Why is Jersey introducing a new Cyber Security Law?
Palmer on Cyber — Matt Palmer
by Matt Palmer
1M ago
Launch of Jersey Cyber Security Centre In 2021 I took a new role as Director of Jersey's newly formed cyber response unit. We've come a long way from an initial concept as CERT to a full operational capability as Jersey Cyber Security Centre. And I suppose that's a good place to start. But it's just not going to work unless we change it up. Why is Jersey different? In recent years organisations have adopted new technologies and systems faster than ever before. That's even more the case in an innovative digital island such as Jersey - and in doing so, they’ve opened up new opportunities that ha ..read more
10 steps to effective board leadership on cyber security
Palmer on Cyber — Matt Palmer
by Matt Palmer
2M ago
How Boards can clear the path for effective cyber risk management. You don’t have to be an expert to ask the right questions. In just a few years, cyber has transformed from the nerd in the corner into the Kim Kardashian of risk. Everyone, it seems, has an opinion on the issue. That’s because it’s serious — businesses can be built on, and destroyed by, cyber risk. The World Economic Forum’s Global Risks Report has consistently ranked cyber attacks among the top seven risks facing the planet in terms of likelihood and impact, while high-profile CEOs including Warren Buffett of Berkshire Hath ..read more
When Cyber Security Board Reports Fall Short
Palmer on Cyber — Matt Palmer
by Matt Palmer
2M ago
Telling the board about cyber security problems and plans can help a company be ready for and deal with cyber attacks. Reporting cyber security to the board involves a delicate balance. Cyber security technical details need to be turned into strategic plans that match the organization's risk tolerance and business goals. Cyber security board reports take time and effort to get right - but what can go wrong? Is your cyber security reporting hard for board members to understand? The simple truth is that most cyber security board reporting fails due to a consistent set of issues. Using too much ..read more
Does moving to the cloud mean compromising on security?
Palmer on Cyber — Matt Palmer
by Matt Palmer
2M ago
Will moving to the cloud improve cyber security, or are cloud services an unnecessary cyber risk? The transition to cloud computing is an evolution that many organisations are still undertaking to improve efficiency, scalability, and flexibility in their operations. Cloud services offer recognised advantages, such as moving IT infrastructure costs to operating expenditure rather than capital expenditure, enhanced governance, and better collaboration; however, they also introduce specific security considerations that need to be addressed to protect systems and data from compromise, and to maint ..read more
How to get fast board buy-in for your cyber security project
Palmer on Cyber — Matt Palmer
by Matt Palmer
2M ago
To experts, the business case for cyber security change programmes can seem clear as day — it can be hard to understand why rational business leaders may say no to investment. Yet they do. Here’s how to get a yes. Winning board support for cyber security projects is a critical challenge for security leaders and Chief Information Security Officers. Recently I was asked by a CISO (let’s call him Robert) why his Risk Committee pitch was not being heard. This was not an issue of slide content: the topic was important and the case for change was clear, but the committee simply did not seem engaged ..read more
Lessons from the MGM cyber attack
Palmer on Cyber — Matt Palmer
by Matt Palmer
2M ago
On September 12, 2023, MGM Resorts International experienced a cyber attack that resulted in them shutting down their systems. The investigation is ongoing, but crime groups Scattered Spider and ALPHV are believed to have used social engineering to hack into the company. What do we know now? And what can companies do to avoid being the victim of such scenarios? The MGM system shut down MGM tweeted September 12 about a “cybersecurity issue affecting some of the company’s systems.” They had to shut them down to protect customer data and their entire infrastructure. However, the issue persi ..read more
Project assurance skills and Prince 2 for IT auditors
Palmer on Cyber — Matt Palmer
by Matt Palmer
2M ago
The challenge of IT Project Assurance Project assurance can be a challenge; change programmes are notoriously complicated with many dependent parts contributing to an overall goal. Project managers often have a different view of success to their sponsors. Processes, governance, control and approach vary wildly. Controlling projects through effective change management and governance increases delivery cost, and should reduce delivery risk accordingly. But sometimes it just increases cost, and it all goes wrong anyway. If you’re auditing projects, you may not have run major projects. So it’s imp ..read more
A personal experience of CISSP boot camp
Palmer on Cyber — Matt Palmer
by Matt Palmer
2M ago
Information risk and security is an infinite field of work and study. You can spend your whole life trying to gain the width or depth of knowledge necessary to do the job competently, and every day feel you know a little less than the day before. At the same time, it’s one of the least mature professions you can find. It has been born from a computing industry less than a century old, yet in many ways has grown beyond it. It’s often unclear whether it is a technical field or a management one, with passionate advocates arguing both that there are too many policy wonks and it’s time to get back ..read more
Should I get CISSP Certified?
Palmer on Cyber — Matt Palmer
by Matt Palmer
2M ago
The focus of CISSP is purely Information Security. Having said that, it’s a very big field. CISSP’s reputation as a certification is for being ‘a mile wide and an inch deep’. In fact it’s so wide that rather like the Great Wall of China, you can probably see it from space. That, and not technical depth, is what makes it hard. That’s a limitation too - CISSP means you understand something, but not that you know how to do it. And that does make sense, because it is extremely wide and you can’t possibly be an expert in everything. However, it is not an auditor-specific qualification so it is compl ..read more
Should I get CISM Certified?
Palmer on Cyber — Matt Palmer
by Matt Palmer
2M ago
The Certified Information Systems Manager (CISM) qualification is provided by ISACA, and roughly on a par with its CISA IT audit qualification. It is a certification for IT security managers, and like CISA tries to strike a balance between technical IT knowledge and business understanding, with a focus on information risk management, information security governance, incident management, and developing and managing an information security program. It requires a four-hour multiple-choice exam and five years’ relevant experience in an information security management role, although part of t ..read more
