Featured in 2021 Who’s Who in Cyber Security, a regular keynote speaker and author of “The Art of Benefits Realization Management,” Alex Antar was the perfect candidate for our Interview with a Specialist Series.
Alex is a passionate Cyber Security & IT Programme Leader with a wealth of global experience delivering complex digital transformational changes for Fortune 500 multinationals.
Hope you enjoy his insights as much as we did!
Security. I started my career as a software developer in the early 90s. Project Management was then a logical career progression after three years of coding.
Fun Fact: Before the commoditization of the internet, security for mainstream software development was mainly limited to access authorisation and rarely addressed encryption.
Elementary, my dear Watson: Security is an ever-ending co-evolutionary predator vs. prey game where cybercriminals are the predators.
Sophistication is key to success for both sides.
A security expert can only make a difference by keeping abreast of the latest advances in cyber security warfare in terms of defence techniques & tools and the latest attack techniques and tools.
MITRE ATT&CK, because it is an adversarial attack-oriented security defence framework based on up-to-date real-world attacks.
As a minimum, it makes sense to ensure your security defences can protect against known real-world attacks that are documented in the MITRE ATT&CK matrices.
However, it is only good for producing security heatmaps to the sub-technique granularity level. Other frameworks must be leveraged for a comprehensive view, such as NIST CSF and ISO 27001.
Getting the Board, decision makers and budget owners who have not yet suffered a major attack to understand and stay away from the following fallacies:
Well, suffice it to say that for those fallacies above, cyber criminals don’t give a hoot about certified companies or reputable SSPs.
The sooner they adopt DevSecOps the better. The essence of DevSecOps is to embed security end-to-end across all phases of the traditional SDLC (Software Dev Lifecycle). Some of its key practices are as follows: Controlled, standardized build & update process, Automated infrastructure and code security testing as part of CI/CD pipeline, threat modelling, shared threat intelligence, least privilege, automated testing and container isolation, enforced configurations in production by using configuration management scripts that continually run against all your environments to enforce configurations, static application security testing (SAST), Dynamic testing (DAST) also called black-box testing, interactive application testing (IAST), Runtime application self-protection (RASP). Of course, for a successful DevSecOps, you have to provide certifications and training to the relevant staff.
Don’t forget to implement the tightest security measures to your Disaster & Recovery (DR) platforms and include it in the frequent cyclical automated testing too. The DR is often a blind spot.
I don’t have to convince anybody that today, the old school thick paper books are outdated for self-learning advanced technical topics. I have thrown away many of my paper-based books or given them to charity.
Today, I learn mostly through the following: