Education
Everyone these days seems to rush towards “the solution”, well as someone who now has few years under their belt, I’d advise people slow down a little and think about their business requirements, outcomes, current state, and constraints. Significantly as well think about how a service will run over a period, not just how to buy it and “fling it into production”.
Read more “Stop rushing for “the solution”!”
Architecture
I’ve travelled all over the internet, I’ve worked with logs of organisations from banks through to small ISVs and one thing I would say is fairly universally true. What can be isn’t what is.
There’s a lot of different operating models and technologies in the world. There’s logs of differen’t specifics. This diagram here is not mean’t as a refrence architecture but more as an indicator.
There is also a massive reality people must understand, cyber good most definatley costs more at the point of deployment than cyber bad. Cyber bad’s ROI is truly variable and in mind mind is too hard to measure. For one org with cyber bad can experiance a significant breach (and cost) and another may have lady luck on their side.
Read more “The difference between what can be vs what often is – Cyber Architecture”
Defense
That is quite the catchy title don’t you agree? Ok so that needs some work and when we think about cloud security, we need to realise that Computing as a Service isn’t a silver bullet.
Ok so the cloud was promised as the saviour of IT and Cyber security but the promise vs the reality. Well, let’s be frank, they don’t really match up. But have no fear – secure cloud design is here (omg cringe)! Ok now we have that out of my system let’s look at some basic cloud security considerations to make when thinking about cloud services.
Ok so the world doesn’t work with a checklist however, if you are like me you will want to use lists and aides to jog the little grey cells into action. Let’s think about cloud services and security: Read more “Cloud Security – 26 Foundational Security Practises and Capabilities Checklist”
Guides
To conduct a solution review we need to consider multiple perspectives. Cyber security can be described as (from the NCSC):
“Cyber security’s core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access – both online and at work – from theft or damage. It’s also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.”
Cyber Security is concerned with risks, threats, vulnerabilities, and controls. This really means the breadth and depth of cyber security is vastly wide and terribly deep. Read more “Cyber Security Design Review”
Leadership
I remember (now it was a long time ago) when I worked in a support role and my dream job was being a technical architect, back in the warm and fuzzy days of no host-based firewalls, IPsec being something only MCPs knew about other than the networking team and when cybercrime was a shadow of how it is today.
It wasn’t until I had a few more notches under my belt when I realised that architecture in technology has different viewpoints, not only that but even the industry can’t agree on what things are or are not. That aside the reality is, is that architecture has different domains, specialisms, views, and viewpoints. I often find myself working across a whole range of areas, that is driven largely by specific customer requirements and scenarios (this is why I have a cool lab and lots of kit!)
When we consider a business technology system it has risk and by nature cyber security in that view. To think of this not being the case would be odd because ultimately “business” is the highest abstraction, and let’s think about what makes up a business: Read more “Cyber Security Architecture”
Leadership
What does “good” cyber security look like? Sure, we can run a maturity assessment and see what good indicators are and we can create a baseline of our current state to establish where we are and what gaps we have (honestly in real terms this isn’t something to consider you should be doing this!) but how do we measure success in cyber security? Is every success an invisible outcome? Because one question that often comes to mind here is, just because we don’t see something, does that mean everything is ok? In the fast-paced world of cyber security, measuring success isn’t as easy as you would think. I’ll give an example of this, let’s say we don’t monitor, we get breached, but the threat actor just performs crypto mining (let’s say this is on premises) and we never really notice in the grand scheme of the world that our energy consumption costs have increased, if we didn’t know this had occurred, we might think our security is good. Read more “Measuring Cyber Defence Success”
Defense
Ok so you might think I’m mad with the title but bear with me!
So, the world is in an interesting place, we’ve got a pandemic, we’ve got prolific cyber crime and we have all kinds of different views on how we should tackle this problem.
Now I love a framework and there’s ton’s of them. But the truth is they are complex, detailed, nuanced and generally require a level of nerd that a lot of organistaions do not have.
In 2020 during the pandemic I decided to try and write something to simplify this position, whilst I didn’t want to be too narrow, I wanted to try and capture the breadth of cyber security that is relevent to the general purpose organistaion. I came up with a set of 140 questions which I believe are a good take on things to consider and ask when conducting a security review at a high level. (yes 140 questions is a high level view, this stuff is complex as hell at the detailed end of things, and the devil is in the detail).
Read more “Cyber Security Assesments for Normal People”
Guides
I’ve worked in technology a long time now (relatively for me). It’s now over 20 years professionally and when I was a kid, I used to remove malware from small business’s etc. I’ve travelled to some funky places and done some cool things, but I learn new things every day. I do however come across some repeating patterns in my adventures as a consultant. There is a hidden truth that many are scared to admit…
Most organisations are not very good at service design, let alone secure service design!
Ok so there it is, I hope that this blog doesn’t age very well, but I’m 20 years in and I chat with my dad about his past life in the corporate world and we both see the same things being repeated. So, what can we do about it? Well sharing is caring, so here’s some things to think about when planning and designing a new service. I’m going to focus on the technology and security aspects, clearly, I am not saying ignore the business and value alignment but for the purposes of this post I’m assuming that the functional service capabilities and alignment are in effect. I’m also assuming that business case is solid because you know, without £ it’s a bit hard to create an operate a service (that’s a whole new post!). Read more “Secure Service Design: Practical Solution Architecture”