Peerlyst: Essentials of Cybersecurity

PEERLYST e-book: “Essentials of Cybersecurity”

In almost 4 years, and over 250 blogs, I have only promoted something – other than myself of course – once: The Analogies Project.

I find myself doing the same thing for PEERLYST for much the same reasons; 1) its purpose is to educate, not sell, 2) its members are incredibly generous with their time, and 3) it’s free. I recommend that anyone already in, or who WANTS to be in, the field of cybersecurity not only join, but actively participate.

To me, an important measure of any of these forums is the output. I’m not looking to promote myself or my business – that’s LinkedIn; I’m not looking to vent – that’s Facebook; and I’m not looking to be as pointless as Donald Trump – that’s Twitter. Therefore, a forum that allows me to share my knowledge with anyone desperate enough to listen, as well as support me in the countless instances where I need guidance, will get my attention.

As for output, PEERLYST recently published a new e-book – their second – free to all members: “Essentials of Cybersecurity” [the link will only work if you’re already a member]. It consists of 10 chapters, the first of which I was given the honour of writing:

  1. Starting at the Beginning: Why You Should Have a Security Program by me
  2. Understanding the Underlying Theories of Cybersecurity by Dean Webb
  3. Driving Effective Security with Metrics by Anthony Noblett
  4. A Security Compromise Lexicon by Nicole Lamoureux
  5. Building a Corporate Security Culture by Dawid Balut
  6. Why People Are Your Most Important Security Asset by Darrell Drystek
  7. Basic Security Hygiene Controls and Mitigations by Joe Gray
  8. Understanding Central Areas of Enterprise Defense by Brad Voris
  9. Telecom Security 101: What You Need to Know by Eric Klein
  10. Strengthen Your Security Arsenal by Fine-Tuning Enterprise Tools by Puneet Mehta

Some of these folks not only donated significant amounts of their time on this e-book, but have already signed themselves up for one of the THREE new e-books already in the works! THIS is the kind of forum with which I want to be associated.

Go take a look, hope to see you there.

[If you liked this article, please share! Want more like it, subscribe!]

What Will Brexit Mean for Cybersecurity?

No idea.

But let’s be honest, everyone will be making wild speculations at this point, just as ‘experts’ in every other field will be. The only thing for certain is that the UNcertainty will be used by security vendors to try to scare UK companies into buying something.

This one is unrelated, but is actually very good and you should read it first; Brexit: The Implications for the Insurance Industry.

Two of the pending EU laws in the pipeline that will be most cited are the Payment Services Directive 2 (PSD2) and the General Data Protection Regulation (GDPR). While neither of these relates to information security per se, security is an enormously important component of each, and penalties will be commensurate with the egregiousness of the data misuse/loss.

The UK would have had to make these law within the next 2-3 years, but now what? If we’re not IN the EU, do we have to follow the EU rules? Can’t we just do our own thing, like the US?

Well yes, we could, all we’d have to do is adopt something like Safe Harbor and all EU countries would be more than happy to do business with us. Right?

I don’t think so somehow.

Clearly the UK would never put itself in that position [praying silently], and seeing as both PSD2 and GDPR are fully supported by the UK, I would very much doubt any UK-only law would be markedly different. But ANY difference will still complicate things for UK businesses. It will likely require UK organisations to be far more pro-active in the demonstration of their compliance than would otherwise be necessary.

And if there’s one thing that no organisation I have ever come across is good at, it’s the demonstration of good security practices.

Not one.

Luckily for us, there is absolutely nothing in ANY regulation of which I am aware that requires anything more than ‘appropriate’ controls. From the GDPR for example; “Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.”

This is the greatest thing about my chosen career; information security cares nothing for law, regulation, compliance, geography, or politics. It’s about a piece of data, on a computer, that someone wants to steal. Everything else is just reporting.

However, getting to the point where the demonstration of compliance is business as usual, is extremely difficult. Not complicated, just difficult. It’s actually very simple, all you have to do is get the CEO/BoD to care about it and it will happen. Easy, right?

UK organisations had 2 years from May 25th to demonstrate compliance with the GDPR, now [potentially] they have to demonstrate their equivalent compliance to every EU business with whom they want to transact. And you thought answering RFPs was bad now!

Nothing will change anytime soon, but in the meantime, just do what you know you should have been doing all along, but start now.

Don’t know how? Ask.

Why I Offer a ‘CEO Discount’

A CEO discount is when I offer an organisation a 10% reduction on my consultancy day-rate if they can arrange a 30-minute, 1-on-1, face-to-face meeting with the CEO.

Sound like a gimmick? Well, it is partially, I’m trying to run a business, but it’s also extremely beneficial to both sides. Not only that, it addresses the most fundamental of all security challenges; management buy-in/support.

Manager or Leader? I’ll Take The Third Option Please

Have you ever noticed that a lot of organisations purporting to embrace change and innovation end up hiring the same type of people who are the majority cause of their current challenges?

‘Talent acquisition’ is much like the famous [mis]quote by Henry Ford; “If I’d asked my customers what they wanted, they’d have said a faster horse.” By sticking to standard job descriptions and not looking for PEOPLE to fulfil the leadership’s vision, companies will get what they ask for, and not what they need.

I’ve never seen a job description yet (that wasn’t written by me, FOR me) that did not set me up for failure before I even began. There are people much better at certain things than me, who may actually enjoy doing them; why would you give those things to me?

Worst of all, above a certain level of seniority, you wind up being lumped into one of two categories, and if you’re REALLY unlucky, both; Leader and/or Manager.

What if you’re neither?

Here’s a little experiment I conducted:

I typed; “books on leadership” into Google and got >271,000,000 hits. If even 0.1% of those are ACTUAL books, that’s 271,000 books on leadership, some of which may even have been written by a true leader. Possible, but unlikely.

Then I typed “books on being a manager” and got >170,000,000 hits. If I apply the same criteria as above, that’s another 170,000 books to plough through.

Finally, I typed “books for neither a manager or a leader” and these are the top 5 hits;

  1. 3 Things That Separate Leaders From Managers – Business Insider
  2. Managers and Leaders: Are They Different? – Harvard Business Review
  3. Why All Managers Must Be Leaders – Forbes
  4. Leaders and managers, leadership and management … – CIPD Courses
  5. Why Managers Can’t Lead and Leaders Can’t Manage

OK, so I’ve completely tipped this in favour of the point I’m trying to make, but not ONE article on the first 5 pages of hits gets close to what I’m saying, which is;

People who are very good at what they do don’t need to be a Leader or a Manager, they need a great leader in whom to believe, and great managers to get the right people on board.

My favourite phrase on leadership is on www.despair.com; “Leaders are like eagles, we don’t have either of them here.” The same could be said for managers. Both leadership and managing people are talents, not skills, and the really good ones are equally rare.

What if the skills you need, even temporarily, are actually in someone who’s neither?

A good leader has specific attributes that VERY few people have (hence LEADer I suppose), and I truly believe leadership is not something you can learn.

A good manager is, to me, someone who can recognise the talents and skills you HAVE, not the ones they either a) think you might have, or b) want you to have, or c) need you to have for the job at hand.

Focusing on these 2 senior-level talents ignores the vast array of other talents that require neither of these attributes to provide enormous benefit. Call them subject matter experts, gurus, trusted advisors, or a whole host of meaninglessly clichéd names, what you get is the same; someone who can take the leader’s vision, and translate it into something the managers can act upon. Leaders usually can’t manage, managers should rarely lead, and neither has the necessary talents / skills / knowledge to bring the vision to life.

So if you have failed at fulfilling either of these roles (as I have many times), maybe they are not for you. But what you DO have could be of equal importance, if you know what it is.

No one likes to think they’re not a good fit for a senior position, but there’s little reason to extrapolate one or two bad ‘corporate’ fits into the rejection of an entire line of opportunities. Just make damned sure you ask the right questions up front. No you can’t guarantee an honest answer, but hopefully you’ll know pretty quickly if they sold you down the river.


Agile + Lean + No Vision = ?

In the digital age, the need to transform your business in the face of competition is only going to become more important, and more difficult. Start-ups can build all of this in from the beginning, and have a whole host of success and horror stories from which to choose their inspiration. Large organisations that have developed slowly over time do not have this luxury, but the fear of ‘disruption’ has them scrambling madly for a way forward.

Increasingly, they are turning to Agile and Lean as ways to kickstart their business transformation efforts.

Let me be clear, I have nothing against either of these tools, but that is all they are; tools. They are a means to the end, not the end itself, and over-reliance ON the tools will eventually lead you astray. Unless the business goals drive the tool choice, and NEVER the other way around, all the action items in the world won’t get you where you need to be.

This requires a Vision.

And not just one vision, you need a vision per department. There’s no point trying to promote change when your HR department still hires people in exactly the same way, and is looking for exactly the same ‘corporate fit’. What you’ve always had got you here; only something else will get you somewhere different.

In security, for example, a vision statement goes something like; “We will provide world-class defence for all information assets to enable and optimise all corporate goals and exceed client expectations.”

There are millions of these vision STATEMENTS out there, but three things that a lot of organisations that tout them seem to lack are; a) an understanding of what “defence for information assets” actually entails, b) what the most important things are to the foundation of such an effort, and c) the ability to execute that plan at the right level.

For example; everyone who’s been in security for more than 5 minutes should know that without a policy framework, you have nothing to build your security program on. You then work out very quickly that any policy framework not signed and evangelised from the highest levels of an organisation will be basically ignored. An information security policy framework (ISPF) signed by the CSO is unlikely to be followed wholeheartedly by the other C-levels; an ISPF signed by the CEO will.

Quick Advice: If you’re a security expert, never work for someone who is not prepared to at least ask the CEO to sign something, especially policies, it’s just not worth it.

It is very easy to bandy words like Agile and Lean around, especially if you’re the one doing the delegating, but it’s very difficult to LEAD a team when you yourself either haven’t defined what your vision looks like, or worse, you don’t have one and you simply regurgitate things you’ve just read in a book.

Frantic energy expended on a series of action items [Agile] assigned to a few key people [Lean] is one thing, doing this with a vision of what SHOULD be is quite another.