
Welcome to COSAC Connect!

For 27 years COSAC has provided a trusted environment in which to deliver information security value from shared experience.

COSAC Connect brings the COSAC Information Security Conference format online in August 2021. Participation and interaction will be encouraged and facilitated by the COSAC team. View our agenda to get a taste of what to expect from our panel of expert information security speakers.

Wednesday 11th August 2021

12:00 BST Welcome & Introduction Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his 42nd year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.
12:30 BST AI and ML: Security and the Science (Fiction?) Speaker(s): Lesley Kipling

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

A discussion of security through the lens of ML – the algorithms that help us find the patterns in data, detect anomalies and underpin the self-healing of systems – and the future of Artificial Intelligence with all its potential for both harm and good. We’ll touch on present-day use of ML in security including big data and integrated signals, data gravity, adversarial ML and threat kill-chains; then wander into projected futures, the three laws of robotics, and the heuristically programmed algorithmic computer (HAL), and finish up with building trustworthy intelligence that integrates human values to augment human abilities.

13:30 BST Adapting to New Normals - How to Architect for Ever-moving Goalposts Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

The goalposts have always moved. The modern Enterprise shares all the characteristics of a complex system: it is comprised of many moving parts that interact, conflict, and have systemic dependencies between them, and with the environment in which the Enterprise exists; it changes organically as a result of the behaviours of its parts, each of which has its own objectives, success factors, methods and risks.

Turning security strategy into reality within such a complex system has always been one of the Architect’s greatest dilemmas.

But now we understand that the goalposts do not just move, they can be completely redefined by a new normal. And we know there will always be another new normal.

Future success depends upon an Enterprise’s ability to understand complexity, be resilient to complex disruption, and adapt to ever-changing complex requirements. The question is “How?”. Even if we prioritise with a risk-driven approach, there are far too many high priorities and far too few resources for us to succeed before the goalposts move again.

In this session we will demonstrate SABSA Architecture techniques to prioritise a security roadmap to transform and adapt to ever-changing complexity, ensuring that security solutions are always traceable to business requirements, whatever they are, whatever they become, no matter how quickly they change.

14:30 - 14:45 BREAK

14:45 BST Imposter Syndrome & Overconfidence

We have brilliant technical security systems which are necessary in responding to today’s security threats. But we still also need humans to manage these systems and to manage the human-related information security risks.

Humans are often referred to as the weakest link in security, but competent and motivated humans can also be the strongest asset for security management. Much depends on how the context enables and empowers the individuals, but naturally the characteristics and attitudes of individuals also have a significant impact on security.

Psychology is always present when we are dealing with humans. We should, for instance, neither underestimate nor overestimate the impact of cognitive biases. People can express unexpected creativity which can either benefit security or undermine the security arrangements. … Let’s have a closer look at two phenomena which can have a disastrous impact on security.

A person with impostor syndrome is in continuous doubt of being “a fraud” – he/she feels that personal achievements are based on luck and not competence and skills, and a disastrous exposure as a fraud can happen at any time. An overconfident person seems to have everything under control and with excellent verbal skills creates the impression of high competence – in which he/she firmly believes.

These two behavioural models seem to be opposites of each other, but are they really? This session explains what impostor syndrome and overconfidence mean in human behaviour. With the basics explained, we study their potential impact on security – whether held by a security manager, a user of security services or IT systems, or another interested party.

We also discuss how these behavioural models can be identified in an organizational context and how to reduce their negative impact on security.

15:45 BST Maturity Models: Mysteries, Pitfalls & Reality Speaker(s): Glen Bruce

Glen Bruce

Cybersecurity Consultant, GDB Cyber Security Consulting (Canada)

Glen Bruce is focused on Security Frameworks, Strategies, Architectures, PKI and Governance, supporting business and governments in their approach to managing information and cybersecurity risk. He has over 50 years of in-depth experience in IT and security consulting, systems management and technical implementations. He has led many information/cyber security engagements, where he has helped clients establish effective frameworks, strategies, governance, architectures, frameworks, policies, PKIs...

All organizations want to know how well they are doing in managing information security risk. Every significant breach that gets wide coverage prompts the Executives or the Board to ask – “could that happen to us?”. A common method of trying to answer that question is to assess what the organization has in place to control the risk, by determining the relative “maturity” of the risk management controls and processes against a reference standard for comparison, coupled with a maturity scale to provide a measurable level. The product of measuring the maturity of the controls and processes is meant to answer a number of questions: are we doing enough to manage our risk?; are we getting what we expect from all the investments that we have made?; and, even more important to some – how do we compare to our competitors or our industry?

There is a wide variety of methods and supporting mechanisms for conducting maturity assessments, and they produce varying results. This session will provide an overview of the various methods and mechanisms and describe many of the typical pitfalls and potential solutions for arriving at results that are actually understandable, meaningful and repeatable. We will have a look at the various reference standards and maturity scales from ISO, NIST, CMMC, ISF, CMMI, and several others typically used to assess maturity. Is a maturity assessment the same as, or comparable to, assessing implementation tiers? How do you measure the effectiveness of the controls and processes and the risk associated with the various levels of maturity? The objective of the session is to strip away the mystery and magical thinking that tends to creep into maturity assessments and provide information that can be used to establish realistic expectations and beneficial results.