Quarkside

28/10/2010

Cyber security slaughter

Filed under: Local Government,Policy,Security,Technology — lenand @ 8:41 am

The launch of “Security by Design, not Security by Afterthought” was educational for me.  One of the speakers gave an example where security by afterthought delayed a project by 12 months and doubled the cost.  It wasn’t just the pre-prepared speeches, it was the surrounding chatter – which had better remain anonymous.

  • CLAS consultants themselves recognise the problem of differing opinions.  There may be a need for specialists.
  • All PCs incorporate a hardware security chip to be certified by Wintel.  It’s just that nobody seems to activate it.  An open door for conspiracy theorists.
  • Cyber warfare isn’t the sole prerogative of the baddies.  Obviously deniable.

There was a plea for spreading the message around government circles.  Yet, again, there was no attempt in the speeches, nor in the document, to bring local government into the fold.  Perhaps selling stuff into local government is just too hard.  Apart from that gripe, the full document is stuffed with good advice and guidance.  Here are three examples:

  • consumer surveys indicate that nearly half the public now depends on their broadband connection; more expect to be victims of online crime than of theft from their home or car.
  • offer informed choice between “cheap and cheerful” and “secure and reliable” products and services.
  • in the absence of shared identity management systems, the need to authenticate each and every time for each of the thousands of services, leads rapidly to a complexity that is antithetical to the intended good practice of access control and authentication. This has been one of the compelling reasons for federated identity systems.

Eurim recognises that MPs are short of time, and the one-pager stresses top-down leadership, common terminology and “Policies must be linked to processes for turning principles into practice”.  The MPs present certainly appreciate this approach to spreading technical information.

There was lots of food for thought, and I departed resolving to promote the messages through the SOCITM network.   This should bring in other organisations, such as local government, the voluntary sector, fire and rescue, who also need to understand the importance of design and procurement with security as a primary requirement.
