What I’ve learnt writing cyber strategies with grand scopes
Black Swan Security
by Phil
2y ago
As part of my new role, one of my first tasks has been to develop a cybersecurity strategy for the Health and Social Care sector. I was recently asked: “How do you write a cybersecurity strategy for something so big and complex?” I’ve learnt a few lessons here and in previous roles about writing strategies with immense scopes that cross organisational boundaries, and I think they apply as easily to a cyber strategy for any large organisation. Still, the size and complexity of Health and Social Care made these even more important lessons to bear in mind this time. Don’t start from failure. The…
What do we protect in Cybersecurity?
Black Swan Security
by Phil
2y ago
I’ve moved from the private sector back into the public sector, focusing on Health & Social Care. During my work, I am regularly reminded of the government security doctrine that was in effect when I last worked in the public sector many years ago; its influence remains even as it has now been retired and superseded. The older Information Assurance (IA) doctrine has been replaced by a combination of Information Governance (IG) and Cybersecurity. IG now has a much stronger focus on data protection, privacy and rights. Cybersecurity appears to be doing the activities that information securit…
Managing Identity Consciously
Black Swan Security
by Phil
3y ago
I had cause recently to participate in a workshop considering identity across an enterprise and I wanted to share some of my thinking which was unexpectedly useful. Identity is a slippery thing: it has real-world hooks, but in the digital world it can be many-faceted and complex. Both real-world and digital identities are heavily context-dependent, and in both domains there is a temptation to simplify for ease of administration, as well as to reuse across contexts, without considering the implications both for the subject of the identity and for transactions then conducted with that identity by the o…
Why I don’t like PIGs in Security Risk
Black Swan Security
by Phil
3y ago
Probability times Impact Graphs (PIGs), sometimes called a risk matrix, are endemic in security risk assessment and management. They were adopted decades ago and embedded within standards and practices. They’re still there and extensively used across the discipline despite the academic work since they were introduced which has shown that they make decision making worse. The problem is that they are easy: easy to read and easy to make in non-specialist software. That makes them hard to dislodge, and they attract passionate defence from practitioners because of that ease, ignoring the harm they do. Figure…
Security Folkways and Deliberate Security Culture
Black Swan Security
by Phil
3y ago
Security culture remains an elusive, amorphous ‘thing’ that we all aspire to improve but don’t really understand why or how. This is not unusual in organisations and institutions that try to understand why the interactions and communication between the people who make the goals of the group happen take on a particular ‘flavour’, and why some organisations or institutions embody flavours that we deem to be good or bad depending on our own moral compass, professional needs and perspective. Simon Wardley writes eloquently on what culture in an organisation may mean. I have often been frustrated or un…
Homebrew Monte Carlo Simulations for Security Risk Analysis Part 2
Black Swan Security
by Phil
3y ago
Previously I wrote about how I had implemented the simple quantitative analysis from Doug Hubbard’s book ‘How to Measure Anything in Cybersecurity’ in JavaScript. When I wrote that code for Monte Carlo simulation I was working with percentage probabilities derived from expected rates of occurrence, which I spoke about here. This was a bit clunky and really fell down with high rates of occurrence (2 or more times in the period under analysis). I briefly swapped messages with Doug later last year and he suggested that the Poisson distribution was likely what I needed, either that or reduce the…
Open Security Summit 2020
Black Swan Security
by Phil
4y ago
This was a busy week, but once again the Open Security Summit proved why it is one of my favourite events on the security calendar. There is now a huge list of content recorded at the summit and during the training sessions available for free; I will be returning to this over the next few months. I let Dinis Cruz talk me into doing way too much. But I enjoyed the process and was made to look a lot better than I am by Robin Oldham, Alan Jenkins and Mario Platt among others. I had some great conversations and made some new contacts with similar interests. My first presentation with Robin was…
Commercial & Government Cyber Conversation
Black Swan Security
by Phil
4y ago
In these remote-first times I recently took part in a Zoom conversation led by Henry Harrison at Garrison on the growing similarities between commercial and government cyber security. I was joined by Russell Kempley, James Chappell and Bernard Parsons MBE. We ranged from the constraints of high-threat club government security to digital transformation and the evolution of threat intelligence. A fun chat…
Through the barricades..
Black Swan Security
by Phil
4y ago
I was speaking with a peer recently about the value of bow-tie diagrams and how they allow you to separate controls from mitigations, and it became obvious I was using these terms in a way that needed to be explained. Barrier model risk methods developed in the safety and reliability world, where a hazard was defined either as a source of danger to an asset we want to protect or as a trigger of an undesirable event or accident we want to avoid. The barriers could be technical, operational or organisational and should be independent of each other. The barriers are either proactive or reactive depend…
Modern Security Risk Presentation
Black Swan Security
by Phil
4y ago
I was recently asked to present in a remote session at the ISC2 Thames Valley Chapter on Modern Security Risk. I’ve not presented remotely like this before, but while it was unusual not having the audience visible to see their reactions, it seemed to go very well. There were a few requests for the slides, which have gone out to the chapter via email, and I’m posting the PDF here for the non-members that attended. Modern Security Risk Presentation, 30th April 2020…