Supporting the Cyber Leadership Challenge

Earlier this year I had the honour of supporting the Cyber Leadership Challenge as a judge at the BT Tower! I’ve been a judge at Cyber 912 previously but I’ve always been doing that virtually, so it was great to be able to goto the event not via a webcam! The Cyber Leadership challenge is a national cyber emergency competition for UK university students. The students work in teams through an evolving national major cyber incident, so they will likely be thinking through areas many don’t give two seconds thought to, such as:

Leadership

Using cyber security investments as a business enabler

Making security both an organisational support capability but also enabling business is not easy. Lots of the security activity is for obvious reasons not totally transparent. However one thing I want to show people is how you might want to tell existing and prospective customers about the way you approach security within your organisation. One way to do this is to show people how you align to the NCSC 14 Cloud Security Provider Principles.

Leadership

Cyber Leadership – Real Life Incidents over the years!

Introduction

I’ve been around a bit now, I started ‘playing’ with technology very young as a kid! Wolf 3D/Doom era etc (ok even before that but whatever) …

In my professional career I’ve worked with literally hundreds of companies, from mega to small, from household names that sell games consoles through to orgs that sell you yummy food! I’ve worked across loads of industries from government through to manufacturing. I’ve dealt with major incidents for the finance sector, healthcare but also, I’ve been inside a range of networks for some time.

Leadership

The business ‘value’ of Cyber Investments

A massively common analogy I see in security is the idea that security is like paying for insurance incase something goes wrong. I think this is great if you have 3 seconds only to describe security, but that’s not really how I have conversations with people. A sound bite isn’t reality, and to be honest I personally find that rather meaningless. I also know that many people don’t like or even pay for a range of insurance so when we look at how we try and improve digital security from a whole of society perspective, I think this phrase doesn’t work, it’s too narrow…

Leadership

Technology in the Wild

Whilst every marketing person will talk about the latest and greatest tech innovation and product, how much does that reflect the reality of technology deployed in the world? Everyone is running Windows 11 and Windows Server 2022 right?! They also don’t use computers, because everything is cloud and mobile first right! and security, well everyone has that down as well! Great… let’s just go and check those statements out… oh wait…. no maybe err.. let’s take a look with our friends at shodan.io

Strategy

When forming a strategy you must realise for starts that people view the word strategy differently. However, the general view is STRATEGY AS A PLAN. Without a PLAN a strategy is a DREAM.

The plan must be supported by a rang of factors, it must also be managed. It should be something which helps you go from where you are (CURRENT STATE) to where you want to be (FUTURE STATE) and should have a roadmap (TRANSITION PLAN/ROADMP) of how you will get there.

When we talk about can I see your strategy, you will need to have it documented, a strategy without a document isn’t a strategy that can be shared and communicated. As to what “THE STRATEGY” document must be… well there is no such thing as a MUST, but there’s some component that are largely and widely recognised to be useful.

Leadership

The Cyber Acid Test

I’ve been working with all kinds of different organisations over the years, and I keep running into similar scenarios. The current state of the majority of organisations security postures are simply (as a broad-brush statement) far riskier than they need to be.

Conversely there are a range of common challenges I find in almost every org:

Leadership

What is a “Winning Cyber Security Strategy”?

A winning cyber security strategy should have several key components.

First, it should involve a thorough assessment of your organization’s current security posture, including identifying any potential vulnerabilities or weaknesses. This assessment should be ongoing, with regular updates to ensure that your security measures are keeping pace with the evolving threat landscape.

Education

Vulnerability Prioritisation

I’ve got 99 vulnerabilities but log4j ain’t one!

Most organisations have hundreds to thousands of vulnerabilities. They range across the spectrum from:

CRITICAL
HIGH
MEDIUM
LOW
INFORMATIONAL

The challenge comes in trying to determine how to prioritise. Which ways could we go?

Where do we start?

Guides

Service Security Architecture and Assurance

Have you every tried to understand the risk level of a service? Ever wanted to provide assurance to someone that “it’s been well designed, is secure from common threats, likely risk scenarios and is securely operated” etc.? have you ever tried to conduct testing against a service that is relatively unknown? Ever needed to actually do more than throw some packets at the front door? Guess what, I have. Most orgs don’t have a decent level of documentation on service architecture and security controls. And as the NSA nicely put, the way they get into networks is to know them better than you do! So in my travels I see lots of different orgs and largely there’s one common similarity, most of them aren’t well documented (docs are boring right!) and if we then make another huge sweeping generalisation, about 90% of orgs have security postures you wouldn’t want to have to defend as a blue teamer, but you might fancy if you were a nation state actor or cyber criminal!