ICT and Cybersecurity for Lawyers August 2021
Download as PPTX, PDF0 likes99 views
This document provides an overview of various topics related to ICT and cybersecurity: 1. It discusses interactions with lawyers regarding contract negotiations, disputes, and security incidents as well as legal compliance of solutions. 2. It describes the evolution of technologies over time from physical infrastructure to virtual infrastructure and cloud computing models including IaaS, PaaS, and SaaS. 3. It also briefly touches on topics like artificial intelligence, machine learning, DevOps, cybersecurity threats and trends, and supply chain security.
ICT and Cybersecurity for Lawyers August 2021
- 1. ICT and Cybersecurity 101 August 2021 Doug Newdick
- 2. Once upon a time in New Caledonia
- 3. Warning, this product may contain.. Generalisations Opinions Side effects may include: • Better questions • Better conversations
- 4. My interactions with lawyers Contract negotiations Contractual disputes Security incidents Legal compliance of solutions
- 5. That was then, this is now How do I get to the cloud? How do I manage my cloud? Cybersecurity is SEP Cybersecurity is front page news Agile – agile – agile! DevOps – DevOps – DevOps! Big data is the new thing It’s part of the furniture
- 6. IT: People and Process Strategy to Portfolio • Takes your strategy and generates a portfolio of projects Requirements to Deploy • Takes a project's requirements and generates a working system Request to Fulfil • Takes your service desk request and gives you the thing you asked for Detect to Correct • Takes a report of something broken and fixes it CIO, enterprise architects, EPMO Project managers, solution architects, developers, business analysts, testers Service desk Support team IT operations manager
- 7. Infrastructure What we run software on • Servers • Storage • Networks (cables) • Racks • Datacentres These days it’s all virtual!
- 9. And shared responsibility Operating systems, databases, integration Software, logic, data, what you use it for, what you put in it Software, logic, data what you use it for, what you put in it What you use it for, what you put in it Operating systems, databases, integration Software, logic, data Hardware, networks, virtualisation SaaS PaaS IaaS Provider responsibility Customer responsibility
- 10. Not all clouds are created equal • Enterprise cloud services can bring efficiencies and quality unthinkable for in- house services • Other cloud services can hide poor quality behind a façade • Beware cloud washing
- 11. Artificial Intelligence and Machine Learning • A system that doesn’t do what it is instructed, but figures it out for itself. • AI and ML are everywhere: Google, Spotify, iPhone • Facial and image recognition, machine translation • Machine learning is only as good as its learning set
- 12. DevOps • The latest thing in software development, cooler than agile • The people who build it, fix it • Continuous integration/Continuous deployment • It’s all about the tools: CI/CD pipelines and automated testing
- 13. Cyber Security The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards
- 14. What’s on trend in cybercrime? • Ransomware • Phishing • BEC • Professionalisation • Nation states
- 15. Supply Chain Security • It’s not just about IT • Maybe your suppliers are an easier way in • One supplier gets you lots of customers • How good is your supplier’s cybersecurity?
- 16. Questions?
Editor's Notes
- #3: In New Caledonia I had to manage negotiating contracts between our legal team and vendor legal teams.
- #4: This is the world according to Doug. We have only enough time to cover some key things a high level, not everything, and nothing in detail. I’m hoping at the end of this you will be able to ask better questions of your IT colleagues and have better conversations with them.
- #6: When I gave the previous version of this talk the world was a different place. An IT “generation” is 5 years so a huge amount of stuff has changed. Cloud: back then everyone was trying to figure out how to get to the cloud, now everyone is in the cloud and trying to understand how to manage their (multiple) cloud(s) Cybersecurity: back then it was always Somebody Else’s Problem (security, IT, anyone), now it your ELT and board care deeply. Software development: back then everyone talked about “agile”, now DevOps is the phrase du jour. Big Data: back then this was a big new thing, now it has largely a bunch of tools and techniques that we use everywhere in IT.
- #7: Borrowed from the Open Groups IT4IT model, the 4 key value streams of IT mapped to the people/job titles you will work with. The rest of this presentation largely talks about technology, but you should also understand the people and processes of IT.
- #8: Non-IT people use the word “infrastructure” very loosely. IT people use it with a very specific meaning.
- #9: Software as a Service (your business apps) runs on top of Platform as a Service (your developer tools) which runs on top of Infrastructure as a service (the raw computing, storage and networks).
- #10: Some people think that if you are in the cloud, all security is the provider’s job. Not so! There is a shared responsibility (between customer and provider) for security, even if you are using Software as a Service. (There are a million versions of this diagram out there, this is mine).
- #11: There is no such thing as “the cloud”, just lots of cloud services of varying quality and security. Some are brilliant, and some are rubbish. At the worst they can just be old-fashioned managed services with a veneer of cloud (“cloud-washing”).
- #12: One key new(ish) trend that is having a big impact is AI and ML. Your iPhone uses ML to change it’s behaviour to match yours. Poor learning sets can lead to poor outcomes – e.g. facial recognition that doesn’t work for ethnic minorities.
- #13: Brilliant if done right – but hard to do well. While it is not only about the tools, you can’t do it without a sophisticated toolset. Can massively improve efficiency and quality.
- #14: Anyone who says “this system is secure” is lying. It is only ever: this system is secure enough for this organisation, with this risk appetite, for this purpose at this point in time. If any of these change, it may no longer be secure enough, and it could always be compromised by a determined enough attacker.
- #15: BEC = business email compromise.
- #16: Some of your vendors or suppliers have lots of your important or sensitive data (e.g. your accountants, your lawyers) even if they aren’t IT suppliers. Do you know how good their cybersecurity is?