Secure South West 13: Speakers

The thirteenth Secure South West (SSW13) event was hosted by the University of Plymouth on 18th October 2019 and offered six presentations delivered by experts drawn from industry and academia, plus a panel session. The event was sponsored by the South West branch of BCS - The Chartered Institute for IT; the Chartered Institute of Information Security; Securious Limited; and South West WARP.


State of Cybersecurity Report – Extended Play
Dan Raywood (Infosecurity Magazine)

Last year Infosecurity Magazine conducted industry research to determine the driving trends in cybersecurity. “Sure there are lots of reports” you may ask, “so why should I be interested in this one?” How many reports are ultimately vendor-sponsored, pushing the problem that their product or service resolves? With this research, we independently interviewed some of the main names in cybersecurity, and in 2019, we did this again with a larger sample set, and precedent to compare against.

In this talk, ‘State of Cybersecurity Report’ author, and Infosecurity Magazine’s Dan Raywood will look at the findings from this report, compare against last year’s results and other industry research, and get an understanding of what this industry’s researchers, CEOs, practitioners and analysts actually think is driving cybersecurity now, and will drive it in the coming years.

This talk will also feature updated research for Secure South West specifically looking at career opportunities among these trends, how the trends are affecting training and education modules, and original survey data from new people entering the industry on how these findings affect their career choices.

Biography

Dan Raywood is a journalist with more than 18 years' experience, including 10 years covering cybersecurity, during which he reported on ground-breaking stories such as Stuxnet, Flame and Conficker and the online hacktivist campaigns of Anonymous and LulzSec, and broke the news on the EU's mandatory data breach disclosure law (now a major part of the GDPR).

In his day job at Infosecurity Magazine, he looks after the official webinar channel and contributes to the twice-annual Online Summit and writes articles for the print magazine and website. He has spoken at events including 44CON, SteelCon, Infosecurity Europe, SecuriTay and BSides Scotland.



Cybercrime+Scammers vs Cyber Security - Nation state vs SME
Michael Dieroff (BluescreenIT)

In this talk, Mike will examine the rising capability within cybercrime, and the fact that - at the extreme - even rogue nations can attack small businesses in supply chains to get to government targets. The variety of cybercrime threats and scams can represent a significant challenge to SMEs, which have little budget available to address them.

Biography

Michael Dieroff is a passionate speaker, entrepreneur and self-proclaimed geek, the founder and Managing Director of BluescreenIT, a Cyber Security Strategist, Virtual Chief Information Security Officer and lifetime security guru.

With over 20 years' experience in information security, Michael has worked in leading private and public organisations, critical infrastructure and the military on their information security strategy, governance and compliance, and in his earlier technical days carried out services such as secure design, vulnerability assessments and penetration testing.

Michael is also part of several strategic boards within the digital industry and is the Chairman of the Digital Policy Alliance’s Security skills and partnerships group for the UK.

Within his role as chairman of the national DPA security skills and partnerships group, Michael is now working with multiple organisations and government, shaping future national policy on cyber security skills and partnerships.



Developing the Cyber Security Profession
Amanda Finch (Chartered Institute of Information Security)

The Chartered Institute of Information Security (formerly the IISP) has recently been awarded Royal Charter status. This is a significant step in the development of the organisation and of the profession. The organisation will need to adapt to its new status, additional obligations and a change in expectations. More importantly though, we as a community need to think about how we want to develop this now recognised but still very young profession. Initiatives across the community, such as the development of a Cyber Council, reflect that we need to develop the professional structures and pathways expected of a profession and to gain recognition for the importance of the work that we do. We are at a catalytic moment and have a unique opportunity as professionals to shape our future. Amanda will share the work that has brought us to this crucial point and pose some thought-provoking ideas to encourage discussion on how we should take the profession forward.

Biography

Amanda Finch is the CEO of the Chartered Institute of Information Security and has specialised in Information Security management since 1991. She has always been an active contributor to the industry and for many years has been dedicated to gaining recognition of the discipline as a profession. Over her career she has been engaged in all aspects of Information Security Management and takes a pragmatic approach to the application of security controls to meet business objectives. Through her work she has developed an extensive understanding of the commercial sector and its particular security needs. In her current role she works with Industry, Government and Academia, assisting all sectors in raising levels of competency and education. Amanda has worked within the retail and banking sectors as well as with the Information Security Forum. She has a Masters degree in Information Security, holds Full Membership of the IISP with Founder status and is a Fellow of the BCS. In 2007 she was awarded European Chief Information Security Officer of the Year by Secure Computing magazine, and she is frequently listed as one of the most influential women within the industry.



Password Meters - Inaccurate advice offered inconsistently?
Steven Furnell (University of Plymouth)

Despite continued promises that passwords will soon disappear, they remain the dominant form of user authentication, and we continue to select and use them badly. Password meters are frequently offered as a means to help users make better choices, but this relies upon them providing credible guidance. In this presentation, Steve presents findings from a practical assessment of 16 password meter services and examines how they rated 16 candidate passwords (ranging from intentionally weak choices through to those created by following credible guidance). The results reveal significant variation between the meters, including various cases of weak passwords being rated as acceptable and better choices being dismissed as very weak. Although the very reason for password meters is to improve security, the study suggests that they may often be undermining it via misleading information.

Biography

Steven Furnell is a professor of information security and leads the Centre for Security, Communications & Network Research at the University of Plymouth. He is also an Adjunct Professor with Edith Cowan University in Western Australia and an Honorary Professor with Nelson Mandela University in South Africa. His research interests include usability of security and privacy, security management and culture, and technologies for user authentication and intrusion detection. He has authored over 320 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society and Computer Insecurity: Risking the System. Prof. Furnell is the current Chair of Technical Committee 11 (security and privacy) within the International Federation for Information Processing, and a member of related working groups on security management, security education, and human aspects of security. He is also a board member of the Chartered Institute of Information Security and chairs the academic partnership committee and southwest branch.



The Art of Defeating Facial Detection Systems
Vic Harkness (F-Secure)

It's not a recent development that CCTV systems are everywhere. What is new is the use of automatic facial detection/recognition systems everywhere. A lot of people don't like the potential for mass surveillance, including non-techies. Although there are various technical solutions to countering ubiquitous facial recognition systems (such as adversarial examples), people are also taking low-tech approaches to defeating them. Vic will discuss the general concepts needed to understand how facial detection/recognition systems can be defeated, how these factors can be leveraged, and provide various examples of how people have already done so. The talk will provide a high-level overview of the facial detection/recognition problem space, bringing those who are not familiar with the domain up to speed. By talking about how facial detection/recognition systems can be defeated in general terms, it is hoped to inspire others to begin exploring this domain, or, perhaps, to help people to bypass systems that they encounter in their day-to-day lives.

Biography

Vic is a vulnerability researcher working for F-Secure in England. She holds a Bachelor's degree in Robotics & Artificial Intelligence, and a Master's degree in Cyber Security. Outside of work she enjoys reading and writing about tech, especially facial detection/recognition and space junk on her blog (vicharkness.co.uk). She's also a keen traveller and photographer.



Organisational Politics – Where cyber security theory meets operational reality
Jeremy Ward (Security Consultant)

This talk looks at the ways in which organisational politics gets in the way of the effective management of cyber security risk. It considers how poor job definition, a siloed working mentality and job insecurity may lead to poor decision making or failure to take timely action. It also looks at the ways in which cyber security professionals fail to engage effectively with management, leading to bad resourcing decisions and a lack of adequate support for cyber security. The speaker doesn't claim to have all the answers, but potential ways of overcoming these challenges are discussed in the talk.

Biography

Jeremy Ward has 37 years of experience in cyber security, having had a range of senior roles in both central government and industry. He has served as an advisor to the World Economic Forum, the Organization for Economic Cooperation and Development (OECD), the European Network and Information Security Agency (ENISA), the Confederation of British Industry (CBI), the British Standards Institute (BSI) as well as the UK Government and the European Commission. Jeremy has worked with organisations around the world helping to develop processes for the reduction of cyber security risk. He has also worked for many years with the University of Plymouth as an industry advisor, academic paper reviewer and occasional visiting lecturer.



PANEL: Cyber Security Skills: Do we know what we need?

To some eyes, cyber security is very much a technical issue, whereas for others it's all about the people and the policies. Of course, the reality is that both perspectives are correct, and effective cyber security requires a holistic view and the appropriate balance of skills to address it. However, appreciating the theory is often easier than achieving the practice! Aside from the widely accepted cyber skills shortage, organisations can face a fundamental challenge in understanding the knowledge and experience needed to support different cyber roles. For example, the emerging Cyber Security Body of Knowledge identifies topics across 19 knowledge areas, while the Chartered Institute of Information Security has a Skills Framework that identifies no fewer than 32 skills groups. Should cyber security staff be expected to have understanding and experience in all of them? Are organisations seeking the right skills, and are they looking in the right places to find them? The panel will consider these challenges and share insights on how to approach them.

Moderator

Steven Furnell (Professor of IT Security, University of Plymouth)

Steven Furnell is a professor of information security and leads the Centre for Security, Communications & Network Research at the University of Plymouth. He is also an Adjunct Professor with Edith Cowan University in Western Australia and an Honorary Professor with Nelson Mandela University in South Africa. His research interests include usability of security and privacy, security management and culture, and technologies for user authentication and intrusion detection. He has authored over 320 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society and Computer Insecurity: Risking the System. Prof. Furnell is the current Chair of Technical Committee 11 (security and privacy) within the International Federation for Information Processing, and a member of related working groups on security management, security education, and human aspects of security. He is also a board member of the Chartered Institute of Information Security and chairs the academic partnership committee and southwest branch.

Panelists

Nathan Clarke (Professor of Cyber Security and Digital Forensics, University of Plymouth)

Professor Clarke is a Professor in Cyber Security and Digital Forensics at the University of Plymouth. He is also an adjunct Professor at Edith Cowan University in Australia. His research interests lie in the areas of information security, biometrics and digital forensics. Prof Clarke has over 200 journal and conference papers, books, edited books, book chapters and patents. He is the author of Transparent Authentication: Biometrics, RFID and Behavioural Profiling, published by Springer. Prof Clarke has been involved in a number of successful EPSRC, Knowledge Transfer Partnership, EU Framework 7 and H2020 projects and has graduated over 35 doctoral students. Prof Clarke is a chartered engineer, a fellow of the British Computing Society (BCS) and a senior member of the IEEE. Further details can be found at www.cscan.org/nclarke.

Neil Glasson (Cyber Security Manager, Cornwall Council)

Neil Glasson is the Cyber Security Manager for Cornwall Council. As the largest Unitary Authority outside of the Metropolitan Areas, with responsibility for hundreds of Council locations, 8,500 staff, 550,000 residents, Cornwall Fire and Rescue, Newquay Airport and the newly announced Cornwall Spaceport, the challenges are diverse. Neil has over 35 years' experience working in the technology sector, with the past 17 years dedicated to Cyber Security. For 16 of those years he helped HM Land Registry on its own digital journey, helping to ensure the underpinning of property ownership worth over £4 trillion across England and Wales, including over £1 trillion of mortgages.

Annette Sercombe (Chief Information Security Officer, Met Office)

Annette is the Chief Information Security Officer at the Met Office and has overall responsibility for Cyber Security and Resilience. The Met Office is the UK's National Meteorological Service, which utilises world-leading supercomputing to underpin globally recognised science and meteorology. Annette has over 6 years' experience in key information security roles and is a member of the Technology Senior Leadership Team. Annette has designed and implemented new and innovative approaches to Cyber Security, and represented the Met Office at Big Data Analytics (White Hall Media 2015) on the analysis of large data sets to deliver actionable security intelligence for the business. She is on the external advisory panel for Computing at the University of Plymouth and was a keynote speaker at Women in STEM 2016.