
Tuesday, 08 Sep , 2015

Security Knowledge Curveballs & The Pro-Am Challenge


Sense checking our own security nous and a challenge to pick an amateur and make them a savvy super evangelist

The problem causing the dip in my often prolific blog posting is my arrival at a particular point on the security (or anything) knowledge and confidence curve. Rather than deep navel gazing (emphasis there on the gazing, not the navel) I’ll illustrate via the pictures and words of funny and smart folk:
In other words I’m sandwiched somewhere between Dunning-Kruger and Bertrand Russell.
While being super busy doing security lately, I’ve been casting a critical eye over what I produce and the conversations I have.
The compact and bijou public profile I’ve acquired is a novel thing and phrases like ‘great thinker’ have been bandied about…it’s a dangerous place to be.
Am I Too Stupid To Spot That I am Being Stupid?
The answer (I am pretty confident) is no. I checked carefully and asked lots of folk much smarter than me. So on to the secondary question: is the doubt I feel about the stuff I write valid? A tougher one. Is it mainly an interpretation of common sense…yup. Does it feel bleeding obvious to me most of the time, and so potentially simplistic and echo-chambery to others…perhaps. Can I possibly have a handle on all the information pertinent to the point I’m making…nae chance.
Allowing for all of that I’ve decided, on balance, I’m on another fun learning curve rather than vociferously and blissfully clueless.
On the other hand, the people paying so little attention to people risk…and the people who’ve given up on educating users…
You get where I was going with that.
Hopeless & Clueless or Hard Done By?
So, in a fundamental review of where I am, where I can go to add most value (and ways not to go loopy), it looks like a people risk, training, and awareness focus is in my nearish future. Starting, rather excitingly, with access to some movers and shakers in BIG corporates who are supporting effort to create a security awareness maturity model. Nothing publishable may come of it. It’s just for a group to mutually benchmark, validate and build upon what they do now, but aren’t we dying for that in our industry?
Yes all the piecemeal, narrowly focused, generic stuff imposed on users isn’t working. But please let’s keep our nihilistic powder dry until some good stuff (informed by hard lessons learned in other related disciplines), has been given space, time and financial support to roll for a while.
Then, by all means, ride back in on your “negate user stupidity with tools” tank…
…or perhaps turn to the person next to you and stop judging their luser ignorance long enough to give them tips and solutions in a personally meaningful context. Maybe also take a long hard look at why they gleefully swerve controls and ignore advice (are your tools and processes really fit for daily business and home computing reality?).
The Pro-Am Security Challenge – A Gauntlet Chucked At The InfoSec Crew
Education isn’t the preserve of the young. Heck I’ve been getting schooled a bunch lately. Not least at Shmoocon, and by friends indulging my desire to hack and code a bit. And let’s face it, security is both incredibly cool and spectacularly hot right now. You are guaranteed to have a subset of non-specialists who’d snatch your arm off for a non-judgemental leg up to do better. Or, in other words, some Pro-Am security mentoring.
Builders building a pyramid with the help of a crane
How’s about that for a start for all of us – pick a user and teach them skillz. Ideally someone from the middle management ranks who briefs the big guys and influences down and out from where they sit in your world. How often have you wished they had even half a clue how much effort goes into the security day job? Yeah, me too. So let’s get off our backsides and do something about it.
Implement a shadowing scheme. Relate what you do to their concerns about their own and their children’s safety. Show them how that local effort grows exponentially in a business context. Bring them to the next con, a con we could petition to put on a Pro-Am Capture The Flag, social engineering challenge or other such fixture. Make it a point of pride if you have the best non-specialist body under your wing. Win a Pro-Am challenge. Stick it on your CV and trumpet it as both an expertise and communications skills win. Get them to feed back on what they think could help mature security. Plug their fresh and different perspective into our frequently jaded, often siloed and sometimes arrogant world.
Pyramids were built one block at a time, and many slaves were killed in the process. Shoving boulders about on logs is roughly analogous to what we’re doing to ourselves and staff right now. Sure, you don’t get spectacular results without sacrifice, time and heavy lifting. But why not chuck some monster machines at this (in terms of expertise, time and sponsorship) and throw up a monolith that proves the doubters wrong?
