Archive by Author | Colin Williams

2019 Security Predictions – “Ensure the basics are BRILLIANT”

Happy New Year and I hope the festive break was “a break”. Some continue to work throughout the festive season (or the global economy would melt down), but for many, back to work for 2019 started in earnest this week. I have so far avoided 2019 “predictions”, “prophecies” and “educated articulations of interesting stuff”, given how many of them are already circulating the social media and email landscape. However, a fair few messages asking for a perspective on the networking and security world for 2019 have stimulated me to scribble a few words.

And here comes the shock: I will be quite boring with my summary of the market and technology impacts for 2019 (well, at least the first half), because I will continue to encourage all who will listen that the most important edict they can institutionalise in their own psyche and in the organisation’s operational IT approach is to ensure the basics are “brilliant”. Modern business should have only a single state, secure business, with an unintentionally insecure environment almost unthinkable in the digital age. As the creation, processing, analysis and management of digital data streams continue to underpin and energise both user and business outcomes, an intentional secure-by-design philosophy is the only way to stem the attack tide.

Security isn’t the task of security professionals alone; every application or system user with a level of consciousness about the consequences of breach or failure must now acknowledge that “intentional security” is the responsibility of all.

Ensuring the basics are brilliant, with security controls mapped to business activity, outcome and consequence, and with auditing and automation leveraged to optimise operations, will increase the level of certainty in a user’s or organisation’s security posture.

· Privileged account security

· Multi-factor authentication

· Managed encryption

· Vulnerability management PLUS

· Identity management PLUS

· Enterprise anti-phishing with associated user education

· Intelligent endpoint security (user or things)

Can you embrace how boring the list above may seem? Hopefully that’s the case. The list above is a subset of the “Brilliant Basics” that MUST underpin the secure defences of all. You are possibly about to click away from this screen, buoyed by the view “we have got all of those”, and that may be the case. But even with great guidance from Cyber Essentials, CIS, NIST, etc., many organisations I meet are a snippet of “luck” away from a comprehensive breach due to the absence, failure or poor execution of the controls above, even though the negative consequence is avoidable.

If there is no auditable and actively managed operational state for the items mentioned above, integrated together to ensure security is seamless, intentional and proactive, why consider the wealth of advanced and esoteric new products showcased daily? Get the basics right.

So my 2019 ask, so early in the year, is to be brutal and rigorously appraise the brilliance of your “basic” security controls. Are they operationally consistent, audited, integrated, holistic, bidirectional in information and threat exchange, and automated where possible? Score your current state.

Why make it easier to be breached, when organisations’ highly engineered, often very expensive, operationally complex defences fail due to the failure to control the controllables or to optimise the known basic elements?

Until next time.

Colin W

Twitter: @colinwccuk

LOB CTO – Networking and Security Computacenter UK

Note: This perspective is the viewpoint of Colin Williams and does not constitute an opinion of Computacenter Group.

Black Friday – Cyber Monday. “Be a beneficiary not a casualty”

This must be the “strangest” of strange states as our consumer society evolves from zero “Black Fridays” to two, and it gives my original article a second lease of life. The early bird resellers launched Black Friday part one last week, attempting to steal a march on the masses, but the real frenzy and furore starts now, with the default Black Friday fast approaching followed by Cyber Monday just around the corner.

These two shopping days were absent from my childhood, as I lived in a world of window shopping that on the odd occasion evolved into in-store browsing when I sought to interact and engage with the myriad products I hoped I could one day afford to buy. Click and collect didn’t exist, but via a very thick paper-based catalogue “click and deliver” was a highly rewarding activity: the click of buttons on the home phone followed by that feeling of Christmas when the catalogue item was delivered via the postal service (nothing ever fitted or looked as amazing as the catalogue pictures).

But as we fast forward to the present day, with frequent announcements of the demise of the high street, much of our in-store browsing is online (and frequently from a mobile device), click and collect / deliver is an essential way of life, and our approach to product selection and purchasing is now unrecognisable from a decade ago. Our immersion in social networks, digital procurement platforms and financial systems has helped to make many of us digital by default when we shift into product-buying mode, because the sheer breadth of offerings and convenience is unmatched.

But it comes with a health risk. The “digital me (or you)” and our always-on entity, existing on both known and unknown public platforms, ensure we become valid targets for attackers seeking to emulate our digital personas for financial gain. Black Friday signals the start of one of the busiest and most frenzied trading weekends of the year. The mix of in-store and online price reductions results in both “want and need” based purchasing to ensure “too good to be true” deals are not missed, culminating on Cyber Monday with an online price war second to none.

Secure business, secure purchasing and a secure user experience are often assumed by customers without a second thought for the cyber threat spectre waiting in the wings. This leaves many combing the net for deals, offers, codes or any other digital token to make “cheap” even “cheaper”, blissfully unaware that many of those “benefits” are fake, malware-ridden or designed to harvest personal credentials for future use.

Cyber Monday 2017 surpassed $6.7bn of sales, which for both retailers and cyber threat actors is a prize too lucrative to ignore (stat: CNBC). For retailers, getting the security basics right will be essential to ensure successful and secure consumer trading outcomes. DDoS mitigation, enhanced phishing protection, web application security, anti-malware, access review and least privilege are essential controls that must be tested and optimised in advance of the starting gun for Black Friday.

For consumers / users, education and heightened levels of cyber vigilance are essential, plus a realisation that too good to be true “is too good to be true” when interacting with online systems prior to and beyond the Black Friday / Cyber Monday weekend. This is the time of year when spam and phishing email volumes reach unprecedented levels, with social engineering used to make those “offers” too compelling to ignore. DON’T CLICK emails for “amazing deals and offers”, pure and simple, as a moment of weakness may result in malware, ransomware or other forms of compromise taking hold of your digital persona and potentially that of your company. It’s safer to visit the website of the vendor in question “directly”; there is no need to click a link that may not be from the company in question.

If you want to be “online smart”, a few simple things can deliver HUGE security enhancements to your Black Friday shopping experience. Ensure you turn on the two-factor (or multi-factor) authentication and notification options on your various online email services and accounts, with further security improvements gained by using a password manager to ensure different passwords are applied to the various services you use.

Building the walls higher just won’t do; both vendors and consumers must work in tandem to ensure the most secure possible online and digital trading experience is realised by all, reducing the potential for data breach or subsequent misuse.

Safe and happy shopping during Black Friday and Cyber Monday 2018 (and beyond).

Until next time.

Colin W

Twitter: @colinwccuk

LOB CTO UK: Networking and Security – Computacenter UK

Black History Month – “Time to stand proud”

October is Black History Month and is celebrated as such in the UK, USA, Canada, the Irish Republic and the Netherlands, to name a few nations. It reflects on the history of the African, African American and Afro-Caribbean community and its experiences, both negative and positive, within the world as we know it. I have been torn for many years on my viewpoint of the use of a single month in the year to celebrate the achievements of Black people. We are no different from every other race, with experiences and achievements illuminated daily through the course of normal life, so why the focus on a single month?

However, my stance has softened somewhat in recent years amid the lack of focus and importance placed on reflecting on historical experiences in their many forms, irrespective of race or colour, as constant digital recalibration of the past becomes the historical signpost for our future. We live in an information-rich world, with greater access than ever before to the amazing historical insight available, and via the magic of AI & ML we now have a platform to “what if” the future. The film “Hidden Figures” told the story of three Black women mathematicians who were fundamental to the success of early NASA Apollo space programmes. If the “Black History Month” moniker results in more positive historical stories of a similar nature being told and heard, it will help so many unwind the lazy public-domain stereotypes that may exist.

But our absorption of those knowledge nuggets can be somewhat compromised by the harsh realisation that “written doesn’t mean real”, with fake news at times impossible to discern from real news (and who validates real as real?). With all of the above guiding our historical lenses, it’s essential that a community which is at times underrepresented from a “good historical news” standpoint is granted a stage or a spotlight to expose past and showcase current good news stories for the present generation to reflect on and learn from.

This post isn’t the forum to chronicle the achievements of Black people and how they have positively affected humanity; many are well documented elsewhere. But it is to radiate a digital smile that for at least one month in the year children, adults and people of all races within the countries that celebrate Black History Month can be informed, stimulated and educated based on valuable historical information that, without such focus, they may have no imperative to seek out and consume.

Black History Month October 2018

Until Next Time.

Colin W

Twitter: @colinwccuk

LOB CTO UK – Networking and Security

The rise of machines – “Time to worry about the digital soul within”.

Things just became really interesting.

The recent news is awash with worrying claims from a credible source of “hidden” spying chips embedded within the motherboards of a leading server manufacturer. As yet, no manufacturer has released a statement confirming their existence, but the information illuminating the potential is compelling. Surely it forces us all to consider our own personal and professional “digital state” in this heavily connected world. Do we technically appraise every computer-based device we use at design and component level to determine the source, use and security impact of all of the minute elements that make the device work? Of course we don’t. Not only would the majority of us struggle to find out how to even open the device (have you tried to open a modern mobile phone, with the myriad specialist tools and hidden pressure points needed to make things pop open?), we have no way of actually understanding the function and outcome delivered by the components (when they work in harmony).

Can we be sure the most innocuous of household devices has no secret and potentially malicious embedded elements that, whilst not explicitly installed to be utilised in a nefarious way, in the right hands can’t be leveraged to invoke a surveillance, recording or tracking function? It is this total ambivalence to the likelihood of it, until possibly today, that means the potential may be more likely than we ever dreamed.

The days of hardcoded firmware delivering static intelligence to all but the most expensive and programmable devices are from a bygone era. Even the simplest digital device consists of user- or system-driven remotely programmable aspects that in some cases are core to the function of the device. Whether it’s used for software updates, device troubleshooting or, in the case of some advanced modern vehicles, to deliver totally new functionality, device or system programmability is a fundamental aspect of modern IT that enhances the consumer or user experience by making it “personal”.

Could we be shifting to a position of worry so great that we “sweep for bugs” when entering a room or prior to switching a device on, in true James Bond mode? Highly unlikely. But I suggest the recent announcements will ensure many IT leaders and operational teams increase the priority of network-based security visibility platforms, AI or machine learning systems that examine and re-examine the most granular elements of telemetry, and security-aware behavioural analytics platforms that understand things we can’t comprehend.

Ask yourself, when considering the IT platforms that underpin your business (or social existence): what can you really see, are you sure you know how they work, and do you really understand the security heart that beats within?

Who would have thought? We are not even close to the iconic year 2020 and already we may be worrying about the moral intent in the digital soul of our machines. The future ahead is likely to be way more interesting than we have ever previously dreamed.

Until next time.

Colin W

Twitter: @colinwccuk

LOB CTO UK – Computacenter Networking and Security

Time for network change: “If you can’t connect you won’t connect.”

It has become an intellectual tug of war to determine which is more important in the “connected” or “digital age”: networks or applications. “Silly argument,” I hear you say, “it’s obviously the ……” Not easy to answer. In the pre-connected world (if it really did exist), personal computing was as personal as possible, with no connectivity to or with anyone else. Local application, local storage, local processing and a local user made the need for a network superfluous. Fast forward to the present day, with distributed processing, “the Internet”, streaming, “always on”, cloud-based interaction and a socio-digital culture with collaboration and engagement at its core. Without a network, the media-rich, highly collaborative and now fundamental “always present and connected” mode we embody at work or play is at best compromised and at worst eliminated.

We cannot envisage a world where the network doesn’t work, whether mobile carrier-based entities or the home Wi-Fi: if you can’t connect, you won’t connect. I spend most days in positive disruption mode, challenging colleagues and customers to rethink the traditional approach to enterprise networking, with the onus on automation to unlock agility and consolidation to drive simplification. The enterprise networks that underpin today’s digital reality are a wonderful amalgam of technology, people, process plus twenty years’ experience of “getting things to work”. But more is required of the network than a functional existence; as the carrier of our “Digital DNA”, an optimised, flexible, agile network holds the key to many of our future successes. It’s time to be “bold”. To embark on the network evolution required, enterprises must dare to dream and envision the secure transport layer required to enhance current user interaction and energise future business outcomes. And when the dream presents the storyboard of how things should or must be, “make it so”.

Technical feature wars labouring the technology-based rationale for network modification will be fruitless, with a dead heat between vendors the likely end result. Only a user experience driven or business change inspired network transformation agenda will contain the intellectual and emotional energy required to overcome the cultural tides ahead. “Wait and see” changes nothing; the time for change is now. With the right network, with tomorrow’s network today, a potentially business-limiting factor becomes business-enabling. And not forgetting, if you get stuck, drop me a line.

“If you can’t connect you won’t connect”

Until next time.

Colin W

Twitter @colinwccuk

Chief Technologist Computacenter UK – Networking and Security.

GDPR Remediation – “Something positive to shout about”

It is impossible to ignore the momentum behind the General Data Protection Regulation (GDPR) compliance requirement. It stimulates many process, information governance and security related discussions as it swings between saint and sinner in the minds of legal, business and technology based personnel. May 25th 2018 is the ICO issued GDPR compliance deadline; however, Gartner believes 50% of organisations affected will not be compliant by the end of 2018 (Gartner, May 2017) [1].

GDPR cannot and should not be considered a short-term fix, but instead a pragmatic review and recalibration of security controls to effectively manage “EU” user-centric digital assets in the 21st century. It’s time to shift GDPR to a positive, business-enhancing consideration rather than a board-level topic of dread based on sluggish progress and hard-to-quantify expense. Expanding beyond “doing the minimum required” will highlight the fundamental relationship between consumer / user trust in a digital world and secure information handling. Few data assets can be more important to a user / consumer or the organisation than PII, based on its digital representation of the persona of an individual.

The relentless rise and rise of the digital economy is underpinned by confidence, trust and uncorroborated belief in a mass of interconnected IT systems that users / consumers cannot see and often have little access to. GDPR attempts to bolster that confidence by highlighting organisations that leverage good practices and deliver certainty to user-centric digital data processing and management elements, reinforcing “trust” in a very fluid digital world. Now is the time to accelerate GDPR activities to realise the business and consumer benefits of compliance faster. This is unlikely to occur from hard work alone (but that is certainly required); it requires a reframed philosophical viewpoint conveyed to all involved in the GDPR working party of review and remediation.

The GDPR compliance team must be motivated and inspired to undertake their work with urgency, passionately volunteering regular stakeholder progress updates to the exec board; the importance of GDPR stakeholder information updates in conveying the importance and ongoing benefits cannot be overplayed. GDPR progress bulletins will energise all involved in GDPR remediation with the knowledge that everything they do enhances the overall security posture of the organisation, delivers optimum management of user / consumer personal data assets and therefore improves both the internal and external company perception to a measurable degree.

These small changes will help to evolve the intellectual view of GDPR from a compliance work programme to one of the most important consumer and business impacting information management activities in recent times. Serious stuff.

Until next time.

Colin W

Twitter: @colinwccuk

Chief Technologist: Networking, Security & Collaboration. Computacenter UK

[1] Gartner, May 2017: http://www.gartner.com/newsroom/id/3701117

Arise the new Cisco. Why the innovators dilemma has become the “innovation imperative”.

After a few silent months away from philosophical scribbling about market, societal and technology based change, something has caused me to reach again for my pen (“What pen?” I hear you say; stay with me on this one).

In the digital age, “do nothing” delivers the worst possible outcome: “nothing”. Does this mean a relentless march forward, ideally at “digital” speed, is the order of the day? To a degree, yes, but not without thought or calibration. Harvard’s Clayton Christensen formulated a memorable principle in his seminal 1997 book The Innovator’s Dilemma: “An organization’s capabilities define its disabilities”. Put simply, an organisation should rightly be validated for the actionable elements it delivers over pomp, history or rhetoric.

Surely this is obvious stuff, but changing focus, reinventing successful products or undertaking “blank sheet of paper” style development is time consuming, challenging, provides no guarantee of success and is downright risky. As a result, many crank the handle on the “same old way”, turning the handle faster as competition, market saturation and reducing income signpost that the race may be close to being run. But that isn’t the only way: “do nothing” or “do the same something”, whilst safe, is a sure-fire way of ensuring the only future ahead is one as “yesterday’s great”. As the digital age drives our personal and business lives forward, pressing reset on everything safe and known at a speed we can barely consume (much less digest), the winners will be those who manage to maintain a level of effective competitiveness within existing markets whilst guiding existing customers and new prospects to take advantage of adjacent or original innovations that unlock reliable and previously unforeseen benefits.

I was compelled to scribble this post by a recent and potentially market defining strategic announcement from Cisco. As the campus and datacentre network infrastructure market leader by some magnitude, “do nothing” for Cisco could still have some mileage. By using superior purchasing power to develop products at market prices others may struggle to match profitably, or via customer loyalty plays to retain and maximise existing advocates, Cisco could continue to maintain a slightly better version of “the good old way”. Or they could flip the script with a fundamental reframe of everything known, building on existing legacy value but enhanced for the future via insight and innovation. That’s what Cisco has done. Cisco DNA (Digital Network Architecture) and SDA (Software Defined Access) are so new in the market that the ink has barely dried, but initial observations point to a technical philosophy that will redefine strategic, functional, operational and technology based customer outcomes.

The ability to deliver local and, in time, wide area secure network connectivity that self-configures, is rich with relevant user or network insight, is policy driven, self-heals, is adaptive, abstracts complexity, is API open, secure by design and enhanced by automation reads like a CIO wish list to Santa. But this is just a selection of the announced initial release functionality inherent within the DNA and SDA footprint from Cisco. It leaves me encouraged, inspired and enthused, not because it signals a one vendor world of customer benefits, as that equally delivers the fear of “lock in”, but based on the potential for a vendor and market open platform that will bring together co-existing and competing vendors, integrated by APIs, to deliver an autonomic secure network layer to underpin digital transformation.

Forget dilemmas, it’s time for the “innovation imperative”. As Cisco reinvents itself to guide both customers and the industry forward, the game changes for everyone. Competitors will be compelled to respond, fuelled by their own innovation imperative; partners inspired to retool and reskill to service & support the new normal; and lastly customers, whilst initially confused, will soon be engulfed by a wave of excitement that old problems may soon be eliminated by new solutions.

I’m not just a Cisco fan; I’m also seeing mind-blowing innovation from the top ten networking & security industry leaders and the next ten UK, San Jose or Israel based emerging technology startups as they paint the new picture for business enabled IT. What a fantastic transformational journey we have ahead as we march towards that spiritual IT milestone date of 2020.

Who knows, as digitisation becomes the DNA of societal and business existence, a flawed something may far outweigh a perfect something. Time to get involved.

Until next time.

Colin W

Chief Technologist – Computacenter UK, Networking, Security and Collaboration.

Twitter: @colinwccuk