There is often a lot happening in the world of cyber security: new threats, new exploits and new products. Don’t get us wrong, there is a lot of cool technology, and we appreciate that. But, at least on the surface, a lot of the defensive advances look to be very bottom-up and technology-focused. It is easy to lose sight of the context: what matters to us, what we want to protect and, yes, even enable.
Join us as we get together for unscripted conversations about a broad range of topics and relate them to cyber security. We’ll draw on various disciplines, and our own experiences, as we discuss ideas and practical approaches to tailored information security. We won’t be afraid to challenge one-size-fits-all and best-practice norms, or the misapprehension that bespoke security frameworks are infeasible for all but the biggest of enterprises. Be prepared to reimagine what an effective cyber security program can look like when it is engaged with and aligned to the business.
Supply Chain Risk (with Vincent Thiele)
News of business impacts from the realisation of cyber risks is all around us. Many of the largest breaches in recent years have involved one or more suppliers in some way. Few will be unaware of Sunburst/Solorigate, and many will have been directly impacted or know people that have been. But it is not just your direct suppliers, or your technology supply chain, that can suffer from a cyber attack that impacts you, as is clear to many following the Colonial Pipeline attack. Do you know who your suppliers' suppliers are? Are you gaining any assurance of the cyber security of your non-technology suppliers? Are you assessing during on-boarding only, or monitoring over time?
In this episode Martin and Maurice are joined by Vincent Thiele to discuss Supply Chain Risk. How can you identify threats and manage risks originating from the whole graph of your suppliers, their suppliers, ...? Where should you concentrate your efforts and what can you do to meaningfully measure the security posture of suppliers?
Privacy: Security's New Clothes?
The desire for privacy is nothing new, but societal expectations have certainly come a long way since the middle ages. Over the last two decades many have seen additional rights enshrined in law. Businesses increasingly face sanctions for not respecting the privacy of those they associate with.
Businesses have privacy-related risks: they are required to protect personal data. But they also have security risks. Are the approaches to manage these not broad enough to cover privacy, or could they not be readily expanded to do so?
If you were asked to draw a Venn diagram of security and privacy on the back of a beer mat (remember those?), what would it look like? Is privacy a subset of security? Is there a large intersection, a small intersection, or maybe even none?
In this episode Martin and Maurice discuss privacy and how it relates to security. Is privacy materially different to risk-driven security? Do you need different teams with different frameworks to deliver privacy and security?
Certifications - Value or Vanity
The information security field is awash with certifications. To an outsider many job adverts, in what is increasingly a seller's market, are full of impenetrable acronyms. But who do all these certifications (https://pauljerimy.com/security-certification-roadmap/) serve? Is the content relevant, and do they effectively demonstrate knowledge, capability, and desire to learn? Are they a part of the supposed skills gap rather than its solution?
In this episode Martin and Maurice discuss the value of certifications and different ways in which we can assess and discover knowledge, skills and practitioner capability in our industry.
Risk & Risk Appetite (with Jaco Jacobs)
Enlightened risk management frameworks say we should manage risks to the business within the risk appetite. But what is the risk appetite? Can anyone in the organisation articulate it beyond vague statements such as “medium risk appetite”, “prudent basis” or “risk averse basis”? Risk appetite is dynamic: we need to be able to change it, and to identify the impact on our risk management when we do.
Armed with an understanding of our risk appetite, what risk management challenges are we better equipped to address? Can we leverage it to identify areas where we might actually want to consciously take more risk? Can we improve risk decisions?
In this episode regular hosts Martin and Maurice are joined by COSAC regular Jaco Jacobs to discuss cyber risk appetite.
Zero Trust - Revolutionary, Evolutionary or Snake Oil? (with Chris Blunt)
Do you trust your network? Did you resist the lure of cloud services and network virtualisation, content with your on-premises network security, only to suffer from attackers or malware able to move laterally at will? Did you have a perimeter-based, network-centric security model when the COVID-19 pandemic hit, and realise that your already porous perimeter was preventing your staff from working from where they were forced to be?
The traditional physical network cannot provide the security services we need. The shift from network-centric security to something more application- and user-focused is not new, but it is growing in pace. Zero Trust lets you remove binary access decisions based on being on the corporate network, and instead build confidence in devices, users and applications so that authorisation and access decisions can be risk-based.
Join us as we discuss Zero Trust with our guest Chris Blunt, who as a consulting enterprise security architect has first-hand experience of guiding clients through their transformation to, and implementation of, Zero Trust.
SWOT - Context, Capability, Challenge & Course
What threats does your project, or business, face? What opportunities have you identified that you could pursue? What strengths do you have that you can leverage to achieve your goals? What weaknesses might hold you back or cause you to fail? Underlying all of these questions is your situation and the external factors in play. The answers influence the direction you should take.
In this episode Martin and Maurice explore the elements of SWOT analysis, provide some pointers to help you distinguish the different factors, and highlight why this is important in the planning and execution of the course you take. Informally they discuss: the context you're operating within; the capabilities you have, and those you don't have; and the challenges thrust upon you and those you choose to undertake. Only by understanding these can you set your course with confidence.