Great work that we should be sharing
Secure by Design and moving the burden
I was delighted to see this work by Google on secure software design and deployment. I highly recommend reading through it, or listening to the recording. I strongly believe in secure by design principles and in making them meaningful and a core part of cybersecurity work. I absolutely support training for teams in software development, architecture and engineering, and giving them supportive, safe environments for work. I feel that we have lost a lot of leadership trust for security teams over the years because we made the work about “cybersecurity awareness” training for non-technical teams, while we often abandoned the technical teams who needed the training and support the most. Training for technical teams is the solution to a lot of the security issues that we face.
This links nicely to the incident report published by The British Library this week. It is a good report that acknowledges issues and explains how the incident was managed. I always appreciate good write-ups, as they are there to help us all, hopefully, avoid similar issues.
Sadly, the issues that are admitted, such as over-extended admin access and lack of MFA, will be familiar to many of us. This is something I see a lot in my work with schools, but I have also seen MFA and access control issues in the private sector. It usually comes down to cost, as is suggested in the report. Yet it should not be cost, as MFA isn’t expensive to implement. If it is, then your systems have larger issues, which is usually the real problem: a bad legacy setup.
This is why I always push for good training for anyone building or maintaining systems, and for a just culture so that whistleblowing is encouraged. As I keep repeating: we make so much security education about non-technical people doing the work. Yet the burden really should be on the technical ones to know what they should do, and to be empowered to report things that aren’t right.
A Royal trust issue
I have written extensively about the need to do mis- and disinformation education, and this week the Royal family had an image rejected by global media agencies due to it being “manipulated”. I have seen people defend this as simple face tune or editing, and the statement the royals made supported this. But that is twisting the narrative and missing the point. We are used to a bit of retouching or cropping. This image went beyond that. It must have done to have been rejected by global news outlets.
Taxpayer-funded institutions should be beyond reproach, especially in global election years. While it is an excellent example for me to use in workshops, the image has eroded public trust at a critical time. Trust is important, and we say this all the time. As are accountability and transparency in public life. It also reveals the docile nature of the UK media, who happily published an image that global agencies then identified as unreliable. So it is really important for us to help people to fact check information, and to hold power to account. Of course this is political, but it isn’t about partisan statements; it is about helping people to get to the truth. And that often means simply giving them the tools to fact check independently without guiding them one way or another. The public need to be empowered to fact check, not to meekly accept information. It is our job to help with this, and I know many of us are very actively doing the good work.
This week’s tarot: The Devil
The Devil card here is showing how we can often be caught between doing the right thing and doing what is easiest. I think we can all relate to this and find professional and personal examples. In the end, you are born looking like your parents and die looking like your choices, so we have a path to take.