Cybersecurity and Security-by-Design in IT, OT and IoT


CyberSecurity Leadership Summit 2021

I will be speaking at this year’s KuppingerCole Cyber Security Leadership Summit, 9-11 November 2021 in Berlin. It is a great privilege and pleasure to be invited to participate in such a high calibre event. I have two items on the agenda:

From Burden to Benefit – How aligning on business purpose and objectives is critical to maximise the value of Security

In this presentation I will focus on how to position Security as a Business enabler, and how to align and cooperate with those corporate functions that are driving the Digital Transformation. This talk will draw strongly on research in the field of Organisational Leadership and how to apply it to the context of CyberSecurity and the Digital Transformation.

Wednesday, November 10, 2021 12:00 – 12:20

Between Sugarcoating and Scaremongering – How to Position Your Governance & Risk Management Programme

Panel Discussion, together with Victoria van Roosmalen, CISO and DPO at Coosto, moderated by Warwick Ashford. We will be diving into whether it is better to down- or up-play the risks addressed and uncovered by a Governance & Risk Management Programme, and how to decide which approach to take. Further participants to be announced.

Wednesday, November 10, 2021 12:40 – 13:00

This will be the first in-person event for me in nearly two years, and I am really looking forward to it! The whole conference will be offered as a hybrid event, both for participation on-site in Berlin, and online for those that can’t make it.

Please do come and join us for this excellent event, either in person in Berlin, or online. For more details, visit the event website at

Privsec IAM – 08 September 2021

I am honoured and excited to have been asked to chair this year’s Privsec Identity & Access Management Livestream Experience.

PrivSec Identity & Access Management (IAM) is a one-day livestream experience focusing on identity and access management.

Over the past 18 months, organizations around the world have seen an acceleration of their digital transformation projects. This has, however, created a set of new challenges that must be addressed in order to successfully manage identity and access management programs.

PrivSec IAM will bring together subject matter experts and industry leaders as they outline how best to overcome IAM-related challenges, how to best utilise IAM across organisations of all sizes, and provide roadmaps to the successful implementation and management of your IAM programme.

This livestream experience will focus on the evolution of identity and access management, while also exploring its effects and relevance to blockchain, know your customer, self-sovereign identity and much more.

Come and join us this coming Wednesday from 10:00 – 16:00 BST (UTC+1) for a series of fascinating live stream sessions, free of charge.

For more info and to register, please visit the Privsec IAM Website –

GRC TV: Securing Digital Transformation & Security Threats – 24 August 2021

Don’t forget to join me tomorrow, 24 August 2021, for our panel discussion on Securing Your Digital Transformation with Strong Security.

Joining me on the expert panel are:

  • Host: Stewart Room, Global Head of Data Protection, Privacy and Cyber Security Legal, Strategy and Consulting Services at DWF Law LLP
  • Aiah Pessima Yarjah, Doctoral Researcher at Royal Holloway University and Ranked Law Enforcement Detective
  • Victoria van Roosmalen, CISO & DPO, Coosto

The panel will be running between 17:15 and 18:00 BST (UTC+1) as part of the GRCTV session on Securing Digital Transformation & Security Threats.

Join us live or access it on-demand here:

Cybersecurity Culture – What does it mean?

The term "Cybersecurity Culture" appears to be very much en vogue at present. I have myself participated in several panel discussions over the last year that specifically addressed this topic. But what does it mean?

I have been mulling this over for quite some time now and would like to ask you, dear reader, to reflect on my thoughts and provide feedback. Perhaps together we can come to a clearer picture of where we stand, and where we need to go next.

Today, Cybersecurity Culture is very much interpreted to be the art of getting our users and employees to act in a manner that is appropriate to an organisation's risk profile. This is done through training and tooling, to elicit the desired behaviour from the subjects, i.e. the users or employees. It is generally implemented as a Cybersecurity Awareness Programme, applicable to the general populace of the organisation.

But is that really a "culture"? And is it even the right approach?

There are essentially two parts that I think need addressing:

  • First, is cybersecurity culture a separate topic, or does it need to be integrated into the overall culture of an organisation? In fact, should we rather be talking about a Cyber-Secure Organisation Culture than about an Organisation Cybersecurity Culture?
  • Second, is this one-size-fits-all approach the most efficient way of achieving the organisation's goals? Would it perhaps not be better to have several sub-cultures within the organisation that outline the values, beliefs and actions of different groups of people, e.g. managers, knowledge workers, developers, or front office staff?

I believe that there are still many aspects of this topic that can, and need to, be explored. This is what I will be focusing on in the next few articles. In doing so, I would like to reflect upon not just my own opinions, but also those of the community in general.

So, dear reader, please share your views and opinions on this topic. The more views we have, the more we can reflect upon them in our discussions and in the articles to come. So please don’t hesitate in providing your own opinion on this topic in the comments below.

PrivSec Global March 2021 – Creating a Cyber Security Culture

I am happy to be joining Dan Raywood, Glen Hymers and Sithembile Songo in a panel discussion on “Creating a Cyber Security Culture” at PrivSec Global on 25 March 2021 at 13:30 GMT.

For this and many more high-calibre sessions on Privacy and Security, join us online at PrivSec Global on 23-25 March. Learn more and register for free here; #PrivSecGlobal

Oliver Carr at PrivSec March 2021

PrivSec Global March 2021

I am happy and honoured to be confirmed as part of the discussion panel on “Creating a Cyber Security Culture” at the PrivSec Global conference at 13:30 GMT on 25 March 2021.

The other members of the panel will be:

  • Dan Raywood – Cybersecurity and Privacy Journalist
  • Glen Hymers – Global CISO and Head of Data Protection, Save The Children International
  • Sithembile Songo – Head: Information Security and Risk Management, Public Investment Corporation

I’m really looking forward to a lively and diverse discussion and hope you will be able to join us too. To reserve your place, just go to


NCSC advice on how to defend software build pipelines from malicious attack

In my previous post on what we need to learn from Solorigate, I pointed out the fundamental need for secure development pipelines. I am happy to see that the UK National Cyber Security Centre (NCSC) has now published some guidance on how to approach this. Check out their post below.

Compromise of your software build pipeline can have wide-reaching impact; here’s how to tackle the problem.

Source: Defending software build pipelines from malicious attack


Lessons from Solorigate – The need for trustworthy development pipelines

This post was quite some time in the making. However, six weeks on, the relevance of the lessons to be learned has not diminished.

The compromise of SolarWinds' Orion platform calls into question the integrity and trustworthiness of the development process used. The usual approach of detecting the behaviour of the resulting backdoor and blocking it does not address the underlying trust and integrity issue of the development pipeline. It is also a very costly approach if every customer of a company such as SolarWinds must implement it. A far more effective approach is to invest in the integrity of the development process, to ensure that unwanted code changes in development are prevented.

What happened

At the beginning of December 2020, a supply chain attack affecting many organisations globally, including US government agencies and many international institutions, hit the mainstream media. It appears that through changes in the SolarWinds Orion product, attackers were able to create a backdoor in the product, enabling them to infiltrate the environments of SolarWinds customers. It appears that the recent attack on cyber security vendor FireEye, resulting in the theft of many of their hacking tools, is the result of just such an infiltration.

The analyses by both FireEye and Microsoft of the SolarWinds compromise make for some interesting reading. In short, attackers were able to place code within the Orion product itself that then opened an attack channel for the attackers to exploit in the target companies' environments. It appears that this was placed so early in the development process that it became indistinguishable from the legitimate code of the SolarWinds developers and therefore shipped to SolarWinds' customers as part of the normal distribution and update processes. A significant amount of effort seems to have been put into the code to prevent it being detected, which is an indication that this might well be a state-sponsored attack. At any rate, it looks like the attackers knew what they were doing.

First reactions – block, shutdown, and rebuild

First reactions to this attack were to shut down the vulnerable components in SolarWinds Orion both by implementing patches from SolarWinds and also by disabling either the vulnerable code itself, or the communications channels it uses. An Emergency Directive by the US Cybersecurity and Infrastructure Security Agency (CISA) included the requirement to rebuild the affected systems to prevent the attacks from persisting due to yet undiscovered components.

Preventing future attacks – the usual approach

What then followed was the usual reaction by the security industry, of showing how their specific product can, or would soon be able to, discover the behaviour of such backdoors and prevent them from being exploited in future. And whilst this may detect and prevent the same or similar attacks in future, it is just dealing with the symptoms of the attack on SolarWinds, not the root cause. I would venture to say that attackers capable of crafting an attack such as this are also skilled and innovative enough to create further attacks that again will not be detected by the security products of today.

Addressing the root cause – creating trustworthy development pipelines

The root cause of this attack was that the attackers managed to insert malicious code into a vendor’s product, and that this change went undiscovered for months, if not years. It begs significant questions as to the level of trust we can place in the integrity of the development process employed by SolarWinds. And SolarWinds is not alone in this.

In the last few years, a discussion has been gaining momentum around how we can ensure that hardware and software suppliers are trustworthy. The discussion around companies like Huawei and ZTE are a good example of this, albeit only the tip of the iceberg. All vendors of cyber products will need to demonstrate the trustworthiness of their products and the underlying development, manufacturing, and distribution processes. The question must be “Does our product only do what we intend it to do?”.

Even where development methods pay close attention to ensuring that the intended changes are free of errors and achieve their purpose, very few go the extra step of checking that no unintended changes are bundled in as well. And such inconspicuous, unintended changes may well be so far removed from the intended change that they escape even the most diligent peer review. The only way to properly pick these up is continuous monitoring of the code base, using automated tools to support the review and release process.

Development teams should update their testing and review processes to look for all changes to the code and configuration that occur, and then to ensure that each of these is justified and correct in terms of the user story being addressed. If these are correctly documented, we will come a long way towards not only creating more stable products with fewer defects causing "collateral damage", but also significantly increasing the trustworthiness of the overall process.
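As an added example, and not code from the original post or from any of the vendors named in it, the following Python script implements the kind of automated check described above. It hashes every file in a source tree to produce a manifest, compares two manifests, and reports any file that was added, removed or modified but is not on the list of paths the user story declares as its scope. The same comparison, taken before and after a build step, verifies that the build itself did not alter the sources it was handed. The directory layout, file contents and declared change list are constructed for the example.

```python
"""Flag source-tree changes that the approved change set does not cover.

Added example; not part of the original post. The sample tree, its contents
and the declared change list below are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_snapshots(before: dict, after: dict) -> set:
    """Paths that were added, removed or whose content hash changed."""
    changed = set()
    for path in before.keys() | after.keys():
        if before.get(path) != after.get(path):
            changed.add(path)
    return changed


def undeclared_changes(before: dict, after: dict, declared) -> list:
    """Changed paths that the user story's declared scope does not mention.

    A non-empty result means the review must explain every listed path or
    reject the change; this is the check that catches an unrelated file
    being quietly modified alongside the intended work.
    """
    return sorted(diff_snapshots(before, after) - set(declared))


def build_left_sources_unchanged(pre_build: dict, post_build: dict) -> bool:
    """True when a build step did not touch any of the sources it was given."""
    return not diff_snapshots(pre_build, post_build)


def demo() -> list:
    """Run the check on a constructed tree; returns the undeclared changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "feature.cs").write_text("// feature stub\n")
        (root / "src" / "inventory.cs").write_text("class Inventory {}\n")
        before = snapshot(root)

        # The developer implements the declared user story ...
        (root / "src" / "feature.cs").write_text("// feature implemented\n")
        # ... while something else silently alters an unrelated source file.
        (root / "src" / "inventory.cs").write_text(
            "class Inventory { /* unexpected addition */ }\n"
        )
        after = snapshot(root)

        # Only src/feature.cs is in scope for this story.
        return undeclared_changes(before, after, declared=["src/feature.cs"])


if __name__ == "__main__":
    print("Undeclared changes:", demo())
```

In a pipeline the "before" manifest would be recorded at the approved base commit and the "after" manifest at the commit under review, with the declared list taken from the change ticket; `build_left_sources_unchanged` is run with manifests taken immediately before and after the compile step, so that a build that rewrites a source file on the fly fails the gate rather than shipping.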

Trustworthiness is the new currency

If Solorigate has taught companies and senior managers one thing, it is how complex supply chains have become in this digital day and age. The cry has gone out to ensure that this "doesn't happen again". And the security industry has answered with its usual "buy our tool and you will be safe" mantra. This may provide them with increased revenue in the short run but won't stop the next incident that lies outside their direct line of sight from happening. It is a recurring pattern that is becoming all too obvious.

The long-term solution is to get the processes of creating our digital products right and to ensure that they are not circumvented. This is how we (re-)build the trust in our products. Companies like Huawei, SolarWinds, or ZTE are already experiencing what it means to not have the trust of their customers, and that list is sure to grow. To come out on top, companies will need to put in that little bit of extra effort to ensure the trustworthiness of their development cycle. And the best time for that is now.

Threat Modeling Manifesto

As described in the BLUES overview, creating a threat model is one of the first steps in ensuring that security is aligned with business goals. It starts with asking four basic questions:

  1. What are we working on?
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good enough job?

Some of the most influential thought leaders in the field of threat modeling have now published the Threat Modeling Manifesto. It is a great source that outlines the basis on which threat modeling in cyber security is founded. Well worth a read.

Documents the values, principles and key characteristics as an industry guidance for conducting threat modeling.

Source: Threat Modeling Manifesto