when it comes to access control, joiner-mover-leaver process, managing identities, detecting threats and more.

Device management is the foundation of an effective Zero Trust implementation. Asset inventory in this model is no longer just a compliance requirement but a prerequisite for managing access to corporate applications. Security professionals should work closely with procurement and IT teams to keep this inventory up-to-date. Controlling the lifecycle of the device from procuring and uniquely identifying it through tracking and managing changes, to decommissioning should be closely linked with user identities.

People change roles within the company, new employees join and some leave. Collaborating with HR to establish processes for maintaining the connection between device management and employee identities, roles and associated permissions is key to success.

As an example, check out Google’s implementation of the Zero Trust model in their BeyondCorp initiative.

Threat modelling 101

Using abstractions to think about risks is a useful technique to identify the ways an attacker could compromise a system.

There are various approaches to perform threat modelling but at the core, it’s about understanding what we are building, what can go wrong with it and what we should do about it.

Here is a good video by SAFECode introducing the concept:

Webinar: A CISO panel on weaving security into the business strategy

I had a lot of fun participating in a panel discussion with fellow CISOs exploring the link between cyber security and business strategy. It’s a subject that is very close to my heart and I don’t think it gets enough attention.

In the course of the debate we covered a number of topics, ranging from leveraging KPIs and metrics to aligning with the Board’s risk appetite. We didn’t always agree on everything but I believe that made the conversation more interesting.

As an added bonus, my book The Psychology of Information Security was highlighted as an example of things to consider while tackling this challenge and to improve communication.

You can watch the recording on BrightTalk.

I’ve made it to the Unsung Hero Award: DevSecOps Trailblazer shortlist

I have been nominated for the 2020 Security Serious Unsung Hero award in the DevSecOps Trailblazer category!

Ensuring security is embedded in the development lifecycle of software, from start to finish, is pivotal in creating a more cyber secure world. This award recognises individuals who are spearheading this initiative so that the creation of applications can continue to be dynamic, without sacrificing cybersecurity.

I’m excited to make the shortlist and wish best of luck to all the contenders!

How to secure a business in decline

Many business have felt the economic impact of the Covid pandemic. Depending on the industry, some managed to adapt and pivot to new models and ways of working, but not all were successful.

As a result, some companies were unable to continue to operate profitably and entered administration. The cause of financial troubles, however, doesn’t have to be pandemic-related to pose new security challenges.

In this blog I would like to share some of the priority areas for a security leader in a business in, sometimes rapid, decline.

As the business is failing, the leadership might not treat cyber security as their top priority. However, the organisation still has obligations to its customers who entrusted the company with their data and comply with relevant laws and regulations. It goes without saying that previously identified cyber security threats and risks are unlikely to disappear either.

If there is a chance of survival, a poorly managed security incident can be the last straw.

How should security teams adapt? What should they focus on?

Broadly speaking, there are two main areas a CISO can support the business: securing a potential rescue deal and managing the decline.

There are investors specialising in distressed businesses and part of the administration process might involve looking for a capital injection or an acquisition of a failing company.

Potential investors would understandably need to know what they might be buying which normally involves conducting due diligence on the target. Although circumstances are different, the process itself is very similar to an M&A scenario or a startup acquisition.

As a security leader, it’s your job to provide transparency on the matters related to data protection, past breaches and existing security controls and processes. If done right, it presents the business in a favourable light as a well-governed enterprise, increasing investors’ confidence and therefore chances of a successful rescue deal.

In many ways, this is comparable to overseeing a divestment. A lot of such conversations are confidential, so raising awareness of what can and can’t be shared externally (including on social media), and maintaining appropriate need-to-know access controls is paramount.

Some things, however, are outside of our control and sometimes all we can do is to make the best out of a bad situation.

There are a few key areas to pay attention to when it comes to embedding security for a business in downturn.

People. There will naturally be a lot of leavers, so having a robust joiner-mover-leaver process is key. All access permissions should be timely revoked when no longer required. In addition, data loss prevention controls and broader insider risks should be considered as the morale in the company worsens. On a positive note, people and a culture of security can significantly contribute to the company’s security posture, especially in the conditions of scarce resources (see next point).

Resources. Investment in security is going to understandably diminish. Some of the top talent will leave, so you will have to learn to do more with less. If your desired control to mitigate a particular risk is no longer affordable, what is the next best thing? Can this be done cheaper, or better still, for free? Business leadership should be made aware of the potential consequences of risk acceptances, and there will likely be a higher than usual number of these.

Data. There also might not be enough money to pay for non business critical systems and services. These should be decommissioned in the way that ensures that sensitive (including personal) data is destroyed securely in line with company’s retention policies. Having data maps and asset inventories is invaluable to maintain visibility.

Sustaining operational resilience in the face of cost pressure is challenging but not impossible. For many, it’s a unique learning experience regardless of the outcome.

Cyber incident readiness

As many organisations are recognising and experiencing first-hand, cyber-attacks are no longer a matter of if, but when. Recent cyber breaches at major corporations highlight the increasing sophistication, stealth, and persistence of cyber-attacks that organisations are facing today. These breaches are resulting in increased regulatory and business impact.

More