Whilst every marketing person will talk about the latest and greatest tech innovation and product, how much does that reflect the reality of technology deployed in the world? Everyone is running Windows 11 and Windows Server 2022 right?! They also don’t use computers, because everything is cloud and mobile first right! and security, well everyone has that down as well! Great… let’s just go and check those statements out… oh wait…. no maybe err.. let’s take a look with our friends at shodan.ioRead more “Technology in the Wild”
When forming a strategy you must realise for starts that people view the word strategy differently. However, the general view is STRATEGY AS A PLAN. Without a PLAN a strategy is a DREAM.
The plan must be supported by a rang of factors, it must also be managed. It should be something which helps you go from where you are (CURRENT STATE) to where you want to be (FUTURE STATE) and should have a roadmap (TRANSITION PLAN/ROADMP) of how you will get there.
When we talk about can I see your strategy, you will need to have it documented, a strategy without a document isn’t a strategy that can be shared and communicated. As to what “THE STRATEGY” document must be… well there is no such thing as a MUST, but there’s some component that are largely and widely recognised to be useful.Read more “Strategy”
I’ve been working with all kinds of different organisations over the years, and I keep running into similar scenarios. The current state of the majority of organisations security postures are simply (as a broad-brush statement) far riskier than they need to be.
Conversely there are a range of common challenges I find in almost every org:Read more “The Cyber Acid Test”
A winning cyber security strategy should have several key components.
First, it should involve a thorough assessment of your organization’s current security posture, including identifying any potential vulnerabilities or weaknesses. This assessment should be ongoing, with regular updates to ensure that your security measures are keeping pace with the evolving threat landscape.Read more “What is a “Winning Cyber Security Strategy”?”
I’ve got 99 vulnerabilities but log4j ain’t one!
Most organisations have hundreds to thousands of vulnerabilities. They range across the spectrum from:
The challenge comes in trying to determine how to prioritise. Which ways could we go?
Where do we start?Read more “Vulnerability Prioritisation”
Have you every tried to understand the risk level of a service? Ever wanted to provide assurance to someone that “it’s been well designed, is secure from common threats, likely risk scenarios and is securely operated” etc.? have you ever tried to conduct testing against a service that is relatively unknown? Ever needed to actually do more than throw some packets at the front door? Guess what, I have. Most orgs don’t have a decent level of documentation on service architecture and security controls. And as the NSA nicely put, the way they get into networks is to know them better than you do! So in my travels I see lots of different orgs and largely there’s one common similarity, most of them aren’t well documented (docs are boring right!) and if we then make another huge sweeping generalisation, about 90% of orgs have security postures you wouldn’t want to have to defend as a blue teamer, but you might fancy if you were a nation state actor or cyber criminal!Read more “Service Security Architecture and Assurance”
A mRr3b00t Adventure
Join me on an adventure of rambling and exploring the idea that you can in fact not lose the security leadership game! This blog is WIP, it’s just my brain wondering around the question of: can we win the in the face of a seemingly insurmountable force? What do we do as a security leader to protect ourselves and the organisation? How do we start?Read more “How to not lose your job as a CISO”
I am not a legal export! Haha get used to saying that a lot if you work in cyber and are not in fact a legal expert! I wanted to put together a list of common laws that people should be aware of when doing business in the UK, it’s just a starter for 10 and there are likely others, but this should get people started for their security awareness and security policy documentation:Read more: UK laws and cyber security considerations for business
- Data Protection Act 2018
- Freedom of Information Act
- Communications Act
- Computer Misuse Act 1990
- Investigatory Power Act 2016 (IPA)
- Theft Act 1990
- Terrorism Act 2000
- The General Data Protection Regulation (GDPR)
- The Privacy and Electronic Communications Regulations 2003 (PECR)
- The Regulation of Investigatory privacy Act 2000 (RIPA)
- Official Secrets Act 1989 (OSA)
- Companies Act 2006
- Copyright and Design patents Act 198
- Trademarks Act 1994
- The Malicious Communication Act 1988
- Forgery and Counterfeiting Act 1981
- Police and Criminal Evidence Act 1984
- Contracts (Rights of Third Parties) Act 1999
- Fraud Act 2006
- Network and Information Systems Regulations 2018 (NIS)
- Telecommunications (Security) Act 2021
- The Bribery Act 2010
- Freedom of Information Act 2000
- Defence of the Realm Act 1914
can you think of any others that I should add?
Thanks Gary and Kevin and the other AVIS I can’t name for inputting!
How an organization approaches the challenge of technology and security management, well that’s the difference between leveraging technology to deliver value efficiently and effectively vs technical debt and inefficient deployment of technology which may hinder the organisation in its pursuit of its mission.
When we consider how technology is managed, we need to look at it from multiple viewpoints with different views:Read more “Organisational Approach to Technology and Security”
“You will respect my authority” … is a sure fast way to be ignored in the business world!
Much like gatekeeping, excessive focus on policies, lack of engagement with the audience and generally mandating security policies and procedures that are not practical will likely not end with a robust, resilient security posture. Read more “Cyber Security in a business environment”