By -

The HSE Data Breach and the State of Irish Cyber Security


Many years ago, shortly after I founded the Irish chapter of OWASP ( http://www.owasp.org ) (in 2007??) we were delivering free application and software development classes to anyone who wanted them. It was a local low key affair but every class we delivered was "sold out". We have 60-80 folks mostly developers willing to spend 4-5 hours on learning the fundamentals of secure application development and testing.


I suppose we felt cyber security was an important issue because that's what we did. At the time many folks in business felt cyber security was an overhead or a "tax" and did not give it much time.


A few years later (late 2010) when the the foundation of the NCSC (National Cyber Security Centre) was announced, a few of us (local OWASP Ireland leaders) wrote a number of emails to the Irish government offering free cyber security training. As we were working for a non profit (501.3c) charity (OWASP ) we thought we could to this locally and "move the dial". The result was.....nothing. We got no response.


Since then I've always wanted Ireland to have a "Kite mark" regarding cyber security and secure application development. This is something I've proposed to many "talking heads " in government and industry over the years but everyone likes to talk but few actually do.


This could be free or tax deductible for employers and be of massive benefit.



In 2018 myself, Tony Clarke (CISO Marken) and David Cahill (AIB) had the idea of reigniting this idea...again no response. We also wrote an open letter to the government discussing the partnership model....as follows...


Ireland as a Cybersecurity “Powerhouse”:

 

Local advantage:

Cybersecurity is a large commercial opportunity for “Ireland Inc.” given the indigenous companies established in the republic who have significant intellectual property and export capability.

The start-up community coupled with established exporting cyber security companies e.g. Daon, PixAlert, NetFort, Adaptive Mobile & edgescan but to name a few have been very successful in exporting and delivering solutions in the cyber security space for a number of years. Highlighting Ireland’s commitment to a culture of cyber security similar to Israel, Estonia model.

 FDI Advantage:

Having a  skilled technical community is part of the attraction of foreign direct investment. Having a technical community which is well versed in the issues of cyber security is an additional advantage. Software developers, architects, DevOps staff who are trained and  “Get” security and compliance requirements are a valuable resource in the global tech market and make Ireland a more attractive place in terms of the modern “knowledge economy”.

 

 

Leveraging Local Talent.

Ireland has a number of significant groups and individuals in the cyber security space. Some are globally recognized and respected. Groups such as the IISF, OWASP, ISACA have thriving communities wherein active knowledge sharing and networking activities occur on a regular basis. It is our belief that such community members most of which are volunteers are willing, available and able to work with the government in advancing the cyber security agenda in the republic.




Suggested Ideas for partnership:

 

·         Tax-deductible Security awareness training (free/Non-profit) - technical and executive

·         awareness.

·         National Cyber Security Strategy review and maintenance.

·         National Cyber Security “Quality Mark / Kite-mark”.

·         Liaison with FDI organizations & indigenous companies  in relation to upskilling and support of Cyber Security Strategy.

·         Establishing a Government-Private sector cybersecurity working group.

·         Tax- deductible Vulnerability management services programme for businesses.

·         An Irish “Cyber Essentials” Programme. (https://www.cyberessentials.ncsc.gov.uk/) and setting up a database of “Certified” companies.



Anyways looking back at this, there is still a chance to push this agenda ahead. The writing in on the wall. maybe it can move from an idea to a reality.

What Y'all think?? Is it time.



Comments

  1. Barry KMay 18, 2021 at 10:03 AM

    I wonder if they would listen to one last push now that the HSE attack has opened their eyes. Happy to help in any way that I can 👍🏽

    ReplyDelete
  2. Barry KMay 18, 2021 at 10:05 AM

    I wonder if they would listen to one last push now that the HSE attack has opened their eyes. Happy to help in any way that I can 👍🏽

    ReplyDelete
  3. Barry KMay 18, 2021 at 10:05 AM

    I wonder if they would listen to one last push now that the HSE attack has opened their eyes. Happy to help in any way that I can 👍🏽

    ReplyDelete
  4. OstendaliMay 18, 2021 at 1:28 PM

    I did started something similar outside of owas, isaca etc, it was purely a community initiative where the basic idea was sharing the knowledge. This is how the free and open source community started where l was a pioneer and I still am. So I like your idea and would be more than happy to kick in. Stefan

    ReplyDelete

Post a Comment

Popular posts from this blog

Edgescan, why we do what we do.....

By -
Image
  The cyber security industry is full of solutions to make you more secure. Some are unproven and other approaches work if deployed properly. Our industry is very fragmented. for example a recent "Cyber Defense" award I noticed has 195 categories!  I suppose we need to ask ourselves as companies from time to time why we do what we do?  So, the following post is, I guess, the reason we developed Edgescan and why we believe its a decent solution to help organizations improve and be more resilient in relation to cyber security and system protection.... Vulnerability scanning alone did not work. The idea of software testing software for vulnerabilities is a good one but both sides of the equation may have bugs. Bugs in one side (The target) may result in vulnerabilities, whilst bugs on the other side (Scanner) may result in false negatives and false positives.  Accuracy : To that end we built edgescan as a combination of automation to discover vulnerabilities at scale but  when c
Read more

20 years of Vulnerability Managment - Why we've failed and continue to do so.

By -
Image
Cyber Security: Keeping Pace with Change. Getting breached can really ruin your day. Actually it normally happens on a friday evening as you are about chill for the weekend. The cause of must breaches is not rocket science, its more to do with the poor approach we have accepted because we underestimate the threat actor.  - An attacker does not scan your website/network once a quarter with a commercial or open source scanner or perform an annual penetration test against your systems to see if there is any low hanging fruit, so how do we expect to defend against such an advisory using that approach? Systems change now more frequently than ever due to the ease of cloud deployments and the speed of software deployments due to iterative development techniques. The rate of change increase results in exposures quickly manifesting and the organisation not even being aware of the exposure in the first place. Many organisations dont know what they have exposed on the public Internet. We need t
Read more