Friday, June 17, 2016

My talk at US Consulate about Cyber Security and Agile Development

I had a talk at the United States (US) Consulate in Amsterdam last Tuesday (June 14, 2016) on a Cyber Security v. Agile eCommerce event. Companies like SBS Broadcasting, KLM, ION-IP, WhiteHat Security, Bureau Brandeis, Isatis Group and many more attended this event. I was asked by ION-IP to speak at this event and, of course, I immediately said yes!

Before I say something about my talk, let me first start with the US Consulate itself. This was a very nice and new experience for me, especially from a Security perspective because it has airport-tight Security levels. First of all, I needed to get a personal invite the Commercial Specialist of the US Commercial Service of the consulate itself (besides the invite by ION-IP and WhiteHat Security). No invite from the consulate itself means no access. For obvious reasons I had to show my passport (driver’s license was also possible) and had to turn over all my electronic devices.
US Consulate in Amsterdam - Source: Wikipedia
Thinking to be efficient, I had already switched of my phone, but I had to turn it on again. The reason for this was so they could see it was actually a phone. Then it was tested for drugs and explosive substances, and then I had to switch it off again and turn it over. I decided to not bring my smartwatch, because that would have been submitted also. The next step was to walk through a detector and, thankfully, I had to only take of my belt and no other clothing. We were then escorted by an employee towards to meeting room (through a couple of locked doors). We also could not leave the building without an employee present.

My talk was about Security Awareness and why we should stop it, or at least have the ambition to make it obsolete. This is obviously a statement to make the audience think about the value of Security Awareness and when and when not to invest in it. When looking to the organization I work for I see that the most value comes from Security Awareness on the level where change is done. Whether it is IT, HR or the Legal department, everywhere there can be made a change there can be made a difference. Obviously the Security Awareness in every department is for the most part completely different.

I ended with my talk with an advice that Security Awareness for IT departments should focus on automation. The more you automate, the more predictable and agile you will become. And when you are agile, you can even become anti-fragile. Every time an IT-department consider training users on Security, we should first ask ourselves if we can make our technology better. If not, then we need to question if we can make our policies, procedures and baselines better. And then, and only then, we can start training users. Because leaning on awareness for security, is leaning on the weakest link in the chain of security, the humans.

And again, for Security Awareness in general, focus it at the places where changes are done in order to really make a difference!

If you want to read more about my point-of-view concerning awareness, read these posts of mine.
I really want to share my gratitude towards ION-IP, WhiteHat Security and the United States Consulate in Amsterdam for giving me the opportunity to talk at the event and help creating awareness within the field of Cyber Security and Agile Development.

If you have questions or want to debate or challenge my point-of-view! Please do so! Sharing opinions is creating knowledge and knowledge leads to wisdom! So feel free to comment below.



Post a Comment