From high-level security approaches to practical advice, Irisscon 2017 had an overarching theme of doing things better. Some presentations took a philosophical tack by discussing the need for changes in perspective and behaviour. Others covered more systematic tips on responding to incidents, hiring practices or improving physical security. Talk of fear and threats was noticeably absent. Instead, a sense of security maturing as an industry pervaded many of the talks.
As flagged in our event preview, finding work in the security industry was a recurring subject throughout Irisscon. Publicis Groupe chief information security officer (CISO) Thom Langford called on employers not to reject candidates because they lack technical qualifications. “I can’t teach values, I can’t teach motivation. I can teach technical skills. That’s the easiest part of being an employer,” he said. Maria Hyland of IBM spoke of the challenge involved in upskilling people to a high degree, and then maintaining or enhancing those skills. Her team at IBM tackled this through gamification “because people learn from doing. People are more likely to retain new information and gain new skills if they’re learning and enjoying it,” she said.
Thom Langford co-presented with Lee Munson, and lamented how someone with Lee’s passion and enthusiasm almost walked away from the industry because of restrictive hiring practices. Lee Munson, who maintained the BH Consulting blog for many years, worked in retail before moving into security. Their comments at Irisscon were also reported in The Register.
Another speaker at Irisscon, Chris Boyd, has a degree in fine art. His presentation, with the intriguing title ‘Makhra ni Orroz’, drew some of the best reactions of the day. It’s a tale of his start in security research, with a twist that drew gasps from the audience. The reveal is too good to spoil here, but the video is worth watching.
Dr Jessica Barker of Redacted Firm brings a sociologist’s perspective to security, and her talk looked at human nature and decision making. She explained the principle of heuristics – a combination of mental shortcuts and personal biases – that people use to guide their actions. Knowing this, security professionals should reframe how they deliver awareness training, she said. Talking about people in a positive way and empowering them is more effective than saying they are the weakest link.
Her talk was well received: the following day, infosec analyst Andy Cooke wrote on Twitter:
In work I just used a lesson learned from @drjessicabarker’s #IRISSCON talk yesterday and got immediate positive results! Unfortunately that probably says a lot about my previous approach to dealing with people.
— Andy Cooke (@cooke_andy) November 24, 2017
Her colleague at Redacted Firm, FC, tests physical security on behalf of clients. His talk looked back at ways he had been able to evade barriers intended to keep bad guys out. The anecdotes and war stories drew plenty of laughs, but the message was serious. “I want you to go and enable your staff to do security in a way that helps your organisation. Make security a priority, not the last thing you add on. You have to design your building to be secure. Then, the culture becomes more secure because you interact with this environment every day,” he said.
Brian Honan called on security professionals to do things differently. Instead of blaming victims, the security industry needs to follow the lead of the aviation sector, he said. By working together methodically, airline crash investigators reduced the rate of fatal accidents per 1 million flights from four in the 1970s to less than one today. Brian encouraged security professionals to share information and collaborate more, so they can understand risks and defend systems better. The Register’s John Leyden filed a report on the main points from Brian’s presentation.
Continuing the theme of change later in the day, Dr Bob Jamieson of Mallinckrodt agreed that the security industry doesn’t collaborate well. Jamieson said current strategies aren’t working and he argued for offensive countermeasures to deter attackers. That’s not the same as hacking back, which is problematic because it’s difficult to attribute attacks correctly. Instead, he suggested that organisations could use honeynets to identify malicious activity. Another way is to tell attackers there are traps waiting in the form of ‘warning banners’ in digital infrastructure, Jamieson added.
Evolution of the CISO
Change of a different sort was a theme in the talk from Quentyn Taylor, chief information security officer with Canon Europe. Whereas the old-style CISO focused on technology and risk, today’s CISO needs to focus on ideas and profit. The role now calls for someone with communications skills who can influence colleagues in the business, he added. Nevertheless, Taylor said it’s important to have a technical background before making that evolutionary step.
Incident response featured in two presentations at Irisscon. Most organisations’ default response is ‘it will be all right on the night’, but David Stubley, CEO at 7 Elements, had this warning: “In the majority of cases, there are no coherent plans; where there is a plan, there’s a lack of detail. And no testing of the plan.”
Dr Ciaran McMahon, co-founder at the Institute of Cyber Security, drew inspiration from the Analogies Project for his talk. While on honeymoon this summer, McMahon and his wife were caught up in a magnitude 6.7 earthquake. The experience taught him lessons that companies can apply to incident response. These were: 1. have a survival plan; 2. brace for aftershocks; 3. if no-one is leading, it soon becomes a free-for-all; 4. have a communications plan; 5. corporate culture is critical. While responses can be trained, personal relationships are essential to ensuring the business keeps its reputation during the crisis.
Honourable mention for Linda NiChualladh, general counsel at An Post, who endured a projector failure during her presentation. Undeterred, she continued without slides and talked in detail about preparing for GDPR in practical terms.
With 11 speakers across the day-long conference, there was something for everyone in the audience, to coin a phrase. Videos for most of the presentations are available on the Irisscert YouTube channel. On Twitter, you can find commentary from the presentations and feedback from delegates under the hashtag #irisscon.