Guides

Bolting on security does not work

In my travels I have found it matters more how you do IT securely than how you ‘do security’. What I mean by this is, the prevailing themes of orgs recently is to bolt on SOCs/MDR and other services to a low maturity/low capability IT organisations with the hope that its magic’s all the security problems away. This sounds lovely, the salespeople will almost certainly productise your security improvement journey and make it sound like a dream.

Read more “Bolting on security does not work”
Education

Supporting the Cyber Leadership Challenge

Earlier this year I had the honour of supporting the Cyber Leadership Challenge as a judge at the BT Tower! I’ve been a judge at Cyber 912 previously but I’ve always been doing that virtually, so it was great to be able to goto the event not via a webcam! The Cyber Leadership challenge is a national cyber emergency competition for UK university students. The students work in teams through an evolving national major cyber incident, so they will likely be thinking through areas many don’t give two seconds thought to, such as:

Read more “Supporting the Cyber Leadership Challenge”
Leadership

Using cyber security investments as a business enabler

Making security both an organisational support capability but also enabling business is not easy. Lots of the security activity is for obvious reasons not totally transparent. However one thing I want to show people is how you might want to tell existing and prospective customers about the way you approach security within your organisation. One way to do this is to show people how you align to the NCSC 14 Cloud Security Provider Principles.

Read more “Using cyber security investments as a business enabler”
Leadership

Cyber Leadership – Real Life Incidents over the years!

Introduction

I’ve been around a bit now, I started ‘playing’ with technology very young as a kid! Wolf 3D/Doom era etc (ok even before that but whatever) …

In my professional career I’ve worked with literally hundreds of companies, from mega to small, from household names that sell games consoles through to orgs that sell you yummy food! I’ve worked across loads of industries from government through to manufacturing. I’ve dealt with major incidents for the finance sector, healthcare but also, I’ve been inside a range of networks for some time.

Read more “Cyber Leadership – Real Life Incidents over the years!”
Leadership

The business ‘value’ of Cyber Investments

A massively common analogy I see in security is the idea that security is like paying for insurance incase something goes wrong. I think this is great if you have 3 seconds only to describe security, but that’s not really how I have conversations with people. A sound bite isn’t reality, and to be honest I personally find that rather meaningless. I also know that many people don’t like or even pay for a range of insurance so when we look at how we try and improve digital security from a whole of society perspective, I think this phrase doesn’t work, it’s too narrow…

Read more “The business ‘value’ of Cyber Investments”
Leadership

Technology in the Wild

Whilst every marketing person will talk about the latest and greatest tech innovation and product, how much does that reflect the reality of technology deployed in the world? Everyone is running Windows 11 and Windows Server 2022 right?! They also don’t use computers, because everything is cloud and mobile first right! and security, well everyone has that down as well! Great… let’s just go and check those statements out… oh wait…. no maybe err.. let’s take a look with our friends at shodan.io

Read more “Technology in the Wild”
Strategy

Strategy

When forming a strategy you must realise for starts that people view the word strategy differently. However, the general view is STRATEGY AS A PLAN. Without a PLAN a strategy is a DREAM.

The plan must be supported by a rang of factors, it must also be managed. It should be something which helps you go from where you are (CURRENT STATE) to where you want to be (FUTURE STATE) and should have a roadmap (TRANSITION PLAN/ROADMP) of how you will get there.

When we talk about can I see your strategy, you will need to have it documented, a strategy without a document isn’t a strategy that can be shared and communicated. As to what “THE STRATEGY” document must be… well there is no such thing as a MUST, but there’s some component that are largely and widely recognised to be useful.

Read more “Strategy”
Leadership

The Cyber Acid Test

I’ve been working with all kinds of different organisations over the years, and I keep running into similar scenarios.  The current state of the majority of organisations security postures are simply (as a broad-brush statement) far riskier than they need to be.

Conversely there are a range of common challenges I find in almost every org:

Read more “The Cyber Acid Test”
Leadership

What is a “Winning Cyber Security Strategy”?

A winning cyber security strategy should have several key components.

First, it should involve a thorough assessment of your organization’s current security posture, including identifying any potential vulnerabilities or weaknesses. This assessment should be ongoing, with regular updates to ensure that your security measures are keeping pace with the evolving threat landscape.

Read more “What is a “Winning Cyber Security Strategy”?”
Copyright (c) Xservus Limited