Data Toxicity and Automatic Number-Plate Recognition (ANPR) – Take Five for CyberSecurity

Archive for April, 2020

Empathy is the Heartbeat – Design Monday


On a recent webinar, an attendee asked how we should talk to our end-users about passwordless authentication. My answer: don’t.

Look to Doug Dietz to understand why. Dietz is the principal design thinker at GE Healthcare. The book Creative Confidence featured his work on MRIs for children. Originally, the MRI was a technologist’s technology. This meant it scared the kids, often to the point of them needing sedation. Dietz realized this and redesigned the MRI as an experience attractive to kids. The key insight was empathy. To paraphrase Dietz’s TED talk, “Empathy at the beginning sets the heartbeat of the project. When you move forward into the iteration and prototyping and some of the design phases you go through, you need to refocus and see what the empathy was that got you started.”

We don’t talk to kids about the MRI. We talk to them about the jungle experience. We don’t talk to end-users about passwordless. We talk to them about a more enjoyable work experience.

When designing security, we start with the vision, the business capabilities, and the business outcomes. We begin with empathy and then, as Dietz put it, let empathy be the heartbeat through the design process. Don’t do this, and we end up with the equivalent of the MRI machine. That is, security which people avoid and work around. Possibly security that will have people wanting to be sedated. Good design creates security experiences that people adopt and, in rare but exciting cases, actually enjoy.

Empathy is incredibly hard. Seeing the world through someone else’s eyes always is. It is doing the hard things that elevates design.

GE Healthcare children’s MRI, photography School Nutrition Association.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

DevOps: Securing without Slowing


(TEK Keynote) We turn to DevOps for speed. We turn to Cloud for flexibility. We adopt faster, leaner, more collaborative processes to drive change. And then? We turn to information security for protection. But can we secure the technology without slowing the pace? This session presents an entirely fictional development organization adopting DevOps. We will discuss which traditional software security processes work, and which ones fail entirely. Awareness training, muscle memory, culture shifts, all will be brought together. The presentation will conclude with takeaways for applying security to your DevOps team without slowing down.

Watch more videos on my YouTube channel.

Reinforce Values – Design Monday


Bas van Abel found his personal values in conflict with his technology use. Namely, his phone. He set out to bring these two into alignment and, in doing so, designed a phone and launched a company in 2013. The Fairphone aims to be as socially conscientious as possible throughout the supply chain and throughout the lifecycle. Fair mining of raw materials. Fair manufacturing conditions. Fair trade. Also, dear to the hacker ethic? Repairable and modifiable. Build a fairer phone, build a fairer world, that was the design inspiration. You can listen to Bas van Abel on the TED stage: Changing the Way Products Are Made.

People have strong personal values. Companies have corporate values. Hopefully, these values are in alignment. Ideally, people and companies follow their values. If they don’t, well, then values aren’t much of a design consideration. But when we have stakeholders with strong values or a value-driven corporate culture, adoption of our security controls goes much faster and much farther when the security design reflects those same values. Before you think IT security can’t reflect values, remember people thought the same about phones before Fairphone.

It will take work to frame the initiative in terms of values. For example, imagine our initiative is a Zero Trust Architecture and our corporate values include an open culture and a culture of trust. At first glance, the security and the value are at odds. But hold on. What if we position ZTA to increase the openness where possible, while reducing access only where risky? Good. What if we use ZTA as a technology to codify a culture of trust? Better. This example is one initiative but the idea scales. We can design a full security program, say with NIST controls, tied to strongly held corporate values.

If it can be done with a smartphone, it can be done with a security capability. Reinforce values to gain support, speed implementation, and further adoption.

Design reflects values. Photograph: Fairphone


CSO: Implementing Zero Trust


Having a vision and a specific use case help get companies started toward Zero Trust implementation.

Excerpt from: Zero Trust Part 2: Implementation Considerations

A piece of advice at the outset: “Don’t do too much too fast,” says Wolfgang Goerlich, CISO Advisor with Cisco. “Have specific goals, meaningful use cases, and measurable results.”

To build momentum, start with a series of small Zero Trust projects with deliverable milestones, and demonstrate success every few months by showing how risk has been reduced.

“We need to show the board progress. With specific initiatives aimed at specific use cases, we can demonstrate progress towards Zero Trust,” Goerlich says. “You build momentum and a track record for success.”

Read the full article: https://www.csoonline.com/article/3537388/zero-trust-part-2-implementation-considerations.html


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Prioritizing Use Cases – Design Monday


Roberto Giolito has the distinction of winning Car of the Year and Ugliest Car. Both from Top Gear. Both in the same year. Both for the same car. That would be the Fiat Multipla.

To call the Fiat Multipla ugly is to miss the point. It certainly is no looker. The length is shorter than a typical car. The height? Taller. The resulting car looks squat and boxy. But as they say, beauty is on the inside. In fact, the New York Museum of Modern Art (MoMA) showcased the interior. The dash is as highly usable as it is highly unconventional. It seats six comfortably. The large windows create a feeling of space. Small but spacious and maneuverable. The point of this car is to completely satisfy one use case: living the European life while driving the crowded European streets.

When we are designing security capabilities, we start with the use cases. No, that’s too many use cases. Put one back. Still too many, put another one back. There. Good. We start with a few specific use cases and then get to work. Our goal is to fully satisfy these use cases given our limited resources. We will have to make trade-offs. That’s the nature of prioritizing. And when we do? Think of Roberto Giolito who let his design be ugly where it didn’t matter, in order for the design to be Car of the Year where it did matter. Ruthlessly prioritize. Dare to be ugly.



CSO: Demystifying Zero Trust


Despite the fact that Zero Trust has been around for a decade, there are still misconceptions about it in the marketplace.

Excerpt from: Zero Trust Part 1: Demystifying the Concept

Zero Trust is not one product or solution. Better to think of it as an approach, says Goerlich.

“Zero Trust is trusting someone to access something from somewhere,” he says. “Is it an employee, an application, a device? What is it accessing? How can we determine if we trust this request? At the end of the day, Zero Trust means providing a consistent set of controls and policies for strong authentication and contextual access.”

The term was coined by Forrester Research in 2010. It was established as an information security concept based on the principle of “never trust, always verify.” Since then, the National Institute of Standards and Technology (NIST) has produced comprehensive explanations and guidelines toward the implementation of a Zero Trust architecture framework.

“NIST has a draft standard that dictates their view of Zero Trust — what the principles are, and what an architecture looks like,” Goerlich says. “The U.K. NCSC has done the same. Zero Trust has matured, and the need for it is now in sharp relief due to changes in the market and the way we use technology.”

Read the full article: https://www.csoonline.com/article/3537189/zero-trust-part-1-demystifying-the-concept.html

Wolf’s Additional Thoughts

I am leading a series of Zero Trust workshops this year. One concept I always stress: we’re applying existing technology to a new architecture. If you think back to when Role-Based Access Control (RBAC) was first being standardized, we used off-the-shelf X.509 directories and existing Unix/Windows groups to do it.

Now of course, better products offer better solutions. But the point remains. The application of existing standards to realize the principles of Zero Trust brings the concept beyond hype and into reality. Moreover, it makes it much easier to have confidence in Zero Trust. There’s no rip-and-replace. There’s no proprietary protocol layer. We’re simply taking authentication and access management to the next logical level.
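To make the "existing technology, new architecture" point concrete, here is an added example (not code from the post, a workshop, or any product) of a Zero Trust access decision assembled from the building blocks the post names: directory group membership standing in for existing Unix/Windows groups, a strong-authentication flag, device posture, and the network the request arrives from. The directory, group names, resource names, and sample requests are all constructed for illustration; the policy shape is an assumption, not a standard.

```python
"""Illustrative Zero Trust access decision built from existing building blocks.

Added example, not from the original post or any vendor product. The directory
lookup, group names, resources and requests below are constructed stand-ins.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed stand-in for an existing directory (e.g. LDAP/AD group membership).
DIRECTORY_GROUPS: Dict[str, Set[str]] = {
    "alice": {"staff", "finance"},
    "bob": {"staff", "engineering"},
    "svc-backup": {"service-accounts"},
}


@dataclass(frozen=True)
class Request:
    """Who is accessing what, from where, and with what session context."""
    subject: str          # user or service account
    resource: str         # application or data store being accessed
    network: str          # "corp", "vpn" or "internet"
    mfa: bool             # strong authentication completed for this session
    managed_device: bool  # device posture: enrolled/managed endpoint


@dataclass(frozen=True)
class Policy:
    """Per-resource access policy (hypothetical shape, for illustration)."""
    required_group: str
    allowed_networks: FrozenSet[str]
    require_mfa: bool
    require_managed_device: bool


# Constructed policies: the same control set applied consistently per resource.
POLICIES: Dict[str, Policy] = {
    "payroll": Policy("finance", frozenset({"corp", "vpn"}), True, True),
    "wiki": Policy("staff", frozenset({"corp", "vpn", "internet"}), True, False),
    "backup-store": Policy("service-accounts", frozenset({"corp"}), False, True),
}


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Default deny for unknown resources or subjects.

    Every failed check is recorded so the decision is auditable; the request is
    allowed only when no check fails.
    """
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, ["no policy for resource"]

    reasons: List[str] = []
    groups = DIRECTORY_GROUPS.get(req.subject, set())  # unknown subject -> no groups
    if policy.required_group not in groups:
        reasons.append(f"subject not in group {policy.required_group}")
    if req.network not in policy.allowed_networks:
        reasons.append(f"network {req.network} not permitted")
    if policy.require_mfa and not req.mfa:
        reasons.append("strong authentication required")
    if policy.require_managed_device and not req.managed_device:
        reasons.append("managed device required")
    return (not reasons), reasons


if __name__ == "__main__":
    samples = [
        Request("alice", "payroll", "corp", mfa=True, managed_device=True),
        Request("alice", "payroll", "internet", mfa=True, managed_device=True),
        Request("bob", "payroll", "corp", mfa=True, managed_device=True),
        Request("bob", "wiki", "internet", mfa=False, managed_device=False),
        Request("svc-backup", "backup-store", "corp", mfa=False, managed_device=True),
        Request("alice", "unknown-app", "corp", mfa=True, managed_device=True),
    ]
    for r in samples:
        allowed, why = evaluate(r)
        print(f"{r.subject:>10} -> {r.resource:<13} {'ALLOW' if allowed else 'DENY '} {why}")
```

The design choice worth noticing is that nothing here is new infrastructure: group membership comes from the directory you already run, the MFA and device-posture facts come from the identity provider and endpoint management you already have, and the "new architecture" is simply that every resource is evaluated against the same set of checks with default deny. Unknown subjects and unknown resources fall through to deny, and the list of reasons gives the audit trail that lets you report risk reduction per use case.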

Want to know more? Watch my calendar or subscribe to my newsletter to join an upcoming workshop.

