
Right, I was told someone was going to be doing introductions, but I can't see them, so I'll do it. Uh, I'm James Bore. I tend to overthink things. Sometimes I do security stuff, and other times I experiment with talks to see what on Earth big sites will let me get away with. This is one of those times. So: business, secure business, philosophy or security, not the other way around. Now, what do we actually mean when we talk about stuff? Really simple question. If you have any challenges, any heckles, any feedback, anything you want to ask or do to a query as I'm talking, just shout it out. Go for it.

This guy is Socrates. Socrates was a Greek philosopher, ancient Greek philosopher. Uh, he was also the most annoying man in Athens, and he was so annoying that he was forced to drink poison. He was executed for asking too many questions, and too many simple questions where everyone knows the answer, like: what is truth? What is art? So basically he was executed for being a toddler. He was also asking some really important questions, because it wasn't that he didn't understand what those things were, it was just he didn't understand how you get to the conclusion that that's what they are. Everyone can point at something and say that's art or that isn't art. Sometimes they'll disagree, but no one can give you an objective measure for exactly what it is. And I promise you this is relevant to business and security.

So, in that line: what is a business? Anyone? Helps if this is interactive, by the way. There are no wrong answers or right answers. Money-making venture? Yeah, I mean, normal definition is: it is an entity which is engaged in industrial, professional or commercial activities. It is usually taken to be a money-making venture, and whether... if you think of something like a non-profit, that is still a business. So I tend to go with the argument that a business is an entity which is engaged in any of those three types of activities and has a purpose that it is trying to achieve, because that covers charities as well.
That's an organization. A business can be one person or it can be thousands. The process is everything else; that's the organization, that's the government structure. So there we go, we've got a business: entity engaged in industrial, professional and/or commercial activities in order to achieve a goal.

What is safety? Also, again, I promise, relevant. Really, this is that dialogue piece again. Anyone? What's safety? Safety is about prevention of hazards, environmental arts or environmentally caused harms, and it's about controlling those. Brilliant. When we're talking about safety, the harms, the hazards, they are static. They do not adapt, they do not change. Yes, I know there's arguments with things like fire and so on, if it doesn't adapt it just gets bigger until it stops.

So what about security? What's the key difference between safety... there may be a hint up there. Security is when there is an active, autonomous threat attempting to cause harm. The key thing there is that there is a person. Unless you're believing some of the nonsense about AI, or you think the UFO thing is real, we can call it a human being pretty much all of the time. But security is about threats, not hazards. Now, what we often refer to as vulnerabilities would be considered hazards by safety. We've got things actively trying to exploit those, which are threats, whereas in safety it's more a case of: there's a big hole in the floor, that is a vulnerability, and someone's going to fall down it. People exploit themselves. We do get some of that in security, but... thank you.

Okay, all good so far. So we have business, safety, security. Important questions answered. Everyone's confident that we know exactly what security is, what safety is, what business is? No further questions? Right, we're going to take a quick segue into axioms. So axioms are something you will come across in mathematics and in philosophy. The key thing about axioms is, whichever system you are discussing them in, it will be founded on some, and you cannot prove them within that system. You
simply have to accept them as fact to make it a useful model. The whole point of this is to introduce you to some weird model stuff that you might then take away and spend... if I'm really lucky, one of you will be up until 4am tonight just thinking: what does it really mean? So the axioms here that we're working with are that businesses are that entity, and that security is about prevention of harm from threats. Really simple.

So, business questions. What do we really know about business? Is profit seeking required? What, do they have to be seeking money? We've got the non-profits, we've got charities. Do they have to work with money? Do they... money may be involved. Commodity? Commodity of some kind? A commodity of some kind, yeah. So it could be barter, it could be favor trading, it could be anything else. Cottage industry used to be basically favor trading between cottages next to each other, and then we went and commercialized it and industrialized it and spoiled the entire fabric of society. But profit seeking is not required. We don't have to build up a huge pile of money to call it a business. We don't even have to be trying to get money; in fact we may be giving money away.

So if it's not profit, what is the purpose of it? What is the one purpose that will define all businesses? No, there were temporary businesses. I mean, there's the gift shops that pop up at Christmas for two weeks and then vanish. They define their own purpose. A business has to have a purpose. It might be to make a lot of money, it might be to change the world, it might be for some charitable cause, it might be to make a lot of money using ransomware. They're still businesses, they're just not legal. But there has to be a sense of purpose to a business. They get to define what that is, or we do if we are the business. That is the key thing: that there is a purpose. It's not just existing for the sake of existence; that would be a bank.

Now, when we're talking about businesses, often we're talking about companies, so shifting
perspective slightly, I'm going to cut out all of the tiny little partnerships and the one-man bands, because it gets too complicated to try and include them, because there's not the same laws that govern them. In the UK, the directors of a business are the ones who shockingly give them the name this direction. They are the ones who can make binding choices, they are the ones who can sign contracts, they are the ones who get to dictate the overall strategy. If there's one director, they are fully in charge; if there's more, then they'll share responsibility or they might have specific areas.

So here's a question for you: do shareholders own business? Yes, the shareholders own the capital business, so they own all of the property, all of the stock, all of the intellectual property, everything else, but the only power they have in terms of deciding the direction of the business is to appoint directors to represent them. So, given that shareholders appoint directors, what do you believe the primary duty of directors is? Throughout the history show... and that's a very common misconception, and that's what leads to things like the States.

Now, in the UK at least, it is explicitly called out in law and in guidance that directors are to act in the interests of the business and all its members, and all its members includes themselves, it includes employees, it may include customers, it may include clients, it could include third parties, vendors and others. So it's everyone who has a stake in that business, and it is explicitly called out that they are not solely to act in the interests of the shareholders. How effective that is is a different question. That does also apply in the States; it's less explicit and it's generally seen more as an archaic holdover from the time when businesses had ethics. But the exact wording, so I have it here: the duty requires a director to act in the way he or she considers, in good faith, would be most likely to promote the success of the company for the benefit of its members as a
whole. Yeah, so it's not the shareholders; it's to achieve the purposes of the company. They are there for the company. They are not there to represent any single stakeholder, other than in achieving that purpose. Right, we've got business covered, everyone's mastered it.

Now, what do we mean when we say things about security? Is security a business enabler? This is a nice fashionable term that's been going around now for years. So is it a business enabler? Can it... a business enabler is something that enables business. Without it, business doesn't happen. So without security, business will still happen, possibly not for long, but it's not an ultimate requirement. If you've got strategies you're trying to optimize, yeah, it will enable specific strategies, but it's not a business enabler in and of itself. It is a tool for the business. It can be a point of competitive advantage; again, that's not a business enabler, that's a competitive advantage. If something enables something, it makes it possible; if it disables it, it makes it impossible. It's a very binary state. So it could be a business accelerator, a business improvement, an advantage, but the term enabler suggests it's required for a business, and it's not. It's helpful, it's good to have, it's a competitive advantage. It's also a constraint, in the same way as safety.

I think that's a security company... the regulatory is necessary to do business? I mean, regulatory requirements get broken all the time, so I would say yes, regulatory is required, but that again doesn't make it an enabler, unless you're saying, uh, financially, yeah, FCA regulated and they take the license away, in which case you may just do what Finance have done and carry on unlicensed. But yeah, there are advantages. It is, I would say, vital to a business, but it's also not an enabler. It is a constraint, in the same way that, building a playground, you have safety constraints, and we'll get to that. So remember, it's applying structure around the business, it's putting limits on it. It's not actually enabling it
to grow beyond those deliberately.

So now, which of these two buildings is more secure? It's not a trick question, I promise. So they come down to their threats in your face... it does come down to the threats that you're facing. Say they're facing the same threat, um, an army. Which one's more secure? What's up? You could pick up and move the tent. Fine, you're too lazy to move the tent. Which one's... I'm going to argue that if you're an army there's lots of places... so it's pretty clear which is not secure, yeah. Now, if you didn't know the threats and you just knew there was a person living in each one, which person is more secure? I asked this on LinkedIn. They were interesting arguments. Freer to act without worrying about security, without worrying about all of those constraints. Applying more controls, applying more constraints, suggests that you are insecure. It's necessary to improve your security, but being secure is not the same thing as applying more security.

I know this is a bit weird. Like I said, this is experimental. I expect heckles. You have got the option of trying to force hemlock on me at the end. But really it comes down to: what is it that we mean by secure? So when we're talking about the building, we are talking about how well it's protected from a threat, whichever threat we happen to choose. When we're talking about the people, we're often talking more about their freedom to act. Now, companies are legal entities. They are entities which have freedom to act in various ways. So a more secure company should be able to act more freely without fear of harm, because that's what it comes down to. You can do that by building your castle around it, and that's fine, and they can feel very secure in that castle, but you have to recognize that that is applying constraints, which constrains that freedom to act, which is what they exist for. It is a trade-off. It's a lovely paradox, catch-22. If anyone solves it, let me know. Go to the doctor, you'll have great fun. I haven't done a doctorate because I've
not answered that question yet.

Right, so we're safe if we have freedom to act without fear of unintended consequence of our own actions. So we don't want unintended, unanticipated consequences. Because there is a concrete flooring playground, that would be bad, that would be unsafe, because then if we trip over because we're running too fast we get a skinned knee, everyone gets upset because they're screaming and crying, blood everywhere. Security, similar: we are secure when we can act freely without fear of the negative consequences of other people's actions upon us or upon our organizations. You're allowed to walk you in debate, I welcome it. Is... yeah. Yeah, I've got a whole other one with that, but I'm going to a different country to deliver it.

Right, so an answer then, or something close enough, because I needed to come to some sort of conclusion on this vague philosophical rambling. We are secure if we have the freedom to act without unanticipated consequences of other people's actions impinging negatively upon us beyond the level that we can sustain. So we are secure if we have freedom to act without the consequences of other people's malicious or negligent actions negatively impinging upon us. That is my definition for security. I am desperately trying to find a better one. So far I haven't. That doesn't mean there isn't one; it means I have spent far too long thinking about this and giving myself a headache, and I need more input. But if anyone has ideas, please let me know.

So security for a business, then, is about resolving uncertainty, because other people's actions can only impinge upon us negatively if we can't anticipate them. So security is about closing down that uncertainty, that lack of knowledge about what will happen. We can do that in some cases by looking at vulnerabilities, looking at holes, and applying controls which will affect any attempt to exploit them, because only those vulnerabilities are in our control. The threats themselves aren't, because we can't even see them. This is why
management of vulnerabilities is really important, because management of threats, unless you're a government and have armies or legal systems or police forces, isn't really possible. So thank you. I'm hoping you've enjoyed the rambling. Um, if you do want me to drink hemlock after that, then there will be a poll or something; I'll ask the organizers to set something up. Questions, debate, arguments?

Your technician at the end of that this sentence... Welcome to my last two years of trying to figure this out. The answer to me is, we've got... yeah, the known unknowns are something that we can anticipate, we can put controls in against. The unknown unknowns, they're a problem, they're Black Swan events, there's nothing we can do. Same applies to safety. You know, there's a reason we have safety rules, and it's because there used to be a lot of unknown unknowns. And I'm not talking about concrete and playgrounds, I'm talking about storing radioactive material where you've been told not to store too much of it together, in two separate rooms separated by a stud wall. That was an unknown unknown until a physicist walked in there and went, oh dear God, no. So the unknown unknowns are unknown, which means we'll find out about them, and hopefully the first people to find out about them will survive and tell everyone else, so everyone else can go, yeah, we don't want that again. The known unknowns we can deal with. The known knowns are even better. Uh, the unknowns are the ones where I think there's a real problem, because that's where it's implicit in the organization; everyone accepts it, everyone just says, oh, this is how it is, rather than going, I need to think about that. Ransomware's an example: ransomware just happens for a lot of people, and that's a real problem.

Any other questions? I like your analogy of comparing your security to safety years ago, nowadays too... Not great. So security itself is a wider discipline, and there are areas of it which are much more mature than cyber security. There are also areas which are
somewhere between us and health and safety. So I think there is progress in the right direction, if only for the same reason as safety, that there's a Darwinian effect, where if you don't wear the hard hat on the work site you aren't going to live long enough to pass on that practice. But that does apply to security as well: businesses which do not get to the right level of security, whatever that might be for them, aren't going to become extinct, so inevitably we will move in the right direction, unless we all die. But it has to head the right way, it can't not. The issue is regulation and the speed of technology, so there's going to have to be something, either other than regulation that deals with it, or a change in the way that we regulate, I think.

Oh, we have nearly lunch time. Well, a big thing: feed the toddler. Ask loads of stupid questions, because people don't know what they think they know. You know, if you ask someone, are you secure enough, and they say yes, then they're lying. If you ask them what security is and they give you a nice try answer like I just did, they're probably wrong. It means they've not understood. More... just question. Thank you.