Leadership

Why do “we” suck so badly at digital security…

Everything is fine until it’s not

I’ve been travelling to different organisations and visiting different networks for a while, and whilst each organisation is unique (they really are), their operating models, technology challenges and weak security postures generally aren’t as unique as the organisation itself.

One thing that does spring to mind however is that there is a massively common pattern we find with organisations.

  • Those that invest well have better postures, better technology experiences and an improved security posture.
  • Those that don’t historically invest well, well they have quite the opposite:
    • They don’t train staff
    • They have very weak postures
    • They carry an extraordinary volume of business risk

One thing that is common, though, is that all of this tends to link to financial investments, so executives and boards usually have some idea whether they are spending or not in this space. What they commonly don’t have a good view on is whether they are getting what they “thought they were buying”. Sadly, too often what they assumed was “in the box” with the “IT provision” with regards to quality and cyber security simply isn’t there. Everything is fine, until you look… then it’s less than fine! So, what can we do about it?

Read more “Why do “we” suck so badly at digital security ?”

Leadership

Cyber Realities: Impacts of Cyber to Business

Introduction

This post started out as a technical post about commonalities found in the field that vary based on business operating model, IT capability and vectors used by threat actors. Whilst writing this it led more into business leadership, governance and investment risks. How do these two subjects interface? Well, to be honest, they are the same thing seen through a different lens.

In this post we are going to look at:

  • Common Technology Deployment Models and the associated threats/risks/vulnerabilities
  • Common challenges I find in organisations
  • And finally, a question… is this the business outcome that you want

Read more “Cyber Realities: Impacts of Cyber to Business”

Architecture

The difference between what can be vs what often…

I’ve travelled all over the internet, I’ve worked with lots of organisations from banks through to small ISVs, and one thing I would say is fairly universally true: what can be isn’t what is.

There are a lot of different operating models and technologies in the world. There are lots of different specifics. This diagram here is not meant as a reference architecture but more as an indicator.

There is also a massive reality people must understand: cyber good most definitely costs more at the point of deployment than cyber bad. Cyber bad’s ROI is truly variable and in my mind is too hard to measure. One org with cyber bad can experience a significant breach (and cost) and another may have lady luck on their side.

Read more “The difference between what can be vs what often is – Cyber Architecture”

Defense

I’m the CEO, why should I care about Cyber…

Introduction

First and foremost, I’m going to start by saying if I include any cliché quotes it’s probably in an ironic context or used to show how they aren’t practically useful. Why are we here? Well, based on the title, it’s because you are either a CEO/MD or you are in a leadership position and want to learn a little more about cyber security.

I’m sure you have read the news, I’m sure you have seen vendor adverts explaining something like:

  • Zero Trust
  • The Security Skills Gap
  • How phishing can be solved through security awareness training (pro tip: it can’t)

And I’m sure on your LinkedIn feed you have seen people exclaim all kinds of crazy things like:

  • TLS Weaknesses Lead to Ransomware
  • Security is Simple (it, I’m afraid, is not)
  • Managed Security Service Providers ensure security

Read more “I’m the CEO, why should I care about Cyber Security?”

Leadership

The Security Challenges of 2021

The gaps between strategic security improvement and keeping the wolves out, today!

The Cyber Realities in 2021

Most organisations today honestly don’t have great cyber security postures. Cyber security has improved since the 80s and 90s, but common gaps can still be found in the same old areas.

So, whilst security possibilities and technical capabilities for defence have greatly improved, this hasn’t really translated into the level of change we would like to see on the ground inside organisations.

I’m writing this post after giving a talk today about the challenges I see in cyber security across different organisations, but also after watching a talk by Dave Kennedy which, from my perspective, emulates my experiences and largely my views.

Read more “The Security Challenges of 2021”

Defense

Phishing your own people – path to eroding trust…

Introduction

“Security education and awareness darling, it’s all the rage! It’s simply too hot right now.” Ok stop, let’s take a minute to get some context. It’s the year 2021, organisations are taking a battering round the globe from cyber criminals who are deploying ransomware, extortion, and fraud via a range of methods, but one you can’t not have heard of is phishing.

In this post today, I’m going to look at realities of initial access, phishing and some questions I think people should be asking themselves about the idea of phishing their own userbase. I try and look at this from multiple perspectives because I think it’s a complex subject. Let’s start with initial access methods!

Common Patterns of Access

If we look at the world of technology and cyber security, you will see lots of references to frameworks and language that are enough to send even the committed to sleep! However, let’s abstract from our TTPs, our MITRE ATT&CK frameworks and our “threat actors” and let’s talk in normal English.

Read more “Phishing your own people – path to eroding trust or a useful tool?”

Leadership

The problem with gatekeeping in the cyber security industry

Stark Realities

Imagine having an industry where you can’t be in it without already being an expert in all fields, imagine having to be able to command policy and drive strategy without anyone ever having helped you learn how to do this, imagine that you did all the activities involved with secure service and yet people say you aren’t part of the industry because your job title doesn’t have the word “security” in it, and imagine that you are told you aren’t part of the cyber security industry because you also have to worry about budgets, sales, marketing, new business initiatives, IT services and, well, anything else!

What would happen if we had this as our cyber security industry principles? Well, that’s simple…

Read more “The problem with gatekeeping in the cyber security industry”

Leadership

The Art of Cyber

Cyber Security is an intersection of different activities, processes and capabilities. It uses skills from multiple traditional roles. As such, the definition of it often seems to lie with the reader. I did a poll the other day on Twitter where ~30% of people thought a scenario I described wasn’t cyber because basically an “IT” person did the activity or they made assumptions that the IT person was told to do it (they were not). This led me to try and describe what Cyber means to me:

Read more “The Art of Cyber”

Defense

Cloud Security – 26 Foundational Security Practises and Capabilities…

That is quite the catchy title don’t you agree? Ok so that needs some work and when we think about cloud security, we need to realise that Computing as a Service isn’t a silver bullet.

One Cloud to Rule them all and in the darkness bind them

Ok so the cloud was promised as the saviour of IT and Cyber security, but the promise vs the reality? Well, let’s be frank, they don’t really match up. But have no fear – secure cloud design is here (omg cringe)! Ok, now we have that out of my system, let’s look at some basic cloud security considerations to make when thinking about cloud services.

Checklist

Ok so the world doesn’t work with a checklist; however, if you are like me you will want to use lists and aids to jog the little grey cells into action. Let’s think about cloud services and security:

Read more “Cloud Security – 26 Foundational Security Practises and Capabilities Checklist”

Leadership

Measuring Cyber Defence Success

What does “good” cyber security look like? Sure, we can run a maturity assessment and see what good indicators are, and we can create a baseline of our current state to establish where we are and what gaps we have (honestly, in real terms this isn’t something to consider; you should be doing this!), but how do we measure success in cyber security? Is every success an invisible outcome? Because one question that often comes to mind here is: just because we don’t see something, does that mean everything is ok? In the fast-paced world of cyber security, measuring success isn’t as easy as you would think. I’ll give an example of this. Let’s say we don’t monitor, we get breached, but the threat actor just performs crypto mining (let’s say this is on premises), and we never really notice in the grand scheme of the world that our energy consumption costs have increased. If we didn’t know this had occurred, we might think our security is good.

Read more “Measuring Cyber Defence Success”