Security Focuses: The Science of Cybersecurity – a summary

Today I attended Security Focuses: The Science of Cybersecurity. Here’s my inexpert summary of the event.

The costs and risks of security are increasing

  • 90% of large businesses had a security breach last year.
  • Security breaches are becoming more expensive: £1.15 million in 2014; £3.14 million in 2015
  • 1,000,000 new pieces of malware are created each day.
  • 14x increase in infections year on year.
  • When Target was hacked, its CEO and CIO resigned. So directors’ jobs are more vulnerable to security risk.

Basic framework for cybersecurity

  • Assess
  • Detect
  • Protect
  • Respond

Reactive approaches to security aren’t good enough. We need a proactive approach, with a broader vision.

Talk Talk only noticed they were hacked because their website slowed down. So they probably aren’t an exemplar of best practice.

Threat Intelligence allows us to:

  • identify and resolve internal and external threats.
  • understand how attackers think and behave, and select appropriate countermeasures
  • focus our security resources in the most important areas

We need a broader approach to cybersecurity:

  • A holistic view of systems, not a silo approach (e.g. via end-to-end cloud systems, rather than having server security separate from firewall security)
  • An understanding of the external threat environment (e.g. via a threat exchange)

The future of cybersecurity

Analytical detection is more sophisticated than signature detection

A signature approach is the most basic; rules are a bit more sophisticated, correlations are better still, but an analytical approach is strongest for identifying security issues.
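As an added illustration of this hierarchy (my own example, not from the talk), the four tiers below run over a constructed set of login events; the blocklist, the working-hours rule and the thresholds are assumptions, chosen to show what each tier can and cannot see:

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample auth events (not from the original post): (time, user, src_ip, result)
EVENTS = [
    (1, "alice", "10.0.0.5", "ok"), (2, "bob", "10.0.0.6", "ok"),
    (3, "carol", "203.0.113.9", "fail"), (4, "carol", "203.0.113.9", "fail"),
    (5, "carol", "203.0.113.9", "fail"), (6, "carol", "203.0.113.9", "ok"),
    (7, "dave", "198.51.100.7", "ok"), (8, "alice", "10.0.0.5", "ok"),
    (9, "alice", "10.0.0.5", "ok"), (10, "bob", "10.0.0.6", "fail"),
    (25, "eve", "10.0.0.8", "ok"),
]

BLOCKLIST = {"198.51.100.7"}   # constructed indicator for the signature tier

def signature(events):
    """Tier 1: exact match on a known-bad indicator. Misses anything not yet listed."""
    return [e for e in events if e[2] in BLOCKLIST]

def rule(events, start=2, end=20):
    """Tier 2: a fixed condition on a single event, e.g. a successful login outside working hours."""
    return [e for e in events if e[3] == "ok" and not start <= e[0] <= end]

def correlation(events, fails=3, window=5):
    """Tier 3: links several events: >= `fails` failures then a success from one IP within `window`."""
    hits, by_ip = [], defaultdict(list)
    for e in events:
        by_ip[e[2]].append(e)
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            recent = [x for x in evs[:i] if x[3] == "fail" and e[0] - x[0] <= window]
            if e[3] == "ok" and len(recent) >= fails:
                hits.append((ip, e[1], e[0]))
    return hits

def analytical(events, k=1.0):
    """Tier 4: no pre-written indicator or rule; flag users whose event volume is an
    outlier against the population baseline (count > mean + k * stddev)."""
    counts = Counter(e[1] for e in events)
    vals = list(counts.values())
    threshold = mean(vals) + k * pstdev(vals)
    return sorted(u for u, c in counts.items() if c > threshold)

if __name__ == "__main__":
    for tier in (signature, rule, correlation, analytical):
        print(tier.__name__, tier(EVENTS))
```

Note that the signature tier only sees the listed IP, the rule fires on benign out-of-hours logins too, while the correlation and analytical tiers surface the brute-force pattern without any prior indicator.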

Your internal understanding of your network estate is different to how external attackers will see it. So it’s useful to carry out external footprinting.

Hackers can use less well-defended elements of an organisation’s web presence to successively break in to other areas.

For example, lots of the 2011 Sony hacks were on smaller, national sites. The hackers had a better understanding of Sony’s footprint and vulnerabilities than Sony did.

The commoditization of exploits

Charl van der Walt’s excellent presentation was my highlight of the day.

Zerodium recently paid a bounty for jailbreaking iOS9:

Zerodium can now sell knowledge of this exploit to clients.

Because Apple doesn’t know what the exploit is, these clients can reliably use this exploit to attack people.

Government security services want reliable exploits like these, which leads to this commoditization of the exploit market. It also leads to the industrial use of these purchased exploits as they are employed at scale. This is in contrast to the more patient, research- and expertise-led footprinting carried out by other attackers, which presumably requires much more resource for a given output.

I found the day an interesting overview of the cybersecurity space. The biggest single improvement I’d recommend for next year is including female speakers – the keynotes were entirely presented by men.

Harnessing the Web – MemberWise – a 20-tweet summary

Today I attended MemberWise’s Harnessing the Web conference. I’m largely new to the world of membership, so I was hoping to understand how other organisations were using digital to promote and deliver their membership offers. Below I’ve summarised the key points from the sessions I attended, in 20 tweets.

Chemnet gains – online support for the next generation of membership

Users expect:

  • Easy-to-find content
  • Easy-to-access content
  • A focused, uncluttered experience
  • Consumable, interactive content
  • Trusted quality

User participation is encouraged by giving users points and badges. These are probably socially powerful signals in their own right, but they are additionally powerful motivators for an audience thinking about UCAS applications.

A membership community requires ongoing investment:

  • Content planning is very important to sustaining engagement
  • Chemnet is planning to make improvements over time.

Creating a thriving online membership community

User needs must be the driver for creating a community space. If it doesn’t meet a user need, you’ll struggle to build engagement.

“Focus on user behaviours, not features.” Focus on understanding your users’ needs, not the specific mechanisms you’ll use to satisfy these needs. That’s your designer’s job.

Know the purpose of your community, and have a plan in place for community management and content. And resource it.

Know what will make your space better than anywhere else. The importance of quality, easy-to-find content was mentioned again.

The GpmFirst platform is focused on social learning – a community of practice, participating, sharing, and creating knowledge. It seeks to empower users.

When starting a new community, take the ‘lean community’ approach:

  • Start very small, with a minimal investment, with a basic product.
  • Observe how this product performs and how people use it.
  • If it fails, you can close the project having invested only a small amount.
  • If it goes well, you can make targeted improvements.
  • This approach reduces risk.

Summarised in three steps:

  1. Start by finding an overlap between user needs and organisational goals
  2. Plan for active, high-quality community management
  3. Test, measure, learn, repeat

Web chat – making life easy for your members – Caravan Club

I eavesdropped on this presentation via Twitter.

So web chat can help you understand where people are having problems on your website, and obtain a stronger understanding than a Contact Us form.

I’d like to know how the costs and staffing challenges compare to phone calls.

How digital acted as a catalyst to transform a traditional business (YHA)

Challenges faced by YHA:

  • cost per booking was very high.
  • Membership in decline.
  • Tactic of forcing membership on all visitors unsuccessful

There was sufficient senior buy-in for investment in digital, and some acceptance of risk.

They used data to inform marketing and development work, which led to increased revenue, which led to increased confidence.
This mechanism powers digital transformation at YHA.

Some specific actions taken:

  • Embedded Trip Advisor reviews on site to show quality of experience. A tough sell internally, and took conviction in the product, but greatly increased conversions.
  • Google 360 tours are very effective marketing tools
  • Users can now search the YHA site based on their interest/activity, then the YHA website suggests hostels nearby. More focused on user needs than asking users to pick a region first, particularly if regions are not intuitive.
  • YHA has ended the tactic of “tricking” people into becoming members. For a number of years, if you stayed at a YHA hostel, you would be signed up for membership automatically. Ending this tactic has reduced the number of members, but increased their engagement.

YHA’s digital transformation has seen good results:

Using user experience to improve online member journeys, optimise new member and student acquisition

The problems that CIPFA user research uncovered are pretty common:

  • Registration was confusing
  • Labelling was based on internal structures
  • Content was overwhelming

I was pleased to see the information architecture techniques of card sorting and tree testing advocated.
Card sorting groups your content into categories, and tree testing checks whether your categories make sense to users.

CIPFA has improved its structuring of content, reduced the volume of text on pages, and moved away from internal language towards language that makes sense to users.

I’ve heard stories of organisations thinking about their website and content at five year intervals so many times. Why is everyone still getting this wrong?
The ever-changing digital landscape – and user expectations – mean that we have to keep adapting. Even if neither of these factors existed, ongoing investment is important to refine and improve your digital offer.

Using digital to streamline the member acquisition process

Round Table had a complicated membership sign up flow. Not so much because they had massive sign up forms, but because of the different internal steps involved in the process, and the amount of administrative overhead associated with these. Processing each new member enquiry took about an hour of admin time.

Digital agency IE carried out four phases of improvement to the process. This was more manageable for everyone. (I lost track of the boundary between iterations 3 and 4 – sorry for any inaccuracies.)

Iteration 1:

  • Remove non-essential form fields from initial form. Ask the bare minimum number of questions to increase conversions. Ask the other questions in a follow-up survey.
  • Validate user details automatically.
  • Improved dashboard for recruitment team.
  • Process for recruitment team to transmit info to colleagues streamlined via email templates.

Iterations 2 and 3:

  • Mobile web forms for recruiters.
  • Contact information sent to recruiter via text, with click-to-phone link allowing instant and easy follow-up of leads.

Iteration 4(?):

  • Recruiter replies to the text message telling them about a prospect now populate the CRM log. This has massively increased compliance with the CRM’s data needs.
  • Website allows users to text to register interest in membership.
  • New website focused on location.

Why was this approach a good idea?

What improvement did Round Table see as a result of this work?

Holding the line: the long and short of a successful CRM integration

“This wasn’t an IT project, it was a business transformation project.” Digital and IT projects so often involve business change – I wonder how many people plan for this from the start?

The two hardest parts of the project were:

  1. Data integration.
  2. Process and culture change. You need to run a parallel cultural change project. But how many people plan or put resource in place for this?

At the start of the project, they spent a week or two on “benefits dependency mapping”. This produced an intricate diagram, but, more importantly, a shared definition of project drivers, objectives, benefits, outcomes, and necessary organisational and IT changes. Although I’m not sure that all projects can predict what their impact will be at the start.

One other factor behind the project’s success was setting clear governance from the start, so that decisions could be made with authority.

Before they got a supplier on board, they held workshops to “drain swamps” in advance – explore and investigate contentious areas so that the organisation isn’t considering them for the first time when the agency arrives.

Once the development agency had been chosen, they spent six weeks building a technical proof of concept, to check the technical feasibility of the project, and to check the cultural fit with the agency. Its success built organisational trust.

One quite sad statistic on CRM projects circulated during the day, which came from a MemberWise survey: