Secure By Design

Well it has been good start to our 6th year in business. We would like to thank all our customers and partners both old and new who are contributing to our success. Without you we do not exist and most importantly get to build stronger more secure companies and products for our clients.

I wanted to bring your attention that on Feb. 7th I will be in Toronto to give a presentation to CIA Plus. My topic will be about IoT Challenges and Issues and Standards. If your in the Toronto area this evening please drop by and join our open discussion on security and IoT.

I will be joined by on my panel with Sangam Manikkayam of Symantec, Bob Martin of Cisco and Victor Garcia of the Schulich School of Business. It will be very informative if you or your organization are considering IoT projects this year. I will provide the security and privacy aspects you should consider when planning or getting ready to launch a new IoT project. If you are able to attend more information can be found here: https://www.meetup.com/CIA-Plus-TO-the-business-of-Cloud-IoT-and-Analytics/events/236370120/

In the meantime, if you have any security questions or concerns for IoT please do not hesitate to reach out to us.

Updated: Feb. 13, 2017

I would to take this opportunity to thank all of those that came out on an icy night in Toronto to the CIA Plus Meet Up. My only regret was the lack of time to discuss all the topics in depth. We did have some good discussion after in the networking portion of the meeting and key topics of discussion worth mentioning are how does one who has no experience in security and privacy conduct threat modeling? The other is finding the resources necessary to support these projects.

While there is publicly available information on threat modeling, you may have need to find a cyber security partner or consultancy that has this expertise in these areas to help you with a project to teach you approach, tools and train your staff. They should be able to provide the baseline elements to implement these aspects in your organization including the after project support, should you required it.

The second point about security resources is a bit more difficult as the number of technical security experts for IoT is limited. If you are looking to hire a security resource(s) look for reference-able projects that include aspects of technical architectures in mobile, cloud and distributed systems. Experience in these key areas will provide the necessary basis to conduct risk assessments against IoT architectures.

As discussed please find the following:

1. A copy of the presentation
2. A IoT mind map
3. The threat poster

Also please find an article from reporter, Denis Deveau, who was in the audience. Thank-you Denise for the coverage of this event.

IoT-Threats-and-RisksCIA Plus – Feb 7 – Final SWG_5_IoT_Technologies_MindMap

Saw this post today about programmers discussing the unethical and illegal things they’ve been asked to do and it really made me think about all the battles I had as a young cyber security practitioner. Fortunately I was very fortunate in that I had lots of support and worked for an organization who respected security at the onset of my career in cyber security more than 20 years ago. This helped me when I experienced the other side of the coin where executives wanted things like breaches covered up and threaten you with lawsuits if you refuse to obey or speak out….. And yes that happened to me once.  The choices that I made then and throughout my career were and still are shaped by those experiences and my ethics.

Five years ago Marc Andreessen penned his famous “Why Software Is Eating the World” essay in The Wall Street Journal. Today software is feasting on the world; its footprint is in our businesses, our smart phones, our physical activities, leisure and even sleep. This footprint is only going to grow exponentially with the Internet of Things (IoT) as are the opportunities for those with less principles or ethics to take advantage especially in terms of unethical coding and the misuse of the treasure troves of data that many companies are custodians of today.

Companies who are data custodians but do not have the required cyber security for their customer’s data, either through negligence and incompetence, are doing a disservice to their customers. However, despite the rash of data hacking in recent years, it is not all negative. More and more executives appear to have turned the corner and are now willing to listen and learn about how to better protect their companies and their customer’s data. Moreover, I strongly believe that relatively new legislation such as PIPEDA in Canada will motivate many companies to not just think about meeting a requirement but how to better secure their organizations. Believe it or not being cyber secure is, and will be, a differentiator in many markets as those who are unwilling to invest in better cyber security will do so to the detriment of their customers, shareholders and themselves. Going forward executives will be in the cross hairs of data breaches and will have to own up to any oversight on their part in terms of cyber security and the protection of their customer’s data.

That said my advice to all employees is to protect yourselves. Ensure that requests to perform unethical activities are recorded with data, time, and people — record, who, why and what and remember to keep your journal encrypted. If you are asked to do something that is completely illegal contact a lawyer and report it to the relevant authorities. If and when you leave the organization for these reasons make sure you report it during your exit interview. You ethical duty is to make them aware of it and that you have recorded all aspects of the activity. It is then up to them to deal with it as it is their responsibility to ensure secure software.