Interview with Professor John Walker

Email interview held on 9th September 2017 – as follows between Alan Radley (questioner) and John Walker (relator):

1. What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?

In my opinion, to answer the question relating to the state of cybersecurity inside organisations, one only has to look at the public ‘facts’ – Yahoo, Talk-Talk, Experian, the NHS to mention but a few who have fallen victim to cyber-attack, and/or compromise of sensitive client records. On the other side of the fence, when it comes to what I have observed internal to many big-name Oil and Gas, Financial Houses, and Industrials – I have seen PCI-DSS data left exposed for ‘all’ to view – PCI-DSS and Data Protection Beaches which were not been correctly as mandated, and the loss of assets from an East Midlands based Financial Agency which were holding 35,000 sensitive unencrypted banking records of a third-party bank who they were the custodian of, not to mention one organisation who had a pile of sensitive transactional data left exposed on their web server. So, conclusion here is, can, and ‘must’ do better. In the case of the Public user, they are left seriously wanting – there is still no real point of presence for them to report breaches into, and when they do attempt to report into Law Enforcement they can be met with the face unawareness of cyber-crimes. To further ecacerbate the problem, there would still seem be a complete lack of Security Education and Awareness being pushed out to the public, so again, all in all, a very serious state of affairs which must be radically addressed with some urgency.

2. What – in your estimation – is the percentage of “cybersecurity professionals” that actually know what they are doing?

Good question – and I expect my answer will get me shot (again). However, first of all I know many accomplished security pros’ who are top shelf, and are without doubt high value for any company who engage. However, on the other side, there are more who simply do not understand the real cyber-threat, and commensurate cyber-security mechanics beyond that of the latest hype pushed out from the lacklustre annual Infosecurity Show – One year we can be experts in PCI-DSS, another it may be AET, and of course now it is GDPR. Until such time as the industry gets to grip with the fact that CISSP, CISM, and the rest of those expensive Certifications are only of value when they are underpinned with a wide, and deep awareness of the technical aspects that support awareness, beyond what can be Boot-Camp Driven Certifications based on the box which is selected to tick – another side of Tick-box-Security!

3. Where do you go to find your “science” of cybersecurity?

The Science of cybersecurity may be discovered in the understandings of the historical facts, and the knowledge born from the real players in the past, and current cyber-landscape. Clifford Stoll, Steve Gold, Dark Tangent, Rain Forrest Puppy, Gene Spafford, Bill Cheswick, 2600 and many more, all provide the primer of the real base-coat of knowledge, which you will never find at Infosecurity.

4. Do you recommend a particular cybersecurity blog that our readers could follow?

I like to read Information Security Buzz (http://www.informationsecuritybuzz.com/) and Tripwire State of Security (https://www.tripwire.com/state-of-security/). However, one I avoid at all cost is my least favoured, and outdated – Get Safe OnLine.

5. What keeps you up at night in the context of the cyber environment the world finds itself?

What keeps me up at night is the awareness of all those highly paid people who are presiding over broken and flawed security postures – telling themselves that the route under the ISO/IEC 27001 will secure the enterprise, whilst they know that Nero is in the corridor with a box of matches!

Thank you kindly Professor Walker for taking the time out of what must be a busy schedule to answer our questions in such an enlightening way.

Interviewee: Professor John Walker,

CSIRT/SOC/Cyber Threat Intelligence Specialist & Insecurity Professional.,

Apress. University of Westminster.,

London, United Kingdom.

Professor John Walker – Biography

Professor John Walker is a fellow of the Royal Society of Arts, and Purveyor Dark Intelligence; he is a CSIRT/SOC/Cyber Threat Intelligence Specialist & Insecurity Professional.

John spent 22 years in Royal Air Force service in Security/Investigations and Counter Intelligence operations [Overt/Covert] working with GCHQ, CESG, British Intelligence, and US Agencies. He is a Visiting Professor School of Science/Technology – Nottingham Trent University [NTU], and has also been a Visiting Professor/Lecturer University of Slavonia, Visiting Lecturer at Warwick University [2016], and as a Visiting Lecturer [Digital Forensics] National Defence University of Malaysia.

John is a Registered Expert Witness, Certified Forensics Investigator Practitioner [CFIP], Editorial Member at MedCrave Research for Forensics & Criminology, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute [CRSI], Digital Forensics/Cyber Security listed Trainer at Meirc [Dubai], and Fellow of Royal Society for the Arts [FRSA], and writes for Apress Publishing New York.