
Oops. Why information security should be important to us all. But first I'm going to give you a bit of my background. I started off as an accountant. I'm not in the wrong place. I then worked in auditing for a while. I then moved into computing: I did my hardware, did my software, did my operational sysadmin, did my sysadmin, and finally I went into information security, and I did my MSc at Royal Holloway, which I passed many years ago. I'm a certified Unix engineer; I started off in Solaris and Red Hat back in the day when Solaris ruled. And I've started my own information security company, which I'm CEO of.

So why is information security, or why should information security be important to us all? I love this quote. Most people don't realize that their digital data is important to other people; there's a value on it. Most people walk around with their phones, or they give out their phone numbers online, or they key in information easily, because they don't realize that information warfare has already begun. And if you try to talk to someone about this you get that glaze. I don't know if you've had it, but when I sit my girlfriends down and try to talk to them about computing, information security, it's kind of like that, and that's because for them it doesn't really matter until it affects them, until their child's world, their bank account, their life has been compromised.

So the aim of this talk is to show you why information security should be important to us all. I will identify the threat paradox. I will also try to identify the ramifications of poorly implemented security policy. Finally I'll suggest some solutions.

Now, if you've been to university, you've read a computer book, an information security book, it always starts with the CIA: confidentiality, integrity, availability. We all know that back to front. You know, we can tell you what ciphertext is the best, which one's your favorite, blah blah blah. Some of us can even do the IDEA algorithm by hand. Then you get the integrity; you know, some people understand. You know, we have our favorite forms of integrity and availability. That's how we talk about information security. But try talking to the average person, anyone, about information security in this way and once again they're gone; they glaze over, because to the real world information security is about the state, it's about the individual, it's about the enterprise; it's about how it affects them, and they see it with respect to their threat paradox: how does it affect them, what are they trying to protect themselves from? And if you want to talk to normal people about information security you need to leave the university and the books behind, and you need to talk about how it impacts their lives.

And for the state, information security is about trying to hear the chatter. They need to know what's going on. They don't really care about you and me; they care about society as a whole. I'm going to say Heartbleed. A couple of weeks ago, I don't know if you know this, there was this exploit going around, Heartbleed, and I heard, and I'm not sure this is true, that the NSA had been aware of the Heartbleed exploit two years ago but they chose to kind of say nothing because it was good for them: more chatter. And you can kind of understand why they do that, because they're trying to find out when the next attack on their infrastructure, on the society, is going to come about. But by doing that they leave us susceptible to individual threats, and that's a threat paradox: what's good for them is not necessarily good for us.

And you've got the corporate, the enterprise. Most people when they start a business, apart from me, don't start the business because they want to be really good at information security. They start the business because they want to make money. They don't care about information security. They'll get ISO 27001 or 2 just to say they've got it, a tick box exercise. What they want is to make money. They'll get the health and safety, a tick box. They'll pay that, a tick box. But they don't really want to do any of that. They want to make money, and therefore they will compromise all of that. In particular they will compromise information security just to make money, and by compromising their information security they're compromising all of our information security.

And then you've got the individual. Information security for them generally, not always, does not exist. And in many ways you can understand, because they've got an overload. They've got their mobile phone. I mean, people don't realize what their mobile phone is: it's their identity, it's their life, and it's so easily compromised. You've got walk-by mugging, where people can actually access your mobile phone while walking by now, because of the technology. You've got your PIN, your PIN to access. I saw... I worked for an IT company, and I was at the table with my boss, and I saw her enter a PIN, and she used a four-digit number for a PIN, and it related to family members, which I knew. And that was in an IT company, believing that was a secure PIN. Most people don't understand, most people don't realize, or maybe they do now, that when you collect your messages, if you don't PIN-protect that, you're leaving yourself vulnerable. Online shopping: I don't think anyone understood what a secure socket layer was until two weeks ago. An awful lot of people would go online and shop without a secure socket layer. Now, kind of, I can see why. And online banking: continually people are subjected to ways and means by which they can be attacked, and it's so vast, and they're so badly equipped to deal with it. But information security is their problem, because when it goes wrong it really is their problem, because there is nobody there. And we've got all these different bodies who are seemingly working and doing information security in our society: you've got the M, the MoD, GCHQ, all of them are there, a flatline system. But when something goes wrong, when your child is subjected to cyberbullying, I don't know, when you are being cyberstalked, which one of these groups is going to be there to help you? No one, because it's your problem.

So what's the solution? Well, the first solution is: within a security environment there should always be one single point of contact, and we don't have that at this moment. If I was attacked and I rang the police, would I need to identify was it sexual, physical or racial? No, I would not. I would ring 999 and they would be there. In information security we don't have that. Also, another solution is people should be qualified. I'm going to give you an example. I went to a really high-power sort of dinner, and I was sitting at the table with a guy who's in charge of information security for one of the major utilities, and I'm kind of into cyhex, and so I started to talk about cyhex, and he didn't know what it was. So I had to break it down. I had to explain what ASCII was to start with. You see where I'm going? He's in charge of information security for utilities. Then when I got to ASCII I had to explain how to transfer base 10 to base 2. Yeah, he didn't even know what base 2 was. Then I tried to explain my favorite algorithm, which is IDEA; he was lost. I kind of thought to myself at that point, if you mention hashing to that guy, you'd probably think you're talking about rainco. He does not understand.

And that's the problem in our industry. Unlike any other profession, anyone can claim to understand information security and be promoted up through the ranks, and that's unacceptable. If you want to be in charge of an accountancy or an accounts group you need to be an accountant. If you want to be in charge of information security you should need to be qualified. Our industry needs to get professional. We need to step up. We need to qualify ourselves, become qualified, because we're the ones, we're the community with the knowledge, with the love. But if we don't get qualified then we leave it to those that are creating the system we have, and obviously Gates should rule the world. Fundamentally, because we have the knowledge, we need to be there.

I don't know if I've dashed through this really quickly. I think I have. So what's the conclusion? For me the conclusion is quite simple. The state needs to understand the individual is important. We need a correct structure of first point of contact. When your child is being bullied, when you are being cyberstalked, someone needs to take that seriously, not just you but everyone. There should be a point of contact. The individual: I heard, I went to a talk earlier on about crypto parties. They sound great, my sort of party: cryptography and parties. And we need to do more of that. We need to go out there, we need to educate. You know, wine and ciphertext, it works. We need to bring people to the fold. People need to understand that they are responsible, because when it goes wrong they're the only one who's going to help themselves.

And enterprise: my past career was as an accountant, so I understand the profit motive. But the enterprise needs to understand the bottom line. Presently only 6% of GDP is being achieved on the internet, but that's an exponential number and it will increase. So 250 billion pounds has been made on the internet, but as that increases, enterprises will understand that there will be an equal increase in cyber attacks, in cyber fraud, and if they don't get their act together now, in future you may find enterprises, companies, fail not because of their product but because of their lousy information systems. And we as a community need to walk away from companies who don't implement the correct passwords, where they want a character and a number, sorry, an alpha and a number, but they won't use all the character sets. We need to walk away from companies like this, because they're compromising our industry and they're compromising us all. They say, I mean, at university they love to say this: if one of us fails, be it the IT industry, be it the government, be it the individual, fails in an information security world, we all fail. So we have to work together.

So I'm going to conclude with my favorite quote. I read a book by Dorothy Denning. It was about eight or nine years ago; I'd just got into information security, and I read her book. It was part of my course, and I thought she was totally whacked. I didn't get her. I really didn't know where she was coming from. But as I've kind of gone along and gone along, I realized she was a visionary, because this is the way we are living, what we are subjected to every day. So why should information security be important to us all? Because information warfare has already begun. Thank you for listening. Any questions? No? Bye.