Thursday, 22 December 2016

Who wants to be an Enterprise Resilience Manager?

I had a plan and so far it’s worked…

My career in business continuity has been very kind to me so far. In the last 6 or 7 years I’ve become an award-winning published thought leader, I’ve been able to meet some truly great individuals from around the world and I’ve also worked on some pretty interesting projects as well. Although I think it’s fair to say that the vast majority of the interest in my blogs, book, articles and presentations is because of my brutally honest style. I’m also one of the very few “junior” professionals who provide this regular type of insight. So, as I come to the end of another year and I am about to embark on my next challenge, I wanted to capture my thoughts and share them with other like-minded peers and colleagues.

So, what happened?

It was BCI World 2015 that was the turning point for me. It had been a year since I’d won my global best newcomer award and I was trying to figure out what direction to take next.

I had a podcast interview around the same time with Ken Simpson and we discussed “that difficult second album” and I knew then that I had to have a plan for the future. Once I took the decision to move into Cyber Security I was often asked:

“If you just received a global award from your profession, why would you move out of it and start again in a completely different field?”

It’s a valid question and it’s easy to see why individuals were curious. I was doing well in BC and I was moving into a more junior role after years of building up my experience. I even took a pay cut to do so. However, my decision wasn’t because I wanted to leave business continuity, it was because I wanted to be better at what I do.

Stick with me on this and I’ll explain…

The Enterprise Resilience Manager

The theme for the conference back in 2015 was “organisational resilience” and there had been a number of discussions and white papers regarding what this meant for the profession. Many folks were left scratching their heads trying to figure out how to become this new hybrid role. The message was clear in my mind… I had to diversify. I needed to be an enterprise resilience expert but what did this look like? It was at this point I came to a few conclusions:

· I didn’t know nearly enough about technology or the rising theme of “Cyber”

· I didn’t know nearly enough about real risk management processes in business

Looking back (if I was patient enough) I probably could have stayed in my BC role and engineered my workload around gaining that exposure, but the path wasn’t clear. I decided I needed a plan. I wanted to become an Enterprise Resilience Manager, but that particular role is still maturing and only a few businesses were buying into it at the time.

The plan was simple… I would find a Cyber/Info Security role and kill two birds with one stone. I would spend a year or so (while completing my part-time Masters in Risk) learning all about the buzz words that “experts” try to dazzle you with and also get my head around innovations in business technology. I figured this would give me a much better handle of both information security and risk management themes. A year on and this has proven to be one of the best career decisions I have ever made.

A Mountain of a Learning Curve

The learning curve this year has been totally immense and many nights after work, particularly in the early days, I would go home feeling like the class dunce with my mind completely frazzled, but it was totally worth it. I wanted to cut my teeth with security and technology and that’s exactly what happened. I was thrown into a whole new world of networks and infrastructure and before I knew it I was looking at things like trust certificates, SFTP, firewalls, reserved IPs, access control lists and pen tests, among many other far more technical things. I spent my days absorbing this knowledge and my evenings studying risk management, and my mind was about to explode! It was totally worth it though, because I am now becoming a stronger professional for the experience.

I’m also a big believer in combining academic and vocational learning because they both offer different perspectives in their own right. I took the opportunity to attend the CompTIA Security course and also get my hands on the CSX Cyber Security Fundamentals study guide simply to enrich my front-line learning. I would highly recommend the CompTIA training to any resilience practitioners touching on technology as I found it really helped me to understand the associated risks and threats. I also took some training in CRISC to help me better understand the frameworks like COBIT 5, ISO 27001, ISO 30001 for tech risk management and governance.

In Summary

So, as I come to the end of a year in Cyber Security, and as I finalise my Masters in Risk, the next step for me is to move into the enterprise risk management space to help me reach the next stage in my development and that’s exactly what is happening in 2017. The next adventure is going to help me work through the risk management life cycle where I can combine all of my acquired skills to become the resilience manager that I want to be. In contrast to technology, where everything is black and white, risk management is a dark art. It’s subjective, requires a good knowledge of the business and it’s something that you cannot appreciate until you experience the full life span of a risk. I fully expect this journey to be far longer than the previous but equally as fruitful.

Tuesday, 8 November 2016

The Business Continuity Institute's World Conference 2016

Changing it up...

So before heading off to London I always thought it was going to be difficult to top last year’s efforts because it was SO good. Thankfully there was no opportunity for comparison because everything was different.

It was actually quite fitting that the conference theme was “preparing for a changing landscape”. The venue, the speakers, the theme (even the audience was made up of what looked like 50% first timers from a show of hands) had all changed from last year’s fun.

BCI Team - committed planners 

I’d like to point out that when I arrived on Monday night, the BCI’s new event manager Ruth was on her hands and knees putting up signs for the next day, and it’s credit to her (and the wider BCI team) that it ended up running so smoothly, so well done to all.

Key Note Irony

The first keynote speaker was Michele Wucker, who expanded on her concept (and book) about Grey Rhinos. Credit to her, because I imagine it’s quite difficult to spin up an honest discussion about the blindingly obvious risks that we deliberately try to ignore... because we ignore them. But her book looks fantastic. I read the sample on Amazon and I loved the statement “Perverse incentives and calculated self-interest can turbocharge our natural impulse for denial”. True poetry in our world of risk avoidance! Well done her; I thoroughly enjoyed it and recommend her.

A difficult act to follow though, and poor Tim Astley from Zurich was given the task of making risk research look interesting, but to my surprise something caught my eye! It seems this was a hefty piece of research which covered multiple disciplines across the globe and, rather oddly (to me at least), it reported that IT risk and cyber security were reducing in profile over recent years, which even he said was “baffling”! I did hear one audience member mumble “well that’s because everyone is sick of hearing about it” and to be honest they are probably right to an extent! Nevertheless I was astounded to see that on a global scale this space had been reduced as a threat. In my world this is exploding and there are countless examples in recent years of how cyber is in fact the “grey rhino”, what with TalkTalk, Tesco Bank, Bangladesh Bank etc. Up until recently many businesses were trying to ignore the nerdy guy talking about firewalls. I found this quite ironic after hearing the previous speaker. I was like, am I the only person in the room thinking this?

My talk, my paper, my session me me me! 

I wanted to be bold and honest... (well, as honest as I could be without any legal firms knocking on my door) about how embedding resilience in the project management world is not without its challenges, because it’s amazing how stupid they can be! I gave research results, anecdotal own goals and some tips to help people better understand the challenge. I’m looking to put some solid research into this space in the next year and hopefully the BCI will let me come back to present what I find!

I loved Dr Robert MacFarlane's talk on how we performance measure resilience. He spoke really well and gave some valuable insight suggesting there is "room for improvement". 

Supply Chain Stuff

This session, strictly speaking, was not change related but I will let them off! Also, if there was a contest for the driest subject in resilience this would score some big points, so credit to the gents from AIG, Zurich and M&S for trying hard to educate the attendees, because everyone else seemed to be packed into the session next door on incident management, the “sexier” of the subjects. But even without attending the alternative session I can confidently say that they missed out, particularly with John Frost’s vendor assessment case study. One of the best sessions I’ve seen from a practitioner on a related topic in years! Well done sir. Just a shame only a few folk got to see it. You must take it on tour!

Anyway, I’ve only been able to attend one day this year due to work commitments, but this concludes my experience of the conference for 2016. It’s been a lot of fun and I’ve learned a few things along the way. My only complaint is I would have liked to have seen more IT related sessions, but I see that some were available on Day 2.

Wednesday, 26 October 2016

My Technical Learning Curve – Working with IT Professionals in Crisis

“Don’t get me wrong, building is a highly complex technical job…which is exactly why I think builders shouldn’t do it!”

A one liner from the comic Jack Dee which I often think of during challenging discussions with IT staff!

A short disclaimer before you read ahead... I have worked with a number of highly capable and willing IT professionals but my observations are of patterns/trends that I’ve spotted over the last 5-10 years.

Brute honesty to start with…In my experience I struggle to trust the judgement and decision making of many IT professionals, particularly during crucial times like during a major incident or business-critical project. I’ve found myself in situations with desktop teams, technical architects, DBAs etc. when the individuals can’t (or won’t) articulate in simple terms what the issue is or even worse refuse to accept there is an issue. It can be so frustrating.

The dynamic, communicative, relationship-building resilience professional who works across the entire business regularly meets all kinds of people. In my opinion there is none more frustrating than the IT Department! The rigid, compartmentalised thinking of many teams within IT sometimes makes it impossible to develop a good standard of resilience.

As a non-tech apologist I have spent years trying to understand the character types and dynamics within the IT crowds of various businesses, because let’s face it… virtually all incident management, business continuity and resilience employees have an interface/relationship with a technology department and it’s important to understand what to expect.

If I’m not a total expert…I’m not helping

First of all, the IT employee tends to know exactly what it is they do and seldom deviates into uncharted territory. This is a challenge because you can watch them instantly become more guarded, dismissive of your questions and quickly frustrated, particularly if you don’t have a grasp of what it is they do. If you want to achieve outside-the-box thinking to, for example, complete a BIA… find another box!

The IT “role” in its many forms is very task-orientated with set screens, set code, set parameters etc. and, while all seemingly very complex to the untrained eye, the employee in that position will often have trained exclusively in that domain for the majority of their career, taking exams and certifications along the way. In short, they know their stuff. Many won’t have ventured beyond their field, so wider discussions on technology are usually met with a blank stare because they won’t consider themselves an expert, so why contribute? This is odd to me because in the wider business there are hundreds of uninformed non-experts bluffing… talk about one extreme to another.

Sorry I’m “not technical”

In hindsight, I now see it’s not all IT’s fault! Having worked within an IT department facing out to the business as a service, I now see the weight of expectation and sheer ignorance of business staff (myself included). I cannot count how many times I have heard senior managers say “sorry I’m not technical”, a term which prior to working in IT seemed a fair comment. I now see that for many it is a lazy cop-out for not trying to understand something. They just want it boiled down to its simplest terms, which is fair enough if it’s complex, but I’ve seen it many times before where managers use this comment to actually get out of ownership or contributing to a project. They will pull this card to avoid any expectation on them to own or understand an issue or risk. This is quite frustrating from an IT point of view. See, we are just as bad!

The Lead Singer isn’t the Band!

Many IT departments tend to sit under the radar away from everything else. They typically have a front man in the form of an IT manager/Director/CTO, but after the management meeting they go back to the IT crowd (who you never tend to see or hear from unless you have a help desk call). I think this is quite misleading because these individuals are not a fair representative of the character types within IT. It appears to me that many IT staff like to stick to what they know and are extremely reluctant to step off the tools, as it were. I don’t see great deals of rapid career climbing (well, not at the rate you see elsewhere). Instead, those that seem to progress at a faster pace are those with the soft skills who are highly communicative with the business, but they often tend not to be anywhere near as technical, having stepped off the tools years before. The gap between the management and the technical operational staff can lead to many a misunderstanding.

IT departments are often fronted by the most charismatic of their group, who is typically far less technical than the average engineer, often creating a significant gap in real operational understanding. They are usually not a fair representative of the department beneath them, but even if you did get a chance to work with the operational staff, they tend to stick to what they know, will avoid any deviation and will get incredibly frustrated if you don’t understand… but it’s okay because “we’re not technical”.

Friday, 17 June 2016

The Car Salesman to the Mechanic.

So I made the big brave move into a cyber security specific role....

The rationale behind this was simple. Far too often in my world of business continuity I encountered some CTO who was trying to pull the wool over my eyes when discussing IT risk. They would throw out a few technical terms I’d never heard of and I had no choice but to assume they knew what they were talking about. This needed to change, so I decided to throw myself into IT and see what all the fuss was about.

Prior to making the move I genuinely thought my experience of delivering disaster recovery and work area recovery projects meant that I had a pretty good grounding on the subject. However, looking back I’d have to say I was definitely ignorant of what I didn’t know. It occurred to me that in recent years I was the car salesman to the mechanic. But as a security professional did I really need to fully understand the likes of networks, environments and infrastructure?

As part of my technical learning curve for my new role I started to research what training courses I could take to give me a good grounding but not make me an expert in a particular IT discipline (and trust me, there are so many!). Most IT courses offer specific training but seldom offer an enterprise-wide view of IT in business. I initially looked at the ITIL courses because they cover service delivery in IT and that would give me an idea, but I was working in security now and I needed something with a bit more context and meaning. This is when I arrived at the CompTIA Security+ course.

Well done. You can memorise stuff. Have a certificate!

I'm rather cynical about these intensive training packages. In my experience I tend to walk away having passed an exam (well done me) but never actually being that much better at my job come Monday. I have enough certificates to get me job interviews now. I wanted a course that would actually make me better at my job!

CompTIA Security+ Course

Let me start by saying that overall I liked this course. However, the first thing that initially put me off was the documented “24 months of networking experience” prerequisite (given that I didn’t have that!). Also, virtually none of the security job advertisements I had considered before made any reference to needing this course in the first place. They always mentioned CISM, CISA, CRISC and CISSP. So why bother? Well, this is probably the first intensive course I have ever been on where I have walked away feeling more competent than I was before.

Disclaimer: all courses and content are delivered differently through different providers and instructors so my version is by no means gospel!

The Course:

The CompTIA courses offer a range of sub-disciplines, mostly to the benefit of network engineers and the like. Of course a key benefit of understanding networks is that you gain a full picture of the end-to-end IT set up (mostly). The Security+ course focuses on the likely vulnerabilities and threats you might encounter across the spectrum, from mobile devices to databases and beyond. The instructor covered subjects such as cryptography, digital signatures, public key infrastructure etc. It’s provided me with some useful foundations to build upon.

There is an exam at the end of the course of about 100 questions, and the marking scheme is weighted so I can’t give you a specific pass level. I got the feeling it was like most tests at 75%.

While I would recommend this course to anyone working in the resilience sector (business continuity, disaster recovery, IT risk), I think some pre-reading is definitely required to fully benefit from the time sat in the classroom. My first port of call was a fantastic resource called Cybrary. This free resource (once signed up) provided online courses in networks from beginner level up. It did take a while but it really enhanced my overall learning. The instructor often made references to port numbers, IP ranges, subnetting etc., so I would highly recommend reading up beforehand!

But this is just my tip for a course I enjoyed and really benefited from as a beginner.

Thursday, 28 April 2016

My Technical Learning Curve: Encryption

Resilience professionals, particularly those from a non-IT background, really need to step up and develop their overall understanding of technology, especially focusing on how we all communicate with one another in the modern age. I mean, how else are you going to be able to fully appreciate the magnitude of risks potentially facing your business?

I hear you say “my IT guy will tell me”, but even then, beyond the tech descriptions, you’re only ever getting their individual perspective. How confident are you of their awareness of the business process that’s using the technology? Or the impact to customer experience? Or how it might affect the long term leadership strategy as to why you have that technology in the first place? In my experience, very technical employees are often very skilled in one particular area of focus and tend to think in a very linear way. I therefore think it’s vital that resilience professionals who face off to senior management and leadership have a basic understanding of how some of it actually works.

Oh and by the way I’m not just talking about all the buzzwords you see coming out from half-baked vendor blogs repeatedly referencing cool words like “Brute Force”, “Spear Phishing” or “Whaling” or “Social Engineering”.

I’m talking about things like:

- When I send confidential information online – how is it actually secured?
- What is the security model around how my business and customer data is stored?
- How can I trust any online resource I access?
- How is data actually stored?
- What tools can I use to defend against unwanted incoming traffic into my network?

There are countless others but these are some of the fundamentals that we need to start getting our head around.

So after wondering in which direction to take my blog I’ve decided that moving forward I will start to post experiences from my own tech learning curve to help share an understanding among my peers in the resilience community, many of whom I know are equally as limited in their own IT knowledge!

Disclaimer! I’m not saying it’s going to be totally accurate and I invite others to contribute below to clear up any duff steer that I give. That’s the beauty of sharing!

My first experience comes from the world of encryption and keys, something that has taken me a while to get my head around and I hope it helps…

Asymmetric and Symmetric Keys

Starting with a very basic example that helped me to understand the concept:

Let’s say you wanted to send Person X a package but you know the courier is a bit dodgy and is likely to open anything unsecured that you send. Therefore, you’re going to need to lock it up with a padlock!

However, if you go ahead and send the package with the padlock, Person X won’t be able to open it because they don’t have the key! Also, even if you sent the key separately the courier will take it before it gets to them. So how do you send it across securely but so they can still open it? (Don’t say use a combination lock and text them the code! It’s a padlock and key that you have!).

Solution: You send your package with your padlock on it and no key. Person X doesn’t open the package when they receive it but instead returns it to you, adding their own padlock. Then you take off your padlock and once again send it back across, leaving them to unlock their own remaining padlock.

Easy right? Hmmmm

Okay well it doesn't get any easier! Here is an example given to me recently of how encryption might work between two parties:

John wants to send Stuart a highly confidential file.

So John encrypts the file being sent to Stuart using a key that he generates from his encryption software but doesn't send the key itself across with the file.

Stuart receives the encrypted payload (i.e. the file). He already has the algorithm in his encryption software to mathematically decrypt it, but he doesn’t have the key generated by John to actually do so. This will be sent separately.

John then uses Stuart’s available public key (a key anyone can use to encrypt, but whose output only Stuart can decrypt) to encrypt the required key before sending it across to Stuart.

Stuart can then use his private key to decrypt the key sent by John.

Stuart then uses the key that John generated to decrypt the original file to see the confidential material.

Told you...easy...
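The John-to-Stuart exchange above, written out as an added example in Go (this is my illustration, not code from the original post). The post doesn’t name the algorithms, so the choices here are assumptions: AES-GCM as the symmetric cipher John generates a key for, and RSA-OAEP as Stuart’s public/private key pair. The Envelope, Seal and Open names and the sample file are also constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what John actually sends Stuart: the file encrypted under a fresh
// symmetric key, plus that key encrypted under Stuart's public key (hypothetical type).
type Envelope struct {
	Nonce        []byte // AES-GCM nonce, fresh per message
	Ciphertext   []byte // the file, encrypted with John's one-off symmetric key
	EncryptedKey []byte // that symmetric key, encrypted with Stuart's RSA public key
}

// Seal is John's side: generate a one-off AES key, encrypt the file with it,
// then encrypt the key itself with Stuart's public key so that only Stuart's
// private key can recover it. The symmetric key never travels in the clear.
func Seal(pub *rsa.PublicKey, file []byte) (*Envelope, error) {
	fileKey := make([]byte, 32) // AES-256 key generated by John's "encryption software"
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, file, nil)
	// RSA-OAEP wraps only the 32-byte key; the file itself is never RSA-encrypted.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, EncryptedKey: wrapped}, nil
}

// Open is Stuart's side: recover John's symmetric key with Stuart's private key,
// then decrypt the file with it. GCM also rejects any ciphertext altered in transit.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.EncryptedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// main runs the whole exchange end to end with a constructed sample file.
func main() {
	stuart, err := rsa.GenerateKey(rand.Reader, 2048) // Stuart's key pair; the public half is shared
	if err != nil {
		panic(err)
	}
	file := []byte("constructed sample: the confidential file John wants Stuart to read")
	env, err := Seal(&stuart.PublicKey, file)
	if err != nil {
		panic(err)
	}
	got, err := Open(stuart, env)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(got))
}
```

Anyone holding a different private key gets an error from Open rather than the file, which is the whole point of encrypting John’s key with Stuart’s public key.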

Let me know if anyone sees it differently or has a better way of explaining it!

On to the next curve…

Tuesday, 22 March 2016

Information Security Department: How is it set up?

Now before I start I just want to say that I’m sure there are a thousand ways in which to design an info sec department structure. I’m just going to cover off an example of how it might be set up.

I'm writing this because at one point in my life I assumed that having a single information security manager in a business was enough (or even if it was just bolted on to another job it would do!). This is clearly not the case. I now see some of the complexities involved and I wanted to share it with those who might be equally as oblivious as I was!

None Shall Pass!

First up is the IAM (Identity and Access Management) team. The focus of IAM is predominantly about receiving updates from the business to ensure that the appropriate access is available or restricted on key business applications at all times. For example, information about joiners, movers, leavers etc., which typically gets pulled from HR forms to the analyst for review. Equally, this team can be pulled onto new projects which require new access, or to help identify any related risks. I’m told that for large organisations it’s totally normal to generate at least tens of thousands of access requests per quarter, which sounds like a tremendous amount of work if you ask me. Also, the risk of mistakes and oversight must be incredible. This appears to be one of the many facets of information security which go along quietly in the background unless something is flagged up… or even missed!

What’s that coming over the hill?

Next up is the threat intelligence team. Again, this to me looks like a fairly big task. The team is set up to receive updates on current and potential IT threats from a vast array of internal and external sources. This team must be pretty dynamic! I mean, to spend their days constantly risk and impact assessing against what is essentially a 24/7 conveyor belt of uncovered threats. The wider business often receives a regular brief on the biggest threats and how they could affect the business, which I think is a great awareness raising tool.

Stick to the rules!

Then there is the security governance team. These guys write policy for the entire business to adhere to internal security principles. This covers everything from clear desk policy to security design principles in new technology. The doctrine is cross-referenced with best practice and emerging regulations and, where appropriate, it gets updated and re-circulated. I’m often struck by how difficult this team’s remit must be. I mean, to be custodian of a constantly changing rule book and trying to socialise the detail and educate employees every time must be a challenging role. I think most people will agree that, more often than not, unless something is glaringly different about the policy (or if someone messed up really badly) operators tend not to pay much attention. From my own experience, trying to get them to read a single page can be a real struggle!

The Engine!

The word that gets bandied around a lot is the “SOC” (that’s the Security Operations Centre). These are the guys and girls that run the security control and analysis tools for their business. Firstly you have the incident response guys, who take ownership of information security incidents that impact on the organisation and progress any remedial activity, e.g. lessons learned. Then you have the guys who build, configure, support and maintain the business’s security infrastructure. These guys and girls are the security guards of the IT world and manage the everyday controls such as SIEM and firewalls etc. to protect the business and the users.

Many businesses often have a number of projects ongoing and if the business is big enough you may also have an information security change consultant to advise on any potential risks. These consultants advise on data protection and other information security risks on each project to control/mitigate the impact of any changes.

No one size fits all...

Depending on the size of your business, many of these departments could be folded into one very busy role! Alternatively there could be a different structure or other departments I haven’t mentioned, but I wanted to share what a large InfoSec department might actually look like. Please feel free to contribute any other departments I might have missed!

Thursday, 25 February 2016