The ninth Secure South West (SSW9) event was hosted by Plymouth University on the 12th October 2017 and offered seven presentations delivered by experts drawn from industry and academia, and a panel session. The event was sponsored by Securious Limited and the south west branches of BCS - The Chartered Institute for IT and the Institute of Information Security Professionals.
With the higher profile of security coupled with a relative skill shortage, there remains an emphasis on growing teams to respond to the ever-changing threat landscape. In order to grow teams, experienced security talent must be recruited. What can you do to ensure that you are in a position to attract some of the best talent? Equally important is the need to create the right infrastructure to ensure that your current workforce is motivated to stay put.
Owanate Bestman assists security professionals in securing their next career move. With 12 years' recruitment experience, Owanate started his career in IT and Operational Risk where he was successful in staffing a number of high profile regulatory programmes. He has found individuals and teams that meet specific technical and/or leadership requirements across a variety of companies, to the mutual benefit of individuals’ career progression and the needs of the company. Today, he advises CISOs, Heads of Security and HR on hiring trends, market movements, and of course staffing needs. Working with technical security specialists and non-technical security specialists, Owanate assists seekers throughout the entire security spectrum.
The GDPR comes into force on 25 May 2018. By the end of this session, you will know:
· the key changes being introduced by the GDPR and why
· various simple and practical ways to make the most of the data you hold in a legally compliant way
· how to improve your organisation’s personal data handling practices
· what you need to do in order to plan and progress your own GDPR compliance project
There will be an opportunity to ask questions at the end of the talk. A number of one-to-one slots are also available with James, where you can also find out more about his GDPR compliance-ready solution.
James Boyle is a Commercial & Technology lawyer at Taylor Vinters in London and Cambridge where he specialises in supply, procurement and outsourcing transactions and advises on Data, eCommerce and FinTech compliance. James has an in-depth understanding of the technology solutions sector together with the software and platforms that underpin it. This enables him to anticipate potential issues and structure commercial relationships for his clients at the contracting stage, saving them time and money by helping them avoid the need to fix practical problems later down the line. James excels in finding ways for his clients to commercially exploit, hold and share data in a legally compliant way. He is currently helping many of his clients become GDPR compliant by deploying a compliance-ready solution, which will enable them to achieve this goal by the implementation date in May 2018. In addition to his daily client commitments, James is also on secondment to a large e-commerce retailer advising primarily on data compliance and electronic marketing issues. James previously worked at a leading law firm in the South West, where he supported the Met Office during its procurement and implementation of the Cray supercomputer, and also spent time on secondment to the University of Plymouth’s Research and Innovation team.
People - a business's most important resource - are also its greatest source of risk. To be both secure and effective, businesses must be aware of the qualities and attributes of individuals and teams so that they might better understand the culture necessary to minimise people-risk. In a business, the ability to trust individuals to ‘do the right thing’ – especially when supervision may not be practicable for extended periods – is critical for credibility and vital for reputation. Andrea's presentation will highlight why 'Value Science' is your first line of defence in mitigating the 'insider' threat and offers organisations the ability to monitor their internal culture and the effect that culture may have on their employees' ability to perform, be that for or against the best interests of the organisation, which then results in either positive growth or actual financial and reputational loss.
With a background in leading teams and business development across the IT, Training and Engineering sectors, Andrea is dedicated to improving employee engagement, driving improved human capital and business results. As a leadership and productivity expert, Executive Leadership Coach, Master Coach and Director of Catapult Solutions Ltd and Axiometrics Partners Europe Ltd, Andrea understands the pressures and dynamics facing Leadership today. A passionate advocate of Axiology – the science of value – Andrea uses its insights to help organisations create the culture required to deliver their vision through the attraction, retention and development of their people. She has successfully used the broad Axiometrics™ toolset (based on the work of Research Philosopher Dr. Robert S. Hartman) to deliver performance improvement for individuals and businesses. When Andrea is not helping organisations create the Right Culture that delivers their vision by ensuring they have the Right Values, Right Risk and Right People, she can be found in the Dorset hills on her horse and occasionally competing in local show jumping competitions.
Symantec will give an overview of the current threat landscape highlighting the trends that we have seen in threats over the last 12-18 months. This will include:
• Rise of Ransomware
• Weaponizing common IT Tools
• Email Threats
• Cloud Threats
Richard has spent the last 11 years at Symantec, the world's largest Cyber Security company, and is currently focussing on protecting some of the largest organisations in the UK. In previous roles Richard hosted hacking challenge events around Europe, Middle East and Africa as part of the Symantec Cyber Readiness Challenge. Richard holds a Certified Ethical Hacker certification and in his spare time enjoys travelling and golf – often combined!
Following wide consultation with representatives of commerce, industry, government and cyber security practitioners, the Information Assurance Advisory Council (IAAC), supported by the Institute of Information Security Professionals (IISP), has produced a report defining the context and nature of the challenges facing the cyber security profession. In this session, these challenges and the emerging themes are discussed.
Pete has over 30 years’ experience in Information Security. He is a Fellow of the Institute and chairs its Training Accreditation Committee. In recent years he has led the review of the IISP Skills Framework which resulted in the publication of Issue 2.1. He is working on the development of an IISP Knowledge Framework and is supporting the NCSC with its Cyber Security Body of Knowledge project. Pete’s previous roles include: Lecturer in IA at the National School of Government; Head of the Information Assurance and Certification Schemes at CESG; Head of the UK Common Criteria Certification Body; and Head of Information Security and Accreditation at GCHQ.
The presentation will discuss the role of Artificial (or Augmented) Intelligence and Big Data Analytics in the development of action plans to: Reduce Threat, Reduce Vulnerability, Avoid, Detect, Recover. It will also discuss whether AI can be used to help bridge the skills gap in the industry.
Ian Glover has worked in the IT industry for the last 40 years and has been working in information security for the last 36 years, and has enjoyed nearly every minute of it. As President of CREST he has taken it to a position of influence in the technical security industry. He has been instrumental in a significant number of major initiatives in the cyber security industry. The most recent are the award-winning Cyber Essentials scheme, assessing basic levels of cyber hygiene; and the CREST, BoE and government project to develop the STAR and CBEST Schemes designed to provide higher levels of assurance for critical parts of the UK financial services and other parts of the critical national infrastructure. He also helped to develop and implement the UK government CIR (Cyber Incident Response) and CREST Cyber Security Incident Response (CSIR) schemes providing recovery services following a state-sponsored attack through to industrial cyber-attacks. Internationally he is working with governments and regulators to establish or develop CREST chapters in Singapore, Hong Kong, Malaysia, Australia and the USA. He is also supporting member companies in a number of other regions. Ian has also worked on a number of IPR-free collaborative research projects in support of the industry to facilitate sharing of knowledge and professionalisation. He is working on a number of social responsibility research projects, for example working with the National Crime Agency to provide interventions to reduce the risk of young people entering cyber crime and IAAC and the National Autism Society on supporting individuals with autism into careers in cyber security. These initiatives are gaining significant international attention.
To help address the skills gap Ian is working with industry, government, training organisations and academia to try and create a consistent message to encourage the best people into the cyber security industry and provide them with a clear, achievable and defined career path. He is working on initiatives at school age level including the roll out of Digital Defenders and the distribution of career information guides. He is working on level 4 and level 6 cyber security apprenticeship programmes. He is supporting the CREST international academic partners with career guides, career advice through www.inspiredcareers.org and providing careers and ethics talks. He works collaboratively with a number of other organisations with similar objectives. Prior to representing CREST he was one of the founders of Insight Consulting, a leading specialist information security consultancy. The business was purchased by Siemens. He then sat on the Board of Siemens Communications. Prior to establishing Insight Consulting he worked for the MoD, Treasury (CCTA) and Ernst and Young.
Industrial Control Systems are ubiquitously present in the modern world, touching our daily lives in almost every way. At the heart of Critical National Infrastructure and high value industrial processes, these systems are increasingly becoming the target of cyber attack from a variety of threat actors. Differing significantly from IT systems and suffering from a large legacy estate, securing Industrial Control Systems is a difficult, but ever more important task. This talk outlines the evolution of Industrial Control Systems and the threat landscape they face, a brief history of current events, the challenges of securing these systems and some of the cutting-edge work being done to redress the challenges.
Adam Wedgbury is the Technical Lead for Cyber Security Research and a Senior Scientist at Airbus Group Innovations, a global network of teams, projects and collaborations that undertake research, innovation and state of the art cyber security solutions development. He holds a BSc in Network Administration and Security from the University of South Wales. Starting his career in the defence industry, Adam has a breadth of experience across the cyber security domain. Experience ranges from enterprise to embedded system security, to industrial control systems and industrial research. He is active in the cyber security research community, being the lead author on a number of peer-reviewed and published papers within the domain. Adam’s specialist areas include security architectures and testing, vulnerability analysis and mitigation, and network management with experience in commercial, defence and critical national infrastructure industries. Current technical interests are focused on the protection of industrial control and SCADA systems, particularly applying protection to legacy environments. Adam is actively contributing to the state of the art in the field with his research, whilst also undertaking rapid prototyping projects and integrating the outputs with the business. He is a frequent public speaker on cyber security topics and the protection of critical national infrastructure, having presented to recognised industry experts at a number of conferences and workshops.
We are now in our ninth run of Secure South West, and it is one of several initiatives that help to promote and support cyber security awareness and skills in the region. We also have the South West Cyber Security Cluster, the South West Branch of the IISP, other events such as Cybercon, various companies offering cyber-related services, and security-related degrees and research at our regional universities. So, with all this available to them, are organisations in the South West feeling more protected? Are they sufficiently aware of the issues, and do they feel they have access to the necessary skills and support? This panel brings together industry and academic representatives to answer related questions from an audience largely composed of those that may need such support.
Steven Furnell (Professor of IT Security, Plymouth University)
Prof. Steven Furnell is the head of the Centre for Security, Communications & Network Research at Plymouth University in the United Kingdom, an Adjunct Professor with Edith Cowan University in Western Australia, and an Honorary Professor with Nelson Mandela Metropolitan University in South Africa. His interests include security management and culture, computer crime, user authentication, and security usability. Prof. Furnell is the current chair of Technical Committee 11 (Information Security and Privacy) within the International Federation for Information Processing (IFIP), and a Board member and Fellow of the Institute of Information Security Professionals (IISP). He is the author of over 290 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society, and Computer Insecurity: Risking the System. He is also the editor-in-chief of Information & Computer Security, and the co-chair of the Human Aspects of Information Security & Assurance (HAISA) symposium. Further details can be found at the CSCAN website, with a variety of security podcasts also available. Steve can also be followed on Twitter (@smfurnell).
Michael Dieroff (Managing Director, Bluescreen IT)
Michael Dieroff is the founder and Managing Director of the information security, training and consultancy firm, BluescreenIT. Michael is also part of several strategic boards within the digital industry and is the Chairman of the Digital Policy Alliance’s Security skills and partnerships group for the UK. With over 20 years’ experience in information security, Michael has worked in leading private and public organisations with their information security strategy, governance and compliance and carried out services such as secure design, vulnerability assessments and penetration testing in his tech days. He has also worked with many SMEs to assist in their development and understanding of how to strengthen their Cyber Security defences.
Peter Jones (Senior Cyber Security Consultant, Securious)
Peter Jones is a Senior Cyber Security consultant with Securious. He is an information security and data forensics professional and has experience of working in both public and private sector organisations including Avon and Somerset Constabulary and South West Forensics, University of Central Lancashire and the BBC. Peter’s experience includes leading the data forensics team for Avon and Somerset Constabulary. He has also held senior roles in the private sector at technical director level, and he has specialised in mobile device forensics and recovering a wide range of data. His professional qualifications include IRCA certified ISO 27001 lead auditor and PECB certified ISO 27001 trainer. Peter holds three different degrees including his latest, a PGCE in Higher Education from UCLAN. Peter is the co-author of the CREST accredited course, Intrusion Analysis and Digital Forensic Essentials (CRIA), and is currently developing additional courses for CREST. He is also a co-founder of the South West Cyber Security Cluster.
Maria Papadaki (Associate Professor of Cyber Security, University of Plymouth)
Dr Maria Papadaki is an Associate Professor of Cyber Security at the University of Plymouth. Prior to joining academia, she was working as a Security Analyst for Symantec EMEA Managed Security Services (MSS), UK. Her postgraduate academic studies include a PhD in Intrusion Classification and Automated Response (2004), and an MSc in Integrated Services and Intelligent Networks Engineering (2000), University of Plymouth, UK. Her research interests include intrusion prevention, detection and response, network security monitoring, incident prioritisation, security usability, and security education. Dr Papadaki is a GIAC Certified Intrusion Analyst (GCIA), GIAC Penetration Tester (GPEN) and is a member of the GIAC Advisory Board, as well as the British Computer Society. Further details can be found here.