ESORMA Mastermind

Mike Osman

  • Experienced CISO on Guerrilla Security. Expect controversial observations.

ESORMA Mastermind: Mike Osman on Guerrilla Security

David: Hi, it's David White here. Thanks for joining me on this Mastermind call. The Mastermind we have with us today is none other than Mike Osman, an experienced and highly certified Chief Information Security Officer with a 20-year track record. Hello, Mike.

Mike: Hello. Good morning David.

David: I am most impressed by your experience, Mike; you've held a good number of prestigious roles at a good number of prestigious companies: for example, M&S, Barclaycard, Hermes Pensions, Bank of Scotland, ING, Credit Suisse, a number of insurance companies, including RBS, and more. Most impressive. With all that, I have a simple question for you, Mike. What do you consider to be best practice in infosec today?

Security Starts With Hygiene

0:48 Mike: It's going to sound really boring and clichéd, but it starts with the basics. There is often too much focus on the more high-tech solutions, whether that's intrusion prevention and detection, but it starts with the hygiene. It starts with training, awareness, culture, the message from the top, ensuring that senior management are bought into the concept of security, that they believe it, that they walk the walk and they support it. So areas like your password policy, having robust processes in place when you on-board your staff, and general good housekeeping of your estate. Often unglamorous and overlooked areas, which are often exploited first. So don't focus on the glamorous, headline-type stuff that you're being sold. It all starts with the basics, and in the current environment, where we're constantly reminded to wash our hands, it really is a simple message along those lines.

If You Are Not Scoping, How Are You Coping?

2:08 David: I call that, I refer to that as scoping, because there's so much to evaluate, isn't there? The initial "where are we now?" I noticed you developed, out of necessity, something that you called Guerrilla Security.

2:19 Mike: Yes, most of my career has been spent as a contractor, and often you are a reluctant hire. So there's a problem that needs to be fixed. There isn't the bandwidth or capability internally, so they have to go outside to bring somebody in. So that's often me. I am often perceived as being an expensive resource. Often your very existence is what they're paying for, so they're not willing to invest in additional tools, resources or services from outside specialists. That being the case, you've got a problem to solve. Having some budget could make life a lot easier, but it forces you to be creative and collaborative. So, for example, one of the things I like to understand very early on is what programmes or projects are in place across the organisation, not just within the security space or within the IT space. I like to understand what's going on in HR, in facilities, et cetera, and particularly a term which is often used, "the business". We are all the business; you understand what the business goals are. So once I've examined what's out there, sometimes I'm able to approach people and say, "Look, I see what you're looking to achieve here. How would you like to do that in a more streamlined and secure manner? I can assist you in these areas; in return we will deliver the following benefits, and we could use the improved security posture to position yourself better in front of your customers or your partners as part of that." There's always a little bit of education that goes with it, a bit of a handover of knowledge, transfer of knowledge. One of the challenges I often face, which probably goes back to your earlier question, is the lack of an asset register. So, what are we protecting, do we know what we have? And that's often missing!
And that touches on so many areas, whether it's, for example, software licensing. Obviously, there's a financial aspect as well, so I may work with a number of different entities to put that in place, because it yields multiple benefits beyond my immediate need. Yeah, it's really looking for those opportunities to collaborate and take not only your function or your requirement forward, but also help those other functions to achieve what they need. If they could call upon, maybe, some project management experience or engineering experience or risk management experience that many security professionals bring to the table, then, you know, I'm willing to be that extra pair of hands, that extra body, that facilitator to help them achieve their goals, as long as there's often a security aspect to it as well. Sometimes you're looking to move the needle forward overall and not necessarily in a specific area. But once you've delivered on those collaborations, people are more receptive to working with you again. I've been described, and I'm sure it's true of many other security professionals, as a useful person to have in the room. I've been involved in things like office moves. You may scratch your head a little as to what that's got to do with information or cyber security. Sometimes they just want someone with a risk-based approach: well, what if things go wrong? It is not necessarily being pessimistic. But a professional, healthy level of cynicism can be quite useful, because then you start planning: "we didn't consider that, actually, good point. You know, let's get a contract in place to make sure it doesn't happen." You find a successful security professional will get involved in every aspect of the business. Absolutely every aspect.

Communication In Context

6:32 David: The way I see it, and the way you've described it, I think it is: there's a huge requirement for relationship building and cross-communication across a business. So many business entities, or sales, marketing and, let's say, HR, which you covered, often run in silos because they've got individual missions and objectives. Yeah, they successfully achieve their objectives, which is great. But in the process, they don't necessarily talk to each other. So having someone like you, being able to kind of have a requirement to develop a bigger picture, is useful for the reasons you suggested. But it does require you to actually build relationships. Go on manoeuvres, to a certain extent.

7:15 Mike: Absolutely. And that high-level view of an organisation and understanding the context of what you're trying to achieve, how that will help. So, for example, I may be given a brief to help a company, and they have set out a Statement of Work to say this is what we need to do. You can blindly follow that. Or you could actually take a good look at it, contrast it with the business and say, well, actually, I don't believe you do need this and this and this, and maybe focus a little more on this area because you'll get greater value out of it, or is it simply unnecessary? So, quite often, as a consultant, I've cut my assignment short by being honest and efficient. But there's absolutely no point in putting in the effort on areas that aren't going to add value. So yeah, as a professional, you're hired to give an opinion as well, so I think that is something related to what you referred to.

8:10 David: Guerrilla Security is questioning the brief, educating and influencing, collaborating. But also there's a bit of persuasion in there, isn't there?

8:23 Mike: Absolutely. And sometimes there's some hard truths, talking truth to power. It doesn't always go down well. Maybe another point, if you allow me, David, is it's not so much the case now, but in the past there's always been this sort of resentment or hostility towards information security folk. We're seen as bureaucrats, or out to get somebody or expose bad practices, and often I have a conversation that goes along the lines of "why should we bother? We're not a bank. Who's going to hack us?" Those very same people who are often your biggest challenges or worst critics, after a period of time they become your greatest allies and they go out and evangelise for you. Yeah, so an example of "we're not a bank". So okay, you're a membership organisation. By the way, how much money do you have in the bank? Oh, you know, something like 30 million. So that's an attractive target for somebody. Have you considered, perhaps, disgruntled employees might have access to that, or, yeah, an employee who's vulnerable, for example, can be coerced into helping an external organised crime syndicate access your systems and those funds? So you just give them these types of scenarios which people don't often think about. It is seen as far-fetched, but this is a reality, so changing those hearts and minds is very important.

Security As An Enabler

10:02 David: Well, I know also you see security as an enabler.

10:09 Mike: Yeah, absolutely. So I think for a very long time security professionals allowed others to talk about us as a cost center. So are gas, electricity, network and water utilities? They're all a cost center as well, but they're a necessary part of the machine. More and more often, people are more savvy, companies are more savvy: supply chain risk and due diligence are very important to organisations in regulated industries. Therefore customers demand more, and your customer is not necessarily an expert on information security, cyber security, data protection, so they will look for things like certification against ISO 27001 as an assurance or, you know, to give them some kind of comfort that you've got some minimum standard requirements in place and that you've got a management system in place to continually manage the security posture of your organisation. Now a lot of organisations are crippled by the number of questionnaires they need to fill in, whether that's a supplier trying to sell services to a larger corporate or an organisation trying to provide assurance to a regulator, and having the right certification in place can significantly cut down on that burden. And bear in mind these questionnaires: you know, if we look at a large insurance company, they may be dealing with several thousand different questionnaires from different entities, and also issuing those questionnaires. Having certification like ISO 27001, if you truly understand it properly, can significantly cut down on the overhead of assurance and due diligence. But also it's a mandatory requirement in some sectors. So in the government space, for certain types of procurement, it's expected that you have Cyber Essentials, Cyber Essentials Plus, ISO 27001, etcetera, and particularly if you look at defence procurement it becomes even stricter. That is the difference between you winning that business or not.
So if I take the enablement position from a slightly different perspective, I've trained sales teams, and yeah, it kind of happened organically. So I've had sales guys come to me with a brochure and saying, "Look, we want to put this in front of a client; they're asking about our security position. Can you take a look at this?" And, you know, shockingly, some of those brochures will say "we are 100% secure. We've got a huge team and no one can touch us." That's arrogant, unrealistic, and no one will buy it. So how do you position it to your customers or your partners to say, "Look, yeah, we take it very seriously. It's well funded. We've got the right people doing the right things. We're not complacent. We know that breaches happen. Here is our resilience approach, and this is how we will mitigate and continue delivering services and business, even against the toughest of circumstances." So it has to be a little bit more honest and open because, look, the customer is also in the same position. They're a lot more aware of what happens out there, and all of us have been affected by the household names and major suppliers. All of them have been breached. Yeah, very few haven't. We've kind of become fatigued by it, and it's not necessarily make or break. We want to know: how did you deal with it? You know? Did we receive that phone call? Did we receive that email, an honest email saying, "Look, guys, hands up, we got it wrong. This is what we did to rectify it"? And often, you know, that response could really distinguish one company from another. These are the soft, subtle, human-side things, if you like, that are not necessarily on a checklist, but, you know, it makes people feel more comfortable because you're being open and honest with them. Well, instead of saying "we are 100% secure", which is an impossibility and is quite arrogant and shows your lack of knowledge.

14:50 David: But it reflects, as you're able to, your real-world practical experience.

14:55 Mike: Absolutely. And the challenge is telling your customer or a member of the public how you achieve this without giving away too much detail that can be used against you. So there are ways and means of doing that. If you have a strong relationship with a customer, then perhaps under NDA you could invite them in for a closer conversation, or to come and have a look at your facilities and how you do things, and that posture. The security posture is very important; to get that balance right of giving people assurance, but without spelling it out. Indeed, how that's achieved is the art, really, the magic trick.

15:42 David: Yeah, well, yet in terms of planning, "here is your security", you know, at the same time you don't want to give away the keys to the kingdom, show them where your weaknesses are, because of the areas that you're specifically protecting. You need to know when to keep quiet, don't you?

15:55 Mike: Yeah, absolutely. And I think people pick up on that as well. So I've seen some brochures go into specifics on what brand of firewall they use and who their suppliers are. You know, this is all fantastic information for your adversaries or your competition. And it soon ages. You have to have some mystique around what you do. But if you focus on the people, process and the management systems you have in place, rather than the technology, yeah, I mean, that's more important. People want assurance that you've got intelligent people doing the right thing; it's not a case of "we've got 500 analysts in a SOC somewhere". That doesn't mean much to people, you know. They just want to know that there are competent people out there doing the right thing, and your choice of words and language is very important when dealing with your security communication.

Security And Risk Awareness

17:00 David: One of the tricky areas you might be able to shed some light on, that I see a lot in the textbooks and various courses, is lots of reference to security and risk awareness. But I find that in a lot of the textbooks and documents about security, they don't talk about creating awareness in practice, and I feel you touched on it a little bit in scoping, getting this bigger picture. Do you have anything to add to the whole concept of security awareness? We also touched on it in terms of what not to say.

17:45 Mike: Absolutely! So far, the biggest bang you will get for your buck in terms of protecting your organisation is your investment in education and awareness; to go further and say engagement, education and awareness. So educating your workforce in terms of the part they play in protecting the organisation, but also making it personal to them in their home lives, so not just educating them in the corporate environment. You're educating them in general. And today, in April 2020, there are more people than ever working from home, so those lines have become very blurred between the corporate environment and the home environment. For me, as a consultant who has been dropped into many different organisations over the years, you know, I lose count of how many different companies I have worked for. That first day is so important; I will learn so much in that first day about that company's posture. So what I consider what good looks like: in some of the banks, before you're even allowed to set foot in the building, you need to attend possibly an off-site location, maybe a training facility, where you turn up and you have an induction. That induction will include HR aspects. If you're in banking, for example, anti-money laundering, treating customers fairly, all of those compliance-type activities, but a significant portion of that will be the security awareness piece. So it will be educating you that the company does take security seriously: here are the policies and resources, and you will read them and understand them and agree to comply with them. At the end of the exercise, you may get the candidate to sign an agreement, what is called an attestation statement, to say that you have read the policy and you agree to abide by it. Yeah, that might seem bureaucratic and red tape and unnecessary, and we are all grown-ups, we know what to do. But what you've done is you've set the tone and the culture of your organisation from day one, told them what's acceptable.
You've told them what's not acceptable, and you've told them where to go to get help. Yeah, so that's really important. Trying to deliver that message after somebody has been in post for six years, and has got into really bad habits and uses corporate equipment for their own personal computing needs. You know, that could be, let's say, nefarious, or people could be using it for gambling and all sorts of other things. If you set the tone from day one to say this is acceptable, this is not acceptable, we do monitor our systems, if you need help this is where you go, you could save yourself a lot of pain down the line. And auditors look for that attestation statement, and we look at the standards and regulations like SOX, Sarbanes-Oxley, etcetera, where there's that continual need for re-entitlement and reconciliation, and they want evidence that you are delivering security awareness training and that people are aware of their responsibilities, and you're monitoring and tracking that. If it ever came to a scenario where there has been misconduct and it's security related, it goes to court, for example, then, you know, the employee could say, "well, you never educated me about my responsibilities. I didn't know I was allowed or not allowed to do that," and that becomes a get-out-of-jail card. But it's not about punishment. This is about starting right at the beginning, sowing the seeds of the security culture of an organisation, and that's where you start.

Bake It In Like You Mean It

21:34 David: It's baking it in, isn't it? It's the common term now.

21:37 Mike: Yeah, absolutely. It becomes part of your DNA, and you've got to mean it. It can't just be a tick-box or throwaway exercise. And the challenge is keeping it interesting and fresh. Yeah, because, yeah, I'm sure, hey, you know, someone who's had a reasonable length of career, they've gone from place to place and they've seen similar activities. Sometimes that message is delivered too late. But how do we keep people engaged and not switch them off before they've even looked at it? None of us like doing the health and safety training or the display screen equipment training; we all know it, and in many cases it's obvious. But it's still important to protect the individual and the organisation.

22:30 David: You are protecting the individual, not just the organisation. You are actually, you know, it is to the individual's benefit. Isn't it?

22:38 Mike: Yes, absolutely. And there's a term I like to use quite often: risk doesn't run one way. So often organisations are concerned about, for example, a supplier: you know, we're going to take services from this supplier, and, you know, their environment might be dirty and they may impact on us. But risk doesn't run one way; you may impact that supplier the other way. It is not just the workforce that's a risk to the organisation; the organisation might be a risk to the workforce as well. Yeah, it doesn't discriminate. Risk is everywhere. So is opportunity.

Asset Management

23:17 David: So Mike, when it comes to implementation, we've kind of steered away from technology, the sexy, expensive stuff, to talk about people and personnel and relationships, getting to know the business itself, which is absolutely, as you pointed out, the place to start from for security. Nevertheless, clearly, when it comes to data security, most information systems are, of course, IT systems. You know, nowadays they fall into two distinct camps: one camp you might regard or describe as the legacy system, the other distinct camp, and you may well give me additional camps, I am going to give you two to start with, the other is the cloud. Sure, you may well have the same security posture, a standard you apply to all of your systems, through the cloud or legacy. But the fact is, there are differences between the cloud and legacy systems. What are your thoughts? How do you address those?

Mike: You know, there are differences between legacy systems and legacy systems. There's no one flavour, and what you're increasingly seeing is a hybrid of all of those, not just a hybrid of legacy and cloud, but a real mosaic, if you like, of different types of cloud services. So you may have Azure and AWS, but often you're consuming software as a service from multiple different providers, and they are distinctly separate systems. There's not necessarily overall management of those products and services on the one console, if you like, and that is where we are. There's no getting away from it. It's not the future. It's where we are. Many organisations have moved across to the cloud or use a combination, and have done for decades, in some shape or form. Importantly, to go back to an earlier point, it's understanding what your assets are, and not just in terms of kit and tin; there's licences and software and people and all of those things, and understanding business processes. So often people tend to focus on a server or an application. But how does that map to a business process in your organisation? So if you're selling widgets, how many different platforms do you need to cross to sell that widget from end to end, to fulfil it for your customer? It's having a more business-centric view of what you're doing. An analogy I like to use (I'm a Londoner, you might've gathered) is the London Tube network, made up of hundreds of different stations. Are those the assets? Or is it the journeys? And often your journeys will cross multiple assets. So having a more, again, holistic view of what you've got out there, and understanding where the vulnerabilities may exist and what approach you take and the wrappers you pull around it to protect your resources. But it is not really a black and white world out there of legacy and cloud. Everybody's got some form of hybrid going on out there, and gaining a great understanding of how all the pieces fit together is a challenge.
There's no doubt about that, and one piece of technology is not going to solve that for you. So we've got the fancy things like CASB, and you may often hear the term zero trust. Different people have different definitions of those terms. CASB is cloud access security broker. So it's a concept, if you like, of managing multiple identity and access management across diverse systems. So, as mentioned before, you've got different flavours of cloud. You've got software as a service, you've got platform as a service, infrastructure as a service. So it just may be a way of conceptualising what your workforce has out there across all of these services and trying to put some control over it. Yeah, with zero trust, it's a way of giving people access to, say, software as a service, but applying the access control and privilege management, all those sorts of things, right where the data is. So you're no longer necessarily securing networks, because your network is the Internet. Yeah, applying the security on your software as a service graphics account. So yeah, this is why I don't get too hung up on the technology. I'm not anti-technology at all; I like to think of things as black boxes. What do I put into it and what do I get out of it, and when I need to do a deep dive, I'll do the deep dive into the technology to understand if it's delivering on the requirements that we defined.

Risk Illiteracy Within Corporates

28:33 David: We talked about risk registers. We talked about the sort of huge hodgepodge mix of assets that a service or production might have to spread itself across from beginning to end before it hits a customer, and all the different systems. We talked earlier on about relationships, understanding business, et cetera. How do you actually keep track of all this? Because it does strike me as very quickly becoming a very big picture that's very complex.

29:04 Mike: Yeah, absolutely. And I'm going to be controversial. It's what I'm really good at. Now, one of the challenges we have is you have a security silo. You have a well-intentioned security manager who will come in and say, "I've got a great idea. We're going to adopt this ISO 27001 system. As part of that, we're going to develop a risk management methodology and we're going to risk assess everything, and we're going to treat all of the areas of weakness that are beyond our appetite," you know? So you see words like "risk appetite" creeping into the vocabulary. That's great. But, you know, you've got a risk function already in your organisation, possibly operational risk, financial risk. You may work for an insurer, and they're really good at understanding risk. What we don't want to do is introduce a whole new lexicon, a whole new scale, a whole new methodology of measuring risk and managing risk. Someone might have a six by four grid, some might have a three by three grid; just adding another set of, you know, words and meanings and definitions is not going to help. So where possible I always look to speak the same language that is being spoken by operational risk or is already understood in the organisation. But I'll go a step further, even more controversial. So as security professionals, we're often criticised for not being able to speak the same language as the business: we are too techy, we use too much jargon, we switch people off. They don't understand us, and we need to speak more in terms of business language. Yeah, that's a fair comment, but many of us already do that and have done for many years. So the controversial part is this: how many of the C-level executive team, board, etcetera, senior management, how many of them will actually put their hand up and say, "risk, I don't really understand it"? You know, how many have actually received proper training in risk management, risk analysis? You find very few.
No one's going to stand up and say, "I don't understand this risk thing." As human beings, we figure we understand risk. We talk about it all the time; crossing the road is a risk assessment. But there is a certain amount of risk illiteracy within corporates and organisations which people are unwilling to admit. One of the things I try to do is make sure that there is an education message, at least, around what risk is, how we use it, what these terms mean, and try to, through osmosis, get that across the organisation. A CFO may understand risk, and people get to positions of responsibility from many different paths, but they may have missed that risk management module or the opportunity to use and learn how to use risk. Risk is a very powerful tool, but only if you understand it. It doesn't mean you have to be an expert. There needs to be a certain minimum level of understanding of risk, because I think we use it too frequently and too commonly without really understanding what that means.

Bringing It All Together

32:31 David: Okay, I was just wondering how we collate all that information, how in practice different business systems, like you talk about different assets, that journey of that product being created from the beginning through to delivery; you talked about the Tubes and the journeys...

Mike: Well, without sounding too techie and nerdy, we've got this concept of the CMDB, so it's called a configuration management database. Historically, this is a database of IT-related stuff that will explain what it is, how it works and how it's configured. But you can take that further, and often many organisations have taken that further and made it so it overlaps into things like service catalogues, etcetera. I've spent some time at a well-known German bank, and there were many different repositories of information. No one actually brought them together to give that picture. I was able to do that, and I'm not going to pretend it was my genius that made that happen. I saw somebody was doing something very similar elsewhere. And I thought, well, if we added this system and this system and this system and ran these queries, we would get that picture; we would get a picture of where our risks are, what lines of business it affects, what are the assets that are dependent on delivery of that service, who are the individuals that support those services, and where have we got a shortfall, can we forecast problems in the future where maybe we've got a change freeze, for example, or, you know, some kind of public holiday, or we've got staff being made redundant that have had an impact on delivery of that service. So I was able to deliver that: a hybrid picture of risk register, asset register, the legal and compliance position, numerous different things, to get that picture. And it's not a mature topic; it is a hard sell to convince an organisation they need to understand what the organisation looks like and where those risks might be and the value of critical assets. So I'll give you a sort of associated area. So, business continuity, for example: how do you approach that? Do you ensure that the entire business can recover in half an hour? That's not realistic.
So often what most organisations will do is define their top 10, top 20 most critical assets or services. That's a good start, focusing on what is important. You know, these are the tier one services we need to get back up. Number one should be your people, life and limb. And then you start focusing on things like the General Ledger or your website. Yeah, if it's an e-commerce company, how do we get that back up and running? You take it from there, and you start getting the understanding of your organisation, your priorities. Your risk to dependencies goes beyond just security; some companies of a certain size will have a chief risk officer or risk function or something along those lines. Sometimes in smaller organisations, someone has to wear several different hats, and there could be compromise there. The current climate today has been a wake-up call for everybody to sort of really understand their organisation, and, unfortunately, some companies won't recover from this. The whole area of business continuity, the luxury of being able to explore what could go wrong, doing desktop exercises and rehearsing it? Well, some companies do that really well, while some companies think it's a waste of time and pointless. I think this current situation that we're in may cause us to reevaluate that.

36:27 David: You know, another thing is, talking about coming from a perspective of being an enabler, as we started, to be able to create new systems out of existing systems. Like you said, you spotted configuration management systems and various database systems already existed. And you realised if you were able to join them up and then run a query across them, you could suddenly get the big picture, which is absolutely what is needed in most organisations, particularly the larger ones where there's, you know, too much in silos.

36:55 Mike: Absolutely. And that is also another example of Guerrilla Security. I didn't have the budget, so I repurposed what was out there, right?

Is Your Security Operations Center Really Necessary?

37 David: Yeah, absolutely. Well, it's innovation, isn't it? You know, that comes through the mother of need. Someone needs to have this big-picture view of how things link together, and it's definitely how data moves along with products; for some businesses the product is the data. We can see from the breaches just in the last couple of years how valuable data really is, and how for some companies it has signalled the end and termination of the business. A last question for you: the future.

37:35 Mike: I could tell you what I'm unhappy about today, and I could see that changing. Please allow me a few minutes of indulgence to give you my pent-up frustration. So what typically happens right now? Well, before this crisis, you have organisation A. I have seen it so many times: they get a Big Four consultancy in, always as part of their annual audit or mandatory audit; they will be audited, deficiencies will be highlighted, or they would have suffered a breach in some shape or form. If it is public and there's a reputation impact, they're likely to do something about it. Also, increasingly, many exec teams and boards have a non-exec director on board who is sometimes very knowledgeable about information security, but sometimes semi-knowledgeable. Yeah, this person will ask the difficult questions in those meetings, so there's no requirement to address those concerns at those levels. The scenario is you've had a bad audit or a breach and it gets discussed at the risk committee or a board meeting of some kind. What are we going to do? Well, you know, we take security seriously. Most execs will tell you it's one of the top three things that keeps them awake at night. You know, all good stuff. So what are we going to do? What is happening right now is a knee-jerk reaction, and very illogical if you ask me: these organisations become convinced that they need a Security Operations Center. So that is a darkened room somewhere where you have some fairly junior but very technical people constantly monitoring your estate, trying to detect various security events and incidents and address them. What happens is these guys used to be at the bottom end of the salary scale, used to be, and to appease the auditor or investors or the board or whoever, the typical reaction would be: let's build a SOC. Let's hire 10 people to man that SOC.
Let's make it 24/7. And they go down this path, and what they find is they can't hire the people, because everybody's got the same idea. Those guys that were perceived as a cheap commodity, so let's open a packet of 10 analysts, they don't exist anymore. They're being poached, head-hunted, and they will move from one company to the other for a 5% or 10% increase. It's a horrible job. If you could imagine being in a darkened room with no windows, staring at screens 24/7, or you're doing a long 12-hour shift. It's not very glamorous. Many organisations that don't understand security will invest in this approach, and it may take three or four years to actually yield results. They would have wasted many millions, and maybe even before those three or four years they'll come to the conclusion it's not working. An option is to outsource that service. Again, they'll go to a big provider, and they'll be made all of the promises under the sun that they will get just this fantastic service. But we have a scenario where, say, for example, ransomware: that service provider may have, let's for simplicity's sake say, 10 clients, and all 10 of those clients have been impacted by ransomware. So how do they prioritise on your estate, in your environment? Can they prioritise? Yeah, they're going to be spread very thin, putting out those fires. So my prediction for the future is the end of the Security Operations Center. Often these rooms full of screens, big LCD, LED, plasma, whatever screens you have on the wall there, are part of what I like to call the company's theatre. They will bring a prospective client in and say, "And by the way, this is our security operations center." There'll be lots of blinking lights and, you know, people with their heads down staring at screens and running reports, um, loads of pie charts and all sorts of things, and people could be seduced by that. Hey, wow! What they don't realise is they spend a hell of a lot of money on effort and resources, and they're getting nowhere fast.
It's just not working. What's the alternative to that? You spend more time on your people, on your culture, and embed security into all of your systems: engineering practices, building secure systems, simplifying your systems so that you can understand them better. Some systems will generate billions of different security events. They don't necessarily mean there's something wrong. You've got that needle-in-the-haystack scenario. Yeah, so, yeah, how do you know what's going on in your estate? The number of false positives is huge. You know, the tuning required to get some meaningful reports is massive. And yet we need data scientists and analysts, all that kind of thing, to try to start making sense out of it, but, yeah, what you're actually doing is you've become a historian. You're looking at what happened to your estate, or what just happened; it's not proactive or preventative. Exactly, absolutely. It is fixing it, potentially, after the event? Yeah, I just think the focus is in the wrong place, and it's a little bit short-sighted that many organisations are jumping on that Security Operations Center bandwagon and they are dragging in people from various different industries because that skill set is in demand, erroneously. You hear about this cyber skills shortage? All right? I don't agree at all. I don't agree one bit. Right now, I could probably put you in touch with 80 really competent security guys who are out of work. And that's not because of the current crisis. It's because they can't find the right work at the right salary in the right location. This perceived shortage is a shortage in certain areas. It's not across the board. The industry is creating that shortage where it doesn't have to.

43:55 David: All right. Interesting. I'm really glad I had this chat with you, thank you very much. Thank you for the opportunity. It's been good to hear your perspective and points of view, a real mastermind, which was the objective: inside information on what's really happening on the street. Thank you very much for joining us today. And good luck with the future. Will do. Thank you very much. Thank you, Mike.

Thank you for joining this mastermind session, and if you would like to know where you can download a transcript or listen in to more of our mastermind sessions, just visit esorma.com. That is E S O R M A dot com; look for the mastermind recordings page. Thank you.
