Friday, May 27, 2016

Why continuous monitoring is like observing your teenager

http://www.computerworld.com.au/article/593819/why-continuous-monitoring-like-observing-your-teenager/
 
What is continuous monitoring?
For many parents, keeping an eye on your teenagers is a critical activity. You worry about all the bad things that could happen and try to prevent this from occurring.

There are technologies in the market for the nervous parent, such as TempTraq – which provides a 24-hour intelligent thermometer. It continuously senses and records your child’s temperature and can send alerts to your mobile device.

The problem in enterprises is that we have, metaphorically, a bunch of teenagers working for us and we have no choice but to ‘trust but verify’. These teenagers want to work with corporate data on their mobile devices from every airport and locations that are uncontrolled.

Enter continuous monitoring

Continuous monitoring is on the brink of doing for cyber security what cloud deployment did for global productivity. The definition: “Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organisation's financial and operational environment.”

Every good CIO and CISO has this on his or her watch list of new technologies to, er, monitor. Continuous monitoring has a role to play to prevent data breaches and also assist enterprises to achieve compliance.

Old-fashioned passwords, even strong ones, are usually insufficient. We witnessed LastPass get hacked recently and, as suspected, this came down to the human element and tricking someone.

Biometrics only take you part of the way
Most banks have been quick to embrace biometrics: finger, face, voice or iris. These are good second-factor authentication approaches and can bolster the security that is already in place.

Biometric authentication technologies can lock things down “using something we are rather than just something we know”. But there are issues with adopting this approach. What happens when there is an accident or a person is sick, so the finger is injured or the voice sounds different from normal? You are locked out of the account.

What is continuous monitoring?

This is all about watching multiple factors to constantly validate who you are. Yes, you entered the right password from an IP address that is recognised. But are you also accessing the same applications you normally use, during the business hours you usually keep?

But it just goes deeper.


The best way to introduce this concept is to look at a few examples.
Darktrace
Darktrace is a startup whose approach is modelled on the human immune system; it uses machine-learning technology to analyse raw network traffic. The company has already raised $110 million in VC funding.

There are no signatures or patterns that are predefined; instead Darktrace’s machine learning technology “allows it to learn what is normal for a company’s network environment, so that it can then determine if any behavior is abnormal”.

Biocatch
BioCatch is another startup with a unique approach to continuous monitoring, and it is a little spooky. It watches you, and how you interact with the technology.

It uses all the data from the accelerometers built into modern smartphones. BioCatch records comprehensive data on all of these movements, acting as a sort of seismograph.

“We can not only detect it, we can try to see if it is consistent, because if it is and you don’t look like other people, that is a very good way to analyse your behaviour and see if it is you operating within your account,” the company says.

A great mobile banking example
Turn it on and it will be observing very subtle things, from the angle at which you hold the device to the way you browse around an app, how hard you tap on the screen and the speed at which you type.

This is all based around building an individual profile of you; you yourself are unaware of these small idiosyncrasies. Once this pattern is established it operates as a background task, always watching. When something unusual occurs you may be flagged for closer monitoring.

We all use the keyboard differently, including commonly used keys. A small example —I never use the numeric keypad but I know that my wife will routinely use it. Continuous monitoring software can measure hundreds of these parameters.

BioCatch will build a profile of around 500 parameters after 10 visits: ‘physiological’ from your smartphone and ‘cognitive’ from how you use your PC.
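The mechanics the article describes (a recognised IP address, the usual applications and hours, a typing rhythm that is yours) boil down to learning a per-user baseline and scoring every new event against it. Below is an added Python sketch of that pattern; it is not code from Darktrace, BioCatch or the article. The session history, the four features and the risk weights are constructed assumptions chosen to make the idea concrete.

```python
import statistics
from dataclasses import dataclass

# Constructed session history for one user (not real telemetry). Each record is what
# a continuous-monitoring agent could capture per login: source IP, hour of day,
# application opened and the user's mean keystroke dwell time in milliseconds.
HISTORY = [
    {"ip": "203.0.113.10", "hour": 8,  "app": "email",   "dwell_ms": 108},
    {"ip": "203.0.113.10", "hour": 9,  "app": "payroll", "dwell_ms": 112},
    {"ip": "203.0.113.10", "hour": 10, "app": "email",   "dwell_ms": 110},
    {"ip": "203.0.113.11", "hour": 11, "app": "crm",     "dwell_ms": 115},
    {"ip": "203.0.113.10", "hour": 14, "app": "payroll", "dwell_ms": 105},
    {"ip": "203.0.113.10", "hour": 15, "app": "email",   "dwell_ms": 111},
    {"ip": "203.0.113.11", "hour": 16, "app": "crm",     "dwell_ms": 109},
    {"ip": "203.0.113.10", "hour": 17, "app": "email",   "dwell_ms": 113},
]

# Illustrative weights; a real product tunes these per customer.
WEIGHTS = {"ip": 30, "hour": 20, "app": 20, "typing": 30}


@dataclass
class Profile:
    known_ips: set
    usual_hours: set
    usual_apps: set
    dwell_mean: float
    dwell_sd: float


def build_profile(history) -> Profile:
    """Learn what 'normal' looks like from past sessions; no predefined signatures."""
    dwell = [e["dwell_ms"] for e in history]
    return Profile(
        known_ips={e["ip"] for e in history},
        usual_hours={e["hour"] for e in history},
        usual_apps={e["app"] for e in history},
        dwell_mean=statistics.mean(dwell),
        dwell_sd=statistics.stdev(dwell) if len(dwell) > 1 else 0.0,
    )


def score_event(profile: Profile, event: dict):
    """Score one post-login event against the baseline; returns (risk, reasons)."""
    score, reasons = 0, []
    if event["ip"] not in profile.known_ips:
        score += WEIGHTS["ip"]
        reasons.append(f"new source ip {event['ip']}")
    # Tolerate an hour either side of any hour seen before.
    if not any(abs(event["hour"] - h) <= 1 for h in profile.usual_hours):
        score += WEIGHTS["hour"]
        reasons.append(f"unusual hour {event['hour']:02d}:00")
    if event["app"] not in profile.usual_apps:
        score += WEIGHTS["app"]
        reasons.append(f"unfamiliar app {event['app']}")
    if profile.dwell_sd > 0:
        # Keystroke rhythm more than 2.5 standard deviations from the user's own mean.
        z = abs(event["dwell_ms"] - profile.dwell_mean) / profile.dwell_sd
        if z > 2.5:
            score += WEIGHTS["typing"]
            reasons.append(f"keystroke dwell z={z:.1f}")
    return score, reasons


def decide(score: int) -> str:
    """Map risk to an action: keep watching, challenge, or cut the session."""
    if score < 30:
        return "allow"
    if score < 60:
        return "step_up"  # e.g. re-prompt for a second factor
    return "terminate"


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    normal = {"ip": "203.0.113.10", "hour": 10, "app": "email", "dwell_ms": 111}
    # Correct password, but 3am from an unseen IP into an unfamiliar app, typed at
    # a very different rhythm: each factor alone is weak evidence, together they add up.
    suspicious = {"ip": "198.51.100.7", "hour": 3, "app": "hr-admin", "dwell_ms": 45}
    for ev in (normal, suspicious):
        s, why = score_event(profile, ev)
        print(f"{decide(s):>9}  score={s:3d}  {'; '.join(why) or 'matches baseline'}")
```

The point of the additive score is the one the article makes: a correct password is only the first factor, and the decision is re-evaluated on every event rather than once at login.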

Maybe I was right - it’s just like watching your teenager?

How does Singapore's startup scene compare to Australia's?

http://www.computerworld.com.au/article/593974/how-does-singapore-startup-scene-compare-australia/
 
The Singapore government has a framework to support startups at every stage of their journey
I recently had a discussion with Neal Cross the chief innovation officer at DBS Bank in Singapore.
It started with a statement from me, noting that based on a recent visit to Singapore it seemed that the innovation and startup scene there is stronger than Australia's.

Neal said that he had had a meeting with the Singapore minister for education, following a comment that there were not enough startups and entrepreneurs in the country. That being said, Neal thought that Singapore will win ‘hands down’.

The case for Australia
I argued that we had the smartest prime minister in many decades, who has also built and owned a technology startup. We have an innovation minister who is engaged with the community and ecosystem, so things were looking positive, with many new startups (particularly fintech startups in both Sydney and Melbourne).
Further, I added, we have a great premier in NSW who ‘gets it’, and the ongoing competition between Sydney and Melbourne will serve us well.
Innovation is high on the national agenda.

The case for Singapore

Neal noted that, unlike Australia, Singapore is flush with funds, and VCs in Singapore can get funds from the government with only an expectation of a 5 per cent return.

A big believer in getting the model right, Neal explained that the Singapore government has a framework to support startups at every stage of the journey — from pure R&D activity all the way through to series B and even C.

It can also provide space, mentorship, incubation and acceleration.
In Singapore there is the EDB (Singapore Economic Development Board), NRF (National Research Foundation), Spring (for seed funding) and IDA (Infocomm Development Authority).
 
Support from the government also extends into corporates, and DBS has active partnerships with EDB, IDA, NRF and the regulator MAS (Monetary Authority of Singapore) to drive a cohesive strategy to help turn Singapore into a smart nation.

The jury is out
Australia has a larger population and a naturally innovative mindset. We need, however, to make shifts to how we encourage the ecosystems to operate. It is the interaction between business and government that appears to be where we need to do the most homework.

We should be aiming higher, but the reality is that we are not yet set up for success.
 

The problem with cloud

What barriers to cloud adoption are holding enterprises back?
 
http://www.computerworld.com.au/article/594537/problem-cloud/ 

Cloud has made headway but within most enterprises it is still confined to a minority of workloads.
A survey by RightScale (PDF) revealed that almost 70 per cent of enterprises ran less than a fifth of their workloads on cloud services.

Why is this the case?
Moving each enterprise's applications off legacy is not that easy, with most of these solutions not having been built with the cloud in mind.

The truth is also that the discipline around test management means that the test scripts are likely to be quite specific to the legacy infrastructure.

There is significant work in recreating test scripts to validate this on the new cloud platform. Perhaps the costs of migration outweigh the potential savings.
Decision making is split
To move the bulk of applications to the cloud will require business agreement; this is not merely a decision for the CIO. Who pays? Answering this question is always going to be a significant factor.

The way I see it, the only way is to take an enterprise approach and sweep all of these into a single budget with a savings target to achieve. Decision making can still involve both business and IT, but it is completed at a holistic level.

Unfortunately this is not the reality at most enterprises.

True commitment to cloud strategy
To be truly committed is to be ‘cloud first’. But who has really done this? From what I understand Suncorp, GPT and News Corp have been very aggressive with cloud adoption.

Compared to many enterprises, however, they remain an exception. Many of the Big Four banks, for example, would not be considered to be ‘cloud focussed’ and perhaps at best ‘cloud explorers’, according to the RightScale methodology.

Cloud readiness in IT
Are we ready for the cloud? For most teams there are new skills to learn and risks to consider. All current monitoring, security and reporting tools will need to be evaluated, and perhaps changed, in order to manage a combined cloud and non-cloud environment.

There are usually staff reductions in the infrastructure teams and, as a result, a ‘go slow’ attitude. I’ve heard a story from a few good sources about a Big Four global head of infrastructure saying he “never wants to ever implement cloud”.

Quite a silly thing to say, given this was based not on logic but on personal preference and positioning to maintain power. But resistance, both passive and active, will have a slowing effect.

DevOps maturity
To get the true benefits of cloud, we have to be able to integrate the whole process of getting code into production. Most enterprises are making progress with adoption of Agile. I’m not convinced that DevOps has progressed as quickly, and more maturity is required in these new processes.

Without this maturity, uptake will not match our appetite.

Cloud security
There is a need for new approaches to security to take an enterprise into the cloud world. It is equally important for cloud beginners, cloud explorers and cloud-focused organisations. In the absence of this capability, projects will remain stalled.

Unfortunately, security resources for BAU are heavily invested in existing projects and there is not that much capacity for cloud projects.
Legacy and cloud integration
This is still at a somewhat clumsy stage with the degree and ease of integration limited between the newer cloud applications and enterprise applications on legacy.

Having to navigate between non-cloud and cloud applications across a business process can cause frustration. This is a problem not just for the architects; what is needed is a new blueprint that takes a collection of new startup apps and figures out how they replace and/or integrate with existing technology.

This creates a new level of architecture maturity and discipline.

My crystal ball:

Cloud adoption will never be 100%: This will only happen for new enterprises that have no legacy. The cost and benefits of migration will get in the path of this change. This will also be adversely affected by the earlier factors I outlined.

Industries that are moving to digital will be faster adopters: Yes, a no-brainer. New digital channels work better on cloud thanks to the ability to be able to scale swiftly.

Industries facing significant cyber security threats will be slower adopters: Unfortunately many that are moving to digital channels for opportunity are also going to be facing cyber security threats. This will create a natural gravity and slow down any momentum.

Take away the choice: The problem with cloud is that we expect corporate IT to immediately embrace it and move. But that’s not going to be the way it pans out.
New startups all embrace cloud as it is their only choice.

While there is choice, there will be slower uptake. That’s simple: remove the choice and enterprises can move faster into the cloud, and perhaps also compete on level terms with startups.

What kind of CIO do I want to be?

David Gee offers his insights on chief information officer archetypes
http://www.computerworld.com.au/article/597319/what-kind-cio-do-want/

It is arguably the greatest job in the world – so what kind of CIO do you want to be?
[Read part 1 of this series Who wants to be a CIO?]

Well, I’m sure that like me you have observed some really good ones and some poor ones. To protect the innocent, I’m not going to mention any real names or ‘pseudonyms’. But I have to use some actual stories to illustrate.

In my 18-year career as a CIO, I have observed leaders that had qualities that I admired; frankly every one had some good attributes. The question is always: Do the good attributes overshadow the bad?

It is only by reflecting on different characters that you can try to distill what is the real essence of that leader and what makes that person great.What kind of CIO do you want to be like?
There are many types but let’s try to summarise these into a few categories:

The Machiavellian CIO
Let’s start with the one you don’t want to emulate: the Machiavellian CIO. This is the one who has read The Prince and actively remodels him- or herself on it. This CIO is all about allegiances and alliances, and is willing to cross over to the dark side willingly and without any conscience.

Machiavellian CIOs can be either male or female. It is not about testosterone but more about survival behaviour. The trait to observe is whether ‘fear’ is used as a weapon on a regular basis. When you see that, I suggest you have found one.
It is not a bad thing to want to survive. The question is more about personal integrity and what you stand for. There are times as a CIO when you have to wear this ‘hat’, but I personally think this is old-school management.

The Transformational-Entrepreneur CIO
A rare species. They are always looking at the bright and shiny objects. You can learn some great habits from these CIOs in terms of how they think, or even how they ‘think about thinking’.
Entrepreneur CIOs are all over external ecosystems and focus on digital, big data, cyber security and customer experience. They do care about operational IT, but only insofar as it runs smoothly and is a platform for their new ideas.

Often their weak point is around attention for details; they love to have staff around them to fill in this gap.

By nature, this CIO is about inspiration and vision and rarely uses the ‘fear’ approach. They are collaborative and want their staff to be inspired too.

Working for this boss, will be exhilarating and fun (at times) but can be stressful as they push the boundaries and make you stretch. They think abstractly and are hard to keep up with.

The Professional CIO
A much more common species, these are solid citizens who get on with supporting the business and getting things done. They do not have the high highs or low lows, are much more consistent and balanced.

The Professional CIO is perfect for ‘Run IT’ and can sometimes stretch into ‘Change IT’. However, they tend to get uncomfortable with truly being the leader of a transformation.

They are organised by nature; you will see that they have strong governance in place, with weekly operational staff meetings. The Professional CIO is in control and manages the whole portfolio.

They have good staff coaching skills and are very effective at managing their team and the customer’s demands.

Got-there-by-chance CIO
Then there is the CIO that doesn’t really fit any of these categories. They have come from an unusual background via the business or after completing a major program of work.

Their career path has not been aimed at reaching this role, but nevertheless they found themselves in this senior position.Typically, their experience is quite narrow in terms of IT, but they usually have other attributes that can compensate for this gap.

In some cases, they have excellent interpersonal skills or a great ability to analyse and drive programs of work. The ‘got there by chance’ CIO is never that comfortable in the role but will become more at ease over time. I’ve seen brilliant CIOs who have come from strategic business roles and been elevated into global CIO positions.

What happens is that their strength is also the weakness. In some cases, being naïve and curious can be valuable; it can also mean that you don’t have any context to understand what has gone before.

Frankenstein CIO

Yes, technically Frankenstein was the scientist, but with this category I am more interested in evoking a creature created out of an assortment of different parts. My view is that the best CIO is a combination of all three of the preceding positive CIO archetypes. I have worked for all of these different types of CIOs in the past. Taking the ‘best’ parts and rejecting what I consider to be their ‘worst’ attributes has been the approach I have adopted.

I’ve had an unusual career with 18 years as a CIO in a 28-year career; I was elevated earlier than many of my peers. Because of this I really wanted to be the best CIO and observed others in action.

In many ways I believe that I am myself a Frankenstein CIO. If your ambition is the top job in IT, the question you need to ask yourself is: What kind of CIO do you want to be?

Who wants to be a CIO?

David Gee offers his take on what it takes to become a chief information officer
http://www.computerworld.com.au/article/595553/who-wants-cio/

For many IT managers, becoming a chief information officer is an ambition that may be openly or, more likely, secretly held.

Being the CIO can be the greatest job in the world and, sometimes, the worst.
A natural starting point when trying to understand the top role in enterprise IT from the perspective of someone with the ambition of becoming a chief information officer may be to think about one or two CIOs that you have worked with in the past.

That’s okay, but I would encourage you to start observing a broader sample set. The more senior executives that you can learn from, the better!
From my own standpoint, I’ve worked with many good executives and also some who are not so great. You will learn from both: traits that are worth emulating and pitfalls that are worth avoiding.
So who wants to be a CIO? It may be the highest-paying role in IT, but with it comes the ‘A’ from the RACI model (Responsible, Accountable, Consulted and Informed). The buck stops with the CIO for so many things.

The CIO is supposed to take all the ‘heat’ from management — although I have seen some bad ones that just reflect this to their staff.

When you are the CIO you have a job that has incredible variety and you are expected to be broadly experienced, wise and fair. The role is testing on the individual but that is also part of the allure.

For me this is what makes you grow and continue to learn; the level of constant re-invention is the best part of being a CIO. (Later in this series I will talk about the different types of CIO that exist and I’m sure that you will identify with some of these characters.)
The loneliest job in the world?
The CIO role can be ‘lonely’ as you have to make the tough decisions. However, my personal belief is that the best CIOs will involve their teams in nearly all decisions, taking their input and then making a final deliberation based on understanding all points of view.

The decisions are tough, as they never occur in isolation; a simple technology decision has short-, medium- and long-term implications. A decision always has a customer impact; it might be small but it can never be ignored.

There is always pressure to have made a decision ‘yesterday’, so being able to handle time pressure and conflict is all part and parcel of the role. Being totally honest in your dealings is the only way to operate.
As a CIO, your decisions are always being second-guessed by others and it is best to be able to explain what and why.

Passing the smell test
Passing that ‘red face’ test is always the acid test for the CIO. Being caught out is never a place that you want to be; it just sets a precedent that your team or a business partner will hold up in future.

The personal brand that you have as a leader is what others say about you, when you are not there to defend yourself. That’s the brand that you carry and it always precedes you into a meeting, including with people who don’t know you.
This brand will be part of your executive ‘presence’. So let’s make sure that it is a brand that is positive and resembles what you actually intended it to be.

CIO = career is over?
Most CIOs have a fairly short tenure; around three to four years. Not surprisingly the tenure of the CEO is around five years and this is a clue to the length of time CIOs tend to spend in organisations.
There is much to be said for the CEO wanting his or her CIO to be a certain style and have a compatible approach to their job.

When you get a gig as a CIO, it is always important to work out where the CEO is in his or her own career path in the organisation. I have even asked this question directly in the first few weeks. By doing this you can try to ensure that you are aligned to where that boss is actually going.
Where they are in their own career, both broadly and more specifically within a particular company, can inform you of what their preferred approach might be. I’ve nearly always had as a boss a CEO who brought me into the organisation with a mandate for change.

Everybody wants a piece of you
The role has evolved over the 18 years that I have performed as CIO across 15 countries. There have been new partners to work with and a constant trend for new technologies to emerge.

To start with, the CIO traditionally worked for the chief financial officer and that was an interesting relationship. I’m not saying this is inappropriate, but to make it work requires complete honesty and basically ensuring that the CFO understands that his or her own priority list has to be part of the overall business portfolio.
 
The CIO has to work with the chief marketing officer, the COO, the CRO and the CEO.
Each of these executives will have different requirements and approaches. That’s all part of the fun of the role. In the last few years you have had to also work with the chief digital officer, chief innovation officer and chief data officer.

Everybody wants a piece of you and I mean that in the both positive and negative sense. It is arguably the greatest job in the world.
(This article is the first part of a series on what it takes to become a CIO.)

Encryption by default at 80%

Encryption by default is becoming the norm

http://www.computerworld.com.au/article/597981/encryption-by-default-80/
You should care about the new block cipher mode standard. Each and every time you use one of those point-of-sale devices, what happens? Your precious credit card information is stored in that very reader.

The National Institute of Standards and Technology (NIST) has a new standard that is designed to protect your details (PDF). It has been a tricky problem to address, as there was a mandatory requirement to retain the length and current format of the credit card numbers.

The standard specifies two alternatives for format-preserving encryption, allowing this data to be read and processed by existing applications while still protecting payment card information from the bad guys.
We are entering an era of encryption by default.

The NIST solution
The NIST standard (SP 800-38G) specifies a new approach, “format-preserving encryption”, that can encrypt data in non-binary formats such as decimal digit strings, where the older NIST block cipher modes were designed for binary data only.
Using format-preserving encryption, or FPE, there are two approaches, named FF1 and FF3. Each is a Feistel-based mode built on an approved 128-bit block cipher, in practice the Advanced Encryption Standard (AES), and conforms to the new standard.

The ‘smart’ part is that when this standard is applied, the FPE-encrypted credit card number looks just like a credit card number: the same length, drawn from the same digits-only alphabet. This allows existing systems and hardware to continue to operate.

With the previous modes it was not possible to encrypt a decimal number and still have system programs read the result in the original format.
What drove the standard was resolving credit card vulnerability. Interestingly, this approach also has a use case in medical records. This will allow personal information from medical records to be protected as well.
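To make the format-preserving property concrete, here is an added Python example written for this page; it is not NIST's FF1 or FF3 and not code from the standard. It keeps FF1's shape (ten alternating Feistel rounds over the two halves of a decimal string, with a tweak mixed into every round) but uses HMAC-SHA256 as the round function where FF1 uses an AES CBC-MAC, so it needs nothing beyond the standard library. The key, the card number and the helper names are constructed for the demonstration; do not use this construction for real card data.

```python
import hashlib
import hmac

ROUNDS = 10  # FF1 also specifies ten Feistel rounds

# Constructed demo key; a real deployment derives this from an HSM-held key.
DEMO_KEY = hashlib.sha256(b"constructed demo key, not for production").digest()


def _prf(key: bytes, tweak: bytes, rnd: int, half: str, modulus: int) -> int:
    """Round function: keyed hash of (tweak, round number, the other half),
    reduced into the decimal domain. HMAC-SHA256 stands in for FF1's AES CBC-MAC."""
    msg = tweak + bytes([rnd]) + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a decimal string to a decimal string of identical length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a decimal string of length >= 2")
    n = len(digits)
    u, v = n // 2, n - n // 2            # FF1-style split; halves differ for odd n
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v       # alternate which half absorbs the round output
        c = (int(a) + _prf(key, tweak, i, b, 10 ** m)) % 10 ** m
        a, b = b, str(c).zfill(m)        # zfill keeps the length, i.e. the format
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Exact inverse of fpe_encrypt: run the rounds backwards, subtracting."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, tweak, i, a, 10 ** m)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """Encrypt only the middle digits of a card number, keeping the first six (BIN)
    and last four in the clear, and binding the ciphertext to them via the tweak.
    This is a common operational pattern, not something the article prescribes."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be a decimal string of 13 or more digits")
    head, middle, tail = pan[:6], pan[6:-4], pan[-4:]
    return head + fpe_encrypt(key, (head + tail).encode(), middle) + tail


def recover_pan(key: bytes, protected: str) -> str:
    head, middle, tail = protected[:6], protected[6:-4], protected[-4:]
    return head + fpe_decrypt(key, (head + tail).encode(), middle) + tail


if __name__ == "__main__":
    pan = "4532015112830366"            # constructed 16-digit number, not a real card
    ct = fpe_encrypt(DEMO_KEY, b"", pan)
    print(pan, "->", ct, "->", fpe_decrypt(DEMO_KEY, b"", ct))
    print("BIN/last4 preserved:", protect_pan(DEMO_KEY, pan))
```

Two properties worth noticing. First, like FF1 and FF3 this is deterministic: the same number under the same key and tweak always yields the same ciphertext, which is what lets legacy systems keep using it as a lookup key but also means equality between records leaks, and the tweak is the only lever against that. Second, shrinking the encrypted portion shrinks the domain an attacker must search, which is why the standard sets a minimum domain size. FF3 as published in 2016 was later found to be weak and was replaced by FF3-1 in Revision 1 of SP 800-38G (2019); anyone implementing today should follow the current revision rather than this sketch.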

Benefit for medical research
With every database, we need a unique key to search, index and locate information. Typically a key is assigned; in countries like the USA a social security number is used.

The advent of this standard can ensure the requisite security and that the privacy of records is maintained. I would expect that, given the recent decision to align HIPAA health security standards with NIST, adoption will certainly occur. There will be increased focus on the critical need for cyber security for medical devices and the personal information that is stored.
Encryption by default
The dust has not yet settled and we are already seeing WhatsApp chat and calls being encrypted. I believe that we have started entering an era where encryption by default becomes the norm.

In a recent CSO Roadshow on this topic, there was an expert opinion that encryption by default would eventually cover 75 to 80 per cent of all data.

Clearly there are performance issues to be overcome to enable this level of encryption. But in a time of increased data breaches and an inability to insure fully against subsequent losses, it is somewhat inevitable that we start to see more encryption everywhere.
I’m a big believer in appropriate action and response. As managers we have to understand risk and manage it appropriately.

Right now I’m happy for my credit card and medical records to be secure.

Wednesday, May 25, 2016

A startup accelerator for social good

UNSW students are in the running to win the Hult Prize
http://www.computerworld.com.au/article/594105/startup-accelerator-social-good/

On a normal day I work with a variety of startups, especially in the fintech, enterprise technology and health tech spaces.

It is an amazing and exhilarating experience. But recently I had the pleasure to work as a mentor with Venturetec, mentoring a group of inspiring UNSW students from the Australian Graduate School of Management who are striving to win the Hult Prize.

The Hult Prize is a start-up accelerator with a major difference. It’s a startup accelerator for social good and it’s the world’s largest student competition.

From the 25,000 global applications received from 500 colleges and more than 150 countries this year, 300 will compete in five cities around the world for a chance to win one of six places to pitch in the finals to secure US$1 million in startup funding.

This is all about social entrepreneurship; bringing together college and university students from around the world to identify and launch disruptive and catalytic social ventures that aim to solve the world’s most pressing problems.

It’s a joint initiative by Hult International Business School and the Clinton Global Initiative. Bill Clinton set this year’s challenge to double the income of 10 million people living in crowded urban spaces and will be on stage to present the award.

The judging panel includes some heavy hitters, such as Nobel Peace Prize laureate Muhammad Yunus.

Introducing Bobbin
Bobbin (formerly solarweavers), comprising Ben Pask, Shalendra Ranasinghe, Lisa Shannon and Dimitry Tran, are the AGSM (UNSW) Hult Prize Finalists that are on their way to London for the Regional Finals in March.

The objective of Bobbin is to connect women in urban slums to a source of sustainable income. There is technology involved in their social enterprise, but this is not your usual high tech. It includes a solar panel (low power), sewing machines (low tech) and a cell phone for connectivity.
Their solution includes micro-financing but they are also exploring micro peer-to-peer lending.

Bobbin’s customers will be able to sew clothes from raw materials sourced locally, with sales into existing marketplaces and a new online solution.

I asked Trey Zagante, Venturetec CEO, to comment on why he was working with Bobbin, which is a departure from his normal enterprisetech focus:
"We chose to sponsor the Hult Prize @ UNSW to support social entrepreneurs who are driven to make a positive social impact that could potentially change the lives of tens of millions of people,” he said.

“The Bobbin team have really embraced the lean startup approach of Venturetec’s incubation program, and they’ll be going into the regional finals having rigorously tested and validated their business model”.

A new online marketplace
This is about setting up a new marketplace in a country where online is not that commonplace. The product to be sold will be items of clothing. The phone’s camera will be used to snap the item, which will then be placed onto a new online marketplace.

Bobbin has partnered with technology provider Arcadier to develop their marketplace.At first I was surprised that Arcadier, which operates in advanced next-generation marketplaces, would be able to service outside of their comfort zone, but they are clearly comfortable in the social enterprise space, which can require less sophisticated technology.

Clearly there is a major assumption about when a tipping point will see a move from 2G phones to increasingly available smartphones. In developing countries we are starting to see rapid adoption of cheap Android-based handsets.

Bobbin’s other partner is Barefoot Power, which deploys solar panels and has a great existing penetration of markets in countries like Kenya.They are also in talks with the Kenyan Federation of Women Entrepreneurs.

There is an underlying belief that education is the answer to breaking the poverty cycle.

The stated goal of Bobbin is to double the income of people living in crowded urban spaces. Bobbin is focused on helping women who are on home care duties with few prospects of working outside of the home to generate an income.

“Empowering women may be the single most poverty-reducing factor in developing economies, which can lead to significant macroeconomic gains. It is shown that women are also more likely than men to invest more of their income into their children’s education,” says Lisa Shannon.

The model is deliberately simple to ensure that it will work. They create a small craft industry for eight women to work in a sewing circle, with a leader using a phone to manage logistics and sell in the marketplace.

The provision of solar power to use the sewing machines also brings light and power for houses that would otherwise not have them. So the impact of this is remarkable.

The secret sauce
It’s not technology; in actual fact, Bobbin’s secret sauce is ‘care’.
The secret sauce is Bobbin’s connection with the community, enabling the skills that already exist within these communities. It is also anticipated that when community pride is harnessed, defaults on microfinance loans will be minimal.

With care and connection, these small steps to create new work will start to change the world one solar panel and sewing machine at a time.

What makes ‘smart contracts’ smart?

Smart contracts are another potential use of blockchain technology


Contract law has been a fundamental cornerstone of the formation of modern human society. Smart contracts, an expression coined by Nick Szabo, represent a digital evolution of contracts.

Szabo coined the term in 1997 to describe self-enforcing digital contracts.

The advent of the blockchain — the distributed ledger employed by Bitcoin — has enabled the concept of smart contracts to come to life.

What is a smart contract?
A smart contract is one that is “capable of executing or enforcing itself,” writes Cryptorials’ Dean Walsh.

“Smart contracts are written as programming code which can be run on a computer rather than in legal language on a printed document.”

By definition, it is not necessarily a legal contract: it is programming code that details strict rules and consequences. Thus it mirrors a normal contract in that the obligations are outlined, as are the breach penalties for non-conformance.

Are they really smart?
Smart contracts are “modular, repeatable and autonomous scripts, usually running on a blockchain, which represent unilateral promises to provide a determinate computation,” states a BBVA paper (PDF).

“These scripts are stored in the blockchain at a particular address, which is determined when the contracts are deployed to the blockchain.”

When the specified event in the contract occurs, a transaction is automatically sent to execute the code. An example I recently heard in a startup pitch was a new water market. This platform created a market where buyers used traditional contracts when they bid for quantities of water, which were then paid for by bank transfers.

But in the world of a smart contract, the contract would detect who used the water, perhaps signalled from an IoT sensor. There would be an automatic audit trail of the quantity, time, date and quality of water shipped and received, from A to B. An agreed contract payment term would be invoked to make the required financial transaction, also settled in real time.

Where else could you use a smart contract?
A loan could be stored as a smart contract (in the blockchain) together with collateral ownership information. In the case where the loan is completed, the token for the digital rights is transferred to the borrower. Similarly, if a default occurs and the borrower misses a repayment, the smart contract could automatically revoke the digital keys that grant his or her access to the collateral.

Therefore, taking the example of a car loan, your finance company could prevent you from being able to access or start your motor vehicle.

Smart contracts could also be established for securities, monitoring the performance of digital or non-digital assets (futures, forwards, swaps and options).

Smart contracts, by definition, operate where there is no trust between the parties. They allow individuals to contract with each other and manage the payment of funds without a middleman.

We use eBay and Amazon as intermediaries when we conduct trade over the Internet — we trust these bodies to ensure that the goods will be legitimate, and we also don’t want our credit card details held by shady characters.

In the case of music, it could potentially reduce file sharing. If you purchase songs or video media, a smart contract may grant you the right to use it. Your right to this would be stored on the blockchain — and it could be a specific digital right; for instance, the right to play it once in the next three months.

Smart contracts don’t mean that we trust the other party – it just means that the mechanism is automated so that you cannot be cheated.

See you in court!
Clearly this is all yet to be tested in court. One major drawback is that smart contracts assume that parties know all the rules at the beginning of their collaboration. Thus smart contracts must have mechanisms to allow parties to amend their agreements as mutually desired.

But given their ‘automatically execute’ nature, smart contracts may hold the potential to significantly reduce the chances of a dispute reaching court.

If you default on your car loan – then you can’t start the car and it automatically returns to the finance company, or is even put up for immediate auction and delivered to the new owner.
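To make the loan-and-collateral mechanism described above concrete, here is an added Python model (my own illustration, not code from the article or from any blockchain project) of a car loan held as a self-enforcing contract: full repayment transfers the title token, an instalment missed beyond the grace period revokes the borrower’s access keys, and the amendment mechanism called for above requires the counterparty to accept before any term changes. The party names, amounts, day numbers and in-memory ledger are constructed for the example.

```python
"""Toy model of a self-enforcing car loan with collateral (constructed
illustration; an in-memory ledger stands in for the blockchain)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    ACTIVE = "active"
    REPAID = "repaid"
    DEFAULTED = "defaulted"


@dataclass
class LoanContract:
    lender: str
    borrower: str
    balance: int                  # outstanding amount, whole currency units
    instalment: int               # amount due each period
    due_day: int                  # day number on which the next instalment is due
    period_days: int = 30
    grace_days: int = 7
    state: State = State.ACTIVE
    owner_token: str = field(init=False, default="")        # digital title to the car
    access_key_holder: str = field(init=False, default="")  # who may start the car
    ledger: list = field(default_factory=list)              # append-only audit trail
    pending: Optional[dict] = None                          # amendment awaiting consent

    def __post_init__(self) -> None:
        self.owner_token = self.lender          # lender holds title until repaid
        self.access_key_holder = self.borrower  # borrower drives while in good standing

    def _log(self, day: int, event: str) -> None:
        self.ledger.append((day, event))

    def _require_party(self, who: str) -> None:
        if who not in (self.lender, self.borrower):
            raise PermissionError(f"{who} is not a party to this contract")

    def pay(self, day: int, payer: str, amount: int) -> State:
        """Borrower repays; clearing the balance transfers the title token."""
        if self.state is not State.ACTIVE:
            raise ValueError(f"no payments accepted in state {self.state.value}")
        if payer != self.borrower:
            raise PermissionError("only the borrower can repay")
        if amount <= 0:
            raise ValueError("payment must be positive")
        self.balance = max(self.balance - amount, 0)
        self._log(day, f"payment {amount} from {payer}, balance {self.balance}")
        if self.balance == 0:
            self.state = State.REPAID
            self.owner_token = self.borrower
            self._log(day, "loan repaid; title token transferred to borrower")
        elif amount >= self.instalment:
            self.due_day += self.period_days  # a full instalment buys one more period
        return self.state

    def tick(self, day: int) -> State:
        """Clock event from the platform: the 'specified event' that triggers
        enforcement once the grace period after a missed instalment expires."""
        if self.state is State.ACTIVE and day > self.due_day + self.grace_days:
            self.state = State.DEFAULTED
            self.access_key_holder = self.lender
            self._log(day, "default: access keys revoked from borrower")
        return self.state

    def can_start_car(self, who: str) -> bool:
        return who == self.access_key_holder

    def propose_amendment(self, day: int, proposer: str, **changes: int) -> None:
        """Either party may propose new terms, but nothing changes until the
        counterparty accepts, so neither side can rewrite the deal alone."""
        self._require_party(proposer)
        if self.state is not State.ACTIVE:
            raise ValueError("only an active loan can be amended")
        allowed = {"instalment", "due_day", "grace_days"}
        if not changes or not set(changes) <= allowed:
            raise ValueError(f"amendable fields: {sorted(allowed)}")
        self.pending = {"proposer": proposer, "changes": changes}
        self._log(day, f"{proposer} proposed {changes}")

    def accept_amendment(self, day: int, acceptor: str) -> bool:
        """Apply the pending proposal only when the other party accepts it."""
        self._require_party(acceptor)
        if self.pending is None or acceptor == self.pending["proposer"]:
            return False  # nothing pending, or the proposer trying to self-approve
        for name, value in self.pending["changes"].items():
            setattr(self, name, value)
        self._log(day, f"{acceptor} accepted amendment {self.pending['changes']}")
        self.pending = None
        return True


if __name__ == "__main__":
    # Constructed scenario: Bob misses his first instalment and loses the keys.
    loan = LoanContract("FinanceCo", "Bob", balance=1000, instalment=500, due_day=30)
    for day in (30, 37, 38):
        print(day, loan.tick(day).value, "Bob can start car:", loan.can_start_car("Bob"))
    print(loan.ledger)
```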

In the future, we will all learn to use smart contracts — and they will talk to each other.

How to pitch your startup to a VC

What is the best way to pitch for the venture capital your startup needs?
http://www.computerworld.com.au/article/598451/how-pitch-your-startup-vc/

So you have a startup and your excitement is hard to contain. You have a novel concept and are in the process of building it out. To get to this juncture you have used your own funds plus monies from friends and family.

The idea of living the dream and starting up the next billion-dollar unicorn is one that I’m seeing more and more regularly.

For many of these startups, the rude awakening is that it is not an easy path. If this is an endeavor that you are doing part-time then progress is slow. But if you take the plunge and work on it fulltime, then it is likely that your cash-flow projections might leave you shorter than anticipated.

So if you’ve reached the point where you’re ready to pitch to a VC — what’s the best way to go about it?

Getting ready to pitch
First, you have to have a unique idea that is going to be the centre of the pitch. That customer insight, based on facts, is what you want to test. Don’t make the mistake of assuming that what you believe to be true is universal. This needs to be part of your market research, and tested with a good sample.
Once you have that idea, build out your MVP. This will start to test your own personal limitations; in every team there are strengths and weaknesses. Be that technology, marketing or sales – every startup will have gaps.

It’s best to identify them and, if possible, seek out an advisory board to help you fill the voids.

As you are not yet solvent, you will need to establish this on the basis of a future equity arrangement. The most critical element is to get advice — and that means hearing things that you don’t want to hear.

Preparing your MVP and then testing this in a segment of the market is the right way to proceed. If you can get some revenue from this effort it will also help prove that there is a need for the product.

What to expect when you pitch
You have your tested MVP and received some results, and perhaps some sales revenue. Then you have effectively developed a business case, with expected costs, margins and distribution growth projections.

Then comes the hard part: how do you take this and distil it into a seven to 10-minute pitch? Yes: most pitches are decided within the first few minutes. There is no alternative but to have the best salesperson pitch — and that should be the CEO.

When you pitch to a VC there is a short list of what he or she is looking at:
  • Do they believe that the MVP product has wow factor?
  • Do the CEO and the team impress?
  • Is there any revenue that validates the MVP?
  • Assuming there is no IP protection, then how easy is it for others to copy this?
  • Does your request for funding make sense, the amount and how the funds will be used?

Pitching
The pitch has to nail the above checklist; if you have gaps then it is very likely that your request will be graciously declined.

Remember a VC is not a bank. They are in the business of making a margin from successful startups. In truth only one in ten startups succeeds, so VCs have to back winners, otherwise they also don’t eat.

The pitch is a sales event, but has to be grounded with facts that support the case. A VC will be pitched to 30-80 times per month, and can identify any BS pretty quickly.

In every pitch, you will need to provide an honest assessment of the competitive landscape and why your startup is superior.

There will be times that a VC will see part of your pitch and really value that component. In these instances they are joining the dots on what else they have seen in other startup pitches.

Assess the value of the VC
A good VC provides much more than purely funding: they will also provide advisory support and open doors. As you pitch and then do the Q&A, you will have the chance to engage in a dialogue that gives you some insight into what other value a VC can provide.

However, be aware that this is not the time and place to demand to hear the value-adds. But a VC can be a source of know-how around funding, IP lawyers, network connections, technology platforms and other disruptive startups that compete with you.

The aftermath
Afterwards, the VC will assess whether he or she believes in your product enough to be willing to invest time in the startup. Most VCs are used to kissing many frogs before they find their prince or princess.

The aftermath is tricky and can be confronting for the CEO of the startup, who has invested time, energy and money. My advice is to listen to whatever feedback is provided, even when you disagree.

It doesn’t mean the VC is always correct, but as it is a small world you never know when you will be back for another round.

Furthermore, a VC is always attracted to a CEO who is confident, but not arrogant. When you come across as not ‘coachable’ and unwilling to take input, that is not a great sign for the VC.

Most likely you will have to regroup and make another run at pitching. But also don’t be blind to the fact that perhaps your startup idea is not as great as you think. If you can pivot and apply the feedback, then your chances of a winning hand improve.

Good luck with your pitch!


Computerworld IT Leaders: Simone Bachmann, Australia Post

Simone Bachmann is head of information security, innovation and culture at Australia Post

David Gee talks to Simone Bachmann, head of information security, innovation and culture at Australia Post.
Simone, as head of information security, innovation and culture at Australia Post, you have the coolest title of anyone I’ve met. What exactly are your key responsibilities and what is the hardest part of your job?

It’s not just a cool title; it’s a really fascinating job. 

The innovation part is using customer-led design and lean innovation methodologies to solve customers’ pain points. This means anything from delivering solutions to keep people safer by default, through to creating discrete, revenue generating products and services.

Fundamentally the culture part of the job is about educating people such as our employees and customers about online security. Our mission is to help Australians be safer online.

To help make this a reality we use a variety of education principles and techniques, as well as behavior change models and partnerships with a variety of organisations.

It’s really easy to be passionate about striving to make a real difference to both these areas because the customer is at the heart of everything we do.
This is also the hard part of the job. Australia Post has such a broad range of customers (almost anyone), so there is certainly no one-size-fits-all approach.

Thinking about your own strengths, what is your strongest soft skill? I would bet that it is all about influence, communications and interpersonal skills?
I think it’s the ability to try to put myself in other people’s shoes to see things from their perspective. 

It’s also not assuming that I have all the answers, and asking others for help.

This helps me in many ways, such as when making decisions about people’s careers, creating customer solutions, and trying to explain why people should join you on a strategy.

When you think about leaders that you model yourself on, what attributes have you tried to emulate?
That’s a hard one, because to me the most important attribute is authenticity. And by definition it’s something you can’t really emulate - it kind of just has to be the way you are.
Another key attribute is bravery. Sometimes I have bouts of ‘imposter syndrome’ when I look at what I get to do and the amazing people I get to learn from and work with, and feel like I don’t quite belong.

I’m aware of this, so I remind myself that it’s not about me. It’s about representing the work the whole team does. This helps me have the level of confidence and courage of leaders I look up to.


In terms of self-development, are you a person who likes to identify tough and perhaps unachievable goals? Or are you more pragmatic and centred?
I definitely like to challenge myself in many forms. This can involve taking a new job or project with many unknowns. As long as the team and I are well enough supported and set up for success to deliver something great, I’ll give it a go.

Outside of work I like to challenge myself by testing my perceptions. For example a few years ago, I would have told you that boxing was a silly sport — a test of macho bravado. So I did a class and three years later I am still training and have even competed in two boxing matches.
Fighting is counter to everything I know, so this was one of the most confronting things I’ve done. It was therefore one of the most incredible feelings of achievement.

I’d be lying if I said either of these were part of a grand goal. They were both totally opportunistic as most of my best decisions have been. However, when they come across my path, I often have moments where I think ‘wow, this is what I have been preparing for’.

Do you have a mentor that helps guide your career?
Yes, in fact I have three people who I consider mentors. They are people who have amazing perspective and are not afraid to offend me by challenging what I think or say.

With each of them, mentoring was an organic process and I didn’t actively think about what I wanted from them. They are just brilliant people in their own right and are people whose advice I have taken and applied in so many situations, both professionally and personally.

What’s the best piece of career advice that you ever received? 
There are many, but the one that comes to mind is that being underestimated can be a powerful advantage.

Early in my career, I was a mid-20s, blonde female in a male-dominated IT industry, wearing my suit, heels and makeup. I was often mistaken for the secretary when I was actually the head of the largest revenue-generating division in the company.

It used to bug me but one day a customer pointed out that because I was considered less threatening than the other execs, people tended to be more open with me about what they needed to achieve and how I could help them.

I never misused this trust, but it taught me that what I perceived as a weakness could actually be a unique strength.

Just to understand more about what makes you tick — could you share what drives you?
This is where I sound like a walking cliché, but it comes down to two things. First, helping people achieve things that make a positive difference to their lives – I love seeing people achieve something they didn’t think they would or could.

Secondly, learning something new. It could be a random topic or something unexpected about a person that changes the way I view the world, even just a smidge.

What’s the hardest career decision that you have had to make?
Leaving a company where the CEO was both my manager and one of my closest friends on the planet (and still is). We made a formidable team. It’s unusual to be able to work with someone so closely who almost knows you better than you know yourself.

When I was leaving I felt like it was betraying them. I shouldn’t have worried in the end, but I’ve rarely dreaded anything as much as having that conversation. It was the right career decision, but it was the hardest.

Outcomes from the National Fintech Cybersecurity Summit

http://www.computerworld.com.au/article/599720/outcomes-from-national-fintech-cybersecurity-summit/

Last week an assembly of Australia’s who’s who of cyber security came together for a roundtable in Sydney. The event was organised by CSIRO’s Data61 and Stone & Chalk with partners KPMG and the Australia-Israel Chamber of Commerce (AICC).

This roundtable was chaired by Australia’s Chief Scientist Dr Alan Finkel, and the discussion was well moderated by Tony Jones from the ABC.

In an interview with Computerworld Australia, Alex Scandurra, CEO of Stone & Chalk, shared his reflections on the event and its outcomes.
A key theme that emerged time and again in the inaugural National Fintech Cybersecurity Summit was the criticality of collaboration – a point echoed by both key Australian and international corporate and cyber security leaders.

This event, which included industry, fintech, government, universities and thought leaders, was the first cyber security-focused meeting of such a diverse group of stakeholders in Australia, and indeed globally.
Both startups and corporates have acknowledged that collaboration in the past has been difficult and that a number of things, such as procurement processes and legal frameworks, need to change to make collaboration between big and smaller parties a lot easier.

Q&A
Alex Scandurra was kind enough to reflect on the day. Here are his reflections and responses after the event:

What are the next steps after the cyber roundtable and what do those who participated need to do to move the conversation forward?


We will be producing and sharing a report highlighting some of the key topics of conversation and themes that emerged from the summit and roundtable, and sharing in more detail our proposals for phases 2 and 3 of our Joint Fintech Cyber Security Innovation Program. Several organisations across defence, government, the private sector and research have expressed deep interest to participate in our program.

The intention is that phase 2 will consist of a national design challenge providing commercial opportunities for cyber security startups to collaborate with large organisations. This will be a key precursor to launching our Joint Cyber Fintech Security Innovation Lab.

The lab will bring several startups together to participate in a series of commercialisation opportunities driven through existing demand and areas identified for capability enhancement. The program and lab are proposed to be the leading fintech node within the federal government’s recently announced Cyber Security Growth Centre and national strategy.

Our program will help reduce the time it takes startups to commercialise and scale new innovation and we will be simultaneously helping corporate participants become ‘startup-ready’.

What is your general reaction to the roundtable? What were your key takeaways?

We were thrilled and humbled at the same time with both the very high quality and seniority of leaders from across the country and world as well as the sheer number that attended. We had close to 50 people attend in what was a very packed room full of very engaged and passionate people that represented the who’s who of the industry.

Several people remarked that they wished the discussion could have gone on for longer despite the two hours already spent. We will definitely be having a follow-up meeting to start to zero in on key capability and opportunity areas we may wish to focus on, as well as identifying the organisations across the full spectrum that are interested in participating.

What role do you think the roundtable will play in the development of Australia's cyber security ecosystem?

We think this is where the rubber will hit the road. There are clearly a lot of pockets of innovation in cyber security happening across Australia where some great work is being done. Some are in research institutions, some within corporates and defence and some across the cyber security startup community.

What we don’t have is a way that all these can be brought physically together in a structured program grounded in needs based commercialisation. The roundtable will play a key role in helping to shape, co-design what the program looks like and co-deliver with key startups and investors.

We will be looking to key roundtable participants to potentially also form part of our brains trust.

My takeaways
While I’m a massive believer that this is the right thing to do, we should temper our expectations that this will have a quick payback. As Australia moves into positioning itself as a digital nation, being a strong cyber security player is 100 per cent complementary with this ambition.

Having grounded expectations is necessary, and I would expect that this will be the first of many engagements that include industry, government, academia and innovation incubators. To me it is not important ‘who’ is driving this; more critical is that we agree ‘how’ we get to this destination.

Do we need more immigrants for cyber security gaps?

http://www.cso.com.au/article/597070/why-we-need-more-immigrants-cyber-security-gaps
There is an undeniable shortage of Cyber Security resources in Australia and the short-term answer has to be to bring talent in from other countries.

My proposal is that we have to re-evaluate our immigration policies and make this process easier. Fortunately for skilled professionals, they can choose to work in just about any country they want. Such are the global supply issues in play.

Immigrate to Australia?
In Australia we have a complicated process that, at first blush, has to be difficult for non-English speakers. The Employer Nomination Scheme would appear to be the best approach to get someone who is a known talent into your organisation. Effectively you are sponsored in this instance and, with the right skills and experience, it is as simple as pressing a button.

Taking the 457 skilled temporary visa route gives you 4 years in Australia, assuming that you fit the criteria.

What are the priorities?

Using the Australian Federal Government SkillSelect process, there are specific skills that are identified by industry bodies. At present these are the listed ones (occupation – ANZSCO code):

ACS
Systems Analyst – 261112
Analyst Programmer – 261311
Developer Programmer – 261312
Software Engineer – 261313
Computer Network and Systems Engineer – 263111


Hmmm, sorry but I don’t see Information Security or Cyber Security on this list. I have to trust that the person processing these applications can understand that when they see ‘Information Security’, then this should be given priority.

Cyber Staff are under-qualified
As a result of the shortage of talent and the seeming difficulty of bringing in new staff from outside Australia, we have seen CISOs and CIOs instead tapping into adjacent skills. There are transferable skills that can be retrained from network administrators, system administrators and programmers.

While I understand the pressure to use this approach, it has the resulting effect that these critical roles are staffed with people who are not qualified for the job.
How bad is this issue? Is this an exaggeration, and should we actually focus on the real issues at hand?

Actually it’s worse than you think
In a recent study, “State of Cybersecurity: Implications for 2015”, fewer than 25% of cyber security applicants were found to be qualified to perform the skills necessary for the job.
In plain English: 75% of staff in cyber security are effectively learning on the job.

The longer term implication is that enterprises are not ready to address the harder issues, and these are postponed or simply delayed. Perhaps we have just been lucky that hackers have been making bigger impact breaches elsewhere?

But the really frightening prospect is that our under-trained staff are simply not able to detect these breaches, and the 200-day average may indeed be longer in Australia.

The Inside Lane
Just to end on a ‘darker’ note: with a global shortage of staff it is actually easier for rogues to be accepted into an organisation as new hires. Our screening processes have to be strengthened and reference checking made even more robust.
In our frustration to hire we take on rogue outsiders who are just pretending to be ‘white hat’. Once a low-key rogue is on the inside, the risks increase exponentially.

We need to address our cyber security gaps, and this will need a comprehensive approach using education and training to grow our own, plus a more concerted campaign to attract cyber security talent to move permanently to Australia.

Grow your Own
Growing our own base of talent has to be the medium- and longer-term answer. We will need to develop and mentor this talent, while at the same time ensuring that they don’t become arrogant given all the hiring attention they will receive.

The stakes are high in a digital world, and Cyber Security is as much an enabler of the business as Agile Development. Once we realise this, we will then give the appropriate level of focus this issue deserves.

The Cyber Security Marketplace

http://www.cso.com.au/article/600460/cyber-security-marketplace/
We have heard about the gaps in the marketplace – we can’t find good cyber security resources. I’ve also heard students remark that they can’t get a job in cyber, even after doing a degree in this area.


In my own words, we have what I regard as a terrible situation. Late last year I was speaking on this topic for CSO Magazine, sharing my own reflections on the gap in the market. Abigail Swabey and I lamented this situation and decided that we needed to change this dynamic.

Why should we accept that students can’t get placements in firms? How can we encourage enterprises to provide that valuable work experience to these graduates and students?

The Cyber Security Online Marketplace
Earlier this year we agreed that we wanted to build a Cyber Security Online Marketplace (CSOM). As you know, CSO is in the business of publishing what is the leading authority on Cyber Security opinions and news.
It is a natural extension that we engage with our audience and also make them aware of the opportunities in the marketplace.

Let me introduce the Cyber Security Online Marketplace or CSOM.

What is CSOM?
This is a place where, with a simple click of a button, you can populate CSOM with your LinkedIn profile.

Once you are there, the fun starts. There are two different modes. The first is the anonymous one, for when you are in a Cyber Security job now but want to change to a new industry or company.
In this instance you choose to mask your photo and surname. Then, as you search through the job openings being posted, you can apply. Conversely, employers looking to fill roles that are not advertised will be conducting searches of the database.

Once they find potential matches, through CSOM you can conduct a confidential chat. When a shortlist is set and the parties agree, you can move into a normal recruitment process.



Why Students will love CSOM
Let’s look at CSOM from the view of the student. You can see advertisements from companies for Internships, Cadetships and Scholarships. It costs you nothing to join and you can see what cool offerings are available.

This is all about trying to give our young undergraduates some much needed experience in cyber security. Just imagine having access to a few really smart undergraduates and getting them involved in your newest agile project where you want to drive ‘Secure by Design’.

The students will love the experience, taking part in the stand-up meetings and working with more senior staff to learn from them.

Then in the future, when we are looking to fill a vacancy, they are just a perfect fit for the organisation. And if you aren’t hiring, there will be others who are able to hire that bright young person with some great experience under their belt.

It is a classic “win-win-win”.

Why Companies love CSOM
There is a shortage of talent in cyber security and companies are the ones left holding all the responsibility without having the capability to address all the projects and risks.

CSOM is about creating an ‘on demand’ marketplace for Cyber Security. We are aware that this kind of market is new and doesn’t formally exist outside of a SEEK advertisement.

You will see that CSOM is much more about engaging potential hires and trainees. It is more active than the old passive models. And you will find more new sources of talent in this market than you are currently able to gather by running your own job fairs.

CSO Industry Engagement
These bodies are extremely motivated to help drive professionals into Cyber Security and they understand the strategic importance to Australia’s Digital Future.

We will continue to engage with industry, please contact me if you feel that we have overlooked your organisation and you want to be involved.

The Launch of CSOM
The launch will occur around the end of May and coincide with events such as AusCERT and ISACA-organised professional development sessions.

CSOM can’t succeed without the support of your company and of Cyber Security Professionals. The goal of CSOM is to build a stronger community and that starts with creating new talent and also rewarding those professionals that are already in the industry.

Will you join me?


National Fintech Cyber Security Summit

http://www.cso.com.au/article/597858/national-fintech-cyber-security-summit/
I’ve recently been invited by Finsia to attend as their representative at the Inaugural National Fintech Cyber Security Summit.

This event is being held in Sydney on May 3rd and aims to help accelerate the relationships and collaborations necessary to develop Australia’s innovative capability in fintech cyber security.

The Federal Government in March released a statement on its future innovation strategies and priorities. Implicit in this plan is the overarching goal of driving Australia to become the FinTech Hub of Asia.

It is acknowledged that cyber security is an integral part of Financial Services and we want to grow our national capability in that regard.

This Summit has been designed to accelerate Australia’s fintech cyber security ecosystem.
We need to start this conversation by understanding the technological, cultural and mindset challenges.

Not surprisingly, we look at Israel with envy: it has a thriving and profitable cyber security industry that nets an impressive US$4.5B per annum.

To duplicate this will take some doing, but it is clear that many Australian Cyber Security startups look to relocate to Silicon Valley as they struggle to find local support and funding.

Australia’s Fintech Priorities
The Federal Government has committed A$30 million to establish an industry-led Cyber Security Growth Centre. This initiative is designed to both expand and strengthen Australia’s cyber security industry.

To me there is a clear nexus between strong cyber security and the move from an Analogue into a Digital world.

Each and every enterprise has to have confidence in their cyber security, otherwise this creates unacceptable risk for their operations.

It is expected that the “proposed Cyber Security Growth Centre will facilitate improved engagement between research and business, improved access to global supply chains and international markets, improved management and workforce skills, and regulatory reform”.

With a global cyber security market estimated to be US$71 billion, this is an attractive market proposition to be engaged with and the logic is indisputable.
But how does this fit in with our parallel push into China?

Impact of China (ChAFTA)
China is already Australia’s number-one export market and import supplier. The Australian Treasury notes that:
“China is already Australia’s largest services market, with exports in services valued at $8.8 billion in 2014–15. China’s share of Australia’s service exports has increased from around three per cent in 2000–01 to around 14 per cent in 2014–15.”

Building upon this foundation, we have a unique window with the China–Australia Free Trade Agreement (ChAFTA), which came into effect on 20 December 2015.

What this means is that Australian financial services firms and startups are able to launch products into that market.

We want to be able to have our fintech startups launch into China and make inroads into what is shaping up to be a massive sector. Just for a flavour, bite on this factoid:

“China’s e-commerce industry is worth about $672 billion and is expected to more than double to $1.6 trillion by 2018, accounting for more than half of global e-commerce, according to Citigroup’s report.

China’s peer-to-peer lending business last year of $67 billion was more than four times bigger than the U.S. market, Citigroup said”

It’s already huge and growing bigger. It makes sense that we want to get a slice of this pie. But…

Cyber Security Quandary
Here is the tricky part. Israel has built an enviable cyber security industry on the back of the Israeli Army and of the ongoing daily practical experience of defending itself.

We have to start integrating how the Australian Army works with industry, and it would be great to see the same setup here, with ex-Special Forces cyber security specialists launching startups in Australia.

That’s where it becomes really problematic. It is often the case that cyber security encryption or technology has a US Defence heritage.

I’ve seen some great examples of video facial recognition analytics that would be ideal to sell into China. But I suspect that some of the technology that underpins this may be sensitive or indeed forbidden to be sold into China.

The upcoming National Cyber Security Summit will discuss how to position Australia as a regional hub for fintech cyber security collaboration and innovation.

It is a real quandary, and we have to find a way to address this with our number-one trading partner.

We have to work out whether we are friends or frenemies.

The comments expressed in this article are my personal opinions and do not represent Finsia.

Threat Modelling

http://www.cso.com.au/article/598276/threat-modelling/
Move over Zoolander, this is not about weather that upsets your hair-do.

Threat modelling is a depiction of critical security concerns, sometimes represented diagrammatically as a Data Flow Diagram illustrating potential external attack points. Why you do this exercise is that a threat model helps to assess the potential harm an attack will bring, and helps us anticipate and thus minimise the risks.

It is in essence a set of approaches you use to identify potential threats, conducted while new systems are being designed. This helps you understand your actual vulnerabilities.

Understand my vulnerabilities
By doing threat modelling for both IT infrastructure and IT applications we are able to really understand the risks that cyber threats bring. In other words we develop an understanding of the expected attack surface.

It is critical that you look at the bigger picture, as it is very easy to fall into the trap of focusing on operational patching and alerts. Every organisation has a long list of identified risks with specific vulnerabilities that are at various stages of being remediated.

Any organisation that is able to link its threat modelling and enterprise risk analysis will have a much better understanding of its cyber risks. This clear understanding of the attack surface then enables you to prioritise your cyber security tasks.

This needs to be based on real, actual risks, not perceived risk or, even worse, the hype that is currently manifesting.

Approaches to Threat Modelling
There is no perfect way to conduct threat modelling, but here are three well-regarded approaches:
Privacy approach – this is asset-centric threat modelling, where you look at where personally sensitive data is being stored, transmitted and so on. Just focus on the asset and follow it through the business.
Microsoft approach – this is software-centric threat modelling. You look at the architecture, commencing with the design of the system, and walk through evaluating threats against each component.
Black Hat – start from the outside in, by looking at what the attacker is trying to do. This is often called an attacker-centric threat model.
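As an added illustration (not code from the article, from CSO or from Finsia), here is a small threat model expressed in Python for a hypothetical card-payments service; every element name, trust zone and data flow is constructed for the example. It shows the Data Flow Diagram idea from above and two of the three approaches: the privacy/asset-centric view (follow the sensitive data through every hop) and the software-centric view (walk each DFD element and each boundary-crossing flow, enumerating threats per STRIDE category, the taxonomy used with Microsoft's method). It then ranks the threats by a simple likelihood times impact score so that priority follows the real attack surface rather than perceived risk. The zone-based likelihood values and the impact weights are assumptions chosen for the example, not an industry standard.

```python
from dataclasses import dataclass

# STRIDE: the six threat categories used with Microsoft's software-centric method.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: categories usually relevant to each kind of DFD element.
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

# Assumed likelihood by trust zone: what the internet can reach is attacked most.
ZONE_LIKELIHOOD = {"internet": 3, "dmz": 2, "core": 1}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone: "internet", "dmz" or "core"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    sensitive: bool = False   # True when the flow carries personal or payment data


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    likelihood: int   # 1..3
    impact: int       # 1..3

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def build_model():
    """Constructed sample DFD for a hypothetical card-payments service."""
    elements = [
        Element("Customer browser", "external", "internet"),
        Element("Payments API", "process", "dmz"),
        Element("Fraud scoring", "process", "core"),
        Element("Card vault", "store", "core"),
    ]
    flows = [
        Flow("Customer browser", "Payments API", "card number + amount", sensitive=True),
        Flow("Payments API", "Card vault", "tokenised card record", sensitive=True),
        Flow("Payments API", "Fraud scoring", "transaction features"),
    ]
    return elements, flows


def asset_centric(flows):
    """Privacy/asset-centric view: follow the sensitive data and list every hop it takes."""
    return [f"{f.src} -> {f.dst}: {f.data}" for f in flows if f.sensitive]


def stride_per_element(elements, flows):
    """Software-centric view: walk each element and each flow that crosses a trust boundary."""
    zones = {e.name: e.zone for e in elements}
    touches_sensitive = {f.src for f in flows if f.sensitive} | {f.dst for f in flows if f.sensitive}
    threats = []
    for e in elements:
        impact = 3 if e.name in touches_sensitive else 1
        for code in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[code], ZONE_LIKELIHOOD[e.zone], impact))
    for f in flows:
        if zones[f.src] != zones[f.dst]:   # only flows that cross a trust boundary
            likelihood = max(ZONE_LIKELIHOOD[zones[f.src]], ZONE_LIKELIHOOD[zones[f.dst]])
            impact = 3 if f.sensitive else 1
            for code in APPLICABLE["flow"]:
                threats.append(Threat(f"{f.src} -> {f.dst}", STRIDE[code], likelihood, impact))
    return threats


def prioritise(threats):
    """Order by likelihood x impact so remediation follows real risk, not hype."""
    return sorted(threats, key=lambda t: (-t.score, t.target, t.category))


if __name__ == "__main__":
    elements, flows = build_model()
    print("Sensitive data path:")
    for hop in asset_centric(flows):
        print("  ", hop)
    print("\nTop threats:")
    for t in prioritise(stride_per_element(elements, flows))[:8]:
        print(f"  {t.score:2d}  {t.target:35s} {t.category}")
```

The attacker-centric ("Black Hat") view is not a separate function here: it is the same ranked list read from the outside in, starting with the internet-facing browser and the first boundary-crossing flow, which is exactly where the highest scores land. In a real exercise the likelihood and impact values would come from your risk register rather than from a fixed table, which is the link between threat modelling and enterprise risk analysis the article calls for.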

Getting your act together
At an enterprise level, the worst situation is that there is a department that conducts risk management and a separate division that does threat modelling.

Having no interaction between them really gives your business the worst of both worlds.
From my experience, the typical risk management committee reviews risks every month and reports these to the risk board meeting. The fact that this is intermittent, when the world is working continuously in real time, is an issue.

The intervention that you as a leader need to make is to create an active link between risk management and threat modelling. An example of the benefit: after a penetration test is completed and we learn about new vulnerabilities, these are linked to our risk management. This means we get to root causes, rather than just generating meaningless activity.

Cyber Insurance to drive Threat Modelling

I think what is going to happen is that we see more and more enterprises adopting Cyber Insurance.

But as insurers face difficulty in pricing risk, they will start to insist that organisations demonstrate they are following good practices around threat modelling and risk management.

As high-profile security issues continue to get attention, we will need to ensure that we avoid the ‘beauty’ contest and really look hard at the essence of the issue at hand.