Synopsis
Daily-ish (M--F) musings about security and privacy and how it impacts our communities. What questions should we as technologists be asking as we build? Watch the show at https://4mn.ca/mwm-video
Episodes
-
What's In A Name?
01/06/2018 Duration: 07min
We know that cybersecurity isn't the best name to describe what is ostensibly "information security", but it's the name we're stuck with. What exactly does it entail? Turns out...a lot. More on the genesis of the term "hacker"
-
Why Can't Security Play Nice With Others?
01/06/2018 Duration: 07min
Is it just attitude that keeps security teams from working well with the rest of the organization? And if so, can that attitude be changed? What's keeping things so negative? Some thoughts...
-
Information Security vs. Cybersecurity
30/05/2018 Duration: 06min
At some point in the past few years, the term "information security" took a back seat to "cybersecurity". That might not seem like anything of consequence, but it implies a narrower focus that actually increases the overall risk. Unfortunately, the ship has sailed and we're stuck with "cybersecurity" as the term. Just remember that, despite the prefix, we need to protect information in the physical world too!
-
OpSec, Soft Skills, And People
28/05/2018 Duration: 06min
Most of the focus around cybersecurity education is on the technical aspects. That's understandable, the technical areas are far, far easier to manage vs. the people side of the equation. However, the vast majority of security work should be focused on people. How do we change our approach?
Wired article on their Bitcoin experience, https://www.wired.com/story/wired-lost-bitcoin/?mbid=synd_digg
Most recent cryptocurrency hack/breach, https://www.bleepingcomputer.com/news/security/hacker-steals-135-million-from-cryptocurrency-trading-app-taylor/
-
University for Cybersecurity
28/05/2018 Duration: 07min
I am often asked what a good undergraduate program is to take if someone is aiming for a career in cybersecurity. There are plenty of fantastic options but ironically, one I'm not a fan of is an undergraduate focused purely on cybersecurity! Breadth is the key to success in security, get started early and focus on key principles like rapid learning, exploring different points of view, and persistence!
-
Data Management & GDPR
26/05/2018 Duration: 05min
GDPR comes into effect tomorrow and one of its biggest advantages is how it will force companies to actually manage their data...well, at least personally identifiable information. This will be a massive boost to security programs as we can finally make informed decisions about protecting that data since we know its value to the organization! It won't be an easy road but it is definitely one worth traveling.
-
25/05/2018 Duration: 06min
GDPR is now the law of the land in the EU. Did everything change overnight? No. But the process has kicked off with advocates filing GDPR complaints, starting the 30-day clock for responses in each case. It's going to be a very interesting summer... The BBC on how some sites went dark to EU visitors. Fortune covering the first wave of complaints.
-
Encryption Law Enforcement And Transparency
23/05/2018 Duration: 07min
Apparently the FBI misrepresented the number of devices they can't access due to encryption by up to a factor of 6x. This is most likely due to clerical error and a lack of actual statistics rather than malicious intent. But it does bring up the bigger issue of statistics and data tracking in security. Most organizations struggle with finding and tracking meaningful security data. So how do they make informed, evidence-based decisions? More on the FBI numbers
-
3, 2, 1, GDPR
22/05/2018 Duration: 06min
GDPR comes into effect on Friday, 25-May. What does it mean globally? Um...we're not really sure. The intention is to help push control of your data back to you. In order to accomplish that, GDPR contains two sets of penalties. The big one is for negligence in protecting the data (up to 4% of your global annual turnover) and the "smaller" is for failure to notify the regulators and affected people after a breach (up to 2%). Both of these fines are designed to shift the risk calculus in favour of privacy and security BY DESIGN. It's going to be a very interesting next few months...
-
Being Transparent With User Data
18/05/2018 Duration: 05min
How do you handle data collection from your users? Is it hidden and suspect like the current rash of mobile provider exposures? With no opt-out like Microsoft Office? Or clear and transparent? More on Canadian mobile provider tracking. More on North American mobile provider tracking. Case-in-point as to why that's bad.
-
Listening To Customers
18/05/2018 Duration: 04min
Listening to customers is built into the DNA of a lot of organizations...why aren't security teams doing the same?
-
Ethics In Technology & Security
15/05/2018 Duration: 05min
Deep thoughts in this episode around ethics in technology and their use. Sparked by the latest issues around mobile phone tracking, this episode tackles the lack of ethics discussions around security and technology. More on the cell phone location issue from ZDNet. A book of interest, "After On: A Novel of Silicon Valley" at Amazon
-
Making A Break To Start Your Cybersecurity Career
11/05/2018 Duration: 08min
Continuing on the theme around careers in cybersecurity (https://www.youtube.com/watch?v=h8vyCZTmJuk&t=179s), this time we tackle how to create a break for yourself to get your first gig in the field. More on Security BSides. First in a great blog series from Matthew Middleton. Great talk from Anna Manley from AtlSecCon. Key hashtags on Twitter: infosec, security, cybersecurity. LinkedIn groups to look for: OWASP, (ISC)2, same hashtags as Twitter.
-
What You Need To Get Started In Cybersecurity
10/05/2018 Duration: 08min
Getting started in cybersecurity isn't as hard as you think. There's no "ONE" path but there are a few key attributes that'll make it easier.
-
AI's Security & Privacy Impact
08/05/2018 Duration: 05min
With MS Build and Google I/O in the same week, the technology news is slammed with announcements around AI and AI-enhanced products. There have been a lot of advancements in AI research and use lately, but are we moving in the right direction? Are we having the right conversations around AI's impact? More on the story about the Welsh police using facial recognition.
-
Getting Started In Cybersecurity In A Positive Direction
07/05/2018 Duration: 05min
A lot of people have reached out in response to my video, “How To Get Started in Cybersecurity”. So many, in fact, that I can’t keep up. In this episode, I speak to the challenges around today’s cybersecurity and what that means for those just starting down the cybersecurity path. Here's the UX Movement article that brought some of this to mind
-
F**king Passwords
04/05/2018 Duration: 10min
A lot of security folks know that the guidance we've given around passwords for YEARS has actually led to poorer security outcomes. The recent Twitter error that encourages all users to change their passwords is an opportunity to move to a passphrase and password manager. Slowly but surely, together we can kill passwords... ...it's just going to take years of dedicated global effort
-
The F8 Fallout
03/05/2018 Duration: 07min
Facebook wrapped up its F8 conference this week with a series of new product announcements. There are some genuinely interesting things there but unfortunately they also sidestepped the real issues around data privacy while paying lip service to the overall crisis. Here's a recap of the announcements from The Verge
-
F8 & The Future Of Facebook
01/05/2018 Duration: 06min
Facebook is hosting its annual F8 conference and it appears that this will be a reserved year. It's generally expected that Facebook will address the Cambridge Analytica scandal and various changes they have made to the platform and APIs. It's those API changes--some made quickly under pressure--that raise the security question for 3rd party developers. Can you build a resilient application if the platform is unreliable?