In your opinion, what are 3 key elements to succeed in a positive security culture, and what tips can you provide to implement change, successfully?
To place this question into a quantifiable stack amounting to just three critical elements may be considered a difficult challenge within the complex world of what we now refer to as cyber. But that said, let us pick on the three cornerstones of our security table, acknowledging that our fourth corner should represent common sense (which of course should be re-branded “rare sense”).
Element Number 1 is without doubt to rid our total reliance on convention, all the while becoming more proficient in seeking out the unknown unknowns and developing our capacity to be predictive. In other words, we should not limit our purview to that which we know; we must look closer, wider, deeper, and higher to gain a glimpse of what may be coming at us in the future.
Number 2 in the element stack is that of main board support. We hear it all of the time, but sadly, in a majority of cases, this is hot-gas that is spouted in order to present a better case to the shareholder, media, or other externally interested parties. If such support is in place and you do decide to mention it, assure it is realistic and engaged.
And then at Number 3 we have that old topic of skill. Do not for one moment think that if someone can roll out words like pen testing, the ISO, obfuscation, or data privacy, it makes then a valuable candidate for looking after your cyber trinkets. This person has so far only proven themselves to be a good salesman and possibly an exceptional social engineer. So when you are looking to enhance the security team by bringing on capable people, make sure your new employees understand your team’s functions and duties at a level which will augment your productivity and not hinder the organization’s overall security with meaningless or even dangerous lip-service.
To close, I recall some years ago a question that was posed to a CTO on TV. When asked “Are we winning the battle against the hackers and bad guys?” the CTO responded “Yes, I rest my case on this testament to self-promoted arrogance to pay lip service to fact.”
John is the Principle at Shadow-Intelligence (Si), partnering with PALISCOPE, BreachAware and iStorage. He is a Visiting Professor at the School of Science and Technology, Nottingham, Trent University (NTU) and holds the appointment of Editor in Chief for the International Journal of Cyber Forensics and Advanced Threat Investigations (CFATI). For the last decade he has delivered training courses in the Middle, and Far East to Commercial, Industrial, the Financial Services Sector, and Military Agencies, including the UAE, US, Pakistan, Saudi Arabia, Malaysia (KL), Singapore, Argentina, and Sao Paulo
He served in the Royal Air Force 22 years’, specialising in Counterintelligence, working with UK Agencies such as GCHQ/CESG, and others in the fields of SIGINT, COMINT and Satellite Communications, holding appointments such as System ITSO for a CIA SCIF.
In the commercials sectors of IT/Cyber he has worked for/with Logica, Bae, T5, GM, Experian, Betfair, Palace of Westminster, House of Lords/Commons, TSol (Treasury Solicitors) and provided Consultancy to the Saudi Arabian MOD, TRA (Telecommunications Authority (Dubai) and the Military Academy of Malaysia (KL) on SOC, CSIRT, Digital Forensics and OSINT. Within the last 5 years he has focused on Geopolitics, with global expertise around the UAE and Russia, Anti-Terrorist Operations (ATO), Cyber-Warfare, Dezinformatsiya (Disinformation) and Maskirovka (Military Deception).
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.