Looking To Up Skill Your Team

This is an example post

ASD scraps Cloud Security Certification Program – Now What?

The Australian Signals Directorate (ASD) announced this week that the Cloud Security Certification Programme (CSCP) is being scrapped, and references to both the CSCP and Certified Cloud Provider List (CCPL) are being removed from the Information Security Manual (ISM) and other publications. So, what does this mean for government agencies, businesses and individuals who rely upon these artefacts?
 
When considering moving to the cloud, the onus has always been on the Cloud Customer (“Customer”) to ask the right questions and have their security and privacy requirements met in the contract with the Cloud Service Provider (“Provider”). The Cloud Security Alliance (CSA) referred to this in their previous artefact, The Treacherous Twelve, as Lack of Due Diligence. The corollary is that, if Customers do not ask, then they are consuming the default security and privacy offerings from the Provider. Unfortunately, many Customers race to consume cloud solutions and forget the contention between cheap, fast, secure – pick any two. Cloud is often chosen as a cheap and fast “quick fix”, with security often neglected.
 
So what now? Organisations will need to ensure that their information security professionals are trained up in understanding the most important points to consider when engaging a Provider. This will include jurisdictional issues, contracts, roles and responsibilities and ensuring service level agreements meet the needs of the Customer, not the Provider. According to a recent online Forbes article, Certified Cloud Security Professional (CCSP), a body of knowledge and certification offered through (ISC)2, is the fifth most sought-after certification. Cloud is also a topic in the four certifications ahead of it – CISSP, CISA, CISM and CRISC. The CCSP is a well thought-out body of knowledge that is relevant and meets the needs of today’s cloud customers and providers.
 
ALC has been at the forefront of cloud training across the Asia Pacific region, and our internal statistics show we have trained over 60% of information security professionals who hold the (ISC)2 Certified Cloud Security Professional (CCSP) in Australia and New Zealand. As the focus will increasingly shift to information security professionals within organisations to ask the right questions and demonstrate good governance, it is prudent to consider a solid basis and foundational level within many of ALC’s cloud, security and privacy training portfolio. Our CCSP trainers include the first person to be certified as a CCSP in Australia and the former lead cloud architect for a major service provider.
 
<a href=”https://www.freepik.com/free-photos-vectors/business”>Business photo created by kues1 – www.freepik.com</a>

Cybersecurity in your pocket: The essentials of mobile malware

An increasing number of businesses are embracing the ‘bring your own device’ policy, allowing employees to use their smartphones and tablets to access the company’s information and work on the go.

This policy can add a new dimension to IT project management training, with products now able to be developed remotely and flexibly using mobile devices. However, it also means that a greater emphasis now needs to be placed on mobile cyber security to ensure that businesses are keeping their information secure.

Threats being detected in the Android app store

Although all kind of devices has risks associated with them, those operating on the Android platform are shown to be particularly vulnerable to malware from apps. It’s therefore essential that companies with employees using Android devices are extra vigilant and aware of the possible threats.

The most prominent threat to Android users is apps, with the Google Play Store being invaded by numerous applications containing malware. Google Play Protect detected and removed 1,700 Android apps infected with the malware Bread (also known as Joker) before ever being downloaded by users.

Likewise, an analysis by G DATA showed that the number of malicious apps reached a record level in 2019. This problem is growing, and businesses have to look out for ransomware and Trojans that might compromise their data for money.

How can businesses protect themselves?

Due to the magnitude of this risk, it’s important for businesses to know the security measures they should take to defend employees mobile devices from malware. Lukas Stefanko, expert at security solutions company ESET, emphasises that the best approach to security is preventative.

“Don’t delay taking security measures until something unusual happens – in most cases it’s too late as the device may already be compromised and the data lost,” he said in an interview with We Live Security.

Businesses should require that all employees using their personal devices to access company information to have the latest operating system and antivirus software installed to defend against cyber threats. They should also encourage people to be careful of the apps they download, and always check the reviews before installing anything.

It is apparent how mobile security has become an integral aspect of information security training, and companies need to ensure they protect all channels of data access. ALC Training can help by educating employees in all aspects of cyber security, resulting in better protection for businesses in the long run.

 

Source:

Google Security Blog – Read the full details here .

G Data IT Security Trends 2020

Where to Start with Digital Transformation?

Digital Transformation is the ability of an organisation to remain competitive.  By using new technologies more effectively than their competitors, this leads to greater market share, lower price points, improved product and/or service quality and constant innovation for clients.  But where do you start?

This article is designed for medium to large organisations that want to know how to do this.  I’ll draw on my 20 years of experience as an enterprise and solution architect with DXC technology. I was fortunate enough to help a range of clients which I can now couple with my knowledge as a trainer, across the 12+ courses that I now run.

Click to open the infographic below to see a snapshot of the steps to take to perform a digital transformation successfully.

 

Here is my list of key steps in order:

Do you have questions with these steps?  Contact our awesome ALC Training team!

What is the Office 365 Security & Compliance Centre?

Believe it or not, Office 365 now contains 27 separate apps that are provided by Microsoft.   Many of these apps are provided with advanced security features.  Clearly managing these security features within each admin tool is a complex and onerous task.  So Microsoft have moved as much security as possible into the Office 365 Security & Compliance Centre.  This is now the central place to manage the majority of security functions in Office 365.

Click on the diagram below to link to the Microsoft TechNet article describing all the key Office 365 services:

You can augment this list by adding third-party apps that are available in the Microsoft AppSource app store.   You can also incorporate various Azure services that integrate with Office.  One service that is already included, is Azure Active Directory. 

Azure Active Directory or AAD, is a mandatory service that manages all the authentication and authorisations in Office 365.  It integrates with your existing corporate Active Directory, which probably lives in your data centre (on-premise), using a service called AAD Connect.  For companies that have very complex requirements around transferring data between your on-premise Active Directory and AAD, you can use the Microsoft Identity Manager product and the Active Directory Federation Service.

Here is a great link to a video that outlines some of the basics of Active Directory:

It becomes quite technical towards the end of the video, so just close it down, once you have the knowledge you need. 

Understanding Active Directory is key to understanding the fundamentals of how the Office 365 Security & Compliance Centre works, so check out my 2 day course where we cover all the basics, in non-technical language, so that anyone can start security their Office 365 tenancy:

Not only do we cover AAD, but we also run through:

Let’s pick out a couple of my favourite Office 365 services…Flow.

Flow is a product that allows you to integrate various cloud services, providing a platform for automating many of your tasks.  It’s a competitor to IFTTT.com, which stands for If This Then That, which provides a similar set of services.  For example, if an email comes into your inbox from a customer, there may be a series of manual tasks that need to be undertaken to start servicing that customer.  This can be automated and free up your time to focus on talking with customers, rather than having to do repetitive manual tasks.

Click on the graphic to be taken to a video outlining potential uses of the tool:

Now, let’s look at some of the key features of Data Loss Prevention

If want to know more about Office 365 services, please reach out to me on Linkedin.  Click on the image below to see my profile and start reaching out….

What is a Value Stream?

It may not be obvious, by the concept of a value stream is one of the most important concepts in a digital transformation.  Why?   Because once you understand a value stream, you start to truly understand your business and you’re on a clear path to improving customer experience.  Exceptional customer experience is your key business differentiator in the world of digital disruption and needs to be the core focus of any digital transformation.

Let’s define a value stream.  I’ll use what I consider, to be the best sources of knowledge reference. 

First from Scaled Agile.  

If you click on the image it will take you to the Leading SAFe 2 Day course I run at ALC Training.

Second from the TOGAF certification, written by the Open Group:

And here is a picture of a sample value stream map for an online purchase:

And here is another, outlining an emergency hospital admission:

As you can see it’s a simple overview, usually shown in 5-9 stages, of how a product or service starts life and is delivered to the consumer. 

As you can see, the business processes beneath can vary in complexity.  With an online purchase, the process is relatively simple.  With say intensive care, the process can be extremely complex and there are probably 1000’s or paths, depending on the type of care required.

It can also be known as:

Clearly, there are many values streams and they are quite different between industries.

Once we understand our value stream, we can then consider decomposing each component into systems and people.  An example of this is from Scaled Agile, where they define two types of value streams:

You’ll notice that the operational value stream is the one that is focused on the customer.  Whereas the development value stream is aligned to delivering systems in an agile manner.  In fact, these are development value streams are also known as a CI/CD pipeline:

So what we’ve now done, is to understand our business in the context of delivering value through software.  We cover this in our DevOps Foundation course:

Any questions on Scaled Agile or DevOps concepts, as always please reach out via twitter – @MusicComposer1 or find me on LinkedIn:

Governments Could Fall If Digital Transformation is not Successful

There are a number of examples in history, of how governments have fallen.  Either through the ballot box, through a coup d’etat or via a civil or military war.  But have you ever stopped to think that a lack of progress in a digital transformation, could be a fourth reason?

Let me back up a bit…and outline what I believe are the reasons we have a government.  Why does it exist and why we need one.  There are five:

Here is a great video that provides some more information on what government is?

Failure by governments to maintain those outcomes and deliver great customer experiences will result in disruption.  We’ve already seen this movie before right:

But hey, they’re all commercial examples.  Have you got anything that is relevant to government?  Sure:

Here is a great video explaining Brexit:

You can also extend that to local government, such as Queensland in Australia:

I talk about digital disruption and governments in the latest #AskTheCEO discussion here:

The same forces that have helped Uber, Netflix, Google and especially Apple become commercial disrupting forces, are the same for the government:

So what is the solution.  Well it’s important to understand what needs to transform in government and then do so, quickly.  Using the latest Lean-Agile and DevOps principles, along with great talent, is how Spotify undermined their competition, so government needs to do the same.  Here are three examples:

Interesting in learning more about digital transformation.  Check out a range of courses that I run at ALC Training:

DevOps Foundation

Cloud Security

Cloud Computing

Scaled Agile

Enterprise Big Data

 

What is Microsoft Azure and why should I use it?

Microsoft is one of the world leaders when it comes to cloud computing services.  In the last comparison of revenue streams from the cloud giants, back in Feb 2018, it seems that Microsoft was just ahead in front of AWS.

Want to learn more about Azure?  Well, there are options.  There is a great free resource from Microsoft that covers Azure fundamentals here:

https://docs.microsoft.com/en-us/learn/paths/azure-fundamentals/

Or, if you’re looking for more a hands-on 1 Day Azure Technical Quickstart to understand how to provision resources, you can check out our 1 Day course here:

https://alctraining.com.au/course/microsoft-azure-technical-quickstart/

You can also reach out to us, for customised Azure and Office 365 courses.

Azure is classed as an Infrastructure-As-A-Service (Iaas) and Platform-As-A-Service (PaaS) in the cloud computing world.  IaaS services are designed for system engineers, where you can set up and build servers, networks, and storage, and then install your apps on top.  If you’re in the software development business, then the PaaS services are designed for writing, testing and managing code, and target developers.  

Some important PaaS services that developers will need include:

Below is a brief snapshot of just the Compute services:

By combining together these services, you can create a rich tapestry of solutions.  It’s very similar to the age of analog electronics, where you could select oscillators, diodes and specific electronics components, to create solutions like creating a home radio.  

In Azure you can create very complex business solutions.  Below is an example of how you might integrate a complex corporate environment with Azure services, in a model known as hybrid cloud:

There are some very important services that are available in Azure, that align nicely to medium to large clients that have to comply with complex regulation.  Clients involving in banking, government, healthcare, and defence, need to maintain a level of corporate and regulatory governance, as well as a high level of cyber security protection in their cloud services.  Tools such as:

The diagram below shows an example of the types of recommendations that the Azure Advisor can provide:

Feel free to reach out anytime with your Azure of Office 365 questions or queries?

 

Why Governments will be Disrupted?

Digital transformation is the process of cultural,  technological and thought leadership innovation, that is required to ensure businesses remain competitive, relevant and able to survive.  Let’s break that down and explain what I mean.

Click on the image below to see ALC’s range of courses that can help with your digital transformation journey:

Cultural Innovation

This means allowing people within a business to develop and grow, by learning in a safe environment.  We often call this Failing Fast.  This helps to foster a culture within an organisation, that moves away from:

And move towards:

You can only innovate when you allow people to take risks.  But in concert, you need to provide tools and an environment for continual fast feedback.  This includes:

All these concepts and learnings appear again and again in many of the cultural change courses I run:

Click on the picture below to watch an awesome video from our DevOps Foundation course, covering Spotify Engineering Culture:

Technological Innovation

This means adopting the latest technological innovations, to help business leaders learn and act quickly.  There are many examples:

It’s no surprise that at ALC, we’re focusing on these key technological innovations:

Click on the diagram, below to see an awesome video from the Enterprise Big Data Professional course on why we use Hadoop over SQL when dealing with Big Data:

Thought Leadership

This is the most critical.  Leaders are the people in a company that pave the way for new things.  Just like in music, they are the avant-garde, breaking new ground, failing fast and leading by example.  They are skillful coaches that bring all their people with them on the journey.  They lead through:

You’ll find these leadership traits are exemplified in the following courses for leaders:

The diagram below shows you the Scaled Agile Framework, of SAFe for short.  Click on it and you’ll be taken to the FREE clickable version on their website:

Government

If you have ever worked in a government department or a local council, there are very few examples of these digital successes.  Why?  I believe many leaders of governments, whether they be the lord mayor of a council or the elected minister, fundamentally do not understand digital disruption.  They believe it is a phenomenon that only affects commercial entities and is not relevant to them. And the ones that do try and embrace digital disruption, don’t focus on cultural change, with leaders not leading by example.

Unfortunately, it is extremely relevant.  I believe governments will be disrupted, just like every organisation in the world will be disrupted.  Charities, councils, regulatory bodies, none of them are immune.  In fact, they are the entities that are most at risk of being irrelevant.  Why?

Because for every government service, there is are much better ways of delivering, by adopting the key tenants above and embracing digital transformation.  This means, if enough people do not see the value in government services, they will protest, they will resist taxes and want to live in a place where the services are incredible. 

We’ve seen trailers of this movie before:

Click on the diagram to show you how you digitally transform your government organisation using SAFe:

Check out my latest conversation on “Navingating Digital Disruption” on the New York hit show, #AskTheCEO with Avrohom Gottheil:

Online Voting – Why are we so afraid?

We live and breathe in a world that is a bizarre dichotomy.

On one hand, we want anonymity and privacy, on the other, many people pump full details of their private lives into social media and online services, happily enrolling personal questions such as mother’s maiden name, favourite colour, first pet, streets names, and so on; site after site after site. These are mostly in the hands of private enterprise, and we happily and blindly use these online services, placing trust in the hands of a third-party to get it right.

And so it is, that there is an apparent distrust when we come to think of electronic voting, because these are in the hands of the government. Claims abound of errors, outcomes being rigged or platforms being hacked. These are all valid concerns, and let’s face it, can happen.

On the path of being honest, in the physical world, I can be also coerced into voting through bribes or incentives; papers can go missing; votes can be added up incorrectly because the process is manual, I can be threatened in some parts of the world just because of who I am, who I want to vote for or perhaps because of my gender. Some of this happened in our most recent elections here in Australia; not too sure about the bribes though – my bank account remains incredibly thin.

I have had the benefit of working on one of the world’s largest electronic voting systems, consulting to the Electoral Commission of NSW in Sydney, Australia. At the time, late 2013, we were asking, why would anyone be interested in swaying the outcome of an election using electronic or any other means? Fast forward to 2016, and we had our answer – Donald vs Hillary. The Medicare scare by the Australian Labor Party (ALP) on the morning of the federal election in 2016. They term is being labelled cyber tampering.

However, it wasn’t any electronic voting platform to blame. In the first instance, it was social media (Facebook) being used to leverage data mined from potential voters (Cambridge Analytica) who would ultimately show up in their masses to vote for the Don. In the second instance, it had enough of a disruptive impact to sway voters in Australia to move their vote away from the Liberal National Party (LNP). Sure, the ALP was fined, but did the level of the fine send the right message? Did anyone go to gaol?

Voters complain in Australia how long it takes to produce an outcome for the federal election, or even state elections. How can we solve the problem? We are smart people, aren’t we? Secure software development. Dedicated voting systems. Apps for mobile devices. Good Governance. The ability to tabulate results in the blink of an eye.

Can a vote in the electronic world be discounted just like a vote in the physical world? Yes it can, and the electoral commission knows this. Ever put “Jon Snow – King of the North” on your ballot paper in the House of Representatives? If so, your vote is not legal. Ever written a kebab menu on your Senate ballot paper? If yes, then provided you filled out the rest of the form correctly, your vote still counted. Ever done a donkey vote? 1234567 or 7654321? Your vote still counts, but it is an “I don’t care” vote.

In many ways, good governance and a well-developed secure software development lifecycle with well-tested, reusable code would steer voters into not spoiling ballot papers.

Now I hear you cry, but it is my democratic right to show up and vote for Jon Snow or order a kebab. I hear you. And we need to include an option for “I showed up because we have mandatory voting but I am selecting the DO NOT CARE” option. Or just use 1234567.

We have to get over our phobias in order to transcend and embrace the inevitable of electronic voting. It is not a matter of if, but when it will happen. I am a big proponent of it happening here in Australia, and just like we showed the world when it came to WiFi, the Lawnmower and bionic hearing, I am sure we here in Australia can be world thought leaders to make a secure, online voting system.

Why I have switched my search engine away from Google

The Internet used to be a friendlier place. In the late 1990’s, it was Microsoft versus the rest of the world. We had Gopher and WAIS as early pre-cursors to Internet search engines, then along came AltaVista, Yahoo and Google. I was never keen on Yahoo, AltaVista was kind of interesting, but Google was it for me; as a geek with a UNIX and security background, it was the search engine I constantly used, until recently. I used to say to people, “Have you tried using Uncle Google to find what you are looking for?”

Over the years, it has become apparent that many online services are not only annoying, but downright invasive. I read a book called Future Crimes by Marc Goodman which outlined succinctly how companies such as Google, Facebook and many others mine your data and target you with advertisements, or sell your mined data to others so they can bombard you with services. Even the browsers we use, by default, usually connect into Google somewhere, so I am constantly being mined. There is no such thing as a free Internet service.

Isn’t this a perverse situation? For those of us who read George Orwell’s 1984 about a future world where there is no privacy, aimed at the former Soviet Union, it is perverse that we are in exactly the same position in the so-called free world; perhaps my improved ration of cabbages will appear after all.

According to recent surveys, most of the world (approximately 80%) uses Android by Google, especially in developing countries. Countries such as Australia, Canada, New Zealand, the United States, United Kingdom and much of the EU use the Apple ecosystem. Switching to Apple doesn’t safeguard you either, you still need to go to your settings and select a different search engine. If you are a diehard Android fan, consider CopperheadOS, a stripped-down version of Android that works on a modded version of the Nexus or Pixel range. Blackberry, Windows Mobile or SymbianOS anyone?

So, I have switched my search engine to DuckDuckGo. Why? Because it is what Google used to be. Light. Simple. Non-invasive. Anonymous. Private. And most importantly, I am not being tracked. Am I missing out on any search results? Yes, I am – I am not getting paid-for Ad services appearing at the top of my search results – what a relief! In reality, you get less search results, but is that such a bad thing? When was the last time you went beyond the fifth page of search results? With DuckDuckGo, you receive higher quality results without the data mining and cross-milling of junk you don’t need.

I value my anonymity and privacy, and specifically try to keep a light footprint wherever I go. DuckDuckGo is the new default search engine for me. #ComeToTheDuckSide

Choosing the right security framework for your business

When deciding on a security framework, it’s important that you choose the most applicable and appropriate set of foundation technology and software that suits your business and company needs.

Below, we’ll look at our SABSA® offerings, and how our courses are structured to provide you with the most effective and relevant IT security training possible.

Discovering SABSA framework

SABSA (Sherwood Applied Business Security Architecture) is a foundation framework and methodology that is applicable for service management and enterprise security architecture.

It can be considered the world’s leading open security framework and allows trained individuals to conceptualise, design and manage security in a business.

In fact, we at ALC believe the term “business-driven” is key to SABSA’s power, as the framework allows a company to conduct business on their own terms, while having constant assurance of the security level in the network.

The SABSA roadmap

So you’re considering SABSA training for yourself or the IT team in your business – what’s next? 
Our training program is split in three distinct areas, providing a clear pathway for any individuals wanting to undertake SABSA training while remaining flexible about their career options:

In contrast to other training courses, the SABSA roadmap provides a non-specific, mix-and-match process, opening up any of the main career areas upon completion; risk, assurance and governance, architectural design, crisis management and more.

SA

Click to open a larger view

What to expect from your first training course

When you set out to begin your training, it’s unlikely that you’ll know exactly where you want to go. With the flexibility offered in the training courses, you can ensure that no matter the direction your training takes you, we’re here to help guide you on the best career path.

Within the SABSA foundation course, we cover security strategy and planning, as well as service management and design, with the five-day course leading to SABSA Foundation certification and further IT governance training.

Expert support with ALC Training

We at ALC can provide an extensive range of training courses that cover a wide range of topics and specialisations. Above, you can see how following the SABSA pathway can lead to many different career paths, but this is only one of the courses offered by ALC Training.

To discover more about our range of courses and programs that includes ITIL, ISO 27001 and COBIT 5 training, get in touch with our specialist team of trainers today.