The phrase “you can’t be just a little bit pregnant” means that the situation being described is binary. It is something that either IS or ISN’T, as is the case with pregnancy. One either “is” pregnant or “is not”; there is no in-between or partial pregnancy. It describes a situation in which there is no ambiguity and no gray area. You can’t be “just a little bit” of certain things. We need to change our thinking – you can’t be just a little bit secure.
In this context, this talk will review 2019, a year that has seen ongoing incidents and data breaches resulting in significantly higher fines levied against those at fault. Ransomware continues to increase, and the response of individuals to phishing attempts remains sufficient to result in real organisational and/or personal harm. The causes of these incidents and breaches continue to be identified as security 101 fails – i.e. the fundamentals! There is a core set of “key controls” we can easily identify that continues to sit in our security professionals’ kitbag of “rinse and repeat”.
And yet it seems that a combination of complacency and ignorance exists, particularly for those who have never previously experienced anything similar. Assuming somebody else is checking or monitoring a situation can leave gaps in the effectiveness of whatever safeguards have been implemented for previously identified good reasons. Business impact analysis and scenario setting need to get more REAL.
There are real issues of culture: blinkered views exist in vertical teams; budget cuts lead to skewed understanding; time pressures impact success. However, people are required to effect transformation. Taking the headcount out of a situation without identifying the impacted processes – that way leads to madness! Consider this – a latch with a bent nail in it: from a distance it looks locked, but you can easily remove it once you are up close and have checked whether the door is actually secure. These themes and others will be covered in this fast-paced, insightful session.
Andrea is an experienced information governance, risk and compliance (GRC) specialist with over 20 years’ experience across a range of data protection, information assurance and cyber security related projects and programmes. Andrea is a published author addressing information security topics and enjoys public speaking on a range of related subjects. Grounded in the depth of thinking that a philosophy degree from Trinity College Dublin affords – Andrea’s views are often contrary! Andrea is an active advocate for professionalism in the widespread information security industry.