
Everything You Know Is Wrong

BSides Scotland · 2018 · 56:19 · 235 views · Published 2018-05
About this talk
Paul Midian reflects on lessons learned during two years as a security leader in a large retail organization, contrasting his experience as a penetration tester with the realities of implementing security at enterprise scale. He covers budgeting challenges, organizational friction, vulnerability remediation cycles, and the business constraints that shape security strategy—particularly seasonal capacity planning during peak retail periods.
Paul Midian delivered the opening keynote speech for BSides Glasgow 2018 on the 27th of April.
Transcript [en]

I thought it was a really good idea to start by insulting the audience, just to sort of wake us all up. I was asked to do this talk a few months ago and I spent, like anybody who's asked to do a talk, the last few months figuring out what to talk about, and then sort of wrote it last week. What I want to do really is sort of talk about things I've learnt over the last two years. But first, I think, like anything, these are really the two questions I ask myself pretty much every morning when I wake up: who am I? So what I want to talk

about, as I said, is kind of the things I've learned for those last two years. Prior to that I was a pen tester; I sort of ran pen test businesses, that sort of thing. Why am I here? I'm here to tell you about that. I've been doing security for 25 years and I thought with this talk I could do something technical and pretend I'm still technical, but I'm not, so that wouldn't work in front of this audience. So I'm trying to give you the benefit of what I've learnt in the last two years, and it kind of turned out that most of what I knew in terms of doing security on the inside, if that makes sense,

was fairly wrong. So this is what we're trying to explain: the things that I've been up to. See, I'm a CISO in a retailer, and I think it's fair to say that two years ago security wasn't really a thing, so the first thing I had to figure out how to do was how to actually make it be, excuse me, be a thing. The second kind of key lesson that I've learned over the last two years is that actually getting stuff done is really quite hard. In fact I'm a lot greyer now than I was two years ago; it is staggeringly hard sometimes to get things done. And perception is fact. I

mean, you can sort of debate this. In the world we live in at the moment, what digital has done, and this is much broader than just my job, is actually turn perception really truly into fact. You hear stories of fake news and so on, and I think what's happened is people are confusing opinion with fact, and if something is said enough times online it sort of becomes true, and this is creating, I think, a really, really interesting atmosphere in which we try and do our work. So lesson number one that I've learned: maybe 70% of it is how to make security be a thing. Doing the security stuff, I think, was in

inverted commas easy, because I like to think after sort of 20 years I have at least some knowledge about what security means. But sort of making it be a thing in a large corporate is quite difficult, because for something to be a thing, and this is going to sound slightly bizarre, it sort of has to exist, and there has to be a difference between what is security and what isn't security. So you sort of have to carve out a space for it to exist in, and in order to do that there's a few key things. These look like blindingly obvious statements, and in fact they are blindingly obvious statements, but quite often the

blindingly obvious is completely overlooked, and certainly when I was on the pen testing and consulting side of the fence they were overlooked, certainly by me. You need a budget. That's fairly self-evident: if you're going to do anything in any organization you need the money to do it with. So the first thing you've got to figure out is how much money does one need in order to do what one wants to do, which means you've got to figure out what you want to do, and then you've got to figure out how much it costs, and then you've got to persuade the business to give you the money to do what you want to do. But the problem is you've got to explain

to the business what it is you're trying to do, and when it comes to security that's quite hard. So what do you do? You sit in front of the board and say, give me all this money and we won't have a breach? That'd be a really bad thing to say, because I suspect the vast majority of this audience could probably breach most companies if you sat down for long enough. So that's not really going to get you the money, or certainly it might get you the money in the short term, but you'll fail eventually. So you have to try and figure out a way of explaining to the business why it costs approximately ten times

more than they thought it would to get anywhere near to what they want you to do, and even that's not the end of it. So that's kind of problem number one. Specifically, when I started where I am now, a large part of what is now the security budget that sits under me sat in IT, so I was effectively having to rob IT of money in order to secure their systems. That creates, shall we say, the wrong kind of friction between the security team and IT, because they don't want their budget to be robbed, because it's being compressed anyway. So that's tricky. Some of the other budget was managed through a project management

office, so they would manage my capital budget for me. They'd provide project managers for me; they'd give me far too many project managers and not enough security geeks to get the job done, so that was another problem. So I spent the last six months trying to get all this budget consolidated into one place so I can actually manage it, and we've sort of achieved that, and that's a good thing. The second thing, having got a budget, and again this is a blindingly obvious statement, and this is going to be 40 minutes of blindingly obvious statements: you need to buy stuff with that budget. This is particularly difficult, and again you'd think this must be

really easy, because I guess a lot of you guys are in there doing pen tests and things like that all the time and you don't see what's going on behind the scenes. Procurement departments in companies are KPI'd on reducing cost. Now surely, as security people, we know that reducing cost increases risk, so this is almost entirely counter to what we're trying to achieve as a security team. So we go to procurement, and they're good people, they do a good job, this is not a criticism of them or of any of my colleagues, but they want to run a tender process, because it's what they do, and they want to get competition, because it's what they do, and they want

to find the right price, because that's what they do. Fair play. But if I want to buy a certain specific piece of technology from a small startup company that doesn't have any competitors in the market, having procurement spend three months looking for a competitor is a bit of a waste of time, but they have to follow the process anyway. A lot of this stuff, I think it's fair to say, was not entirely visible to me initially, and I'd wonder why things weren't getting bought quick enough. So I'd say to my guys, what's happening? And they're sort of chasing the procurement process around the business, frankly like it's wrapped in a maze, trying to figure out why it's being

blocked. I describe it as kind of wrestling matches between procurement people, who are tasked with reducing cost, and security people, who I'm tasking with getting this stuff in as quick as we possibly can. So that was interesting. So what we've done is we've had to build, or are in the process of building, a security-specific procurement process, so that we can, not necessarily bypass the controls, because they need to be there, but so that we can get stuff in without having to go through competitive tender processes and looking for the best price and all that sort of stuff. So this took months; in the meantime we've got a budget, we're not spending any

money or anything, we're not necessarily doing security yet. What we're trying to do, effectively, is sort of build the interface between what security will be and the rest of the business. It's a strange one, and it struck me actually, I was reading something in a magazine, I think Harvard or something, on the plane on the way up yesterday, and it was talking about doing agile at scale. Now, I'm not a developer. I was one a long time ago, 27 years ago; I started in security 25 years ago because I realized I was a really crap developer, probably a crap developer and a not-half-bad pen tester, I don't know. But in this article it was talking about doing agile

at scale, and the fact that if you build part of the business that's using an agile methodology, that's going to get bottlenecked by all the other parts of the business that are still doing things in a kind of hierarchical command-and-control manner. And it struck me that actually what we do in security, particularly pen testing and security testing, is sort of agile: we find a load of things that are wrong and we try and fix them as fast as we possibly can, which is why stuff gets bottlenecked. So that just kind of made me think, and it's something to think about over the weekend, as to how I can learn from what the developers do and

how they interface with the rest of the business. I think we've got somewhere through this in order to buy stuff. But then what I've noticed now, now I'm on, if you like, this side of the fence, I could throw stones and say I've got a real job and I used to be a consultant, but that's all just rubbish anyway because they're all real jobs, is just the hilarity of emails that come in trying to sell me things. They're brilliant. This one: I get an email from this chap, and fair play, he's trying to sell, I assume, what is quite a good solution. The email's very good:

"How many privileged accounts are active in your network right now?" Well, loads. "Privileged accounts are essential for day-to-day operations in all areas of IT. Attackers are aware of how important, how far-reaching privileged accounts can be. They are a golden ticket to compromise, allowing total control of all resources in a network." Well, no [ __ ] Sherlock. You know, we know this. The problem is the subject line: when I look at my email on a Monday morning and I see that, it's bloody terrifying. Does it work as a sales technique? No. That's the first time I've read his email; I might go back to him and say, look, actually, you know what, I took the piss out of you at a

conference, maybe we should meet. If you're in the room, talk to me afterwards. You need people. This is really, really, really obvious: businesses are populated by people, not processes. Again, obvious statement. The trick here is that you need to get the people doing what you want them to do, and that's very difficult, and I found that one of the hardest things in the move from consulting into client side. I think one of the reasons is that in consulting work there is a team of people who are tasked with a specific goal for a client; the deadlines are known, the team forms, and everybody, broadly speaking, is driven towards doing that one thing. So

getting people to do what I want them to do, or what the task leader wants them to do, is a relatively easy thing, because when it comes to review time in consulting firms it's all about did you keep the client happy, did you hit the deadlines, did the projects come in on budget, and so on. So there's a set of drivers sort of hanging over every project team in a consulting firm that are pushing them all in the same direction, and drivers are really important. But client side, if you like, in industry, there isn't a common set of drivers, because, you know, I work for a retailer. That means, and there's a blindingly obvious statement coming up, that

means we're not a security firm, so the drivers for the business are not necessarily about security, and the drivers for the board are not about security. Yes, they need to manage risk, but security to the board is another risk that they manage. In what we do, the key drivers are making profit, selling things in the stores, selling things online, keeping the shareholders happy, keeping the investors happy, that sort of thing. Those are the drivers that are coming in to the top of the company, and they spread out, and various teams, as I said, are driven by various different things. So I've talked about procurement and how their job is to keep the cost down; finance's job is to add up the numbers

and make sure we're hitting budget, and so on. But you also find in any organization that the real network is not what it says on paper, because when you're sort of dropped into a company, as I was two years ago, and I love my job, please don't get me wrong, I really, really enjoy it, it's excellent because it's hard, there are some people that have been in the job for 10 years, 20 years, 30 years. These are really good people, don't get me wrong, these are very, very good people. They're sort of, you know, family men, family women; they want to do a good job, they want to provide for their

children, they want to come to work, they want to do well. What they don't want is disruption, because it's terrifying, and I can understand this, because I've been disrupted in the past and it's not funny. They don't want this; they don't like change, not because they don't understand it, just because it's not what drives them. So you end up with a very, very, very tight, what's the word I'm looking for, effective informal org chart, where Bob, or no, Jim, who knows Mary, who knows Lisa, who knows Colleen, who knows George, can get something done. So something came up this morning actually, funnily enough. I've got a contractor working for me on my team; I've extended

his contract because I've brought him in using my security procurement route, not the standard way we bring contractors in. We had a little glitch this morning: I've extended his contract, which means his user account needs to also be extended, otherwise on Monday he can't log in, which means he can't do the stuff that I want him to do. HR, can we extend his contract? Yes, just go on to, I'm not going to say the name, just go on to the company that we use to bring all contractors in and they will trigger the process in order to get his user account extended. He didn't come in through that company. What do we do? And this is the

problem. So what I did is I used the informal org chart to get it done, so I'm now supporting the very thing that was working against me when I started, and this is tricky. This is really, really tricky to figure out how to deal with, and you have to sort of work with it and you have to sort of work against it, and hopefully at the end of the day something will happen. I like John Kotter quite a lot. He's written a lot of books on change, and I would sort of urge anyone here really to read Kotter. I'm assuming a large number of you will be aware of what he wrote. I think his

kind of seminal work, if you like, is a book called Leading Change, and it talks about the seven stages of change. In any book written by an American there has to be a number of stages that you go through, but to be fair it's quite a good way to break a problem down. I can't remember off the top of my head what all the stages are, but the key thing that always sticks in my mind is you have to articulate a vision of where you want to get to, and keep reiterating where you're trying to get to, otherwise people forget why you're trying to drive the change, they get bored, and they go

back to doing what they were always doing. He also talks about the fact that you have to get some early wins in, otherwise people don't see the change happening, and again they get bored and go back to doing what they always do. Trying to sort of make security be a thing in any organization is actually a massive change, so continually articulating what you're trying to attempt to do is pretty critical. So I kind of refer back to Mr Kotter quite a lot as a decent sort of guiding point, just to remind me that, because we're not a security company, 99% of people in the company forget about security within about 24 hours. So I have to keep

reiterating it, which is why awareness and culture is absolutely critical. I just really can't emphasize this enough. I'm a huge believer in the fact that human beings, I think, frankly, cause every security problem, which might sound slightly bizarre, but code is written by humans, so if the code's failing there's a human at the root of it; humans attack us, so it's humans. So changing the way that people think and the way that people behave around security is absolutely fundamental. I don't think, and without sounding pompous or anything, I don't think as a society we've got anywhere near understanding what digital actually means. Most people's mindset is nowhere near figuring out what we're

actually doing with all this digital technology. Things that I'm not here to talk about, but it might be fun: why do we have to connect everything together? I don't get it. Why does everything have to be connected? It's bizarre. Surely the best way of protecting massive pieces of data is to not connect them to the Internet if they don't need to be; if it's an internal system, why? You know, is the benefit really worth the risk? I do wonder if there's going to be a big push now to, you know, the digital disconnectors, let's call them: people who don't want their data kicking about in Cambridge Analytica or other companies, people that don't want massive online

databases that can be hacked that contain their personal data. I think there is. You know, maybe on the Gartner hype curve we're kind of at the peak of inflated expectations and we're sliding rapidly down into the trough of everything's being hacked and all our data is out on the Internet for free anyway, so why not just put it there? Let's just put my personal data on there and say there you go; make my job a lot easier. Politics kills anything, particularly in large business. I mean, it's political by nature. Again, this isn't a criticism, and I'm not going to go through any particular specific examples, but there are always senior-level politics in

any company, and one of the things I've learned over the last couple of years is sometimes you have to fight this. Again, this is all pretty obvious. I mean, really fight. Sometimes you have to give things away; you absolutely have to choose your battles. You can't push on all fronts in one go, and this is something I'm constantly sort of telling my team to do. Look, don't worry about that. Someone will say, I don't know, there's a load of paper lying about on people's desks and we've got a clear desk policy. OK, that's bad, obviously, but how much paper? Oh, about that much. How many records on that? A few hundred. OK, are you

really going to pick a fight with that guy in procurement who's leaving that stuff on his desk? Well, actually, really what you want him to do is buy database access management products so we can protect a million records in the databases, so let's just choose the debate we're going to have with him. Are we going to give him a kicking for something, at which point he's probably going to make our lives difficult? Now, I'm not having a pop at procurement, I like the guy, but I have to sort of advise my team: just be a bit careful what you're doing, because the person you're kicking today is going to be the person you really want

to help you tomorrow. This was something I sort of didn't expect at all. It's linked to the budgetary problem: it's just moral hazard all over the place. So moral hazard, basically, is sort of defined as making decisions that won't really affect you in the long term. So, for example, moral hazard, some of the banks, look out for it, it's effectively gambling with other people's money. In my environment it's a part of the business that is doing something, and I have this conversation quite regularly, and I'm saying that we've got to look at what we're doing from a security perspective. If we're going to, I don't know, put this new system in, open these

stores, whatever it is, we need to make sure that we do this in a secure way. Oh, but that's your job, Paul. I thought that we do it and then you come along and sort it out afterwards. No, no, that's not how it works. Oh, but we've already signed the contract. Ah. So I didn't see that contract, so I really don't know what you're doing, and it all looks, you know, reasonable, but I think there's going to be some holes in it, so we've got to come and sort it out. Well, that's your problem. Well, we're going to hit our revenue targets and our budgetary targets, so no problem. So

I'm trying to figure out a way, and I haven't got the answer yet, of putting some security targets or some security drivers in place to try and catch the things the business does that it just assumed that we're going to come along and sort out. Again, this is not a criticism; this is about sort of wholesale change in people's thinking, so that stuff is sort of baked in from the top: if we do this, we have to understand the risks inherent in doing it and we have to pay as necessary to mitigate the risk. The most common conversation, actually there's two really common conversations that I have. The first one is, we're doing this, and I'll be

sort of at a meeting talking about what the business is going to do, and I'll say, well, actually, broadly speaking it's going to cost X million quid or whatever to build security in. Well, that's what your budget's for, isn't it, Paul? No, my budget is there to do sort of operational security and effectively transformation across the piece. My budget isn't the pot to be robbed whenever the business wants to do anything in year, because I can't predict what it's going to do, so I couldn't possibly assemble a budget to do that at the start. My general response is: if the business wasn't going to do this, would we have to pay for security to secure it? If the

answer's no, then it's not my budget; it's got to come from the budget, the asset budget if you like. The second most common email I get is: Dear Paul, we really support what InfoSec are trying to do, and obviously we know that we've got to mitigate the risk and we've got to protect the business; however, my particular project is going to generate 10% incremental revenue in year and Y per cent, 5%, let's say, incremental profit in year, and it really has to go live on Monday. Your team have identified some problems with it and they're saying it can't go live. Can I have a security exception? No, you can't. You just can't. I used to get, they've calmed down a

bit now, because I think I've got across a lot of the business, but I used to get those sort of emails on about a bi-weekly basis, and if you start giving security exceptions to everything you sort of end up with a colander, and that's not a very good place to be. So the second thing I learned, and I've probably covered some of this in what I've been talking about already, is that getting stuff done is actually just really hard. There's no other way of putting it: it's just hard, because, as I said, I've probably covered some of these slides. The business does do dumb things, and this is exactly what I was talking about with

the theme, and I keep getting, the main one we get is: well, we have to keep the business running, so we can't shut this thing down to upgrade it or patch it. Well, we've got over that hurdle and now we can do that. The 15 million quid incremental revenue, as I said, I get those emails, not as often as I used to, but I used to get them a couple of times a month. Excuse me. The CEO has asked for this personally, that's a good one as well, I get that a lot. The CEO's asked for this personally; I'm sure in some sense he or she has, but actually what they haven't specifically asked for is to take liberties and take

risks, so in another very real sense he or she hasn't asked for this personally. Quite often it's very easy to get caught in a sort of escalation game, so I'll have my security analysts working with project managers, or doing whatever they do, and the project manager will write my analyst an email saying, well, you know, we're going to have to try harder to get this live on next Wednesday because [insert name of very senior director here] needs to see this live and is going to be very annoyed at you if it doesn't happen. I've told my guys just to escalate that straight up the chain if it happens. We have a process where we sort of risk assess things. This

is nothing particularly rocket science, see: we have a process where there's a risk assessment at the start of a project, and if we get those kind of emails and people saying, well, we're going to have to have a security exception, we write back and say, that's fine, let's just have a half-hour chat about it, and we put the risk assessment in front of them. So, well, these are the risks that we've identified and these are the controls that we need to put in place. And one of the sort of first things I did was put in place a whole sort of, you know, risk governance piece with

what grade of person can sign off which type of risk. So we put the risk assessment in front of the project manager and say, that's fine, you know, it's our job to advise and guide on security, and in this instance we recommend strongly that you put these controls in place, otherwise you're taking a risk. It's not my job to decide what risks the business should take; that's the job of directors and the board and so on. So we say to the project manager, well, here's the risk assessment; as you can see, these are the risks, we're recommending you mitigate them, if you don't want to, that's absolutely fine, but as per the

guidance here, you're going to have to get sign-off from the ExCo or from the PLC board. So, you know, I'm happy to come in front of the board with you and support you and say this is my opinion and this is what you're asking to do, and we'll see if the board makes the decision. OK, Paul, I'll tell you what, let's put half an hour in tomorrow and have another chat about this. OK, magic. Tomorrow comes. Hey Paul, yeah, I found some more budget and we can deploy these controls. Yeah, we recommend you get them in by Wednesday. Easy. It's about getting the decision-making in the right place, and, you know, I think of

it as a sort of common point of ancestry in the org chart: who is the right person to make the security-risk-versus-gain-for-the-business decision? We've tried to identify those people and push the process so that when the project manager is trying to take liberties they know they're going to have to go and ask someone and explain why they want to take a risk and possibly expose the business. The last one on this is: we've done it that way before. It's just, you know, we'll all know this one, it's really, really hackneyed. One of the things we're trying to do, as a strategic goal, if you like, for security,

is to not do anything that would downgrade our security, OK? So you kind of incrementally improve, so if we replace something with something else we make sure that something else is going to be more secure, which does cause a few ructions, and quite often we just get the thing: well, you know, Bob's doing it like that over there. Well, that's fine, but if he was slapping himself in the face every morning for half an hour, would you just do the same? Well, crack on. Or, well, that's the way we've always done it. But surely that's the absolute reason not to do it that way, because that's the problem, and that's kind of why I'm here,

and that's why I've spent the last year trying to fight and get a budget and do something to sort this out. So, if you like, they're the kind of four key reasons that people come to me with as to why they don't want to do security. We are slowly winning; I'm not suggesting that we're not. This was the one that, as an ex-pen tester, and this next sort of little section is quite pen-testy, because I love pen tests and it's great, actually, it's just brilliant: vulnerabilities, how do they actually get fixed? When I was a pen tester you'd do a pen test, so my pen test

vintage is, you know, if we kind of wind the clock back about 17 years, year 2000, 2001, 2002, and give me the Unicode standard and I could probably hack an IIS 4 box. And I did buy the Unicode standard back in the day; it was a riveting read, but it actually does go a long way. If anyone here, and there's a lot of young people, I'm now old and grey, I'd urge you to read the stuff about what Microsoft did when they were solving the Unicode vulnerabilities, because it was a very, very good tale of not fixing the root cause, when you get into the kind of double-decode vulnerabilities and things like that.

Anyway, vulnerabilities get fixed by IT people, OK? That's fairly self-evident. I used to put a pen test report in: here's a bunch of things that need to be fixed. Go back six months later, do another pen test: ah, hang on a minute, this kind of looks pretty similar to where we were six months ago. I'm sure the situation is a lot better now, but I know it's not completely solved. IT people have to fix vulnerabilities; you have to put it in the queue, the IT demand queue, to get something fixed, which is not necessarily the right way, because the problem with IT people is they're generally quite busy wondering why something's gone offline. So you think,

OK, let's just look at fixing the really critical stuff, because that's the bit that we have to deal with, absolutely. The mediums and the lows, fine, we'll put them on the pile and we'll get round to those, but I'm really worried about the super-critical stuff. But IT people are really busy; they always are. But the thing that I've learnt as well, actually, is that the digital economy is not really that digital, to be honest. It's held together by a bunch of people sat in rooms looking at massive screens waiting for a red light to come on somewhere and then frantically fixing it. That's how digital works. It doesn't work by being digital; it

works by people who are drinking a lot of coffee. So a better question to start asking is: how fast are we fixing the critical vulnerabilities? This is something where we've simply had to inject more pace into what we're doing, and I think this is something that, when I speak to other sort of people in my position, we all wrestle with: how to get the stuff done really, really fast, because if we're not careful we get caught in queues of change requests and IT demand and all that sort of thing. So, coming back to the point I made about agile, I'm trying to start adopting a more agile approach to fixing critical

vulnerabilities, with sort of squads of people who are going to fix stuff and people who are going to find the problems and so on, and trying to sort of learn from what the software development community have done in order to just inject pace into things. But this means we sort of have to go around change request queues, which does make life a little bit difficult, because there are certain things that we need to inform IT that we're doing; we simply can't go in and mess with the stuff, because it'll probably break something. So this is quite a difficult one to crack. I'd like to get the critical fix time down to about 24

hours, on the basis that if it was internet-facing and an apprentice has hacked it, then probably someone else has, and that's really quite terrifying. The other piece I sort of had to learn a lot about was how penetration tests actually happen when you're on this side of the fence. Once you've gone through procurement, and we refreshed our pen test suppliers, we've got a sort of mechanism where we have four suppliers and we allocate work and so on and so forth, but then I had to deal with the absurdity, and it is an absurdity, of raising a change request when I wanted to do a pen test of our internet-facing systems, which honestly, I banged my head on the

desk or now and that was just bonkers you know and this is basically what I say and this is actually what I'm going to start distributing around the business now I think because why do I have to race a change request to do what many people are doing to our systems anyway I just don't get it there's so many arguments if I do a pen test and the pen tester knocks it over at least we knocked it over and we can hopefully get it back off having said that I have a good degree of sympathy for the IT people buried as they are under racks of spaghetti and why they want to know what I'm doing and when I'm testing the

systems and this is sort of my plea if you like to the pen testers amongst you and how you can help people like me and how you can help people in my team and a key one sort of with regards to change requests and the raising thereof before I do a pen test is number seven and I can't stress this enough you've got to make us really comfortable that you're not going to cause a p1 outage okay because in IT world yeah there's security high priority obviously there's also system outage high priority there's there's a problem with the re-platforming over the weekend in another company I'm sure you saw it on the news they are having a devil's job

with their new platform, and they absolutely have my sympathy; it's a horrendous position they're in. System outages these days are huge, and in fact, as I'm sure you're aware, the GDPR is now shining a real spotlight on availability of data, and there are going to be some fairly meaty fines for companies whose kit falls over, which, you know, arguably on my side of the fence is going to make IT even more itchy about getting pen testers in, because there's going to have to be a balancing decision about whether it's worse to knock something over for two hours or lose a little bit of data. I don't know. I think this is going to be thrashed out

in the courts for quite a long time to come; a nice second career as a lawyer in this field would be quite lucrative. So, pen testers, please engage with our incident response processes, engage with our service management processes, understand how they work, and understand, you know, that if you're testing something and you're, I don't know, fuzzing the hell out of something and the site suddenly becomes a bit laggy, and you think, crap, what have I done, don't just hit Escape and Ctrl-C and stop what you're doing and then say nothing. Tell us, right, please, because at that point we've got guys in an ops war room going oh god, what's happened, trying to

find the problem. And then what happens is they find the problem and they track the IP that it's coming from, and they come to my team thundering, literally, saying your pen test has just knocked over the site. But this process could take three hours of fault-finding, whereas if you just phone us up and say look, this might give you a bit of a problem, we can fix it really fast, and it makes my case for doing pen testing that much easier. You know things are going to go wrong, particularly on internet-facing systems, and, as I said, with system outages arguably being as bad as data losses, potentially, going forward, we need

to know what's going to make the site laggy. I'm not going to go through all of the rest of these; I'll just pick out a couple of really key ones. Consistency with titles of findings: I would like to see consistency across the whole of the pen testing industry. I know you do CVE references and things like that, and that's all fine, but even just the way that the things are worded. So we can get the same company testing the same system, finding the same vulnerability, and calling it two fairly different things. Now, on my team we understand that they're the same, because we're in the subject domain; when we take them to IT

we then have to explain that these things they're seeing that look different are actually the same, and that just takes time, which kind of goes counter to my concept of reducing fix time for critical vulnerabilities. So anything that requires a level of discussion wastes time. And one thing I think I've observed after a length of time in security is that sometimes we can be a bit rubbish at explaining what we do to other people. We get too technical, we use too much jargon; most people don't care, they just want it fixed. So I think there's got to be a sort of industry-wide effort to bring a lot more consistency and make us

easier to engage with.

Number six I want to just comment on quickly. When we get a pen test report, the executive summary, yes, interesting, but straight to the table: here's the red ones, here's the yellow ones, IT, fix them, that's it. We don't necessarily read all of the reams of descriptions of vulnerabilities, because in the main we're finding the same types of vulnerabilities many times. There has to be a better way of distributing findings. I know in some companies the pen test findings go straight into a demand queue and it raises a ticket straight away to get it fixed. Not all companies are as sophisticated as that, but there are opportunities, and money to be made, for pen test incumbents to come in to the client and help us

build a process end-to-end that deals with this. The last one I think is really critical, no pun intended: we need to be really clear about what constitutes a critical finding. I have a guy on my side who upgrades quite a lot of findings in pen test reports when he receives them and downgrades a load of others. We're trying to get our suppliers to come and work with us to put together a consistent way of rating findings, and I would like to get them in and brief them on the business and on what, for us, actually constitutes something that's really going to hurt us, because there's not always a direct match from

what's in the pen test report to what we consider to be a significant risk. And the worry here is not necessarily things being overrated, although that obviously takes time when we fix stuff that possibly we don't need to, if that's a reasonably true statement; the worst one is actually when there are findings that are underrated and as a result are not necessarily going to get fixed as fast as we need them to get fixed. I guess what I'm saying here is also try not to cry wolf too much, because IT don't like that; they have enough to do keeping everything up and running. So I have to be really careful as to what I raise as

a critical finding and, if you like, how loud I sound the klaxon. And there is a real balancing act here in terms of keeping the business, should we say, alert enough to the problems, or keep raising the alarm and get into the trap of crying wolf, so that when something really does happen no one's actually listening. So on the communication point, and this is particularly when talking to senior folk in the business, something I had from John Kotter again: something that addresses people's anxieties. So a pen test report is a list of anxieties, and it talks in big technical jargon about how to address those, but they're not necessarily understandable to a lot

of people. And what makes, if you like, these lay people, people who are not in security but who are very clever people and very senior in businesses anyway, what makes them more anxious than anything is knowing there's something they should be anxious about but not understanding it enough to understand how anxious they should be. That makes them more anxious and leads to me and my team trying to explain what this actually means. So we just simply have to get a lot better, I think, as an industry at explaining exactly what we do. Findings have also got to be credible. A lot of business management, there is a lot of

gut involved in it, because a lot of it is making decisions based on risk and uncertainty, which by definition is not a deterministic process. You have to effectively place your bet and hope that things go the way that you predicted they would, which is gut. And sometimes, I think, as we are very technical people (I'm a lot less than I used to be, but I still have technical personality traits), things that don't fit into nice compartments scare me, but I'm having to talk to people whose things don't fit in those compartments and figure out a way to sort of make that interface work. I was consulting for 20 years; I'm sure I

had some really good ideas, but things are just very difficult to implement. I'm not going to say a lot more than what's on that, because I've kind of talked about it for the last 20 minutes, but this is really critical. I think there needs to be a lot more support sometimes in actually getting things done, rather than just raising a list of things that need to be fixed. You know, quite often you can get to a point where the last thing I need is a little list of things to be fixed; you can show us how. And if I don't need another list of things to be fixed, how about IT? They need it even less. This is obvious, right, but I

work in retail, and that's the biggest threat I have. That is the biggest threat I have: Christmas. Okay, Black Friday; who invented Black Friday? I mean, really, we have to run with an order of magnitude more capacity through Black Friday and Christmas than we do for the rest of the year. If any of you have seen Spinal Tap (surely some people are old enough to have seen Spinal Tap), with the guitar: don't look at it, don't even breathe on it. You know, that's what IT is like over Christmas. So here's how the maths works, right: we have to have enough capacity to sell as much stuff as

we're going to sell online as we go through Christmas. Christmas, from Black Friday through to, broadly speaking, the back end of the January sales, is our busiest time; it is in every retailer. Black Friday, incidentally, is called Black Friday because traditionally in the US it was the day when retail accounts went into the black, okay. So it's massive; Christmas is massive. The whole of the year is about preparing for Christmas, so we have to trade through with enough capacity to get things working to their peak. So if we predict how many people are going to buy stuff, and yada yada yada, and then buy just enough capacity to serve that, if we have ten percent spare capacity

that's ten percent wasted money: that's CPU we don't need, that's memory we don't need, that's network bandwidth we don't need, that's stuff we don't need. So IT do a lot of work trying to predict exactly how much capacity we're going to need, and then (and this is the bit that was immediately quite new to me) there's a lot of load testing beforehand; they would literally thrash the hell out of the websites with load tests to see which part of the whole chain falls over. Is it the load balancers, is it the firewalls, is it the front end, or whatever? Right, that's at 100% CPU here and the rest of it's running at 50%;

that's unbalanced, that's wrong. So literally everything in the whole e-commerce pipe is thrashing away at ninety percent through Christmas, so I can't get any changes done. And when I have, let's say, an urgent need for a pen test in October, then I really do have an urgent need for a pen test, and it can't wait until December; I can't do it then. And that means we're trading through Christmas with an uncertainty, which is not a good thing. This is Christmas; it's great, actually, in retail, it's genuinely really exciting because of all the work you have to do to make all this stuff actually hold together. But I will implore you to kind of know your client and understand what

their business cycles look like. Other sectors in retail: Easter, the DIY sector, that's their biggest piece, not Christmas, it's over Easter; everyone's going out and, you know, mowing the lawn and, like I did, buying some barbecue cleaner and buying some steak and ham for the barbecue. Isn't it obligatory in any talk or a conference like this, you've got to have Anonymous, you've got to have a hoodie, you've got to have Mr. Robot, who thought series one was great but series two lost the plot. I got to episode three on series two and gave up; if anyone comes and says actually it gets better after that, like Breaking Bad did in series two, then let me know, and

War Games, which, you know, how about a nice game of chess? This is a really good book, actually; no, you must be aware of this, I'm sure you are, I'm sure it's shown every year here, but please read this, it's still really good, it's still relevant. It's all really old Unix stuff, and rattling keys on bare wires to disrupt the attack, which is an interesting thing, because if anyone has read Lockheed Martin's intelligence-led network defense, disrupting attacks is a good thing and is a strategic decision. I wouldn't rattle keys on the racks anymore, that would annoy IT, but it's definitely worth having a read of that

book, I think, and then you can read his second book, called Silicon Snake Oil, and laugh at how wrong his predictions were, but then think, hang on a minute, we're about to fall into the trough of disillusionment of digital; maybe Cliff was right all along. "We're starting to circle in on our upcoming London dinner": this was another sales email, I just really like that, starting to circle in on our upcoming London dinner. I also learnt that perception is fact: the board are absolutely listening. Please, consultants, don't come and say to me how I can get your board interested in cyber; they are, they really are, and they are genuinely worried about it, absolutely. And the reason they're so

worried, as I said, is because they don't know how worried to be. I probably covered a lot of this in my rambling just now, but then we've got to be able to articulate it properly. We have to have a consistent way of talking to the board. This is critical for one reason; I wouldn't say one simple reason alone. One reason is a lot of boards of large companies, the directors and the non-exec directors, you know, have chairmanships and roles in other companies, so they'll go to company A and the CISO or whoever will kind of present what they think the risks are around cybersecurity in a format that to them makes sense,

and, to be fair, in a format that over time they've discussed with the board as the best way to present it and the way that the board can consume. And then, you know, the chairman of the board of that company will go and take up his non-exec director role on the audit committee of another company and have some papers talking about cybersecurity risks in a completely different way, so he or she just simply doesn't know what they're supposed to be reading and what they're supposed to be taking away from it. One of the things I sort of talk to people in my position about is how we get to a point where we can actually report in a

consistent way. If you're an accountant, you have to write the accounts and audit the accounts according to GAAP, which is the Generally Accepted Accounting Principles, I think; any auditors, shout if that's wrong. We sort of need the generally accepted principles for explaining information security risk. It's not really as mature as GAAP, is it, but we need something where there is a standardized way of reporting this, and also accountability, so that there is a sort of equivalent to an audit partner, for example in a Big Four firm, that signs the accounts off and says these are a true and accurate representation of (whatever the wording is) the state of the company at the point in time at which I

signed these accounts off. There needs to be an equivalent, I think, for the way that we deal with infosec. I think as an industry we've done a really, really good job figuring this stuff out as we've gone along, and now is the time when, if we're going to be absolutely taken seriously in the boardroom, we have to professionalize ourselves and we have to be consistent and we have to hold ourselves to account in the same way the accounting profession does. And actually the accounting profession, the legal profession, architects, engineers, nurses, doctors, pilots, anyone in a position of responsibility in any other industry has professional credentials that they can be stripped of if they misrepresent

something. It doesn't mean that the FD gets stripped of his credentials if the company goes under; that's not what it means. What it means is that if it goes under and he's misrepresented the facts, he's probably got a problem. I don't think we hold ourselves to account in anywhere near the same way, and I think we need to. We write things like this, and apologies to the companies here, I'm sure these are all pretty good pieces of research: share prices drop an average of 5% when a data breach is disclosed; share prices fall by an average of 1.8% on a permanent basis following a severe breach; stocks on average suffer an immediate decrease in

share price following a breach of 0.43%; in the long term share prices continue to rise on average, but at a much slower pace. Now, can anyone tell me by how much the share price drops on average six months after notification to the Information Commissioner? Can't find out from that. So what can I say to the board? Well, there's some research that says probably somewhere between 0.43 and 5%, over an indeterminate length of time, your shares might drop, but actually they'll continue to rise anyway, but at a slower pace compared to something I don't know about. Remember John Kotter: how does this address the board's anxieties? As credible as they might be in and of themselves, there's a

mess of reports. Is that credible? As an industry, is that credible? The last thing we'll talk about is the media and their breach stories. Brilliant, right: it's cyber, it's digital, it's exciting, it's hackers, it's North Korea, it's Russia, it's brilliant; the FT love it and the BBC love it. But it's a really, really febrile atmosphere, and in the scale of breaches, sometimes a company hasn't done what they should have done, absolutely, the control environment is not in place; sometimes they have done all of that and they get hacked anyway and there's a massive breach. And there's one simple reason why this is, and you know this

better than anybody: the adversaries have a mission objective and they won't stop until they achieve it, so by definition they are going to get there in the end. And this is something I think is going to take a while to sink into the public consciousness, and for the media to kind of understand the nuance in this, but at the moment the atmosphere is so febrile that, and this really relates back to my crying wolf point, it's very, very easy to cause emotion right at the very point when emotion is the absolute last thing you need. If you think about the airline industry, clearly there's emotion when an aircraft goes down; obviously it's a

tragic event. But what happens then is there is the air traffic investigation board, or I can't recall what they're called; they come in as an independent entity and they figure out what happened, and they don't stop until they get to the absolute root cause of what happened in that accident. It's not investigated by the aircraft manufacturer or the airline; rather, it's investigated by an independent entity that has (what's the word I'm looking for? Teeth is the wrong word) the right powers to demand things are provided to it and to work through it, and as much time as it needs to actually get to the root cause of the problem. And then they have

the powers to order the airline manufacturers, or sorry, aircraft manufacturers, or airlines or whoever to put in place the remedial actions, and they actually try and figure out genuinely what went wrong. They don't just sort of guess at it a bit and say well, there's a few things in ISO 27001 that were amber and not green and therefore that must be the problem; it's probably not the problem. And I think we've just got to get a lot more science around the way that we deal with breaches and the way that we allocate, if you like, blame and cause. This slide's broken, which is slightly irritating; that's supposed

to be a slide showing the number of data breaches from 2005 to 2017 just increasing like this. And this is the sort of thing that someone in the industry put on LinkedIn: the number of data breaches from 2005 to 2017 has increased markedly. Well, you know, the slide doesn't work so well because it's broken, but I wanted to show a comparison, so the picture on the left should look very similar, if not identical, to the picture on the right: the number of Internet users has gone up too between 2005 and 2017. So simply saying the number of breaches has gone up from 2005 to 2017 doesn't really tell us anything. What if you control the size of breaches,

or the cost of breaches or whatever, for the number of people on the internet or the number of devices connected to the Internet, and then have a look and see what breaches are doing? I don't know, but we need to have some clever people doing things with data and actually trying to figure stuff out. So I think there needs to be much better education of the public, in a way that they can consume, so that they can understand sort of what digital security is all about.

And this is a big problem. I think people are starting to understand what fake news is; I remember talking to people a year or so ago about Russian troll farms and this sort of thing, and now it's in the media and people sort of get it. It's difficult to know how to conclude this part, from Donald Trump, obviously, you know this, let's move on. This was the best sales approach I had, and I will sort of finish here; it didn't work, but it's the best one: "Hey Paul, how's you? Could you give a quick call, and if so, when? What number's best for you?" Yes, brilliant. So I think, to sum up, what I've

learned over the past couple of years, in many ways, is that the role of the CISO is to represent security to the business and represent the business to security. So one thing I've sort of figured out is that I'm pretty much always devil's advocate in any room I sit in: if I'm sitting with the business, I'm arguing as to why we need to do more security and why we need to manage the risk; if I'm sitting with my security guys, I'm arguing why the business can't just turn off the website on the 24th of December and that we're going to have to trade through. That was me. Thank you. Questions?

[Applause]