The P (part 1, too)

Now then, for the grand Part 1 of the People of Information Security. À la the triangle I posted on earlier (see somewhere below), where the People aspect floats around the triangle like a dense cloud, obscuring your clear view and posing a foggy threat of unclarity.
To jot down: there are many aspects of People that we have to deal with, but let’s start with some random, unstructured angles:
[Generalife, Granada]

People are a Threat. Externally, they are the actors, not random Acts of nature. No, they, they! the people, the masses (even in Ortega y Gasset style), they exist only to attack us!
How nice if you believe that; how nice for all those that have a sense of community and either don’t care to attack you even if it could be to their (risk-weighted) profit, or even help you, tacitly or visibly, explicitly. How hard do you work to alienate all those, too? Notwithstanding that there are indeed some out there that want to attack you: have you ever stepped into their shoes to figure out why ..? If (very big if) you really stepped into their mindset, wouldn’t you do the same, because by their reasoning you ‘deserved’ it?

People are Vulnerabilities, on the inside. They are frail, failing in their duty-above-all to follow your procedures; excuse the word, but f.ck their contributions to organizational success; your procedures are sacred, of course?

People are Means in information security. That’s actually what they are in the People, Process, Technology trio. Vulnerability, and Threat by the way, if they deviate from how you wanted to deploy the resource, but they can also be very powerful ‘allies’ as a resource to deploy in information security, information safety [nice idea, to defuse the old phrase], information asset protection. People are the thing (sic) that might follow Process using Technology to achieve protection. People are the ones to task with safeguarding your information assets. They may not be perfect, but they will for a long time to come be the actual actors and re-actors.

People are psychological constructs acting in sociological environments. I cannot write this often enough: Read and re-read Bruce Schneier’s Liars and Outliers, to understand how these People may operate in your artificial society called organization (oh the wishful thinking in that word…).

People, then, will have to be included in security design in the prominent role they have, not as an afterthought. They will have to take center stage indeed, as alpha and omega of information security organization.
We’ll have to find ways to really start with People and see how their work may be structured, and how their work may be supported (not the other way around!!) by Process and Technology. Process as a little handy tool, not as the raison d’être – an uphill struggle it will indeed be, but also a sign of the times already! Totalitarian bureaucrats beware; the Age of Compliance is waning. See a future blog. Technology as a little handy tool (in big plural), not as the first to arrive, with a bit of Process and very maybe even People bolted on here and there.
But we haven’t explored such a design direction at all, yet! We have no clue, no methodology, no vocabulary, to describe such a ‘design’ …

That’s where you come in; through your comments I propose to crowdsource such a methodology. Be part of it!

First Predictions 2014

[Unfamiliarly, from the West]

What’s up, 2014?

The end is nigh, of 2013. Can we predict what the big business / infosec hype of 2014 will be ..?
No. There’s no predicting the unknown. The somewhat-known will not stand out enough. The known… boring!

The knowns are the fall of Fubbuck, maybe Tvitter (both to be replaced by the WeChat’s and hopefully Tumblr’s of this world; will Vine and Snapchat take over?), cloud, BYOD/flexwork, etc.
SMAC: Social, Mobile, Analytics, Cloud. ViNT by Sogeti adds a T of Things.

The Things part, I’m unsure about. Yes, for the long run (i.e., 2-5 years) we will definitely see an explosion. But next year already? It’s the infancy of a sine wave, taking off slowly.

So, my prediction is that the thing we’ll all be talking about as the next thing in 2014, would be … People versus Algorithms.
This was pointed out by some #Coney guy(s), with some lead links elsewhere. But algorithms will not conquer the world in one swallow. Rather, we will see both an increase in the use of algorithms for partial (at most!) data analytics, to support TLA-style use of ‘big’ data in both public and private environments – and also a major development of the People component in the analysis: a wave of development of specialized functions, methodology and tools for the human pattern detection and interpretation parts of analytics.

Plus, then a more clear picture of how people and algorithms fit together, as function, profession(s), etc., with spin-off everywhere e.g., the development of a better understanding of how the brain works, how humans work (produce / operate), how to describe the purpose of life. On our way to the Singularity, and Beyond!

In the cave, not hunting

60% of any group of people are conservative. They just want a job, any job, and want to do simple, predictable work. They want to stay in the cave, because it’s dangerous out there; you never know where and when a bear or sabre-tooth tiger may attack.

40% of people understand that one can be safe by staying in the cave, but one will starve. Food is not in the cave, it’s out there. So, for self-preservation (strategic risk management) one has to go out, well equipped and sober to handle the environment (tactical risk management: listen and look carefully, and Be Prepared) and do some foraging (incl operational risk management; don’t be stupid and taste rotten stuff, etc.).

Nowadays, staying in the cave will not make you safe. Bears may hide in the back of the cave already: no matter how still you sit, headcount cuts are coming and may hit you regardless of your conformity. Or your better-adapted colleague-caveman may prey on you for the little comfort that (performance-contribution-)skinny you may bring to hold out another day. If you’d still have flesh, that would be muscle and you would (could) be the one holding out. Either all in the cave die, or through cannibalism at least a more lean and mean gathering of people (i.e., organization) may survive.
And the world outside changes faster than ever, so the cave entrance is besieged (or walled off!) by enemies taking your turf and starving or enslaving you.

[Toronto, but you knew that]

So, join the 40% and be even better at exploring, be better at being safe without a cave. Be better at risk management. Go out, dare; not running around stupidly but with due care. Enjoy the ever (faster) changing view!

On assumed guilt, innocence to be proven

An interesting piece (in Dutch) on documentation and the requirement to prove innocence under totalitarian presumed guilt: http://www.accountant.nl/Accountant/Opinie/Meningen/Naar+de+bliksem.aspx
How true, the story. Now go apply the gist to your auditees as well! They’re the ones under pressure, a pressure that accountants et al. are only starting to feel in the past couple of years..!

And here’s another picture for your viewing pleasure:

IHRM

On the integration of IRM into regular business management just the way HR is (was?).
[Some future blog will be about the Three Lines of (NO!) Defense. Now, about a bit more practical stuff.]

It struck me that information security, lately expanded into information risk management as a (peer) part of operational risk management, itself part of enterprise risk management (sometimes fuzzied into ‘COSO ERM’ babble), still struggles to be understood as not a separate function that can operate apart from the rest of the business (‘their infosec corner, to take care of their things’), but as an integral part of everyday management (and operations), just like e.g. HR.

Yes, HR is also still a separate function – for the parts that can be handled separately from the business as usual in other departments. Payrolls can be processed (almost) without knowledge of any primary business processes, or secondary processes for that matter. Apart of course from entry/leavers, etc., but that’s detail.
But HR is also very much integrated, the way it has always been. Optimising (sic; not maximising) the performance of the resources that are human (are they; are they considered such ..?) has since the inception of the idea of organizations, always been with management. Through target setting, through performance evaluations, through facilitative management. Not through micromanagement as you rightfully point out; that has no place in any organization.
All the core, direct HR tasks that are performed, are performed directly by (‘line’) managers. The less separately recognised as such, the better. Just manage!

How come, then, that IRM doesn’t take the same approach ..? The major part of simple information risk management (as is the major part of all risk management!) can and should be performed by those actually dealing with the information: employees and their management. How is it that managers generally understand that part (*) of their role consists of various HR chores, but information asset protection (and information asset performance optimisation..!) doesn’t, yet?
(*) Depending on how your organization works; when dealing with knowledge workers, the facilitative part of HR may form the core of managerial work altogether.

Yes, well, indeed managers may on average be insufficiently educated to be able to deal with information risk management within their normal duties. But ‘we’ should solve that. And almost no manager whatsoever was trained to be a manager in the first place! No, certainly not the business school types either. They learn a few bits and pieces of administration, which is something very different. The military (cadres), they learn something (little, simple things, but apparently sufficient to work with many subordinates in life-threatening situations – don’t insult them by assuming your organization can even compare to that kind of managerial challenge). But in general: No. That’s why military cadre finds it difficult to settle back into management positions in civilian society: the level of incompetence (they have to work with) is staggering.

And our common managers may not have been provided with the appropriate methodologies and tools to do that. But ‘we’ should provide those. Work In Progress, but the distance to cover is enormous.

And here’s a picture for your delight: [Madrid, perspectives: where you stand, where you look at.]

So, by education and methodology/tool provision, we can indeed bring information risk management back into the main line of management.
But so much work to be done! and rest assured that for decades to come, IRM will have its place as a (staff) department. HR hasn’t gone away quite yet, has it ..?

Comments appreciated.

Interlude: A Mistake made Policy


How a mistake made it to governmental policy…
[Though the above Toronto skyline’s just for your viewing pleasure, unrelated to this blog]

There has been quite some discussion about a thing called the Plan-Do-Check-Act cycle. Rightly so, since ever since Deming’s groundbreaking work on quality control WITHIN small shop-floor-level work groups, the understanding of the practical trade of small-group (self!)management has flourished.
But alas! So many sorcerer’s apprentices have run around like lemmings, and have followed the ill-guided amongst them over the cliff’s edge. They have mixed up Deming’s quality improvement cycle with the generic process control cycle, later applied to administrative management ..!

The disastrous consequences we still have to work with. The demise of management as a craft, the attempts, failed by default from the start, to scientifise management, the blindness to the utter counterproductivity: all can be traced to this error of application, born of an error of understanding.

Know your history: the control cycle has its origin in (chemical plant) process control, or even in generic control as elaborated in applied cybernetic systems methodology. Inputs, a (mathematical!) transformation function, outputs, and a (mathematical!) control (signal) function acting on the error and its first derivative; feed-forwards, feed-backs, input- and output-based signals, multiple levels of these control cycles nested in one another; it should all be familiar but isn’t, on a pervasive scale.
Which is a pity, because it leads to dumb, stupid design of control cycles, and to the adoption of Deming’s quality (improvement) cycle as the name-giver for the resulting management control efforts. Which in turn has led to the stupidest efforts to fit management control actions and controls into the Plan phase (feasible; most ‘control’-related work stays there, luckily, given the dumb and dumber practitioners around), the Do phase (awkward! managers don’t Do anything at all in Deming’s sense of Do), the Check phase (auditors’ delight, but NOT what Deming intended), and the Act phase (not understood at all; in the mix-up it’ll be swept under the Plan carpet!).
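To make the cycle described above concrete, here is an added worked example that is not from the original post: a toy tank-level loop in Python in which the input, the transformation function, the output, a feed-back signal on the error and its first derivative, and a feed-forward on the measured disturbance are all explicit. The tank, the gains and the numbers are constructed for illustration, not taken from any real plant.

```python
"""Added example (not from the original post): a minimal process-control cycle.

Plant: a tank whose level changes by (inflow - outflow) each time step.
Controller: sets the inflow from
  - a feed-forward term on the measured disturbance (the outflow), and
  - feed-back terms on the error and on its first (discrete) derivative.
All gains and numbers are constructed for illustration.
"""


def step_plant(level, inflow, outflow):
    """Transformation function of the plant: level(t+1) = level(t) + inflow - outflow."""
    return level + inflow - outflow


def controller(setpoint, level, prev_error, outflow, kp=0.5, kd=0.2, feed_forward=True):
    """Control signal = feed-forward + proportional feed-back + derivative feed-back.

    Returns (inflow, error) so the caller can carry the error into the next step.
    """
    error = setpoint - level
    d_error = error - prev_error               # first derivative of the error signal (discrete)
    ff = outflow if feed_forward else 0.0      # counter the disturbance before it shows up in the output
    inflow = ff + kp * error + kd * d_error
    return max(0.0, inflow), error             # a valve cannot pump backwards


def run(setpoint, outflows, level=0.0, feed_forward=True):
    """Run the loop over a sequence of disturbances; return the trace of output levels."""
    trace = []
    prev_error = setpoint - level
    for outflow in outflows:
        inflow, prev_error = controller(setpoint, level, prev_error, outflow,
                                        feed_forward=feed_forward)
        level = step_plant(level, inflow, outflow)
        trace.append(level)
    return trace


def steady_state_offset(setpoint, outflows, feed_forward=True):
    """Distance from setpoint after the disturbance sequence; 0 means the loop closed the gap."""
    return setpoint - run(setpoint, outflows, feed_forward=feed_forward)[-1]


if __name__ == "__main__":
    # Constant drain of 1.0, then a step up to 3.0 halfway through.
    disturbance = [1.0] * 30 + [3.0] * 30
    print("with feed-forward   :", round(steady_state_offset(10.0, disturbance), 4))
    print("feed-back only (P+D):", round(steady_state_offset(10.0, disturbance, feed_forward=False), 4))
```

Two things the loop shows that the prose alone does not. First, proportional feed-back on its own leaves a steady-state offset equal to disturbance divided by kp (here 3.0 / 0.5 = 6.0 below the setpoint once the drain steps up), which is the classic reason real controllers add an integral term or, as here, a feed-forward on the measured disturbance, which drives the offset to zero. Second, none of those four quantities (input, transformation, output, control signal) maps onto Plan, Do, Check or Act; the loop is a different object from an improvement cycle, which is the whole point of the paragraph above.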

But so many wrongs don’t make a right.

Putting the two models together into this atrocious mix, leads to heaps of management babble and a destruction of sound management practices at the hands of culpable consultants (external or internal). The utter waste of money, the utter demise of anything actually productive!

And now the mistke [not intended but I’ll leave it there] reaches its peak: PDCA will be required by government directive as a design principle for (management) control! [In the Netherlands, always preaching against someone else’s sins]
What a failure of administration: to unknowingly admit so publicly one’s incapacity, at the scale of an outright sackable offence (by the many that go along with this, too!).
Now, can we all please move forward to the consequences of the pervasive sackability ..?

Trust statistics

“Never trust any statistic that you haven’t forged yourself”, as the saying (apocryphally) attributed to Winston Churchill goes.

With today’s tools, computing capabilities and speed, why wouldn’t accountants draft their own annual accounts statement of their clients’ accounts ..? These could then be published alongside the ones of the clients themselves. The differences would be transparent to investors, and when (not if I guess) the clients can explain the differences to their stakeholders, there’s no pain in anything.

When accountants would complain that it would be impossible to re-do the annual accounts, they only confess their incompetence. If they truly understand what’s on the books, really understand the underlying processes in every detail required (and note, this would be a very, very hard requirement already!), they would have no problem at all recreating the sum total of it all. Or they end up with apparently differing interpretations of the processes, and may explain these to stakeholders.

So, either the accountants go do this or they declare to not know nearly well enough what they’re signing off. There’s no in between.

Double blind

Just a question: Would anyone know some definitive source, or pointers, to discussions either formal or informal, on the logic behind double secrets i.e. situations where it is a secret that some secret exists ..?

Yeah, it’s relevant in particular now that some countries’ governments seem to have failed to keep that double secret completely, but it should be dealt with more systematically, I think, also re regular business-to-business (and -to-consumer) interactions.

So, if you have some neat write-ups of formal logic systems approaches, I’d be grateful. TIA!

Ever more learning to go around

In various discussions in my trade, and in the general public, there seems to be a centre of gravity around the insufficiency of latter-day education. The troubles are many, but they fall into several distinct categories:

[Spoiler: the true point of this entry is somewhere near the bottom…]

  1. Children know way too little; much knowledge is lost. No, this is not about the simple learning of facts – it is already quite clear that Nicholas Carr’s The Shallows, shallow brains, have taken root and may only be undone by a big swing towards renewed rote memorization and a wholesale write-off of current generations. It is more about culture, the effects of too much freedom in education. Be aware that I tend to think that a great many children would be much happier (as adults, too) and society would benefit in a big, very big way if children were allowed to develop (start developing) their non-sports skills into Excellence much earlier than now. On the condition that general education in all sorts of subjects is maintained at quite a level too. We don’t want savants that in the end fail to make the genius grade and end up with nothing else. Conclusion/result/solution/requisite to make this possible: see below.
  2. School-leavers aren’t ready for any type of job available, if any are available. They’re too inexperienced, but also they know too little to understand the most basic, core things of how organizations operate. This complaint is of all times, yes. Solutions have been tried, but have run out of their time. Military or social service, socialist or bureaucratic (there is a distinction between those two, overlooked by those that don’t gauge the depth of the notions behind those simplifying labels!) in its nature, have worked here and there, but were unsustainable because of free riders (fire them for their lack of character!) and moreover because of a lack of economic equalisation – rewards for services delivered, education and experience gained, [hi there useful Oxford comma] and societal gains haven’t been calculated, estimated or explicitly transferred, hence remained too little visible. This can be solved by reinstating social service requirements on youth – but that wouldn’t necessarily go down well with any economically developed society where individualism has raged. Conclusion/result/solution/requisite to make this better: internships, plus see below.
  3. There’s so much variation within any profession and at all experience levels that education can only deliver base levels of professionals. More differentiated high-level education is required. But that would splinter course programs and may very well tie many too many young, still direction- and destination-seeking students into studies and careers that they in the end are disappointed with. With, due to specialization, too little way out; all the places elsewhere have been taken by maybe a little bit less experienced, but better specialized, others. Conclusion/result/solution/requisite to make this better: see below.

What is causing all of this ..? My take is that education as a system is lagging more than ever behind the increases in complexity of society/societies. Way back in time, when times were slower, societal development could be caught up with through education in a relatively short time. New generations could be trained, in whatever way, mostly by training on or near the job. But the exponential speed-up of society’s business, and of society’s complexity!, over the past centuries has meant that developments have become so quick and so unclear, as to the one solution to catch all and cater for well-rounded members of society through education, that ever more people feel they (individually and as a group) are lost, not able to improve themselves easily enough to cope with the new world order.
A peasant was a peasant, and only the extremely rare exception would ‘escape’. In times when a lord would look down on a peasant for the lack of education, but would regard the peasant as less of a lesser human being than generally assumed. The lord knew well his existence relied on peasants for food, and the purpose of his lordship (and not the purpose of his individual person) was to govern. Excesses apart, all could settle in their place and destiny, and needed not too much education because of this simpleness of society. That has changed…

To educate new generations today to be able to cope with the enormous complexity of society when they have grown up may hence take much more education, in breadth and in depth, than current-day education systems allow. All the compulsory subjects that are stripped away at too low levels already (humanities, math, science), due to too low exit levels being allowed and due to too early specialization (without allowing savants to jump ahead in their specific curiosities of choice), should be taught to all at higher levels throughout.
It is sad or a privilege, but current-day youth may need to attend school much longer to be ready to function in society…!

To be able to arrange for all the variety of students that will be around (including some that may want to broaden their horizon, switch specializations or just out of hobby interest want to keep on educating themselves, at various levels of experience and seniority), course structures may have to be changed. In particular, packaging of education should be reconsidered. E.g., in accountancy, not all certified accountants need to know each and every petty IFRS rule by heart as it may have no relevance to their daily job at all during all of their career. Better offer modules!
But this should be doable, in particular with the use of technology (MOOCs et al; blended methods) – and with other parties (both private and public sector organizations) more aware and involved and transparent to allow to learn from the sideline how they operate. To ready the next generations better for their roles.

Comments invited.

No Ethical Hacking, Please!

We still see quite a market for ‘ethical’ hacking out in the information security consulting world. However, if this type of activity should have a name, it would be wise for the name to be descriptive, right? Rather than deceitful, swindling… We certainly won’t do that, sir, no way.

We’d call it ‘ethical’ if the purpose of it all would be to further the ethical goals of the ones doing it. Now take a look at who’s doing it. ‘Ethical’ hacking. And for what: Moneyyy! Hey indeed, it is the consultants and Big4 accountants that will only and exclusively do it for the money. You say No? Have you tried to talk off just an hour of their bills because the hacking that they do (more on that, below), serves some ethical purpose that they are happy to work on for free ..? A great many would consider doing just anything that pays and not doing any of it otherwise, the direct opposite, the utmost perversion of ‘ethical’ behaviour. Yet, that’s where we are with ‘ethical’ hacking.

Now for the ‘hacking’ part. Most of that is non-existent again. It’s primarily penetration testing using off-the-shelf freeware tools. Can be done from any phablet while driving, or it’s so outdated that it should serve no purpose. OK, you got me there. Even antiquated tools will find big holes in clients’ defenses that could and should have been fixed aeons ago, you know, decades of internet time (a couple of years in our time). And about that entering through a small hole: it’s still rather common to not go there, stay virgin and only do some port scanning.
So, [except for the few good men that do understand what they’re concocting] no hacking together of one’s own new baby tools takes place. Yes, hacking, as in state-of-the-art coding (programming, for those of you who have been hibernating the last decade) without the need for any bureaucrat’s architecture principles but with a deep understanding of languages’ strengths and pitfalls.

So there we have it. Let loose some basic scanning tools, write up a fat report with some fancy letterhead and the usual suspects in findings; long live copy-paste, and bill ‘em for some ridiculous amount that goes straight into the coffers of some elderly gentlemen partners that don’t know how to use the Internet … except for, well, you know, searching for pictures.

Therefore, in search of a truthful, descriptive name, let’s either revert to ‘penetration testing’ (which for most men wouldn’t feel comfortable), or even just ‘port scanning’, or find some new designation. Mammon scanning, or so. But let’s not call it ‘ethical’ ‘hacking’ – two humongous wrongs don’t make a right.

Next up, maybe, a rephrased repost of @meneer’s #ditchcyber argument.

Maverisk / Étoiles du Nord