Enterprise Cyber Security – post-event notes

Written on 23 September 2018, 04:22pm


Some notes following the Enterprise Cyber Security Europe event, 19 September 2018, Amsterdam.

  • @ThomLangford: When trying to hire, look for passion. Technical skills can be taught later on. Also, look for the people who care about what they do, who are full of energy, who are constantly pushing their limits and who are filled with passion. 
  • Humans are indeed the weakest link in any security system, because brains are hard to upgrade and because emotional manipulation is easy. 
  • So how do you deal with the human risk? There are 3 possible avenues:
    • throw technology at it
    • improve your internal processes (e.g. out-of-band validation)
    • or develop a continuous and adaptive security awareness program, an area where the people at Terranova seem to know what they are doing.
  • Awareness is for everybody, training is for similar groups of people (e.g. a department), education is for the ones who genuinely want to learn
  • The story of the women codebreakers at Bletchley Park is fascinating
  • Total cyber crime revenues: in the region of $1.5 trillion annually
  • Time to detect a data breach: between 99 and 197 days depending on who you ask. Either way, it feels like an eternity
  • You can actually turn a data breach into a positive development for your organisation if you manage to be humble, transparent and willing to improve things
  • Booking.com has an interesting ‘everything is a test’ culture (over 1000 experiments going live at any given time). The company brands itself as a ‘developer-first enterprise’. You must make an effort to find a compromise between security and usability
  • Preparing for the GDPR should have been easy as long as you had a user-oriented mindset. Don’t forget about the tools for user data export and user data deletion.

Photo: Over Amstel, close to the venue

Understanding security controls

Written on 23 September 2018, 03:39pm


What better way to understand the types of security controls than to put them into an example? Home security in this case.

Deterrent controls: a sticker on the front window saying that the house is linked to a security center. Or a dog house.

Preventive controls: locks on the access doors and windows. And a big dog. PS: defense in depth is critical.

Detective controls: security cameras calling up the monitoring center and/or the owner’s smartphone. Or a dog who never sleeps and who barks really loudly. PS: detective controls imply that an attack has begun.

Corrective controls: a loud, indoor siren and a system that blinks the house lights when an intrusion is detected. Or a dog that can bring more bad dogs to save the day. PS: corrective controls react to an attack.

Compensating controls: motion sensors on the outside of the building and on all the floors, on top of the ones installed on the ground floor. Or a second dog. PS: compensating controls are added after identifying deficiencies in existing controls.

Image: https://www.tomalsojerry.com/tom-jerry-solid-serenade/

A few thoughts on entrepreneurship

Written on 23 September 2018, 02:55pm


Some thoughts about succeeding with your start-up:

  • It’s the idea that matters, not the money. Money is relatively easy to get; what’s more difficult to have is a brilliant idea for your startup.
  • But to get money you need a business case. This forces you to analyse and validate your idea. Of course, more than 99% of the ideas will be either not feasible or simply rubbish. Nobody will give you money for free, and going through the analysis required by a business case increases the chances that the money is well spent.
  • Risk management is essential. After your idea takes shape and you have the necessary funding, it’s all about managing the risks. Start by identifying your assets, then look at their vulnerabilities and the possible threats. Then perform a proper risk assessment (likelihood and impact) and manage the risks (mitigate, transfer, avoid, accept). Keep looking at the risks and the implemented controls periodically; it’s likely that you will be playing in a constantly evolving environment where the risk landscape keeps changing.
  • Always be better. Just because you have something out there (a product or a service) doesn’t mean that it will necessarily bring profit. Keep asking yourself what needs it fills, and how these needs will evolve. Keep asking yourself if your product or service still brings value. You need to adapt to survive.

A discussion from my first year of university (2000) has stuck with me until now. I was chatting to one of the older students who was already leading his own business and was attending university more out of curiosity. I understood the value of an idea when he told me that he was ready to go with me to the bank and get money, as long as I came up with a business idea that could be implemented. Needless to say, after a few tries we both concluded that there was no need to bother the bank, and for the following years I kept thinking about good business ideas that never came.

Fast forward to 2012, and I was involved with a couple of friends in my first and only startup so far. We had an idea and we had the energy to build it ourselves. And we did it, and then we launched it. And boy, it was working! But soon, everything fell apart. As soon as the software product was built, we needed sales people to move things forward. We were engineers trying to solve a sales problem and not realizing that all we needed was to go to the bank and ask for money.

So in the end, doing the 4 things above offers no guarantee that you will succeed. Doing the right things at the right time takes practice. And that only comes after repeated failures.