
Insights from InfoSec Europe 2022

Physical tradeshows are back, and our guest and host were both at the recently-concluded InfoSecurity Europe 2022. Hear their insights on tradeshows and learn their main takeaways from conversations with industry peers in panels on a variety of cybersecurity topics like public-private partnerships, incident reporting and response.

Tune in to this episode of Ask A CISO to hear:

  • If tradeshows are still worth attending
  • What InfoSec Europe 2022 was all about
  • How tradeshows are a great opportunity to network, and how to do just that
  • Who you should deploy at your booths and how to approach people who come by
  • What was the conclusion on incident response and reporting from panel discussions at the event
  • How spending time at tradeshows, away from the daily grind, is advantageous

About The Guest: James McKinlay

James McKinlay is the CISO at Affinitas Global, a company that helps companies with incident responses to cyber events such as ransomware and data breaches.

James has more than 20 years of experience in IT. A gifted technologist, he has specialist knowledge of producing IS policies and procedures from international standards and frameworks, and extensive experience in IT governance, risk management, compliance, business continuity, threat intelligence services, forensic investigation, SOC, AppSec, vulnerability management, and penetration testing.

James is also a regular speaker at Information Security events and has a passion for educating audiences on selecting security controls.

About The Host: Paul Hadjy

Paul Hadjy is co-founder and CEO of Horangi Cyber Security. 

Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.

Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific. 

He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams. 

He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking. 

Transcript

Jeremy

Hello, and welcome to another episode of the Ask A CISO podcast. My name is Jeremy Snyder. I'm the founder and CEO of FireTail. I'll be hosting today. I'm delighted to be joined today by James McKinlay.

James McKinlay is the CISO at Affinitas Global, a company that helps companies with incident responses to cyber events, such as ransomware and data breaches.

James has more than 20 years of experience in IT. A gifted technologist, he has specialist knowledge in producing IS, that's information security policies and procedures from international standards and frameworks, and extensive experience in IT governance, risk management, compliance, business continuity, threat intelligence services, forensic investigation, SOC, AppSec, vulnerability management, and penetration testing.

James is also a regular speaker at Information Security events and has a passion for educating audiences on selecting security controls.

Wow, that's quite a mouthful and that's quite a broad range of experience, James. We're thrilled to have you here today. Thanks so much for taking the time.

James

Well, thank you very much. It's wonderful to be invited and it's a great topic that you've called me in for. It's great.

Jeremy

Yeah. I always think it's good when we have a chance to have kind of a big major global or regional event like this to get a chance to decompress with people and kind of find some key takeaways from what your experience was and so the topic we are talking about today is Info Security Europe 2022, which happened last week at the London ExCeL.

So, James, I understand you were there. I was there as well. Gave a small presentation, participated in a panel. Love to hear your perspective, just kind of overall first impressions.

What did you think of the event?

James

I was really glad to get to the event. It may have made international news, but transport was a bit tricky that week but I made arrangements to get there. And I really wanted to be there because I was also on a panel which was a fantastic session, but I, I really did like it. I've often described InfoSec Europe as the pilgrimage on this tiny island.

It's the one event that IT managers, security managers, project managers, solutions architects, security architects, everyone who, with an interest in cybersecurity in the UK market. If there's one thing they're allowed to go to each year, whether it's just for a bit of the day. Or whether it's to take a hotel and have a few days there, it's this event. There are lots of other decent events and I've worked with many of them, but this is the big pilgrimage, which is why it takes, now, the big ExCeL in Docklands. It's, it's been, it's tried a few venues and it's ended up there and it's a long time since I've been out there, but I found it easy to get there.

And I found a great sort of venue for a trade show, like to some of the others I've been around the world, you know, it has links with, Dubai, you know, it's that kind of big, whole trade show, but also people travel there to find out, you know, what people are thinking in the industry.

So if you really enjoy listening to vendors explain what they're doing, you can do that. You don't have to go to the stands. They get opportunities to do little sideshows, and they put stages up. Tech talk from the vendors. But if you want to know more about what people are thinking in the industry, or think where the industry will go or what the global picture looks like for the UK networks, then you can go to the keynote theater and listen to things that aren't driven by vendor messaging.

Jeremy

Right.

James

And that can be really useful. It's a really good sense check. And also we've gotta remember. I mean, we've been in the game 20 years, we've been invited to speak on these stages. There are people getting into the industry who know it's this big pilgrimage and so they can go and meet people that may have just emailed or they may have just seen, you know, image and their comments flying by in social media. They can go there and bump into them in the aisles of the trade hall or go and sit in front of them in the different stage areas or sit with them if they're meeting peers in the industry. It's a really good experience from all these different angles, which is why I like something like this.

Jeremy

Yeah, absolutely. I couldn't agree more with your, with your sentiments there around kind of the opportunity for exposure to really kind of everything from large to small, to yes, some vendor messaging, but also some non-vendor messaging and really kind of, you know, people who have broad experience in this space, bringing their experiences to bear.

I think one of the interesting things for me, and I'm kind of curious to see if you observed this as well, is there is such a range, excuse me, such a range of companies and such a range of kind of, I guess, different attack surfaces to think about that are being addressed there.

If you walk through that vendor hall, you're gonna see everything from endpoint detection and response, still some classic kind of antivirus to next-gen SIEM to cloud security to really everything.

Do you think that can be overwhelming or do you think that's useful or maybe some of both?

James

I think it's helpful to educate people, no matter how long you've been in the industry, that there's all these different approaches to solving the problems. You know, information security, there isn't a good rule book.

You know, people talk about, when you talk about supply chain checks or even getting your house in order, people talk about international standards, like, you know, ISO and NIST and then they talk about external audits like SOC2 and things like that, but they, those are management standards. They don't prescribe you must have all these controls and these controls solve these problems.

So to get out there and see and hear the hustle and bustle of the trade floor, it really just opens your mind to there's lots of different ways to solve them. And when you're just getting into the industry, you're soaking it up like a sponge, but the grumpy old men in the industry walk that floor going, you haven't changed your messaging in 10 years, you are barking up the wrong tree. This is the future.

Jeremy

Yeah.

James

And it also depends on where the company you represent is at.

Jeremy

Sure.

James

You know if you are the IT manager who has security responsibilities in a small team in a big manufacturing, say you're a bakery that supplies a supermarket chain, or you produce laminate tops for a furniture thing. You're not thinking about ... You, you've not got a big team. You're not thinking about, do I move my SIEM to the cloud or, or do I put an APT simulator in. You're thinking about how do I make sure that we just stay operational? How do I make sure I've got the basics? Where do I learn about the basics?

So it caters for everyone. It caters for everyone. It caters for, you know, people you may have been stood next to someone from CISA or GCHQ, or you may be stood next to someone who reboots a server for a bakery. You know what I mean? Everything. The whole spectrum can come to the show and get a flavor of different ways to solve things.

Jeremy

Yeah.

James

I do like it for that. It also, once you've been a few times and maybe got a bit, you know, wise to the marketing and things, as you walk the corridors, you can get a feel for a well-thought-out stand, a well-thought-out message, the right stuff on the stand to less well-thought-out.

Now, if someone approaches you and says, have you got five minutes? Just answer a few questions? They'll get a lot of no's, but some people will say yes. And when they say yes, make sure that it's snappy, it's modern, it's easy to do.

Don't get out a clipboard and a pen and start reading 10-point printed sheets out and ticking boxes, you know?

Jeremy

Yeah.

James

There are good ways to do things and bad ways to do things.

Dream staff that are seasoned in problem-solving, not, you know, they've just joined your graduate program, so they're young, they're vibrant and they've, but they haven't got the experience solving a problem. They're just there to say, oh, come and talk to my friend. You know, so there are good and bad ways of doing a trade show. It's something else.

I mean, you're getting, you know, my blunt, warts-all opinion here.

Jeremy

Yeah, but look, I mean, again, I couldn't agree with you more and I think, look, I've been on the vendor side for a while. I've been on the customer side as well at these kinds of events and I've kind of experienced both sides of it. And I know when I was on the vendor side, we always emphasize being, being able to very quickly try to get our core message and our value proposition across.

And so we made sure that the people who were on the stand could do that and actually knew what they were talking about. And we had demo stations available and people could come and go, and you know, you, you want to make it as pleasant an experience for them as possible. Even if you manage to connect with somebody, if you do it in a way that's more coercive, you're not establishing a positive kind of contact from the beginning.

And frankly, you're probably just turning your buyer off if you're wasting their time or you're approaching them with somebody who says, oh, can I scan your badge? You know, before you just ask to scan my badge, let's talk about what it is you do and whether it's even relevant for me, you know, for instance, right now I work for a company that's a hundred percent in the cloud. If you come to me as let's say a hardware network security device vendor, I have zero interest in what you're doing, because it's completely irrelevant for me and people don't often, or sometimes don't, you know, kind of take a minute to establish whether there's even a, a reason for a conversation as it were.

So I completely empathize with what you're saying. It, you know, it really is important to kind of make those connections.

So the panel that you were on was on, I think, day one of the event, if that's right?

James

That is right. Yes. And so day one was heavily impacted by the travel restrictions, but there was still a good number of people who knew they were gonna find a way to make it there. And so there was a good number of people in...

So the education theater was the keynote theater and there were other theaters of varying sizes around the outside for, for the education pieces. And there was a good crowd. There was a good crowd. We had fantastic guests, and it was a really important message for me so I was glad I was able to get involved with it.

And I, if I distill it down, it was really about how government and private enterprise could work together to better defend enterprises against cyber criminals. That was the basic message. Cuz there are lots of government-backed programs and there are lots of things you have to worry about.

But if you think about international cyber crime and you think about what CISA and the various sort of public faces of the government intelligence organizations can help with. So in the UK, we've got the NCSC, there's something very similar in the other agencies, like Australia, New Zealand, Canada, America, right?

Jeremy

Yeah.

James

These agencies have public-facing places to go to report crime to, to get advice on how to be better. And I was trying to, I mean, I was trying to tease out an experience from my guests on the panel and they were very experienced. So we had someone from CISA and someone from the Cabinet Office Cybersecurity Program.

Now the way that roles work in the UK government, now this isn't official, this is another grumpy old man's opinion.

Jeremy

Right. Something you learn over time.

James

The people who get things done in government, the GSDs are called deputy directors. Because the directors do a lot of interfacing with policy and politicians. I get things done and their direct reports are on the hook for everything that that particular agency is given to do.

So if you ever get the chance to spend some time talking to someone who can publicly say they're deputy director in UK cyber security, in government or organizations, do. They have some fantastic experiences to share. That's just a little takeaway. You know, if you get a chance to spend time with a DD, deputy director, they are the ones who really make things happen.

Jeremy

So I'm curious. From your panel with those, with exactly those personalities and those people. I, I was on a panel the next day, where we were talking about third-party data breaches and one of the questions that came up from the audience was what's a responsible disclosure timeframe? And we talked a little bit about kind of 24 hours, ASAP, et cetera. And, you know, 72 hours was kind of the guidance that came out and I think, honestly, as a former practitioner, anything less than 72 hours is kind of difficult because often in that kind of first one to two-day timeframe, there's so much forensic activity still going on that you could give, you have, you have a high risk of giving a very incomplete or inaccurate response in those first couple of days.

And so I'm kind of curious. What was the vibe on your panel? What was kind of the, you know, where people were thinking about this, and then what were some recommendations about kind of public-private partnership when it comes to disclosing data breaches or cyber events?

James

Now that was one topic we talked about, but what we, the way I introduced it was does there need to be some lead from the government? Does there need to be a change in regulation? Because there are certain areas that have time to report. Two big ones are PCI, the card industry, you know?

Jeremy

Yeah, yeah, yeah.

James

The major brands, long before the discussions about changes in privacy law, had timelines in there.

Jeremy

Okay.

James

And when I was in that industry, it was 72 hours to report, which does give you time, especially if you can work 24/7 in a major incident, does give you time to, to form a decent picture of what's been going on when a data breach first comes to light. Even if it's a weekend. You know, attackers like to detonate on like a Friday afternoon or a Friday night, knowing that unless you have outsourced a 24/7 SOC that are actually on it and actually tied into incident response, then they're gonna get the weekend to cause even more havoc, even though they might've been in there for a bit.

Jeremy

Yeah.

James

So the way we introduced the question was: does government need to lead with some legislation? We didn't, we didn't say that, yes, that's the answer because data breaches and public view of what's going on and reputational damage and stock price damage, and all these things are, are, they're tricky parts of the puzzle to manage, but having 72 hours is, I think, what our Information Commissioner's Office expects.

But that can be just the first notification, just the ... We are investigating something that is serious and we're letting you know.

Something that has come out over the last few years is the people receiving that call in those offices, actually, they're not there to cause you trouble, they're there to help.

Jeremy

Yeah.

James

They just will just register it, give you some advice about what happens next and leave you to it.

Jeremy

Yeah.

James

So it was like rumor mills that like where you report and when you report and how much extra trouble that will cause for you. But actually in, in the, the government side of things, they just want the information time. They don't want to create extra trouble for an organization.

Jeremy

Yeah.

James

So that, that's where the discussion went on our side.

Jeremy

Yeah.

James

And I personally do think 72 hours is reasonable for the ICO. You might, whether or not you go to law enforcement agencies, whatever they might be labeled in your country, depends a lot on the feelings in the business of what they know about the breach and what they know about their type of business and lots of things. It's, it's very personal to the leaders of the business.

Jeremy

Yeah.

James

And people on the outside shouldn't judge that.

Jeremy

Yeah.

James

And certainly shouldn't judge them in the early days.

Jeremy

Yeah.

James

Later on, you know, if there's a report to the stock exchange in 90 days' time or whatever, pick over that.

Jeremy

Yeah.

James

But in the early days of an incident, just give people the time to try and recover, especially in the age of ransomware.

Jeremy

Yeah. Yeah. I think this is a really interesting point. And certainly, the point that you brought up about these agencies not being there to kind of look down on you or belittle you for what's going on. I think there is a perception often from the companies that if they go report, they're just gonna get, you know, kind of slapped across the knuckles. They're gonna get scolded, they're going to get punished.

But frankly, I do think there is a consensus emerging that law enforcement and these public-private partnerships are actually there to make everybody's data more secure and to do what's in the best interest of consumers over time.

So I think, you know, that it does bear remembering for sure.

I'm curious about something though, because I can tell you as somebody starting a young company, there's this tension that kind of arises here, where on the one hand, all of modern or all of what I think of as kind of modern cybersecurity, which is to say not hardware-based really kind of security in the cloud, where we're really working with software constructs more than hardware constructs.

I have this personal thesis, that it becomes a data science problem. You know, that if you're gathering the right data to kind of find these signals and to find IOCs indicators of compromise and so on, you want to collect as much of that data as possible. But then on the flip side, when it comes to the potential for being breached or the potential for having kind of some impact, reputational damage, whatever. You want to collect as little data as possible from your customers or from your clients.

So how do you think about kind of balancing that and finding the right level of data to try to collect?

James

I like the way that you say it's becoming a data science problem 'cause I feel the same. So it's the first time you said it out loud to me and I agree with you completely.

I want to also be careful. People, I think, attribute a little bit too much value to the indicator of compromise in modern attacks. And I don't like, you know, if one or two vendors have chosen another way to describe it, I want to be careful not to say so I will call it an IOB or an IOC or an IOG instead.

But data science, if you've got the staff or you've got the tools or you've got the people to think about doing things differently, will give you a much better chance against today's attackers. And, but there's lots of things we don't do, common practice that would help us, which would make us a lot harder target.

If I flip back to, you know, I was talking about some of the public-facing agencies out there.

Jeremy

Yes.

James

We're actually doing quite good things that we can be proud of, but we don't always talk a lot about it. So the NCSC's public-facing blog has lots of advice on security architecture, threat assessment, how to build a SOC, whether or not you are the right size of organization to build on, stuff like that. How a small company can protect itself with five things to focus on. How a medium company can protect itself with 10 things to focus on. How a large company can protect itself with 20 things to focus on.

But the Australian, what used to be the Australian defense signals and their material, I think has been moved into their ASCS or ACSC. It used to be the top 35 mitigations against malware, has now become the essential eight.

And the first one is whitelist your software. So if you live in an environment, whether it was virtual desktops, 'cause you want to connect with anything to the cloud or whether it's company laptops, because everything else is in the cloud. The number of people that start with application whitelisting as number one before, you know, before patching, before removing local admin access, all of it. And doing it really well is a very small number.

Jeremy

It's gotta be almost zero.

James

Those people are the hardest to attack, you know, so ... and that technology has been around for 15 years or longer.

Jeremy

Yeah. Yeah.

James

You know, SRP came in with XP, so it became easier to do with XP; you didn't have to buy an add-on product. So that's just one example where the, the public face of the government are saying, you know, if you start with this, you'll be a lot better off.

But there are hundreds of millions of companies that aren't doing it.

Jeremy

Yeah. Absolutely.

James

So I'm currently working in incident response and we do very fast. You know, if someone picks up the phone, even someone who hasn't worked with us before, and says, I'm having a bad day, I've been told you can help, we'll have people investigating within an hour. And we'll investigate 24/7 until, so that 72 hours for us it's very easy for us to tell 'em this is actually where we think, you know, they came and what they did.

Jeremy

Yeah.

James

So companies also have to think about if it goes wrong, how, you know, do I have a plan? Who will I call if I can't do it myself? If I'm doing myself, how do I look after those people?

You do need that plan, but there are so many things that we could do better even for really modern digital born-in-the-cloud things. And you do have to invest in skills. The skills are different. People, time, you know, and if you want to try something new, this is something that came up in our panel. If you want to try something new and innovative, you have to make time to work on it. You can't be doing 40 hours a week of the day job and innovate, you know, you've got to give them 10%, 20% every week for things to happen or bring someone in to make it happen.

So if you want to make a change, you can't do it whilst you do it while you're maxed out on the day job. That was another thing that came out of that.

Jeremy

Yeah. Yeah.

James

I'm just throwing random things at you now.

You okay with that?

Jeremy

That's all good. Absolutely. But there's, it's funny. There's two things that really resonate from what you've said here.

One is kind of this theme that I have, which is one of the things to me that makes an event like Infosecurity Europe so valuable is actually kind of getting away from that day job. You know, we went through kind of two years of the pandemic and we went through kind of being stuck at home, work from home, or work from wherever you were. And I did a number of these kind of round table events. I think that's actually where you and I originally met is on one of these round tables.

And you realize from those conversations that very often you're getting about half-engagement from people because they've got their screen there, they've got their email, they've got their Slack, they've got, you know, effectively, they've got their day job, and they're trying to squeeze in a little bit of information on the side of that.

But when you have this kind of event where you really do have to kind of step away from your desk, get outta the office, get away from your, your primary screens for a day, go open your mind and learn. I find that to be actually just as valuable for the simple fact of walking away from the daily distractions as almost anything else.

And the second thing that you said that kind of really resonates to me is, you know, as you said, kind of, you know, allowlisting, whitelisting, whatever you want to call it. Such a simple thing that we've been doing for, or that has been a possible concept for such a long time. You know, I did a session on identity and access management and kind of let's say next-generation identity security, talking about primarily shifts to the cloud and how it creates new identity stores and so on.

And one of the key recommendations that I had is actually go back to first principles, go back to cyber hygiene. If you can actually reduce the number of the amount of stuff that you have, you actually make your whole life easier from a security operations perspective.

And I think we tend to be tempted by adding more new stuff. Because it's the new hot technology that we think is going to help transform our business and so on. And we don't think about this impact of more stuff equals more attack surface equals more complexity, equals more difficulty to defend. And so quite often less is more from my perspective.

James

Yeah.

There's a few things you've said there that have made me think of things that could bring into this conversation.

One of them is: When you get together and it's two- or three-day events like that and some people either travel in each day or take a hotel, you get things going on around the fringe.

Jeremy

Yeah.

James

Whether it is just let's have a coffee on the benches at the end of the hall, or whether it's we have lunch in the restaurant across the road or whether it is something like a round table organized by a vendor, or an event to happen in the evenings because people are together, and they can put different audiences down 'cause I'm planning on doing something next year, so we are already planning something for if we're at ExCeL next year, then we'll put together a dinner in the evening and it'll be a no-sales dinner.

It'll just be, we knew you were in town, come and chat. So there's these friends and fringe events that go on and something else that came outta what you were just saying is: When you walk in the halls, or when, when I was, this year, I was looking for the things that were being done differently, things I hadn't seen before or things that they were new and because they were new, they could do things differently.

Jeremy

Yeah.

James

So people who only specialize in Office 365, they weren't coming and saying we're the latest new endpoint or we're the latest new this. They would do Office 365, because there are some people who are ready to move everything into that environment as their communications, then they might choose somewhere else for the server room.

Might be server room, might be AWS server room, might be Azure, it might be GCP. It might be Digital Ocean. I mean, people, there are other options but they're going all in on Office 365.

So companies have sprung up that will back it up, will harden it, will do immutable backups, all sorts of things.

And there are people who will do things that are a little bit different. Like we will put hardware in your server room if you still have that environment, and loads of people still have that environment.

Jeremy

Absolutely.

James

That will do things differently. You know, the pushing pixel approach to separating your end-users device from the downloads folder for drive-by downloads and things like that. Or people who have taken a build of Chromium, hardened it, added a management layer, added plugins that pop up warnings.

So taking enterprise management of browser into the sort of the bespoke space, these are different. These aren't people saying

Jeremy

Yeah.

James

Oh, we sell you next-gen firewall and next-gen endpoint so we've got you covered from the old way people used to find things 10 years ago.

Jeremy

Yeah.

James

There's so much of that still going on. I was looking for the people who did things differently. And maybe it's because of the people, guests they're expecting to go to the event.

Two areas I think were underserved, but aren't underserved by vendors with smart solutions, but were taking a stand because of the cost in, in marketing to do that.

Jeremy

Sure.

James

One is IOT and one is APIs. I think such ... like, web design, now, is... There's lots of different ways to do it, but so much of it is can we have an API there? Can we replace the old enterprise service bus ideas with APIs?

Jeremy

Yeah.

James

So like node in front of Flask or something like that.

Jeremy

Yeah.

James

You know, if you wanted to do a hobby at home, it'd be node in front of Flask. If you wanted to do something much more robust and professional, it might be whatever is your offer you or whatever a offer you behind the load balancers. So I thought that API security, both from a pen-test and from a security, SDLC and a security, maybe a WAF approach, those three areas were underserved walking the, the floor of InfoSec as well as IOT.

Jeremy

Yeah.

James

And I don't just mean, you know, the people who are shouting about I'll help CNI Protect, you know?

Jeremy

Yeah.

James

I've, I've converted my NDR to work with CAN bus or System Seven Audit.

Jeremy

Yeah, yeah, yeah.

James

People who are doing creative ways of managing and securing IOT and people who are doing creative ways of testing and assurance or protection, so protection or assurance of APIs, I think they were underserved.

Jeremy

Yeah.

James

And I think that is a trend in sort of marketing team spend you, you know, the kind of books you need to go to a big show, not kind of books that those companies are gonna spend on marketing because ...

Jeremy

Yeah.

James

they are already working their network of people who need them. Is that fair?

Jeremy

Yeah.

I, I, look, I'm a little bit biased 'cause I work in the API security space so I agree with you a hundred percent on that point but I think it will be interesting to watch and unfortunately, James, we've run out of time, but this has been a fantastic conversation. I know we went over our norm anyway, but this has been fantastic.

And thank you so much for taking the time. We'll have to have you on for another episode to talk about other topics, but James McKinlay, thank you so much for sharing your thoughts on Infosecurity Europe 2022, and thank you to our audience for listening to this episode of Ask A CISO.

Jeremy Snyder

Jeremy serves on the Horangi advisory board. Jeremy Snyder has over 20 years of experience in IT and cybersecurity, with deep industry exposure in the M&A space. Some of his previous employers include Amazon Web Services, DivvyCloud and Rapid7. Jeremy has lived in 5 countries and speaks several languages. He is currently the Founder and CEO of FireTail.io, a leader in API security.
