BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:No One to Blame\, but... : Fear and Failure in Securing Large Orga
 nisations - Ahana Datta\, University College London
DTSTART:20230221T140000Z
DTEND:20230221T150000Z
UID:TALK195853@talks.cam.ac.uk
CONTACT:Kieron Ivy Turk
DESCRIPTION: When staff at a critical national infrastructure organisation
  were recently polled to associate a word with infosec\, they chose “fea
 r”. This is a talk about fear and failures - unavoidable and avoidable -
  their systemic and institutional causes\, and how to overcome them. Using
  case studies from large organisations such as the civil service\, aviatio
 n\, CNI\, and media\, I will discuss the role of security engineering\, pu
 rple team operations\, threat and compliance. Drawing from experiences as 
 a head of information security/chief information security officer\, I attr
 ibute poor organisational security to failures in correctly interplaying p
 eople\, processes\, and technology. I will discuss issues such as why user
  access is breached despite multi-factor authentication and dedicated iden
 tity and access teams\; why legacy technology remains misunderstood\, and 
 friction in patch management\; how to know you’ve hired the right (or wr
 ong) expertise\, and why we still get hacked despite all the right intenti
 ons\, if not the right incentives. I will explore third-parties and supply
  chains\, deploying security tools\, disjointed processes undermining secu
 re behaviours\, the perils of confusing regulation as a threat model for s
 ecurity\, incident management and reactive security\, as well as why board
 s struggle to care about information security\, and how to make them.
LOCATION:Webinar & FW11\, Computer Laboratory\, William Gates Building.
END:VEVENT
END:VCALENDAR
