
Note: In-fosec-centives

‘Because’, that’s not a word yet. But one might miss this presentation here, to one’s loss – if only for the return of this little gem:
It is difficult to get a man to understand something when his salary is dependent on his not understanding it. [Upton Sinclair Jr]

If only, not only, for semantics [i.e., the things that actually matter, not syntax as much – excepting code, where things seem to be the inverse!], we have many important talking points. Like nudging solutions [on a scale from true nudges, small and isolated, all the way to supernudges, big blows on many dimensions, since society is so complex that little local nudges will meet resilience], and the above, which is oh so very true for all sorts of situations in organisationland. Like risk management, which seems to be in its so very required overhaul. Maybe make full and all salaries dependent on change, then you may achieve a little. Privacy, the same [though it is but a subset of infosec that needs the changes anyhow] – nudging, or making the wanted behaviour the easiest [creating resistance against the less-wanted behaviour], already played a sideline role there but wasn’t operationalised enough yet.

Yes one feels a sledgehammer is needed against the incumbents, the crazy ones.

Oh well. Check out the pres, and:

[Great for a museum, to protect the inside. Organisations need to go out, not stay in; Vienna]

Will the AI hype go on(to) Evolve next ..?

After the generic-AI hype will have slowed, and actual generic AI of the Normal kind gets integrated into society big time / you ain’t seen nothin’ yet time, what ..?

Apart from a huge spread of more ML algos than the mere Bayesian and non-linear regression (e.g., this one, which I tested in a thesis already back in 1994 – it worked even with the feeble CPU power of the day),
And apart from the return of Expert Systems, since once the above start to be analysed, everyone realises that is what ML does, on a big scale but still,
let me propose:

Evolutionary (genetic) algorithms.

Which is mentioned in this overview, I believe I recall – I’m human, and perfection is boring.
But not enough. Strange, when one considers how effective these are, and how e.g., ‘quantum computing’ actually is only a massively-parallel implementation of this.

To Be Continued …
[Already post-schedule, pre-release: this]
Plus:

[Ah, as designed by evolutionary Nature… was temporarily my Martinique off-site working office… (cabin just off the beach there)]

You’re so non-compliant …!

Since you don’t have the real chapters in place. Not even on paper.

Since those initial chapters of just any standard you can dream of (Alptraum, you know) have the essence, the principle-based stuff. Whereas the later ‘chapters’ of any standard are guidelines, or even mere examples for the lazy, of what needs to be done after those initial chapters are working effectively.
Yes, a lot of you may jump directly past the fluff to the annex that has some of the things you understand. The penny-wise stuff. ISO 27001 as a prime example, one I happen to work with every now and then: the management-system requirements in its main clauses are the essence; Annex A is the list of reference controls that everyone jumps to. Others apply, certainly.

Since, for very sure, it is the first few chapters that describe the processes that you need to have (sine qua non), to even be able, in the most basic form, to move from unconsciously inept, past consciously inept [I can certainly help with that part!] and consciously able, to … well, maybe not unconsciously able – the ideal, but then you lose control of the ‘provable’ type – but semi-consciously able then.
Only then may you be compliant.

[An intermission on ‘provable’: That is not that you have a full stack of binders with all info an auditor might ask for.
For one, the auditor should, must according to her/his professional standards, only sample, not check in full. The sample(s) are to be determined by the auditor’s risk analysis of your administration. According to the standards, which absolutely require working efficiently, meaning (s)he does not waste any of her or your money on what should be utterly superfluous testing. When an auditor requires ‘all’ the proof to be handed over in a binder (irrelevant whether electronic or not), they a. don’t know their job, b. are non-compliant with their standards, c. try to drive up your cost for no reason whatsoever; where c. may come close to deceit, fraud.
For another, ‘prove it to me’ is requiring the firing-squad convict to pay for his own bullet. Which is among the most immoral things dreamt up in the sickest of minds. Come to think of it … auditors … shouldn’t! ‘Provable’ means that if asked, one can (start to) produce the evidence immediately. Pre-produced evidence is suspect, hence useless. Why ask for useless stuff, and then not use it for that ..!? Or still use useless stuff, and lead everyone incl. yourself astray?]

The processes involved revolve around risk management of the real type – for now – in which business decisions on what to do or not are based on the risks present, mitigated or not. Only if that is done can one select from the annex those controls that make sense. Yes, there’s tons of non-linearity in that, since the selection also requires taking the costs involved into account.
Proof that one has implemented all this is in pertinent records that such weighing has taken place, that decisions have been made on the business side and have been signed off by … not some scapegoat like the CISO or so, but the Board themselves. Yes, they might need to know about some nitty-gritty stuff. Bad luck for them, or they’re simply incompetent! They are the ones ultimately and immediately accountable, their heads are on the block – that’s what they are paid for, or they get way too much; enormous insurance premiums they fetch? Yes. But not heads I win, tails you lose.
(Yes, such proof is of the prepared kind; it can’t be produced on the spot, sometimes long after the fact, and hence needs to be tested in detail.)

Only when such proof exists does one follow on via testing of Design, to some sampling of effective implementation (Existence) of the annex controls. Testing of Design will lead to two things: 1. establishing whether the requirements from the business risk analysis have been translated properly into frameworks of controls and the controls selection was fitting, 2. establishing the very possibility that the controls selected, if implemented to the max of their efficiency, might in principle lead to appropriate risk reduction (Effectiveness, Working Effectively). Or already, one can point out that the controls selected are (only) fighting yesterday’s war and will fail against today’s and tomorrow’s circumstances – most often, this is the case; certainly when one started at the wrong end by having jumped to the annex too early.
Oh how often [infinitesimally short of ALWAYS] does one find no trace of this effectiveness testing of the design. I.e., the auditor does something, but not his work according to her own standards! If this were characterised as Fraud, one couldn’t argue against that. Period.

With Existence testing as a final closure thing, and proof produced on the spot. If not producible, not provable. Note that one needs to repeat this only sparingly; the maintenance of controls design and implementation should have been built into the design, otherwise the design is a failure.

TL;DR Yes I’m serious. When the Board doesn’t understand the first couple of chapters of some standard, compliance efforts, up against resistance to change in the Board and business culture, are futile. Auditors involved cannot move onward unless this is fixed.

On the bright side:

[“Hey, the sun’s out so who cares we’re running after the emperor’s new clothes compliance standards?” – yes that’s putting it mildly]

… Yes ..? The laudable efforts

Somehow, I’m unsure whether this is presented as a [laudable and] serious effort that now gets a humorous twist, where it also lists this, which wasn’t funny.
Let’s not forget this even.

And does Nway have this ..?

Hey people …! When one wants to make fun of international affairs, let’s stick to the lesser issues like global warming or the plastic soup.

And:
[Bet you don’t have clubs like these in nor-way, eh? Proud wearer.]