Information Risk Management – Page 70 – Maverisk / Étoiles du Nord

Flavours of IoT

In my on-going attempts to get a grip on IoT, I recently developed a first, for me … Being a broadest of classification of IoT deployment, with characteristics yet to work on:

B-internal; the ever more intelligent, ever more (visually) surroundings-aware robots in factories, replacing extorted laborers thus taking away the last options to life they had. On the other hand, freeing humanity of toils at last ..? If not when there’s a Hegelian end…
B2B; having near-AI ‘machines’ as the new middlemen, if at all or incorporated on the sell- or buy-side.
C2B; as with most lifelogging e.g., through wearables. You didn’t really think your health data was for your private consumption, did you!? If so, only as a weak collateral product of insurer’s ever better reasons to turn you down the more you need them. No escape.
C-internal; maybe, here and there, with domotics. And with this; will already a blend with the previous, probably.

To which I would then add some form of mapping to the various layers of discourse (as in:

but then, much more stacked with OSI-like layers and elements performing various functions like collection, aggregation, abstraction. Seems relevant to do a risk analysis on all those levels and points/connections.
Yes, it’s rather vague, still. But will work on this; to see whether the classification can shed some light on various speeds of adoption, and where privacy concerns et al. may be worst. Your comments, additions and extensions are much welcomed.

I’ll leave you for now, with:
[From an old analog to digital time, still SciFi ..?]

Your info – value

Wanted to post something on the value of information. Then, this came out a couple of weeks ago. By way of some sort of outside-in determinant of the value of (some) information… [Oh and this here, too, even more enlightening but for another discussion]

who-has-your-back-copyright-trademark-header
Which appears to be an updated but much shortened version of what I posted earlier. Players disappeared or doesn’t anyone care anymore about the ones dropped out ..?
Anyway.

Yes I wasn’t done. Wanted to add something about information value within ‘regular’ organisations, i.e., not the ones that live off ripping off people of their personal data for profit as their only purpose with collateral ~~damage~~ functionality to lure everyone, would value the information that they thrive on, by looking inside not circling around the perimeter.
I could see that being established via two routes:

The indirect avenue, being the re-build costs; what it would cost to acquire the info from scratch. Advantage: It seems somewhat tractable. Drawback: Much info would be missed out on, in particular the unstructured and intangibly stored. Employee experience …!?
The direct alley. Not too blind. But still, hard to go through safely. To take stock of all info, to locate it, tag it, among other things, with some form of revenue-increase value. Advantage: Bottom-up, a lot of fte’s to profit from the Augean labor (Hercules’ fifth). Drawback: the same.

OK, moving on. Will come back to this, later.

Not yet one IoTA; Auditing ‘technology’

[Apologies for the date/time stamp; couldn’t pass.]
First, a pic:
20140226_113554
[Classy classic industrial; Binckhorst]

Recently, I was triggered by an old friend about some speaking engagement of mine a number of years back. As in this deck (in Dutch…).
The point being; we have hardly progressed past the point I mentioned in that, being that ‘we’ auditors, also IT/IS auditors!, didn’t fully adapt to the, then, Stuxnet kind of threats. (Not adopt, adapt; I will be a grammar and semantics n.z. on that.)
As we dwelled in our Administrative view of how to control the world, and commonly though not fully comprehensively, had never learned that the control paradigms there, were but sloppy copies of the control paradigms that Industry had known for a long time already, effectively in the environment of use there. As in this post of mine. Etc.

But guess what – now many years later, we still as a profession haven’t moved past the administrative borders yet. Hence, herewith

A declaration of intent to develop an audit framework for the IoT world.

Yes, there’s a lot of ground to cover. All the way from classification of sensors and networks, up to discussions about privacy, ethics and optimistic/pessimistic (dystopian) views of the Singularity. And all in between that auditors, the right kind, IS auditors with core binary skills and understanding of supra-supra-governance issues, might have to tackle. Can tackle, when with the right methodologies, tools, attitude, and marketing to be able to make a living.

Hm, there’s so much to cover. Will first re-cover, then cover, step by step. All your comments are welcomed already.
[Edited to add: Apparently, at least Checkpoint (of firewall fame oh yes don’t complain I know you do a lot more than that yesterday’s stuff; as here) has some offerings for SCADA security. And so does Netop (here). And of course, Splunk). But admit; that’s not many.]

Meet no more, continuously, and excel

I posted before on the atrocities of current-day meeting practices. And on the changing role of the Document, here.
The latter, provided some thought towards predicting the demise of the former: When we’re connected (at the information level, not mere technically) constantly and continuously, wouldn’t all the errors of meetings be resolved (resolvable) by not having them anymore, or at least, re-styling them in a wholesale manner?
First, a picture:
[Reflections of – the way life used to be (lyrics)]

I mean, all the meeting errors have been allowed to play out because the in-charge’s liked them, for the display of faux leadership caricature they provided. But with the change towards always-on mesh communications, which is do-or-die, the very reasons to have meetings diminishes. Social advantages of meeting F2F, that were collateral ‘damage’, may still be around but in the form of having drinks. Who’d need more? and now recognize the benefits outright, without the formal hassle and hilarious chair and topper pomp.

Though I treasure the value of the Document, if, very big if, it is in itself an attempt to Masterpiece. Which it sometimes is, in organisations, but then, so desperately few would survive public muster. Yes, there’s a trend towards deployment of Narratives everywhere. But that’s not what I mean here. I mean stuff like Books, nuggets of Culture carried through the ages. Where mere documents, even, let alone casual socmed conversations, will leave no (! storage re-use needs, TLA?) trace of your existence. As the Greek Hell beyond the underworld: In the underworld, even the villains were still known by name. But beyond that, in Hell, wailed the spirits of the Forgotten, the nameless. That truly was as bad as hell could get. And, of course, true heroes would attach to the pantheon, become stars and constellations. Do you strive for that, when filling out the TPS report at Initech? If you had to look that up, you’re on the naïve side of young…

Well then, to summarise: Meeting mania is curable, and Documents sharpen our skills. What a blunt conclusion. But don’t blame me when your greatness takes off.

Clustering the future

Was clustering my themes for the future of this blog. Came up with:
[Sizes, colours, or text sizes not very reflective of the attention the various subjects will get]
Low sophistication tool, eh? Never mind. Do mind, to comment. On the various things that would need to be added. As yes I know, I have left much out of the picture, for brevity purposes. But will want to hear whether I missed major things before I miss them, in next year’s posts. Thank you!
And, for the latter,
[Bah-t’yó! indeed]

Pulling, and pushing the compliance boundaries

A reblog again, delving into the breath of being the peers that pressure towards conformity or be the Maverisk that wants to prevent stale and mould. Read past the starting stuff, and find the value of nonconformity explained. If you don’t see that… You may be the one most in need …
And,
[Accelerating, not so bad]

SPICE things up, maturely

Where just about everyone in my Spheres was busy ‘implementing’ (quod non) all sorts of quality ‘assurance’ or ‘control’ (2x quod non) models, in the background there was quite some development in another, related area that may boomerang back into the limelight, for good reason.
First, this:
[Zuid-A(rt)sifyed]

The subject of course regards SPICE, or rather the ISO 15504 that it has turned into. Of the Old School of software development quality improvement era. Now transformed into much more…
In particular, there’s Capabilities instead of ‘maturity levels’.

What more can I add ..? Systematic, rigorous, robust, resistant against commercial panhandling. The intricacies … let’s just point to the wiki page again; ’tis clear enough or you need other instruction…

Lemme just close off with asking you for your experiences with this Standard…?

Cuffed to happen

This here masterpiece of course was bound to happen. Although with WiFi access, one would wonder about cloud sync / storage …
Oh WiFi hotspot no less…
Pic, again next time.

A simple explanation of Bitcoin “Sidechains”

Noteworthy. In one sense, a dilution. In another, a move to widespread adoption and acceptance. From which, probably, some unforeseeable, maybe even weird, whole new societal developments may spring.
And, for the heck of it:
[Pre-1998 analog to digital, FLlW @ Bear Run obviously]

In that Case, No.

Is your organization still replying on ‘business’ ‘cases’ to fund projects? Then there’s a special place for you in Dorchester.
When building such business cases – apologies for not mocking that newspeak already –, have you ever come up with one that did not pass the hurdle rate ..? Or come across a case where no business case was needed because the case for investing was so obvious or it wasn’t most clearly but someone of the Board wanted it so whatever dreadful return was expected all still had to be done?

Which made business cases the spider web that catches the little flies when the big ones simply smash on through.

And the insects that game-change and disrupt your feeding/business model and/or market share, don’t even fly near your web or turned inedible.

How many start-ups go through formal business cases for every investment or pivot ..? And only just making the 10% rate ..? With all costs so exactly calculable as you present those (the 100%+ error rates you leave out ’cause band widths are too difficult to understand by the ones with the money bags. You presume that, they deny that vehemently because it would show them to be the emperors in their newest clothes (but with piggy-fat pay checks), but you are certain of not being able to mark the averages for the cost items so you take lowest estimates), and the benefits monetized [my italics, auth.] to fabulously inflated figures. With oh so many unethical rounds of ‘adjustments’. Newspeak for: cooking the books of your business case. By lack of the hardest of scientifically concrete counterevidence you maintain your weakest of kindergarten estimates still hold.
Again, not very much like the start-ups you envy. You envy for their success rate. Ah, you now say the failure rate of start-ups is dismal. How about the failure rate of your projects; if they had been single initiatives, wouldn’t they have gone bankrupt at an even higher rate? Aren’t your successes the panting hanging-in-by-the-thread shrill-shouts of objectives achievement? Where the start-ups are considered successful only after passing the … maybe 500% return rate; reflective of … business value through non-monetary returns you could only dream of.

Don’t feel like I’m just bullying you like all the rest, with the weapon of slight. I’m trying to provide ammo so you can be allowed to move away from the bleak common business case of ‘decks’ full of PPTs where the content would be much, much better presented in Word and the 6 words shoud be per sheet not per half inch; unreadable, not made to understand. [Why!?!? Why use PPT; why are you using a truck to get a dozen of eggs from the Walmart ..!?]

So, what pointer can you provide to beat the business case system; not to game it but to replace it with another that might actually be useful, functional, in (larger) organisations …?