Month: December 2017

The Challenge of Staying Fit

This time last year the excesses of the festive season had taken their toll. I was overweight and I had done no significant physical exercise for weeks. With my New Year’s glass of Champagne in hand I made a commitment that the same wouldn’t happen next year. Of course I’ve made resolutions before, but they’ve always been too vague. Promising to ‘get fitter’ is destined to fail as it isn’t definable or measurable. So this year I decided to focus on 5 very specific goals, chosen rather arbitrarily as you might expect when under the influence of Champagne:

  • Complete the Coast to Coast in a Day Cycle event (150 miles) – Completed on 24th June. A great experience cycling across the country from Seascale to Whitby through 3 beautiful National Parks and including the hardest climb in the UK.
  • Cycle 1000 miles in 2017 – Completed in June. Lots of early morning training for the Coast to Coast added up to just over 1000 miles.
  • Achieve a Personal Best in a Half Marathon – Completed on 1st October in the Great Scottish Run in Glasgow. I managed a time of 1:45 improving my PB by 7 minutes. This is the first time I actually trained for a running event and (unsurprisingly) it makes a big difference!
  • Run 500 miles in 2017 – Completed in December. I thought this would be easily achieved by training for the half marathon, but in reality I had to keep regular running going through the year to hit the target.
  • Run at least 3 miles every day in December – Completed on 31st December. This was the challenge that was specifically intended to curb the festive excess, and it worked, although there were a few days when the 3 miles was a bit of a slog!

By doing these things I re-learned two valuable lessons. Firstly, having clear goals is invaluable. It focused me on what I wanted to achieve and gave me a real sense of satisfaction when I was able to tick each one off the list. Secondly, maintaining a consistently high level of fitness throughout the year makes a huge and positive difference to mental and physical health. I have been happier, more motivated and more productive as a result of my five challenges.

So this Hogmanay I will again take a glass of Champagne in hand and look forward to 2018 by setting a fresh set of challenges that will keep me active all year. One thing is for certain though, after running 3 miles every day in December there is no way that any of my 2018 challenges will involve running on New Year’s Day!

Information Assurance and Defensive Cyber Operations – An Important Distinction

During a recent planning meeting I found myself explaining my views on the difference between Information Assurance (IA) and Defensive Cyber Operations (DCO). This is something I do a lot, but it is worth doing because it is an important distinction. Knowing which you are pursuing ultimately determines what you do, the mindset and methodology you adopt and who in your organisation is accountable.

IA has been established and understood for some time and, until recently, it sufficed as an approach to achieving protection in cyberspace. IA is focused entirely on protecting information systems at an accredited baseline level. This extends to technical measures, both hardware and software, but also to the physical security wrap around a system. Routinely these measures are built into procurement so that a base level is achieved at the beginning of a system’s lifecycle. This is then maintained through life with periodic reviews and frequent updates and patching. Both in analogy and literally it is making sure the door is locked and the intrusion alarm is on.

Until fairly recently IA was considered sufficient; if the accreditors ticked all the boxes on their inspection sheet then information was ‘safe’. There are benign occasions when this might be true, but in the majority of cases, and especially on deployed military operations, a completely different approach is required to raise the standard well above base level protection.

This delta is met by Defensive Cyber Operations. These are fundamentally different from IA in that they focus on mitigating operational risk by delivering Cyber Mission Assurance. This is not the domain of the accreditor; rather, ownership sits squarely with leadership and their operations team.

DCO are proactive and draw on an offensive spirit; they are the antithesis of sitting in a locked house not knowing what threat lies outside. They are rooted in understanding and therefore begin with detailed and aggressive threat analysis so that the intent and capability of the adversary are understood. This should include actively hunting for adversary activity. Additional measures can then be taken to counter that threat. DCO are less worried about protecting individual systems and more concerned with operational resilience, so business continuity and rapid response and recovery become essential. Perhaps most importantly, DCO are not limited to protecting information on command and control systems. Their scope is much wider: essentially anything that could impact the mission must be considered. This includes platforms, Industrial Control Systems, supply chain systems and welfare communications, irrespective of who owns them. Finally, under certain definitions, and with the correct authorities in place, DCO can include the ability to strike back at an adversary to stop, or even prevent, an attack.

Fundamentally, protecting our businesses in cyberspace is about mindset. To do it well we must think more in terms of operational assurance and less about simple compliance.