Friday, November 09, 2012

Conference planning for 2013

I'm having a look at conferences for next year, as I have spoken at quite a few over the past couple of years, including AppSecEU, eSecurity Scotland Summit, Institute of Internal Auditors, ISACA and IISP events.

Top of my list for the year is the grass-roots security conference: B-Sides London, which I got to in 2011, but unfortunately missed this year. It's in the calendar, and I may propose a talk if I can get time before the CfP closes at the end of November. It coincides with Infosec, which is much more vendor focused, but the pair of them offer some excellent networking opportunities. is another one I'm looking at. I haven't been, but the Abertay guys are a good bunch, and this is just an hour up the road for me.

I will have to liaise with the team to see if I can take along some Security.StackExchange swag - T-shirts, pens, torches, stickers etc.

Any other thoughts on which conferences I should get to?

Thursday, November 01, 2012

And the Evening...

Now my IIA conference piece is finished, I can focus on tomorrow evening - Metaltech is one of the headline acts at the Alba Underground Scottish Industrial Music Festival.

We have been working hard to plan a session of hard rock, lasers, glowsticks, techno, fire-breathing guitars, audience based pyrotechnics and bubbles. Yes - bubbles. If Ozzy can use them, so can we!

Timing seems perfect, ISACA Now just published this article on my double life - and I hear from more and more people in security who have a deep interest in rock, metal and similar genres of music.

If you can make it - come and say hi. If not, enjoy a little number called Sell Your Soul, which harks back to some of our influences:

The Day Job

I was invited to talk to the Chartered Institute of Internal Auditors today, at their annual event. This was hosted at the Hilton in Dunblane (lovely setting, by the way - I recommend it!).

The theme of the event was around the auditor being a 'critical friend' which supports a large proportion of the work I do with audit, IT, security, risk, compliance and governance teams, namely:

Leveraging the skill sets of these teams and communicating will help you understand risks in your organisation!

With the rate of change of technological advances, and the associated new risks, your audit team are not in an ideal position to know about the new security risks a particular technology brings. But your security team may well know all about them already. So they should talk to each other.

In the echo chamber that is the security industry we harp on about this a lot - we understand security and often seem puzzled why others don't 'get it', but it is because we have our own peculiar jargon, terms, ratings etc.

The focus of my talk was on communication - being able to translate this jargon into business language. This goes for all specialist teams, to be honest - you all need to be able to get your information across to the FD, the COO, the business unit lead or whoever, in their terms, otherwise you will be ignored!

It was perhaps a challenge, being placed right after lunch, and right before Karl Snowden's political awareness talk, but I enjoyed myself, and I had enough people come to talk to me about the subject that it must have resonated with a few of the attendees.

Many thanks for inviting me, hosting an excellent event, and I must congratulate the venue on the awesome chocolate chip cookies!

(My only problem now is that with KPMG sponsoring this event, I now have an EY umbrella and a KPMG umbrella - and with my OCD I'm going to have to complete the Big-4 set!)

Friday, June 15, 2012

e-Crime Scotland Summit

On the 21st of May I presented a short talk at the inaugural e-Crime Scotland Summit, hosted by RBS at their excellent conference centre in Gogarburn. This event was introduced by Kenny MacAskill, Minister for Justice, and boasted a wide range of high profile security professionals from the Police, consultancy, financial services, retail, penetration testers, audit and CISOs. Some talks were quite technical, and some at a very high level - such as Richard Hollis' "Zen and the art of Threat and Risk assessment".

280 attendees registered for the event, which was reported in local and national news, and the feedback is incredibly positive - the aims of e-Crime Scotland are to equip Scottish businesses with the knowledge and tools to be "aware, vigilant, informed and ultimately safe from the destructive effects of e-crime in all its forms."

There were core themes running through the event - the key threats from organised crime, the technological capabilities of attackers and defenders, and the value of awareness training for all staff.

I spoke on Scams, Phishing and Malware - and the majority of my talk was aimed at describing just how reliant the majority of attacks are on people. While there are technical controls which can mitigate risks - which are used by many organisations - getting the people side right is critical!

I also used some of the results from PwC's biannual Information Security Breach survey to demonstrate why this should be of interest to all the attendees, who included heads of security, CISOs, CIOs, auditors, FDs, police officers and others.

The report includes some interesting numbers in the executive summary:
  • 93% of large companies had at least one breach last year
  • The median number of attacks last year was 54 for large companies
  • The cost of the biggest breach averaged between £110,000 and £250,000
  • 45% of large companies had breached data protection laws in the last year (one in ten of these said it happened at least once a day)
  • 73% of large companies outsource business processes, but carrying out checks of providers has not kept pace

Have a read - there are some very interesting summaries in there, and along with the Verizon DBIR it gives a good overall picture.