The Media Park in Hilversum is not an obvious work location for me. And yet I went to work there last Friday, on the eleventh anniversary of the Security (b)log. Although the nation’s radio and TV stations call this place their home, no camera was involved, not even a microphone. I wasn’t there for them, but for a group of students of Make IT Work, a retraining programme of the Amsterdam University of Applied Sciences.
The first sentence about this training on their website reads: “A Security Specialist is responsible for the operational aspects of information security.” And yet I was there to give a guest lecture on risk analysis. At first glance, that topic does not seem to fit with operational aspects, but when I was approached for this guest lecture and we discussed the topic, we came up with this anyway. Later, when discussing my concept, I got the suggestion to leave out certain somewhat more theoretical parts, “because these students are doers”. So I went to Hilversum with mixed feelings; I had a good story in my pocket, but would it also work with this group?
As you would expect in a retraining programme, the audience was very diverse: someone who had worked in the offshore industry, for example, and someone who had studied law but had never done anything with it. But each and every one of them was on the edge of their seat, asking questions that made it clear that this topic hit the mark. In fact, I have rarely stood in front of a group that was so interested and motivated. That makes me enthusiastic myself, and I seem to radiate that – a few years ago it even brought us a new teammate.
So my story was about risk analyses, but it started with the Baseline Information Security for Dutch government bodies (BIO), because that document clearly states that all activities have to be risk driven. Even without that obligation, the organizational unit where I worked a few years ago, our data center, had already realized that risk analyses are important and useful, and the board therefore decided that every service provided had to undergo a risk analysis. Such a decision is extremely important: now I don't have to knock on a team's door and ask if I can please come and do a risk analysis; instead, they ask me if I can come and help with this exercise. Management is not only responsible, but also in the lead. Nowadays I work for the CTO (Chief Technology Officer) of our ICT organisation, but our work on risk analyses has remained the same.
Back to my students. It was inevitable that I first threw some theory about the BIO and risk analysis at them, but then we dived into practice: we actually did a bit of risk analysis, just as I would do in the office. One of their teachers had told me that the group was excited about the 2011 DigiNotar debacle (in short: DigiNotar was a digital certificate authority that was hacked and kept it quiet; read more on Wikipedia). The subject of our risk analysis was therefore certificate management. We took some threats from the risk analysis list and discussed them as if the students were responsible for certificate management. It gave them some nice eye-openers, but above all insight into what a risk analysis actually entails.
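To make the exercise concrete, here is a small risk register for certificate management, written as an added example for this post; it is not the risk analysis list or the scoring method the author uses at work. It assumes a simple qualitative scale (likelihood and impact both scored 1 to 5, risk = likelihood × impact) and a constructed set of threats, including the DigiNotar-style scenario of a compromised CA, each with the controls that are assumed to be in place.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed qualitative scheme for this example (not taken from the BIO or the post):
# likelihood and impact are each scored 1 (very low) .. 5 (very high),
# the risk score is their product, and scores map to three levels.
LEVEL_ORDER = ["Low", "Medium", "High"]


@dataclass
class Threat:
    """One line of the risk register: a threat against certificate management."""
    name: str
    likelihood: int          # 1..5, how plausible the threat is for this organisation
    impact: int              # 1..5, damage if it materialises
    controls: list[str] = field(default_factory=list)  # existing mitigations

    def __post_init__(self) -> None:
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be between 1 and 5, got {value}")

    def score(self) -> int:
        return self.likelihood * self.impact


def risk_level(score: int) -> str:
    """Map a 1..25 product score to Low / Medium / High (boundaries are an assumption)."""
    if score <= 5:
        return "Low"
    if score <= 12:
        return "Medium"
    return "High"


def rank(threats: list[Threat]) -> list[Threat]:
    """Highest risk first, so the discussion starts with what matters most."""
    return sorted(threats, key=lambda t: t.score(), reverse=True)


def needs_treatment(threats: list[Threat], appetite: str = "Medium") -> list[str]:
    """Names of threats whose level exceeds the stated risk appetite."""
    limit = LEVEL_ORDER.index(appetite)
    return [t.name for t in rank(threats)
            if LEVEL_ORDER.index(risk_level(t.score())) > limit]


def register_report(threats: list[Threat]) -> list[tuple[str, int, str]]:
    """(name, score, level) rows, ranked, as you would paste into a report."""
    return [(t.name, t.score(), risk_level(t.score())) for t in rank(threats)]


# Constructed threat list for the certificate-management exercise; the scores are
# illustrative judgements, not measurements.
CERT_MGMT_THREATS = [
    Threat("Certificate expires unnoticed and a service goes down", 4, 4,
           ["expiry monitoring"]),
    Threat("Private key of a server certificate leaks", 2, 5,
           ["keys stored in HSM", "restricted file permissions"]),
    Threat("Certificate authority compromised, fraudulent certificates issued", 2, 5,
           ["Certificate Transparency log monitoring", "CAA DNS records"]),
    Threat("Weak signature algorithm or short key accepted at issuance", 2, 3,
           ["issuance policy checked by the internal CA"]),
    Threat("Compromised certificate is not revoked in time", 3, 4,
           ["documented revocation procedure"]),
]

if __name__ == "__main__":
    for name, score, level in register_report(CERT_MGMT_THREATS):
        print(f"{level:<6} {score:>2}  {name}")
    print("Above appetite:", needs_treatment(CERT_MGMT_THREATS))
```

Run as a script it prints the ranked register and the threats that sit above a "Medium" appetite; in a session you would then argue about each score with the people who run the service, which is where the eye-openers come from.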
The organization had scheduled two hours for my guest lecture. When I asked just before the end whether I could overrun my time, they replied with eagerly nodding heads. I ended up standing there for over three hours. Afterwards, the students told me what made my story unique: I was the first guest teacher to tell and show how we do our work in real life. I recalled the comment that these students are doers. I had interpreted that as an indication of level, but now I know that these people have much more to offer than carrying out operational tasks. 'Doers' here also means: people who know how to tackle complex matters with the help of the right tools. Exactly what a university of applied sciences stands for.
And in the big bad world…
This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.
- The police, together with the business community, are fighting the misuse of login data. [DUTCH]
- A ransomware attack on a meal service may lead to hunger among the elderly. [DUTCH]
- ARTIS zoo has also been hit by ransomware. [DUTCH]
- Advanced new malware attacks routers in Europe and North America.
- The intelligence services experience the Assessment Committee Deployment of Powers as a nuisance. [DUTCH]
- A data company illegally collected medical records for years. [DUTCH]
- More sectors will soon be subject to mandatory reporting of cyber incidents. [DUTCH]
- Organizations need to deal better with open source components. [DUTCH]
- Using US cloud services does not automatically constitute a privacy violation. [DUTCH]
- One fifth of the tested SME employees fell for a phishing email. [DUTCH]
- Many people still use the same password in multiple places.
- Food items are thrown into the fray to find out if packages have been opened en route. [DUTCH]