Secure South West 1: 20th September 2012

The first Secure South West event was hosted by Plymouth University on the 20th September 2012, and included a programme of six presentations delivered by experts drawn from industry and academia as well as a hands-on practical session in the University's dedicated IT Security and Forensics Laboratory. In addition to these sessions the event was supported by exhibitors including Cryptshare, MetaCompliance and the Stem Group.

Presentations/videos (where available) can be found below. PDF copies of slides are made available wherever possible and in most cases a video of the full talk can be accessed from Plymouth University's iTunes U site or our dedicated YouTube channel.

G-Cloud Security
Mark Craddock (Cabinet Office)

Download slides

The G-Cloud programme represents a change in the way government works with suppliers and enables the Public Sector to buy assured Cloud services. This is an overview of the G-Cloud Programme and the G-Cloud Accreditation process.


Mark Craddock has over 23 years experience in ICT andis currently managing the G-Cloud CloudStore and Propagation. Mark has worked on many Cloud projects and programmes, including the Cloud First Strategy for the Houses of Parliament.

Mark Craddock
Sorry, no video available.

Practical IT Security and Digital Forensics techniques
Dr Paul Dowland (Associate Professor in Information Systems Security - Plymouth University)

By way of a break from the more formal presentations, this session provides an opportunity to tour our new Computer Security Laboratory together with a visit to our dedicated Forensics Suite. We will start by looking at a number of network monitoring techniques before demonstrating a number of biometric authentication mechanisms with an opportunity to try some of them out. The session finishes with a discussion on password practice.


Dr Paul Dowland is a member of the Centre for Security, Communications & Network Research and is manages the teaching of computer security and networking within the School of Computing and Mathematics at Plymouth University in the United Kingdom. His interests include network and system security, user authentication, and security education. Dr Dowland is the secretary to the International Federation for Information Processing (IFIP) working group 11.1 (Information Security Management) and an active member of the BCS South West committee. He is the author of 45 papers in refereed international journals and conference proceedings, edited 23 books and co-authored "E-Mail Security: A Pocket Guide" (2010). Further details can be found at the CSCAN website. Paul can also be followed on Twitter (@pdowland).

Paul Dowland
Sorry, no video available.

Practical barriers to using security
Prof. Steven Furnell (Professor of Information Systems Security - Plymouth University)

Download slides

One of the reasons that people often fail to use security effectively is that, at the end of the day, it can be just too difficult to do so - perhaps because they don't properly understand it and sometimes because what it requires just seems to take too much time. Although some of this may ultimately be inevitable, it can be valuable to ensure that these constraints are understood, and that appropriate efforts are made to address them where possible. The talk will consider the various challenges that users may be facing in terms of actually using the security tools and processes expected of them, looking at examples of the practical difficulties that may present themselves and identifying means to ensure that compensatory measures can be put in place.


Prof. Steven Furnell is the head of the Centre for Security, Communications & Network Research at Plymouth University in the United Kingdom, and an Adjunct Professor with Edith Cowan University in Western Australia. His interests include security management and culture, computer crime, user authentication, and security usability. Prof. Furnell is active within three working groups of the International Federation for Information Processing (IFIP) - namely Information Security Management, Information Security Education, and Human Aspects of Information Security & Assurance. He is the author of over 220 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society (2001) and Computer Insecurity: Risking the System (2005). He is also the editor-in-chief of Information Management & Computer Security, and the co-chair of the Human Aspects of Information Security & Assurance (HAISA) symposium. Further details can be found at the CSCAN website, with a variety of security podcasts also available. Steve can also be followed on Twitter (@smfurnell).

Steven Furnell

Why good security is not just about good technology
Ram Herkanaidu (Education Manager/Security Researcher - Kaspersky Lab UK)

Download slides

Is having good security solutions in place enough for you to feel secure in the workplace? What about the human factor, can you train your staff to act in a security conscious manner? Or maybe we should just accept that it would be useless and divert the training money to obtain more security solutions.


Ram graduated in Economics before going on to complete his MSc in Computer Science. He joined Kaspersky's UK Technical Support team in 2001 though by then he had already acquired 2 years support experience through a Kaspersky partner. As well as 1st and 2nd line responsibilities his role grew to include; Pre and Post-Sales support, installations, technical training and presenting at seminars, exhibitions and workshops.

In Feb 2009 he joined Kaspersky's new Global Research Analyst Team where he used his practical knowledge and experience monitoring and investigating malware as well as helping in Kaspersky's education programs. This led to him joining the Education team in Feb 2011 as Education Manager helping organise Kaspersky's CyberSecurity student conferences and also projects engaging schools and universities.

Ram Herkanaidu

Legal and compliance aspects of IT security
Paul McKay and Laura Cox (Bond Pearce LLP)

Download slides

During this discussion we will look how Bond Pearce LLP have gained a competitive edge by achieving ISO 27001 certification, but is this enough to satisfy prospective clients and existing ones. Paul McKay (Information Security Officer) and Laura Cox describe how Bond Pearce LLP achieved ISO 27001 and have recently retained their certificate and what it means to them and their clients.


Paul "Mack" McKay, CISSP has been with Bond Pearce LLP since 1999. He has held various roles at the firm, including sole helpdesk analyst and IT services manager. Mack's current role is within the infrastructure team, where he serves as a Network Analyst and as the firm's Information Security Officer. Mack is charged with the firm's ISO 27001 processes and procedures, and he attends all external audits and ensures that discovered issues are corrected.
Mack has also played a key role within the creation of a robust BC/DR plan and engages with business areas to ensure plans are tested on a regular basis.

Paul McKay and Laura Cox

The "Business" of Malware
Alan Thake (Head of Sales - ESET UK)

Download slides

This presentation will examine the threat landscape, drawing upon facts and figures from ESET, and looking at interesting cases, in order to show how issues are dealt with and what organisations can do to protect themselves.


Alan has been involved in the IT Security industry for the last 12 years, the last 10 of which have been with ESET, a leading global IT Security company focused on "best of breed" Endpoint Antivirus/Endpoint Security solutions for Consumer, Business and Enterprise level organisations, as well as Education and Public Sector. Alan's product, competitive and industry knowledge is second to none. That in-depth knowledge coupled with an ability to simplify technical issues and industry rhetoric makes his presentations accessible to all levels of IT personnel, as well the "untechnical".

Alan Thake

"Bring your own device" or "Bring your own disaster"?
Dr Jeremy Ward (Business Development Manager for Security Consulting Services - HP Enterprise Security Services)

Download slides

This talk will look at a topic which is currently "hot" for many organizations: "how far should users of my networks be allowed to connect with their own personal mobile devices?"

The talk will be based on the work done so far by the current ENISA Expert Group on Consumerization and will look at the opportunities and risks associated with "bring your own device". It will consider what sort of controls need to be in place to manage the risks and how effective these are likely to be.


In May 2011, Jeremy Ward took on the role of business development manager for security consulting services for HP Enterprise Security Services.

Jeremy is responsible for ensuring that innovative and customer-centered services are developed, delivering strategic and governance risk and compliance. Especially services concerned with business-driven information security risk management; including security operations services.

Before he took on his new role, Jeremy was responsible for running his own consultancy business; with contracts that delivered information security risk management solutions to banks, telecommunications companies and governments. He also delivered contracts for the European Network Information Security Agency (ENISA) on emerging and future risks and on national risk management for EU countries.

Until then, Jeremy worked as service development director for Symantec; responsible for process development and as internal security auditor for Symantec Security Operations Centres (SOCs). He was also responsible for thought leadership in information security risk management and the development of new services to solve information security risk management issues for customers, working with many large enterprise customers globally. He developed the Symantec IT Risk Management Report and was principal subject matter expert on IT risk management.

Prior to that Jeremy was at the UK Government Cabinet Office, where he was involved in writing 'Encryption and Law Enforcement' and '[email protected]' which set the agenda for the development of information age policies in the UK government. He then helped set up the Office of the e-Envoy; given responsibility by the Prime Minister for driving forward those policies.

Before working at the Cabinet Office, Jeremy was at the UK Ministry of Defence, specializing in security-related matters and managing major IT and telecommunications projects.

Jeremy has been heavily involved in information security policy formulation with bodies such as the Confederation of British Industry (CBI) and the OECD. He helped to draft the OECD's Guidelines on Information Security, published in August 2002, as well as the ISO 27005 information security risk management standard. He is an ENISA registered expert and has been chairman of the ENISA Risk Assessment and Management Working Group and is a member of the ENISA Working Group on the Economics of Security. He has also been a member of the Steering Committee of the UK Government's Cyber Security Knowledge Transfer Network.

Jeremy is a qualified IT project manager and lead auditor for ISO 27001. He was responsible for achieving ISO 27001 certification for Symantec's Security Operating Centres in the UK, USA, Germany and Australia. He has also consulted on ISO 27001 compliance for a number of large organizations internationally.

Jeremy Ward