
Yes, someone actually said that to me in an interview!

SRM’s GDPR specialist Melanie Taylor explains some of the challenges faced by women trying to get into the world of IT

‘I don’t understand why a woman with a family would want to work in IT’…

Is just one of the things an IT Solutions company in Catterick said to me during an interview.

To start at the beginning! In August 2012 I had an operation to fuse 2 of my vertebrae in my lower back and insert some ‘scaffolding’ to support the one above, due to collapsed discs. I knew the operation was coming and had decided that once I could go back to work it would be in IT. I was not going to settle for less. Having always enjoyed dabbling in IT and taking PCs, Xboxes and mobile phones apart to fix or clean them, it seemed like a logical choice. Getting into Information Security was the ultimate goal, but I needed to start with IT in general.

“An apprenticeship! That’s what I’ll do,” I told my husband. So I started to apply for any IT apprenticeships I could find, sometimes 5-10 per week, and then… nothing! Nothing at all. Not even a ‘sorry, this place was filled’. I kept going and did, now and again, receive a reply: TOO OLD! You see, I was 34. When a company wants an apprentice they want a young one so that they will be fully funded. I still kept going, applying and chasing with telephone calls. Too old.

But then finally, an interview!

It was for a Network Technician Apprentice role at an IT solutions company in Catterick. I was living in Bishop Auckland at the time and was more than happy to travel 25 miles to work each day.

On the day of the interview, I was extremely nervous and also excited at the possibility; this could be it… the beginning. I arrived in plenty of time, smartly dressed with a little makeup on and hair done, anxious to meet my interviewers.

Now I can tell you that when someone walks into the room, sees you, and their face drops, you do not get a good feeling. That sinking feeling. That feeling of dread. I was asked to have a seat and was made a cup of coffee. The interview started in an unstructured way and I remember being asked why I wanted the role. “Since leaving school I have wanted to get into IT but just didn’t know how back then. I have had a few years away from work due to a back injury but am now able to work again and decided to go for my career of choice.” I said some other stuff and waited for a response. Awkward silence. Then one of the men said, “I just can’t understand why a woman with a family would want a job like this; it gets cold in server rooms, you know”. I said I would wear a coat if I was cold. This seemed to be the theme of the interview, and I was enlightened with some interesting statistics about how many women worked in IT, or rather didn’t work in IT. On the plus side, I was told that the clients would love me, although I’m not entirely sure that it was meant as a compliment. Near the end, I was asked if I would not rather take a position in admin! As a last attempt to convince these people (clutching at straws) I blurted out that having my hair done and wearing makeup was not me and I really wanted this opportunity. After I left it didn’t take long for the recruiter to ring to break the news to me: I was not experienced or knowledgeable enough for the position and the learning curve would be too steep. An interesting point, considering that the interviewers had already told me that the role needed no experience, being an apprentice role, and that the last apprentice they had was completely starting from scratch with their knowledge and experience.

Desperately wanting to prove myself I emailed one of the directors that interviewed me and offered to do voluntary work so that they could see my work ethic and how quickly I would pick things up. Nothing! Not a thing back.

I was absolutely determined to keep going. Everything happens for a reason, right? And looking back at the interview I was beginning to think that maybe it was not the best place to work, for a woman anyway.

Thank you! Thank you so much for not taking me on! I would not be where I am today if you had.

After around 8 months of applying, I had an interview with Newcastle College which was successful and my journey began, but that is another story.

The point of telling you this is to say never give up on your dream career and never stop searching for your perfect employer. You’ll know when you get there and you may not stay forever but it’ll be right at the time.

I am so lucky to have found a company that not only let me fly, they give me wind beneath my wings. Thank you SRM!


Can Decision Cycles help us maintain the initiative in cyberspace?

As our world gets increasingly complex we must choose the levers we use to influence it with care. One way to look at this is through the lens of decision cycles.

For those not familiar with this concept, decision cycles are the cyclic process through which we perceive a stimulus, understand its implications, decide on a response and implement that decision. (There are a number of models and references). Simplistically, if we can make effective decisions quicker than our opponents, then we will, theoretically, hold the initiative.

The decision cycle lens is a useful one for those responsible for making decisions about cyber related issues as it throws any dangerous policies into harsh relief.

Most businesses work in a world where their policies, and here I’m talking about management intent rather than paperwork, refresh on a 12 month cycle based on standards which tend to refresh on a 5 year cycle. I note many will be smiling ruefully at this optimistic view!

In today’s information environment many of our risks are changing on a much shorter (faster) cycle, measured in days and weeks rather than months. Our operational tempo is defined not just by the speed of change, but by the way that the speed of change is accelerating.

This presents us with an exciting challenge: if we rely on static policy and processes – and many organisations still do – then we must expect our adversaries to outmanoeuvre us, and our risks to out-evolve our defences.

Where does this take us? Decision Cycle theory gives us a number of areas where we can hard-wire agility into our business systems.
* Firstly, we can ensure that our warning, reporting, alarm and monitoring systems (technical and procedural) are tuned to report those events that most concern us.
* Secondly, we can ensure that we fully understand our own vulnerabilities and sensitivities, and the impact that adverse events will have on our operations. We can test and exercise those scenarios that most concern us. We can challenge our own assumptions. This will enable us to understand impacts and qualify outcomes more quickly.
* Thirdly, we need to understand our own options and their limitations, and review these on a regular basis. This will enable us to make decisions more quickly.
* Finally, we need to ensure that our implementation of these decisions is well planned and, where possible, practised. We must also review effectiveness at every level and make whatever changes are required at any part of the cycle.

All of this would seem to be common sense, though it is often not done in practice. There are many reasons for this, ranging from technical inertia to process stagnation. The important thing is that we acknowledge and track our challenges; then we can mitigate the changing risks.

If we are able to design agility into our business systems and processes, and if we tune our organisations so that we can take a proactive posture, then we can keep the initiative. The simple decision cycle model then gives us an easy way to challenge our posture on a regular basis to establish where and when change is required.

This is not rocket science, but many of us do seem to find it surprisingly hard. This simple model is one way of stepping forward and bringing effect to bear in our defence.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

Emerging Trend: Persistent JavaScript Ecommerce Malware

Our analysts report another trend that administrators should be aware of: JavaScript-based eCommerce malware that re-infects websites automatically if removal is incomplete. It has been identified as a new technique being used by cyber criminals.

This type of malware obtains its persistence by modifying databases to force the injection of a malicious JavaScript file into an eCommerce webpage. By targeting databases, the malware becomes resilient to normal removal attempts, which typically only clean the web files. Cyber criminals have recently used this technique to target eCommerce merchants, successfully injecting the JavaScript code into a database field of a merchant’s website and compromising payment card data.

This malware reinfection method can be used on any eCommerce platform that uses database fields to populate content on the shopping cart webpage. Reinfection of websites can be done with the following processes:
1. A database trigger is added to the order table, which injects the malicious JavaScript link into the website template fields.
2. The trigger is executed every time a new order is made.

Scanning HTML files for malicious code is not sufficient on its own to detect this malware. Analysis of the database is required to ensure a proper clean-up of JavaScript eCommerce malware is conducted.
Regular scanning of web servers for malware is one recommended mitigation measure that eCommerce sites can take to identify security issues. Another recommended best practice is to check eCommerce databases for malicious triggers and remove any that are found.
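The following is an added example, not SRM’s tooling or code from the original post, showing how a defender can audit a store database for the trigger-based persistence described above and confirm that cleaning the HTML field alone does not hold. It uses an in-memory SQLite database with constructed tables (the table and column names `sales_order`, `design_config` and `footer_html` are assumptions, not a specific platform’s schema); a production store usually runs MySQL, where the equivalent query reads trigger bodies from `information_schema.TRIGGERS`, and the script URL in the sample trigger is a placeholder rather than a real indicator.

```python
"""Audit database triggers that could be re-injecting script into storefront content.

Added example (assumptions: SQLite in-memory database, constructed table names).
"""
import re
import sqlite3

# Constructed sample schema: an orders table and a table whose rows are rendered into pages.
SCHEMA = """
CREATE TABLE sales_order (id INTEGER PRIMARY KEY, total REAL);
CREATE TABLE design_config (id INTEGER PRIMARY KEY, path TEXT, value TEXT);
INSERT INTO design_config (path, value) VALUES ('footer_html', '<p>Thanks for shopping</p>');
"""

# Constructed triggers: a benign housekeeping trigger and one modelled on the persistence
# mechanism described in the post (a template field is rewritten whenever an order arrives).
# The script URL is a placeholder for illustration only.
TRIGGERS = """
CREATE TRIGGER audit_order AFTER INSERT ON sales_order
BEGIN
  UPDATE sales_order SET total = ROUND(total, 2) WHERE id = NEW.id;
END;

CREATE TRIGGER reinfect AFTER INSERT ON sales_order
BEGIN
  UPDATE design_config
  SET value = value || '<script src="https://example.invalid/placeholder.js"></script>'
  WHERE path = 'footer_html' AND value NOT LIKE '%placeholder.js%';
END;
"""

# Markup that has no business appearing inside a trigger body.
SCRIPT_PATTERN = re.compile(r"<script\b|<iframe\b|javascript:", re.IGNORECASE)
# Tables whose columns end up in rendered pages (assumption; adjust to the platform in use).
CONTENT_TABLES = {"design_config", "cms_block", "cms_page", "core_config_data"}
WRITE_TARGET = re.compile(r"\b(?:UPDATE|INSERT\s+INTO)\s+(\w+)", re.IGNORECASE)


def build_sample_db():
    """Create the constructed database with both triggers installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + TRIGGERS)
    return conn


def list_triggers(conn):
    """Return (name, table, body) for every trigger; SQLite keeps the CREATE text in sqlite_master."""
    rows = conn.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger'"
    ).fetchall()
    return [(name, tbl, sql or "") for name, tbl, sql in rows]


def suspicious_triggers(conn):
    """Flag triggers whose body embeds script markup or writes into page-content tables."""
    findings = []
    for name, tbl, body in list_triggers(conn):
        reasons = []
        if SCRIPT_PATTERN.search(body):
            reasons.append("body contains script markup")
        touched = {t.lower() for t in WRITE_TARGET.findall(body)}
        hits = touched & CONTENT_TABLES
        if hits:
            reasons.append("writes to content table(s): " + ", ".join(sorted(hits)))
        if reasons:
            findings.append({"trigger": name, "on_table": tbl, "reasons": reasons,
                             "remediation": f'DROP TRIGGER "{name}";'})
    return findings


def remediate(conn, findings):
    """Drop every flagged trigger and return the names removed."""
    dropped = []
    for f in findings:
        conn.execute(f'DROP TRIGGER IF EXISTS "{f["trigger"]}"')
        dropped.append(f["trigger"])
    conn.commit()
    return dropped


def footer_html(conn):
    return conn.execute(
        "SELECT value FROM design_config WHERE path = 'footer_html'"
    ).fetchone()[0]


def demo():
    """Returns (reinfected_before_fix, clean_after_fix) to show why the trigger must go first."""
    conn = build_sample_db()
    findings = suspicious_triggers(conn)
    for f in findings:
        print(f"[!] trigger {f['trigger']} on {f['on_table']}: {'; '.join(f['reasons'])}")
        print(f"    remediation: {f['remediation']}")
    # A new order fires the trigger, so the content field is dirty again without any web-file change.
    conn.execute("INSERT INTO sales_order (total) VALUES (19.99)")
    reinfected = "<script" in footer_html(conn)
    # Proper clean-up: remove the trigger, then restore the content field, then re-check.
    remediate(conn, findings)
    conn.execute("UPDATE design_config SET value = '<p>Thanks for shopping</p>' WHERE path = 'footer_html'")
    conn.execute("INSERT INTO sales_order (total) VALUES (5.00)")
    clean_after = "<script" not in footer_html(conn)
    return reinfected, clean_after


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The check combines two signals on purpose: script markup inside a trigger body is a strong indicator on its own, while a trigger that merely writes into a content table is a weaker one that still deserves a human look, since legitimate triggers rarely touch rendered content in response to order activity.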

If you are in doubt, contact the SRM team who can arrange to run a check for you!

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

The uncertainty of Brexit, the certainty of GDPR and the responsibilities of the CISO

As Britain navigates its way through the choppy waters of Brexit, there is a great deal of uncertainty about exactly what form our new relationship with Europe will take. In many ways our trading relationships will change; this is the inevitable uncertainty. But on one level the situation is significantly clearer: UK businesses will still be required to comply with EU law if they wish to maintain any trade links with European customers. So the General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018 will still apply to most of us.

But the trouble with certainty is that it is rarely ever that simple. When it comes to our relationship with Europe it appears that the words of John Allen Paulos, an American Professor of Mathematics, apply: ‘Uncertainty is the only certainty there is’. So where does this leave the CISO, whose responsibility it is to ensure compliance with not only GDPR but also any future UK and EU regulations? Well, the clever mathematician went on to say that ‘knowing how to live with insecurity is the only security.’ And this is the key.

By accepting a degree of insecurity and establishing a means by which to manage it, a CISO can maintain compliance and provide strategic direction for the company’s information security agenda. The following steps will help to navigate this difficult course.

  1. Continue to steer towards whole company compliance with the existing information security standards like PCI DSS, Cyber Essentials, ISO 27001 and ISO 9001. Embedding these standards within your business will ensure you are well placed to deal with new challenges on the horizon.
  2. Work with an established professional team which will not only help you set your course but will also support, enhance and resource your information security strategic agenda. As industry experts they will know about impending changes and will ensure your compliance objectives take these into account.
  3. Make sure everyone on your ship is heading in the same direction. To do this you will need to exert board-level influence. With access to a high level of technical expertise and strategic guidance, the CISO will be able to articulate the state of information security to the company stakeholders and lead employees, securing company-wide support and making the case for adequate resource. This will set you up to be flexible and responsive to change.

SRM’s VirtualCISO™ has been developed to provide a cost-effective, bespoke solution for organisations without a CISO, or where a board-level strategic adviser is required to ensure Information Security remains high on the board agenda. The SRM VirtualCISO™ has access to an extensive portfolio of professional services to help embed Information Security throughout your organisation.

A Cautionary Christmas Tale


‘Twas the night before Christmas, and all through the house,
Not an iPad was stirring, nor PC or Mouse;

The shopping had been done on the internet with care,
In hope that the presents soon would be there;

The payments were processed, at least in their heads,
Until they found out their account was in shreds;

What should have resulted in toys in gift wrap;
Had led them into an elaborate trap,

The fraudsters had found an outdated website;
And changed the checkout so it wasn’t quite right,

Away to the next site, Dad went like a flash;
Not knowing his card was in the fraudsters’ stash

The website looked fine but ‘twas misdirection;
He’d fallen foul of Sequel Injection,

The site wasn’t bad, that should be made clear;
But the standards ignored, no PCI here.

With hackers so many, so lively and quick;
The change was so easy, it was done in a click,

So please spare a thought, when you next do your shopping,
And check that the site that you found while you’re hopping,

Is up to the standard to which we’re reliant;
And make sure it’s one that is PCI compliant.


Information Security Consultant, SRM’s Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.