How is the AI helping in fighting the virus?

It is 15th March 2020, the headlines everywhere I can help to notice how the corona virus (COVID-19) is causing havoc to human first and business second, or the other way around, depending on your take. Yes, the businesses have been hit hard, from the travel industries to cyber security consulting (seeing some well known consulting firms share prices drop by 20% in a couple of weeks time! The situation is getting worse.

While we know on the good day, AI gets the praise and the good promises that it will help the mankind, I was wondering, maybe many of you are, how has the AI so far helped to fight this soon to be called pandemic, is there any way that AI can come to rescue?

Will it make a difference if we do security for business sake?

The security departments and the business always crash when comes to justify security expenses in the context of business justification (why did you buy that NAC device for?)
My idea is basically in everything that security department do, should be prefixed with the word business e.g. business cybersecurity , business security incident management , business penetration test (you get the idea). By doing this then the mindset shift from doing security for the security sake and becomes doing security for the business ( not in the business of information security).
My simplify model below reflects this SABSA thinking and I will expand it more in the later date.

Can you start building a security architecture without a foundation?

Ideally constructing a building (e.g. house), you start from 0 to 100, i.e. build a foundation, erect the structure then fit the windows, roof and finish off with the cosmetic tasks like painting, plumbing etc. While this kind of building up is ideally and feasible for physical construction of things like e.g. a house, aeroplane etc, might not be so ideally for building business information security programmes, given that information security for years, have been an afterthought practise e.g. systems were developed and then security folks been asked to add-on security controls or a layer of the security on top of insecure system, and this was not security by design or security by default.

While for the most organisations I have had an honour to visit or assess, they may have a formalised security programme or information security management system (ISMS) where they coordinate the information security activities coherently, or some of them may have not have a formalised security programme at all. The question(s) I have been asking myself, can someone start from the middle or put together whatever you have to have a completed business information security architecture? 

YES – I think is the answer to this question according to me and what I have seen so far. In the next post, I will expand more on how the organisation can start in the middle and complete their business security architecture.

Cybersecurity Resilience, the 3-dimensional approach Technology, People and Processes (TPP)

Sony, Target, Equifax, Facebook, Kaspersky, Iran Nuclear Plant , do these names ring a bell?

You might noticed them from the newspaper headlines (or a blog post somewhere like dark-reading, theregister). What they have in common is that there are big organisations, and all have been breached at one point in their business lifetime. The question is not whether you are going to get breached, it is matter of when? and the question to ask yourself, is do you have enough resilient controls to make your business sustain these attacks and continue serve your customers or the public?

If the reality hasn’t sunk in yet, I think it is the right time to review your Incident Response Plans and your infrastructure and processes resilience (and dont forget your PEOPLE, their resilience matters the most).

In preparation to build the resilience needed to respond to attack, it is better to start at the grassroots level with the following questions:

  • Why most organisations are not prepared to respond to security attacks?
  • What is the reasonable resilience look like from three dimensional of Technology, People and process (TPP)

On the next post, I will expand these two questions, for now let’s leave it here

Mind the Burnout Security Appliance.

Imagine this, as a Qualified Security Assessor, below is close resemblance of typical year scheduler for conducting assessment

  • January – March Service Provider Assessment (25 days)
  • April – May : Data Centre Assessment (15 days)
  • May – October: Retail Supermarket Assessment (60 days)
  • November – December: Service Provider Assessment (25 days)

A typical assessment average between 10 days to 100 days.

For the days that you are on the bench, these are typically compensated with 5 to 10 days short engagement such as conducting one of the below:

  • PCI scoping exercise
  • PCI Gap Analysis
  • Define a PCI Program for a client
  • SAQ assessment
  • ISO 27001 Scoping / Gap Analysis or Internal Audit. .

With this busy schedule, a consultant usual end up meeting or far exceeding the utilisation target, which for most consultancy is set to either 65% or 85%, in plain english it means out of 20 working days, you end up do all the 20 days.

In the security industry or at least from my personal experience, security consultants put in a lot of hours days in and out, which in the long run benefits the company as well as personal career growth, but what we fail to take into consideration, how you manage yourself physically and emotionally, so to minimise the burnout.

In order to minimise the burnout, it is important to make sure you have the right work/life balance. Whilst this is easy said that done, you have to create your own program (dont wait for the company do to this for yourself), where you make sure you have the time to exercise and engage yourself to do something outside of the cyber world.

For myself, I have manage to create a schedule where I can do physical activities during the week e.g. running, swimming, playing basketball and cycling. I also tend to read something outside of the cyber security world, which at least put my mind at easy, and mostly important my weekends are purely reserved for my family, during which I don’t check work emails or work on any report or sale pitch preparation. The trick, is to start small with a few routines, e.g. 10 mins walk/ running during lunch time and build from there. In order to perform higher and stay sharp, remember to take care well of your body and mind, DON’T BE A SECURITY BURNOUT APPLIANCE.