The Pyramids

Recently I visited Egypt and went on an adventure, with one stop being the famous Pyramids of Giza. As I went through the experience and shared pictures and videos both on and offline, some people seemed to find it weird that I wasn’t sitting behind a desk all day every day hacking away, and thought that made Cyber Security seem more interesting…Wow! If you’re in IT or Security, you don’t have to hold back or be afraid to throw some creativity into your career. Use your creativity and uniqueness. For example, I like to think I’m artistic, so I explore my creativity like this:

  • I write security articles expressing my perspective and try to use real pictures that I take myself
  • I learnt the basics of Photoshop so I could create simple images and banners such as my series on Jamaica’s Cybercrimes Act. More info at https://gavindennis.com/resources/cybercrimesact
  • I used a screen capture program to create a basic video tutorial showing a simple vulnerability scan of a WordPress site.
  • I create educational websites about Cyber Security and often use vivid colours because it feels like painting.
  • I try to relate my life events to inspire positive action in the security industry. E.g. When I exercise in the gym with weights, it always reminds me of the benefits of challenging myself because I keep getting better. I then wrote a brief article about how security professionals should challenge themselves to be better.
  • I talk to people who are struggling in the industry and offer realistic advice based on what I know works. In one recent situation, someone landed a job in Cyber Security shortly after.
  • I avoid multi-tasking, and that helps me be significantly more productive. Multi-tasking is a delusion; it’s not real. We only time-slice and it makes us distracted.
  • I TRY VERY HARD TO NOT SIT BEHIND A DESK ALL DAY LONG! GET UP AND BE ACTIVE! I try to frequently exercise, play, eat well, avoid negative company and spend time around positive people.

Cow liver (the broad flat one) and Cow brains (the small round one) from a restaurant in downtown Cairo

At the Pyramids I defeated the grandest of hustlers, rode a very photogenic camel, sort of raced on a horse and then rode into a nearby town, was searched for bombs at every major place I went, started searching myself for bombs, ate really weird food (Cow brains), witnessed many stereotypical lies about Muslims, and observed the most paranoid police force I’ve seen so far.

Police

This is where the tour guide said the boats docked which brought the stones for the Pyramids

But when the dust settled (and there was A LOT of DIRT… so much DIRT… everywhere), I learnt a vast amount about Egypt’s culture and Muslims. Now let’s get into the serious issues affecting Cyber Security because we need better habits to move Cyber Security and our economies forward in the Caribbean.

Where we are versus where we should be going – My perspective on the Caribbean’s current cyber security face

Cool guy in the back of a moving van…moving things…while I was on the move 🙂

Very few countries in the Caribbean have been making strides to develop good cyber security practices, and I’m trying to improve that. There is consistently a lot of talk from people in IT management (yes, including senior management) but not much serious action. Many Caribbean companies want competent IT security staff but haven’t created the roles for persons to fill, existing security staff wish to further their training and education but don’t have management support, and many IT professionals in the Caribbean want to enter the cyber security industry but aren’t even willing to buy their first book out of their own pocket.

Governments want to protect their internet presence and grow the economy but spend vast amounts of money on trivial things that don’t help their efforts or economy, like buying the latest cars while most of their websites and web apps are poorly hardened, don’t even use HTTPS, or have no web application firewall protecting them. It’s all VERY concerning. We’re flawed humans, we don’t always prioritise wisely, and sometimes that’s ok. So share this article with an IT manager in a Caribbean entity and start playing your part to improve our cyber security.

What am I doing to help?

I recently launched five (5) of several websites which provide FREE cyber security resources specifically designed for Caribbean people and businesses. Here they are:

  • Cybersecurity Volunteers – A volunteer movement to help Jamaica and the wider Caribbean identify and mitigate security weaknesses in public computer systems before attackers hit.
  • Penetration Testing Guide – FREE and simple guide for new Penetration Testers.
  • Cybersecurity Due Diligence Standards – A FREE online resource to help guide businesses and individuals to take responsible steps to protect their data.
  • Cybersecurity Awareness – FREE and simple Cybersecurity awareness tips for everyday people at work and otherwise.
  • Cybersecurity Policies – A FREE and easy to implement cybersecurity policy and supporting controls for very small Caribbean businesses (less than 15 employees) (mini-marts, shops, entrepreneurs, etc).

Dealing with 1st world issues early

In the few months leading up to this adventure in Egypt, I read several tweets from people expressing their frustrations, sadness and concerns about the IT Security Industry. These people seemed to work in the industry in 1st world countries (where Cyber Security is also well established), and it caused me to reflect on how those same issues may eventually affect the Caribbean. The Caribbean will not be spared from them, and at least now we can take action early. The tweets I saw pressed the following matters:

  • A lot of management talk and poor support to drive progress
  • Constant finger-pointing when compromises happen
  • Long work hours, stress, anxiety, suicide, poor work-life balance and “misleading” vacations
  • Women being deterred from entering and staying in the security industry because of disrespect by men.

A lot of management talk and weak support to drive progress

In the Caribbean, we are severely short on people with practical security experience and reputable qualifications. At the same time, we are short on universities offering Cyber security degrees, we are short on companies willing to invest in their staff, and we are short on people who are “serious” and willing to sacrifice their favourite all-inclusive party to pay for their first cyber security course. All of these are psychological issues which ultimately help to keep us in a “3rd world” state of mind.

Let’s include Cyber Security in our educational institutions – Our big GAP

I don’t know of any university in the Caribbean that offers a cyber security degree, despite us all agreeing that technology will drive our economic growth and that we are losing millions economically to cybercrime. For someone fresh and talented out of university with a Bachelor’s degree, serious about a career in cyber security, their experience may be like this:

  • They leave high school at 19 with a plan to pursue cyber security.
  • No Caribbean university offers cyber security degrees, so they do a regular computer science degree.
  • They’ve now graduated from university, but that large, profitable company they applied to doesn’t even have any IT security posts created, and if it does, it only wants to hire someone with experience because training the new graduate is “expensive”.
  • That large, profitable company, if hit with a single significant compromise, is likely to lose at least 100 million dollars. In the interview, the graduate asks for 1 million dollars (J$1,000,000) per year in salary but the employer offers less, so the graduate declines.
  • The graduate takes some non-security related IT job for 1 million and uses their own money to pass 1 or 2 international security qualifications.
  • Their ideal Caribbean company is now seriously interested in hiring them, but by now, after passing their security certifications, this new professional realises that they are worth 4 million (J$4,000,000) outside the Caribbean market.
  • So they accept a new job outside the Caribbean market which gives them training opportunities (the ideal company wasn’t open to that).
  • One year later, the same profitable Caribbean company they applied to after university now wants to offer them 6 million (J$6,000,000) for just a slightly higher post. Why? Because by now it has lost over 200 million (J$200,000,000) to compromises and now realises it’s wise to fairly compensate people who have scarce skills.

Strangely, the cycle continues as we still tend to be reactive and not proactive: not everyone, but a lot of the people who are decision makers and can effect change.

This kind of thinking and response is also unwise and helps to restrict our economies from thriving.

Ease off the constant finger-pointing when compromises happen

Serious breaches happen, sometimes. It’s unfortunate and not always sophisticated. What is even sadder is when finger-pointing takes priority over a responsible incident response process. Things can go wrong, but it’s more important to contain, recover, and prevent recurrence of a breach. People should be held accountable for irresponsible actions, but don’t make a practice of blaming others to avoid owning your role in the process.

Cut the constant fancy talk with little action – do more, talk less.

Cover the essential security controls both internally and externally. At least implement baseline hardened configurations for all deployments, so you know you’ll be starting at a good point. Let’s put a high focus on protecting the Caribbean’s online presence because it’s harder to contain news of compromise and prevent panic if the affected system is exposed to the internet.

In some of my recent research using public data on the internet, I realised that many Caribbean businesses, even large ones, even ones that publicise how much they care about protecting customers’ data, aren’t applying the most basic of security controls online. For example, many who have a corporate website do not have a security role in their company, do not use HTTPS on systems transmitting sensitive data, do not use a web application firewall, have poorly hardened systems, expose sensitive data to the internet, and hardly update their software.

Let’s lead with action. If you log into or submit private messages through a Caribbean website, ensure you at least see HTTPS to the left of the website’s address in your browser. If not, ask them to start using it, or even ask what they are doing to protect web users like yourself.
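One way a defender can check the baseline controls mentioned above against a captured login response (HTTPS or a redirect to it, HSTS, no server version disclosure, Secure/HttpOnly session cookies), as an added example that is not part of the original article; the sample exchanges and the hostname bank.example are constructed:

```python
# Added example: offline audit of one captured HTTP exchange against the
# baseline web controls the article lists. Sample data below is constructed.
from urllib.parse import urlparse

def audit_exchange(url, status, headers):
    """Return a list of findings for the response to a sensitive form submission.

    url     - URL the login/contact form was submitted to
    status  - HTTP status code of the response
    headers - response headers as a dict; 'Set-Cookie' may be a list of values
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        # A plain-HTTP endpoint is only acceptable if it immediately redirects to HTTPS.
        location = str(h.get("location", "")).lower()
        if not (300 <= status < 400 and location.startswith("https://")):
            findings.append("sensitive form served over HTTP with no redirect to HTTPS")
    elif "strict-transport-security" not in h:
        findings.append("HTTPS without Strict-Transport-Security (downgrade possible)")
    server = str(h.get("server", ""))
    if any(ch.isdigit() for ch in server):
        # Exact versions make unpatched software easy to spot; hide them.
        findings.append(f"Server header discloses a version: {server!r}")
    cookies = h.get("set-cookie", [])
    for cookie in ([cookies] if isinstance(cookies, str) else cookies):
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            findings.append(f"cookie {name!r} is missing the Secure and/or HttpOnly flag")
    return findings

# Constructed samples: a weak deployment and the same login hardened.
WEAK = ("http://bank.example/login", 200,
        {"Server": "Apache/2.4.29", "Set-Cookie": ["session=abc; Path=/"]})
HARDENED = ("https://bank.example/login", 200,
            {"Server": "Apache",
             "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
             "Set-Cookie": ["session=abc; Path=/; Secure; HttpOnly"]})
REDIRECT = ("http://bank.example/login", 301,
            {"Location": "https://bank.example/login", "Server": "nginx"})

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED), ("redirect", REDIRECT)):
        print(label, audit_exchange(*sample))
```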

People are stressed – Minimise work stress

With the state of security online, companies are constantly on edge. The tension often filters down to the internal security teams which help these companies. The people who defend against security attacks (Blue Teamers) are becoming increasingly stressed. They seem to be facing a lot of struggles with stress, anxiety and insufficient resources. Sometimes these teams are significantly understaffed and have unrealistic expectations set by management, which leads to longer working hours and very little time away from work, even when on vacation. Although poor work-life balance is a pain in multiple industries, I’m championing mine. So please be more considerate of your staff, especially if they are on vacation, need to spend time with their family, or are just stressed. Ultimately a miserable work life will lead to declining health. Let’s manage this issue early as we try to develop the Caribbean Cyber Security industry. Also, promote healthy lifestyle habits.

Stop blocking and deterring women from Cyber Security and IT

Sexism has almost never faded away and has remained big in the news globally as women fight for equality. I’ve read stories about women in Cyber Security with sad experiences of unfair treatment or disrespect just because of their gender. Such experiences must stop. Even I, as a man, feel uncomfortable with the significant imbalance. I like working with a mix of both genders; they often bring different perspectives and attitudes, which, if managed wisely, will make any team excel.

OTHER REALISTIC WAYS WE CAN IMPROVE ACROSS THE CARIBBEAN

Try to reward/commend unexpected acts of good

An Egyptian souvenir shop owner unexpectedly gave me some free Pyramids as a gift for changing about 50 euro coins to paper money so he could redeem it at the local banks. It felt good because it was unexpected and I had just reluctantly bought some from him.


The Egyptian souvenir shop owner

After visiting the actual Pyramids, my tour guide started on his cross-selling skills, taking me to his friend who sells Egyptian souvenir items. I didn’t have much Egyptian cash on me, so I tried to avoid spending it before I reached an ATM. After some persuasion from his friend, I eventually purchased a set of 3 medium Pyramids. He then realised I was visiting from Germany and told me he had some euro coins he would love to change for euro cash because the Egyptian bank doesn’t accept foreign coins. I was guessing he received the coins from other European tourists over time and didn’t want to turn down the sale.

Security teams should be rewarded for small acts of good outside normal expectations, especially where they take initiative which makes a notable difference. It can significantly improve their morale. Don’t wait for them to resign and then offer them incentives/benefits.

Create your security signature and find your horse and camel

If you’re familiar with Usain Bolt, you’ll recognise something about the picture. Usain developed a signature and reputation which people recognise and respect. Senior security management in Caribbean entities should also create a signature through the way they operate. You know, the whole “tone at the top” thing. As staff change, how likely is it that your previous security staff would recommend new and promising talent to join your company? Will they tell people to stay far away because it’s a crappy environment? If you’re unsure, then you have some assessing to do.

My camel, I nicknamed him “Breeze” because he is so C… 😀

The cowboy’s return leg on the horse. Back off about my socks!

On my way around the Pyramids I was first on a camel, but I also wanted to see if I would feel better on a horse (because I mentally measured the fall). It turned out I preferred the horse as it was a better fit, even though both of them essentially served the same purpose. Shape security to work for your operations and try different approaches. There are multiple pre-built and reliable security guides available. Every business is different but can adopt similar security principles.

Despite its looks, it was kicking up some speed on the road

A protective structure may be in place now which mostly functions, but it’s not a great fit for your operations. Explore your options.

Feedback should be a conversation; it should go both ways

Management should implement periodic feedback from top to bottom and bottom to top. If possible, feedback should come from lower-level staff to get the truth out about bad practices, not just in Cyber security.

I’ve seen way too many managers who are poor at managing. I’ve seen way too many senior personnel who don’t have a clue how staff feel about the people managing them. I’ve seen wayyyy too many companies who are suffering because performance reviews of low-level staff only come from their managers about them and not also from them about their managers. If your company doesn’t genuinely care about how their staff feels about their managers, then there are likely a few managers who are significantly demoralising staff.

Extra sensitive data deserves an extra effort of protection

My bags were searched for bombs almost everywhere I went. In Egypt, the bomb threat seems realistic to Egyptians; it’s the Middle East, so why not, right! So when I went to any large corporate buildings like hotels, malls or big businesses, I anticipated being screened for bombs. Are the Egyptians taking it easy despite the Middle East’s history? No! So why should we with cyber security in similar situations?

If the data your company processes has a higher than normal sensitivity, then it should be treated that way. Screen the hell out of it even if there is an extra cost to pay. High sensitivity is usually the case for entities like financial institutions and national security operations which transmit some of the most sensitive data about a nation. In the end, highly sensitive operations may need to accept that they may have more false alarms but it may be worth it.

MAKE GOOD CHOICES

I’d love to see 1st world thinking spread across the Caribbean. The real solution, to me, is that WE ALL NEED TO PRACTICE GOOD habits and everything else… will fall into place.
