Abstract

When staff at a critical national infrastructure organisation were recently polled to associate a word with infosec, they chose “fear”. This is a talk about fear and failures – unavoidable and avoidable – their systemic and institutional causes, and how to overcome them. Using case studies from large organisations such as the civil service, aviation, CNI , and media, I will discuss the role of security engineering, purple team operations, threat and compliance. Drawing from experiences as a head of information security/chief information security officer, I attribute poor organisational security to failures in correctly interplaying people, processes, and technology. I will discuss issues such as why user access is breached despite multi-factor authentication and dedicated identity and access teams; why legacy technology remains misunderstood, and friction in patch management; how to know you’ve hired the right (or wrong) expertise, and why we still get hacked despite all the right intentions, if not the right incentives. I will explore third-parties and supply chains, deploying security tools, disjointed processes undermining secure behaviours, the perils of confusing regulation as a threat model for security, incident management and reactive security, as well as why boards struggle to care about information security, and how to make them.