
CyberSecurity Leadership Summit 2021

I will be speaking at this year’s KuppingerCole Cyber Security Leadership Summit, 9-11 November 2021 in Berlin. It is a great privilege and pleasure to be invited to participate in such a high calibre event. I have two items on the agenda:

From Burden to Benefit – How aligning on business purpose and objectives is critical to maximise the value of Security

In this presentation I will focus on how to position Security as a Business enabler, and how to align and cooperate with those corporate functions that are driving the Digital Transformation. This talk will draw strongly on research in the field of Organisational Leadership and how to apply it to the context of CyberSecurity and the Digital Transformation.

Wednesday, November 10, 2021 12:00 – 12:20

Between Sugarcoating and Scaremongering – How to Position Your Governance & Risk Management Programme

Panel Discussion, together with Victoria van Roosmalen, CISO and DPO at Coosto, moderated by Warwick Ashford. We will be diving into whether it is better to down- or up-play the risks addressed and uncovered by a Governance & Risk Management Programme, and how to decide which approach to take. Further participants to be announced.

Wednesday, November 10, 2021 12:40 – 13:00

This will be the first in-person event for me in nearly two years, and I am really looking forward to it! The whole conference will be offered as a hybrid event, both for participation on-site in Berlin, and online for those that can’t make it.

Please do come and join us for this excellent event, either in person in Berlin, or online. For more details, visit the event website at https://www.kuppingercole.com/events/csls2021

Privsec IAM – 08 September 2021

I am honoured and excited to have been asked to chair this year’s Privsec Identity & Access Management Livestream Experience.

PrivSec Identity & Access Management (IAM) is a one-day livestream experience focusing on identity and access management.

Over the past 18 months, organizations around the world have seen an acceleration of their digital transformation projects. This has, however, created a set of new challenges that must be addressed in order to successfully manage identity and access management programs.

PrivSec IAM will bring together subject matter experts and industry leaders as they outline how best to overcome IAM-related challenges, how to best utilise IAM across organizations of all sizes, and provide roadmaps to the successful implementation and management of your IAM program.

This livestream experience will focus on the evolution of identity and access management, while also exploring its effects and relevance to blockchain, know your customer, self-sovereign identity and much more.

Come and join us this coming Wednesday from 10:00 – 16:00 BST (+1) for a series of fascinating live stream sessions, free of charge.

For more info and to register, please visit the Privsec IAM Website –

GRC TV: Securing Digital Transformation & Security Threats – 24 August 2021

Don’t forget to join me tomorrow, 24 August 2021, for our panel discussion on Securing Your Digital Transformation with Strong Security.

Joining me on the expert panel are:

  • Host: Stewart Room, Global Head of Data Protection, Privacy and Cyber Security Legal, Strategy and Consulting Services at DWF Law LLP
  • Aiah Pessima Yarjah, Doctoral Researcher at Royal Holloway University and Ranked Law Enforcement Detective
  • Victoria van Roosmalen, CISO & DPO, Coosto

The panel will be running between 17:15 and 18:00 BST (UTC+1) as part of the GRCTV session on Securing Digital Transformation & Security Threats.

Join us live or access it on-demand here:

Managers: Asset Or Liability In Remote Work?

As if we hadn’t noticed it already, Coronavirus is acting like a magnifying glass and accelerator for topics that were already on the horizon before the pandemic hit. Managers that act as enablers and facilitators of their teams and team members were already being seen as an important part of high-performing organisations. In the context of remote work, they become essential for team performance.

The role of managers and clear rules of engagement: lessons from remote-first companies

Source: Managers: Asset Or Liability In Remote Work?

Cybersecurity Culture – What does it mean?

The term “Cybersecurity Culture” appears to be very much en vogue at present. I have myself participated in several panel discussions over the last year that specifically addressed this topic. But what does it mean?

I have been mulling this over for quite some time now and would now like to ask you, dear reader, to reflect on my thoughts and provide feedback. Perhaps together we can come to a clearer picture of where we stand, and where we need to go next.

Today, Cybersecurity Culture is very much interpreted to be the art of getting our users/employees to act in a manner that is appropriate to an organisation’s risk profile. This is done through training and tooling, to elicit the desired behaviour from the subjects, i.e. the users or employees. It is generally implemented as a Cybersecurity Awareness Programme, applicable to the general populace of the organisation.

But is that really a “culture”? And is it even the right approach?

Having mulled over this topic for quite some time, I see essentially two parts that need addressing:

  • First, is cyber security culture a separate topic, or does it need to be integrated into the overall culture of an organisation? In fact, should we rather be talking about a Cyber-Secure Organisation Culture than about an Organisation Cybersecurity Culture?
  • Second, is this one-size-fits-all approach the most efficient way of achieving the organisation’s goals? Would it perhaps not be better to have several sub-cultures within the organisation that outline the values, beliefs, and actions of different groups of people, e.g. managers, knowledge workers, developers, or front office staff?

I believe that there are still many aspects of this topic that can, and need to, be explored. This is what I will be focusing on in the next few articles. In doing so, I would like to reflect upon not just my own opinions, but also on those of the community in general.

So, dear reader, please share your views and opinions on this topic. The more views we have, the more we can reflect upon them in our discussions and in the articles to come. So please don’t hesitate in providing your own opinion on this topic in the comments below.

PrivSec Global March 2021 – Creating a Cyber Security Culture

I am happy to be joining Dan Raywood, Glen Hymers and Sithembile Songo in a panel discussion on “Creating a Cyber Security Culture” at PrivSec Global on 25 March 2021 at 13:30 GMT.

For this and many more high-calibre sessions on Privacy and Security, join us online at PrivSec Global on 23-25 March. Learn more and register for free here: https://www.privsecglobal.com #PrivSecGlobal

PrivSec Global March 2021

I am happy and honoured to be confirmed as part of the discussion panel on “Creating a Cyber Security Culture” at the PrivSec Global conference at 13:30 GMT on 25 March 2021.

The other members of the panel will be:

  • Dan Raywood – Cybersecurity and Privacy Journalist
  • Glen Hymers – Global CISO and Head of Data Protection, Save The Children International
  • Sithembile Songo – Head: Information Security and Risk Management, Public Investment Corporation

I’m really looking forward to a lively and diverse discussion and hope you will be able to join us too. To reserve your place, just go to https://www.privsecglobal.com/register.

NCSC advice on how to defend software build pipelines from malicious attack

In my previous post on what we need to learn from Solorigate, I pointed out the fundamental need for secure development pipelines. I am happy to see that the UK National Cyber Security Centre (NCSC) has now published some guidance on how to approach this. Check out their post below.

Compromise of your software build pipeline can have wide-reaching impact; here’s how to tackle the problem.

Source: Defending software build pipelines from malicious attack

The Oxford (Remote) Experience

Today is the first day of my Executive Diploma course in Organisational Leadership at the Saïd Business School. And while we were all hoping to be able to meet up in person at the University of Oxford to learn and to share ideas, the Coronavirus has turned, at least this first module, into a Remote Learning Experience.

Still, I am super-excited to get to know my classmates and all the experience that both they and the class faculty are bringing to this course. I am sure that this will be a wonderful experience and success for all of us, despite the surrounding circumstances. And hopefully we will then all be able to meet up under the Dreaming Spires of Oxford for the second module in May.