Recently in Managing the Human Dimension Category

Special skills for special security problems


I was pleased to read in the Sunday Telegraph that GCHQ values the security skills of dyslexic young people, employing over 100 dyslexic and dyspraxic neuro-diverse analysts. I fully support this idea. Unfortunately most professional development schemes fail to recognize these abilities, generally promoting dull management capabilities rather than sharp analysis skills.

Eventually this will change, though the transition will be slow. There are however a few catalysts. My book "Managing the Human Factor in Information Security" hinted at these skills but failed to lead a revolution. It was however one of the first security books to point out the importance of cognitive skills, such as problem solving, attention to detail, curiosity, pattern recognition, and systems thinking.

Vinod Patel, a father of two boys with autism, has been more successful. He advocates the use of graduates with high-functioning autism or Asperger's to look for patterns and anomalies in big data and to use their excellent memory and procedural capabilities to remediate security threats.

He has already developed a ready workforce of appropriately skilled practitioners, as well as a source of additional resources through the National Autistic Society, with the support of Professor Baron-Cohen of the Autism Research Centre at Cambridge. Vinod has found some success in persuading security companies to exploit their talents. Just check out this remarkable video.

Isn't that a great security story? 

Security in a Land Down Under


For most of this month I've been touring Australia with the excellent CSO Perspectives Roadshow, presenting on the subject of the future of cyber security. It's been a great opportunity to meet hundreds of local security managers, vendors and government advisers. And what a super community it is.

Australia might lack the scale and technology leadership of the US, and it might be a little behind the UK in bringing together the government, industry and academic sectors. But there is a higher level of enthusiasm and openness to innovation, as well as a willingness to learn from the early mistakes of others.

Frank speaking and reporting are a breath of fresh air in a subject area that has become bogged down in compliance. It's no surprise that I managed to attract some controversial media coverage. Perhaps Australia can help lead the journey towards a better way of managing cyber security.

As Keynes once observed, "The difficulty lies not in the new ideas, but in escaping from the old ones." We need a pioneering spirit to escape the shackles of the past.


Life beyond consultancy


Donn Parker just copied me in on his critique of Harry de Maio's new book. For those of you who might be more Gen Y than Baby Boomer, I should explain that Donn and Harry were old-school cyber security pioneers. By that I mean that they figured out solutions from first principles, a breath of fresh air in the context of today's over-regulated business security environment.

Harry has certainly moved on to more esoteric activities. It's refreshing to see a former Deloitte senior executive writing alternative mystery books for adult animal lovers. Definitely a plus for the brand and essential reading for Deloitte's consultants, as well as any cyber security professional who wants to believe there's life beyond regulatory compliance.


Farewell Barnaby Jack


I was deeply shocked and saddened to hear about the death of Barnaby Jack, one of the most brilliant and effective security researchers I have ever encountered. He researched vulnerabilities in everyday devices such as ATMs with an extraordinary level of flair and imagination. Unlike other researchers, Barnaby always created an immediate impact because of his compelling presentations. He will be sadly missed by the whole of the security community.

PS - It's good to see that the Daily Telegraph saw fit to publish a formal obituary for Barnaby, an honour they reserve for "the good, the bad and the simply famous".


A poem for Christmas and New Year


Every year Alan Stockey, a well-known London banking security professional, sends me a Christmas poem with a security theme. It's a little late for Christmas Day, but then so is the snow.

Day Zero, Day Zero, Day Zero!

Network traffic outside is frightful
But the firewall's so insightful
Check the patches are all just so
Call CISO, Call CISO, Call CISO!

DDOS doesn't show signs of stoppin'
Hope the firewall keeps on blockin'
Websites have all gone slow
Day Zero, Day Zero, Day Zero!

When we finally see daylight
They've hit so many ports in the storm
Saving others from similar plight
There'll be others that you can now warn

But if the firewall's slowly dying
Not sure what you'll next be buying?
Just as long as you keep the code
Buy Escrow, Buy Escrow, Buy Escrow!


From a performance perspective I'd suggest a concert pitch of F for ease of singing. Try to get a bit of a swing feel to avoid annoying the neighbours.


Media Trends in Cyber Security


I'm now back blogging after an extended break of several weeks. Unsurprisingly, nothing much has changed in the world of cyber security, except for the media coverage, which has grown in quantity, scope and sophistication.

This trend is clear from the number of daily emails churned out by specialist briefing services, such as Team Cymru's excellent Dragon News Bytes, which seems to have at least doubled in size over the past year. It's also quite apparent that the subjects addressed are now much more sophisticated, encompassing cryptic threats such as State-sponsored espionage, as well as abstract risks such as intellectual property rights. Such coverage would have been unthinkable a decade ago.

But it's not unexpected. In fact it's quite predictable, as press, politicians and pundits gradually catch up with long lasting, subtle trends that are becoming increasingly apparent to a much wider audience. Esoteric subjects such as espionage, operating system vulnerabilities and cryptography are now regularly discussed in newspaper columns. The Internet probably publishes more classified government secrets than can be found in any intelligence agency synopsis.

So what are the trends that are currently catching the imagination of the media? Here are three to kick off with.

Firstly, there have been a number of high-profile catastrophes. For the purposes of this posting, by "catastrophe" I don't mean regular disasters such as fires or floods, though they can cause massive damage. And I don't mean "hacking", which is both unrelenting and damaging. What I'm really getting at are the digital glitches caused by inadequate software testing or bad change management. The sort of things we generally consider "cock-ups" rather than "conspiracies", if you get my meaning.

Secondly, there's the gradual realisation by military observers that cyber warfare is very, very important, though few people have any idea what it's really about. Let me rephrase that: I mean lots of people can easily articulate the problem space, but few people understand the underlying root causes or the changes needed to correct them. Hardly a day goes by without a government agency or lobbyist calling for more research and development, regardless of the thin results that have emerged from previous decades of academic and industry studies.

And thirdly, there's the growing speculation that China is becoming a little too dominant in the cyber security field. Whether it's the absolute control of the routing technology or the perceived level of offensive capability, many people seem concerned. This is rather interesting, as the cyber battle space appears (at least to me) to be a relatively level playing field, characterised by a handful of bright individuals drawing on a relatively similar set of tools and techniques. It's certainly not an arms race of the kind we have experienced in the nuclear space. Nevertheless there are lots of reporters and TV producers exploring this area and even a few conferences dedicated exclusively to this subject. (Who can justify attending those?)

Over the next few blogs I'll explore some of these trends and suggest what the longer-term implications (as opposed to the short-term media interest) might be. Many people in business-focused roles might wonder what on earth the relevance might be to their everyday programmes, but, believe me, press coverage and the resultant citizen perception have vastly more influence on employee behaviour than industrial-strength awareness campaigns.


Impressions from the East


I'm just back from a week in the Far East, where I was opening the 13th Info-Security Project Conference in Hong Kong. It's a couple of years since I last spoke at this conference, so it was interesting to observe the trends and progress in the region.

This year's conference was longer and well attended. Key themes included infrastructure, consumerization and mobility. There's no doubt that bring-your-own-device is this year's hot topic, though it's been creeping up for a while. Cloud security is also a hot topic.

I left with an impression that this region is learning fast. Discussions with local security managers revealed a high level of maturity, as well as a healthy degree of openness to new ideas and change. Unlike the US and Europe, compliance has yet to blunt the enthusiasm of security managers.

Of course there's little new under the sun. You see the same techniques and technologies in action, but often with a regional twist. One leading company I spoke to, for example, had implemented risk assessment with anonymous voting, rather than open discussion, to avoid staff being unduly influenced by the views of their bosses.

The thing I found most fascinating, however, is to observe how networking varies around the world. In the US, breakfast meetings work best. In London it's dinner or perhaps after-work drinks. But Hong Kong remains one of the last bastions of the business lunch.

Death by a thousand facts


Death by a thousand facts is the title of a recently published academic paper by Geordie Stewart and me. It sets out to examine why mainstream information security awareness techniques have failed to evolve at the same rate as automated technical security controls and to suggest improvements based on psychology and safety science.

Awareness programmes should not simply broadcast facts to an audience in the hope that behaviour might improve. They can be substantially improved with a little analysis and an understanding of the learning points from more mature fields such as safety.

It's an excellent paper, though I have to admit it's largely Geordie's work. He has an excellent knowledge of the application of psychology to analyse and solve security problems in industry. Unfortunately you have to buy it to read it.


Trust and Society


I used to think that Bruce Schneier was out of touch with industry CISOs, but now I think that they are out of touch with him. He's come on tremendously in recent years. I saw him present to the United Nations last year and he was awesome, reflecting a lot of research and deep thinking about important issues such as trust, risk, surveillance and cyber warfare.

I shall be ordering a copy of his new book "Liars and Outliers". It's about trust, a subject I find both relevant and fascinating. Trust is a phenomenon that few security researchers seem to understand. The problem is that it's a means to an end, and makes little sense when studied in isolation from its purpose.

The nature of trust is also changing as we move from an industrial-age-dominated business landscape to the information age. I find this paradigm shift is neatly captured by two Russian proverbs. The first, ascribed to both Stalin and Lenin, is "Trust is good, control is better", which encapsulates industrial-age thinking for vertically integrated enterprises and societies. The second, made famous by Ronald Reagan, is "Trust, but verify", which reflects our best endeavours for managing situations in a modern, diverse supply chain that is increasingly beyond our direct control.


Communicating information quickly and efficiently


Information security practitioners have long been poor at developing awareness materials. Partly this is because misguided governance systems focus on legalistic policies and procedures that no one ever reads. (When was the last time you read an instruction manual?) It's also because security professionals are not trained in the art of designing effective communications materials. We need to tackle both of these weaknesses.

Unfortunately, the growing wave of regulatory compliance means that there is little prospect of the governance side being improved, as established security standards are rooted in an outdated, paper-based quality model, designed more for churning out identical widgets than for inspiring people to safeguard intellectual assets.

Progress with the human aspects is likely to show more promise. At least the problem is recognised, though the interventions leave much to be desired. (The UK strategy appears to be to leave everything to a single underfunded web site, Get Safe Online.)

On the bright side, however, more and more academic courses are including human factor considerations. It's a big subject and expertise is thin on the ground. Lessons can however be learnt from other fields. Safety is one. A good place to start is to study the art of designing road signs. The BBC News website has an interesting feature on this, which makes some excellent points.

It also raises the obvious question of why we don't have universally recognised warning signs for information security risks. Now that would be a good idea, though it's unlikely to be taken up by a community that believes that hundreds of pages of policy guidance are the answer.

Postscript:

Many thanks to Andrew Yeomans for pointing out there is an excellent example of the use of warning signs in the SPIDER project by Pete Burnap, Jeremy Hilton and Anas Tawileh.


About this Entry

This page contains a single entry by David Lacey published on September 22, 2014 7:39 PM.
