Cyber | There's a good time coming...

...but it's a good time in coming.
‘solitary, poor, nasty, brutish, and short; is not a description of the career of the average cyber security officer. It’s a treatise on a life in a constant state of war by Thomas Hobbes (1588 – 1679).
I like Hobbes for four reasons: he writes about ‘warre’ because spelling had not been invented, his name makes me think about ‘Quatermass and the Pit’, this adjectival clause was adapted by Jon Pertwee’s Doctor to introduce the Sontarans in 1973 (or the middle ages depending on your view), and the applicability of his sad philosophy to the modern cyberman.
Not that kind of Cyberman - I mean the Information Security sortAlright. By cyberman I mean anyone charged with some responsibility for waving the wand of cyber security over the rabbit-in-the-topper of an organisation or community and I know that’s not gender specific. 
This missive is an observation from someone who teaches security in mould-breaking classes where at least half are women, and many of those women come from patriarch-based religious backgrounds.
10 of my 15 MSc research students on cyber projects last year were women. Actually I hate pointing it out. The only students I feel uncomfortable with are those who can’t work up a passion for the subject. So…don’t talk to me about stereotypes. I just like the term ‘cyberman’; the ‘Jon Pertwee’ reference should vouch for me; geek or nerd...epithets borne with pride. Anyway, if you prick me, do I not bleed?
It’s early in the day and it’s late in the year. I may still be persuaded to create a few sound-bite predictions but only if I feel it will be another arrow for my bow of cyber security evangelism. Sellars and Yateman remind us that for everyone wanting to teach you can find approximately 30 not wanting to learn. I should know; I’m blessed with 60‑70 students in each class.
Then there were the two decades served at one of our late, great, national institutions where the cynicism of the employees sent on a security course made the mark-scrabbling expectations of students who want to be spoon-fed positively refreshing. I remember the feedback forms…
Q. Why did you attend this course? A. My manager sent me.
Q. Who else in your organisation will benefit from this course? A. My manager. Sigh.
By the end of it most were a fifth column of further evangelists enjoying group therapy. I’m still in touch with many of them today.
It would seem that the instant gratification society where people ‘just Google it’ (other search engines are available) has created expectations of a quick answer for everything without a care for whether it’s correct because you can always apportion blame (or possibly guilt) to the source. After all, 80 years ago if you read it in Der Stürmer… There is no quick gratification for security, it is a state of grace in the cybernetic sense.
The sad conundrum is that in the cyber field, you need learn so much yet hit the ground running. At the same time, you need to remember the reverse of Ranum’s sixth observation that action is not always better than inaction. If you rely on learning everything first, Alice will still be telling Bob about the lack of pictures and conversations whilst Eve harvests the apples of their intellectual property.
This reminds me of the IISP experience with its Top Gun company v. hacker exercises. Whilst the have-a-go hackers get down to probing and exploiting, the company role players get down to forming committees. If you are going to inform busy people about cyber security then books brimming with useful information are likely to have the structure of the proverbial chocolate teapot after the boiling water has been added. Take some Gawande-like lessons from the standards whose taxonomies can be infinitely debated but at least they’ve been compiled.
Of course you can’t turn a cowering executive into the all-knowledgeable with a Vulcan mind-meld. You need to structure the learning to make the delegation of responsibility (the first principle of governance) easy to assign. It pains me to say it, but a bluffers guide may be effective. Your briefings must marry pinstripes to pony tails and replace the à la carte with the contents of a pizza box. And find wisdom where you can. I cannot help but be reminded of the Tommy Cooper classic where he's demonstrating how he learnt to SCUBA dive. He's swimming with one hand because he's got the instruction book in the other. Criminals don’t wait for the instructions.
Slice and dice your security learning with a few charts and graphs and dashboards. Information measurements to be interpreted will either have no time to be interpreted, be ignored because of their daunting density, or misinterpreted in accordance with Murphy's Law. We need cautionary tales of ToR and other Dark Net denizens to help us climb out of the dark ourselves…so pertinent at this time of year.
Now is the winter of our protective monitoring brought into glorious summer by the emphasis on resilience and the temptation of the punitive hack back...our cyber environment should be riven with such philosophies with a big side order of forensic readiness
Use standards wisely. Standards are wonderful distillations of human knowledge but like all tools they are made for a purpose. ISO/IEC 15408 is a product standard; ISO/IEC 27001 is a process standard. IASME is for process; Cyber Essentials is for systems. Get it? Protect. Operate. Self-preserve.

Dr Danny Dresner - Dresner Associates

Dr Daniel G. Dresner BSc (Hons), MInstISP.
The Dresner Associates |