Anyone that knows me, knows I love maturity assessments and tools (I’ve built a few, and run LOADS more) so this morning when I saw this on LinkedIn I had to start to get some understanding! I’ve not even had a cup of tea, but let’s see what this looks like!Read more “Cloud Adoption Security Review”
I’ve been working with all kinds of different organisations over the years, and I keep running into similar scenarios. The current state of the majority of organisations security postures are simply (as a broad-brush statement) far riskier than they need to be.
Conversely there are a range of common challenges I find in almost every org:Read more “The Cyber Acid Test”
A winning cyber security strategy should have several key components.
First, it should involve a thorough assessment of your organization’s current security posture, including identifying any potential vulnerabilities or weaknesses. This assessment should be ongoing, with regular updates to ensure that your security measures are keeping pace with the evolving threat landscape.Read more “What is a “Winning Cyber Security Strategy”?”
A mRr3b00t Adventure
Join me on an adventure of rambling and exploring the idea that you can in fact not lose the security leadership game! This blog is WIP, it’s just my brain wondering around the question of: can we win the in the face of a seemingly insurmountable force? What do we do as a security leader to protect ourselves and the organisation? How do we start?Read more “How to not lose your job as a CISO”
I am not a legal export! Haha get used to saying that a lot if you work in cyber and are not in fact a legal expert! I wanted to put together a list of common laws that people should be aware of when doing business in the UK, it’s just a starter for 10 and there are likely others, but this should get people started for their security awareness and security policy documentation:Read more: UK laws and cyber security considerations for business
- Data Protection Act 2018
- Freedom of Information Act
- Communications Act
- Computer Misuse Act 1990
- Investigatory Power Act 2016 (IPA)
- Theft Act 1990
- Terrorism Act 2000
- The General Data Protection Regulation (GDPR)
- The Privacy and Electronic Communications Regulations 2003 (PECR)
- The Regulation of Investigatory privacy Act 2000 (RIPA)
- Official Secrets Act 1989 (OSA)
- Companies Act 2006
- Copyright and Design patents Act 198
- Trademarks Act 1994
- The Malicious Communication Act 1988
- Forgery and Counterfeiting Act 1981
- Police and Criminal Evidence Act 1984
- Contracts (Rights of Third Parties) Act 1999
- Fraud Act 2006
- Network and Information Systems Regulations 2018 (NIS)
- Telecommunications (Security) Act 2021
- The Bribery Act 2010
- Freedom of Information Act 2000
- Defence of the Realm Act 1914
can you think of any others that I should add?
Thanks Gary and Kevin and the other AVIS I can’t name for inputting!
How an organization approaches the challenge of technology and security management, well that’s the difference between leveraging technology to deliver value efficiently and effectively vs technical debt and inefficient deployment of technology which may hinder the organisation in its pursuit of its mission.
When we consider how technology is managed, we need to look at it from multiple viewpoints with different views:Read more “Organisational Approach to Technology and Security”
“You will respect my authority” … is a sure fast way to be ignored in the business world!
Much like gatekeeping, excessive focus on policies, lack of engagement with the audience and generally mandating security policies and procedures that are not practical will likely not end with a robust, resilient security posture. Read more “Cyber Security in a business environment”
Do they replace the need for OSINT and Supplier engagement?
I’ve been conducting sales and assurance-based activities for some while (I’m not counting it will make me feel old!) and I have started looked at a range of supplier management tools which leverage tool-based OSINT, attack surface mapping and manual data inputs and I have to say this:
Have you ever thought about what kind of data/intelligence you may need with regards to vulnerability management? It tends to vary at levels of abstraction based on the audiance, but don’t think the person doing the patching may not be considernig upwards or that someone in a C level position won’t care about the zeros and ones (life doesn’t work that way!)
Anyway I was talking to a friend and came up with these so thought I’d share them with the world. Have I done a decent job? can you think of others? How do you measure and report? What are your concerns?
Let’s take a look at what I came up with (this wasn’t a very long time in the making 😉 )Read more “Vulnerability Management Concerns by Role Type”
CISO Tabletop Scenario Intro
I thought it would be fun to explore what people do with regards to Cyber Securityleadeship, budgets, contraints and realities of business change. So here’s a blog post to supliment my thread on twitter:
please note: the list below is based on experiance, it’s also a list I made whilst drinking about half a cup of tea so it’s not complete or “the answer” it’s just some observations about an approach I advocate.Read more “Tabletop: “you have 400 servers; 800 users and your cyber security budget is 100K…. what do you do?””