University of Cambridge > > Computer Laboratory Security Seminar > No One to Blame, but... : Fear and Failure in Securing Large Organisations

No One to Blame, but... : Fear and Failure in Securing Large Organisations

Add to your list(s) Download to your calendar using vCal

If you have a question about this talk, please contact Kieron Ivy Turk.

When staff at a critical national infrastructure organisation were recently polled to associate a word with infosec, they chose “fear”. This is a talk about fear and failures – unavoidable and avoidable – their systemic and institutional causes, and how to overcome them. Using case studies from large organisations such as the civil service, aviation, CNI , and media, I will discuss the role of security engineering, purple team operations, threat and compliance. Drawing from experiences as a head of information security/chief information security officer, I attribute poor organisational security to failures in correctly interplaying people, processes, and technology. I will discuss issues such as why user access is breached despite multi-factor authentication and dedicated identity and access teams; why legacy technology remains misunderstood, and friction in patch management; how to know you’ve hired the right (or wrong) expertise, and why we still get hacked despite all the right intentions, if not the right incentives. I will explore third-parties and supply chains, deploying security tools, disjointed processes undermining secure behaviours, the perils of confusing regulation as a threat model for security, incident management and reactive security, as well as why boards struggle to care about information security, and how to make them.

This talk is part of the Computer Laboratory Security Seminar series.

Tell a friend about this talk:

This talk is included in these lists:

Note that ex-directory lists are not shown.


© 2006-2024, University of Cambridge. Contact Us | Help and Documentation | Privacy and Publicity