WithoutFire | John Elliott's occasional thoughts on data protection

with not to

This is a collection of resources and references to accompany my talk on Doing Security WITH your organisation and not TO it at the 2017 RSA Conference.


The kind people at RSA recorded the presentation so if you were there, you can go back and re-watch it. If you’re just here for the first time then remember this is unedited so there is hesitation, repetition and deviation.

Notes and corrections

It’s very hard to provide footnotes to a live presentation, and almost impossible to proofread – so here are some references, apologies and elaborations.


“A bit of a Nirvana Land” – I think I more accurately meant “conference speaker ideal world”. Not a land where there is “a transcendent state in which there is neither suffering, desire, nor sense of self”.


If you think that companies really don’t do this type of thing anymore then I give you Virgin Atlantic’s loyalty programme – FlyingClub.
“The first time you log in to your Flying Club account on our new website you will be asked to set up security questions and answers. The answers need to be a minimum of 4 and maximum of 100 characters.”


Yes, I know, SAS does fly to SFO


That came out somewhat wrong. I’ve been to Norway, Sweden and Denmark and I know they are pretty large (with some great coastlines). When Calrson wrote the book the community of people who flew regularly on SAS was small and well connected with each other.


I know, you can’t see the laser pointer. Sorry. I have to admit I didn’t think about the recording at this point. Hopefully you can work out what I’m pointing at.


Yes, in Japan it really is a blue man


No it really would be PCI DDS compliant if the post-it notes were destroyed in compliance with requirement 9.8.1


I know, my pronunciation here is terrible. Sorry Iacovos.


I said right hand, I hope it was obvious I meant “top left hand”


A colleague commented that it appears that I suggest that business usability and security effectiveness were dependent variables. That if you had good business usability it naturally had poor security effectiveness, and vice-versa. This isn’t the case – they are independent. You can have poor security and poor usability (passwords!) and good usability and great security (SSO with something you have and something you are).


If you’re not familiar with Mr Creosote then YouTube will be educational (although avoid mealtimes)


I should perhaps have added “allegedly”


The attack against the Bank of Bangladesh SWIFT system


Sorry 😮


Net Promotor score


I should point out as an ex-QSA I meant this in a purely metaphorical way.


Again, sorry.


Users and Security

Shadow security

Evidence based password research

Customer Journey Maps

The one book to read

Despite its age, this is a great book on security usability

You've successfully subscribed to WithoutFire | John Elliott's occasional thoughts on data protection
Great! Next, complete checkout for full access to WithoutFire | John Elliott's occasional thoughts on data protection
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.