Comedy crashers

No capers, frankly no comedy either, when some of the most respected in the field are concerned about pervasive probing of whole countries in one go. As here.

Probably, the same is pulled off on smaller countries as well; the infra doesn’t distinguish, but the protection budgets probably are much smaller, so a proof of concept might be interesting. Though this may trigger better protection in the larger country/countries, if done ‘right’ the attack(s) may be class break kind of things not so easily protected against in the first place.
And for now, the smaller countries probed, will have even smaller budgets and capabilities to even detect the probing all together / in the first place. Interesting …

But maybe budgets are better spent on all the other actual risks out there, like: ..?
[Suddenly (of course !!) turned up at the Joinville château; Haute-Marne]

Culture for breakfast, since it's so light and airheaded

Yet again some oversight body / de facto regulator gave wind that they already had changed to auditing Culture and the Tone At The Top including Behaviour and Awareness, apart from mere ([ed.]) process and technology.
To get the latter off the table: Good. ‘Technology’ wasn’t understood the least bit anyway; really (sic).
And Process, ah finally they found that about all they had done in the past, was windbaggery of the worst kind. Yes, process has its place, but a so much more minor, subaltern one than the past Tragedy (sic, again) that ‘governance’/GRC/compliance/SOx was …! Yes again, it really was the little chicken pretending to be a full-grown eagle.

So now, they ‘have’ turned to Culture and related blah. About which they have no clue, or they would have had to fire a majority of their own staff and hire complete+ replacements with psychologically skilled (i.e., educated at a full square angle to the current lot) staff. Which they haven’t, or they would have found out that the new skill set would have burned down the house that was.

Of which no (smoke) sign is in sight.

So, … words; the Tom Tom Club was right.

And:
[Blockhead and Culture with a capital C here …; Casa de, Porto of course]

Another Thoreau

Yes another one in a series of The Annotated Alice Thoreau, with:

I am constantly assisted by the books in identifying a particular plant and learning some of its humbler uses, but I rarely read a sentence in a botany which reminds me of flowers or living plants. Very few write indeed as if they had seen the thing which they pretend to describe.

And so it is with, e.g., books and other theory of GRC. Not a living thing to be discovered in them. Just as if the dust of centuries had already descended on ‘process’, ‘structure’, etc. etc. — which it might have, when it is the errant interpretation of what management (sic; not ‘governance’, as that is a nonsense phrase as per this giant) has been since the dawn of settled farmer civilisation. Note that all that seems, at superficial and likewise erroneous misinterpretation, rebellious might hearken back to the glorious days of the hunter-gatherers as expressed here. But at least, summa, they’re alive, as the books/GRC aren’t, hence fail.

[Old guns still work, even as a model they’re still pretty, too; Rijks, Amsterdam]

ORM will not fly B-4 People are included

[Warning: Longread]

On the ails of the Basel-IV ORM proposals:

1. Unwarranted, certainly unscientific overreliance on ‘models’;

2. Modeling for prospective use instead of hindsight understanding;

3. Too much top-down, not enough bottom-up;

4. No humans in the picture, hence the wrong and unactionable indicators.

Introduction

Just about all of the banking industry, and other financials in their wake, have had to deal with loads of regulatory requirements. Justified, some say, for ‘they’ cause(d) so much misery beyond the mere, mostly temporary, loss of bonuses that the ‘un’ should be (should have been, long before) detached from ‘unbridled’. So, Basel II and -III regulations swooped in requiring much more explicit and detailed handling of financial business than ever before. The move from laissez-faire to regulation, to regulation with sanction schemes, to sanctions (possibly interpreted as ‘token’…), was extended with provability and then complete proof-demonstration as the minimum requirement.

This all, however, has created a large, and in general even I would say quite overpaid [disclaimer: am profiting too] industry of consultants, quants, ‘risk managers’, reviewers, assessors, auditors, and scores of Toms, Dicks[1] and Harries of the GRC kind. They are all very likeable nice lads and lassies, but maybe not all quite worth their salt, certainly not their bonuses, or even sure to be worth lending one’s ear to.

"This is impossible!"

’Twas not long ago, when all that knew their way in Infosecland (when the land had not expanded and complexified beyond the grasp of mere mortals and AI was not yet needed to have taken over) would point at the stupidity of any claim like “That can’t happen here because our security beats every threat till Kingdom come”.
And the claimants would have it, by sheer power play. When dinosaurs roamed, it was in your interest to move over when they’d want to pass.

Now, the dinos are on the way out (well, the current stock of them; new ones in the wings), and this of course happens.
Where the complete ignorance of the dinos is displayed by their response, as if something new happened.
Where we haven’t heard enough calls for claw-backs of even standard salaries for, give or take, a decade or two back, due to willful and (should-have-been-)self-knowing incompetence, especially at C-level and up.
But then, justice is served cold, by history making a fool of the true culprits (the authoritarian dinos) at best, or forgetting them in the old Greeks’ second hell, as deserved.

Can we be friends now; you being the entry-level kindergarten ‘students’ and the rest of the world you scoffed, as your nannies …? For that:
[At least they acted as proper Night Watchmen; at the Rijks, Amsterdam]

Plusquote: Qua Quantification

Qua quantification, maximal isn’t the optimal that minimal is.

If quantification were good, or worth pursuing even anything more than a bit or minimally, Yoda would talk about hidden Markov chains, not The Force.
Not all that can be counted, counts, and not all that counts, can be counted. Where ‘not all’ is to be read differently than the latter-day simpletonian way, but as the antediluvian ‘none’. Capisce ..?

Many more arguments might go here. Suffice it to say that ‘evidence-based’ science is a scam. Only those that are too stupid (let’s put it like it is) to ‘get’ the value of philosophy (and ethics etc. etc. as part of it), may not understand it. But as the vast masses don’t have a clue how their car works — chemical reactions within the pistons, anyone? how ’bout the programming of the cabling that controls it all? — but still use it, NO, you not understanding does NOT mean it’s nonsense; in your case, to the contrary.

To return to the positive of the Plusquote…: All may have a say in matters of society and the ‘control’ (quod non) of its infrastructure including all ‘critical’ sectors like energy, security and finance…

Oh that may be too much of a stretch but still…:
[OK, … quantify this … NO not even the qualifier Amsterdam is correct, it’s Dordrecht and even that doesn’t capture the picture…]

Risk Chagrins

It’s just a matter of Karma

As long as ‘risk’ ‘managers’ deal with negativity (admit it; focusing on the negative is even written into quite a number of the definitions involved ..!), they’ll become the sourpusses they want to see all around (remember the “passing back risk management to the ‘first’ line” ..?), and according to which they’ll behave ever more, finding evidence everywhere that they’re on the ‘right’ track.
Quod non, but conspiracy theorists as they are, they will not listen.

Oh, and this:
[Your ‘risk’ ‘heat map’, accurate picture]

ChainWASP

… With all the blockchain app(lication)s, in all senses, sizes and seriousnesses if that is a word, growing (expo of course) everywhere,
wouldn’t it be time to think about some form of OWASP-style programming quality upgrading initiative,

now that the ‘chain world is still young, and hasn’t yet encountered its full-blown sobering-up trust crash through sloppy implementation. But, with Ethereum’s and others’ efforts to spread the API / Word (no, no, not the linear-text app…) as fast and far and wide as possible, the chances of such a sloppy implementation leading to distrust in the whole concept may rise significantly.

Which might, possibly, hypothetically, be mitigated by an early adoption of … central … Oh No! control mechanism of e.g., code reviews by trusted (huh?) third parties (swarms!) where the code might still remain proprietary and copyrighted.
Or at least, the very least, have some enforceable set of coding quality standards. Is that too much asked …??

I know; that’s a Yes. So I’ll leave you with the thought of a better near-future, and:
[Horizontal until compile-time errors made adjustments necessary (pic); beautiful concept — other than Clean Code, actually executed to marvelous effect]

Fintech: Babble-fork

Coining (pun not even intended as I wrote this — lame non-landing anyway) a new phrase: Babble-fork.
Which is what happens now in the financial industry with fintech:

Banks et al. think they have a role to play in the applications of blockchain technology in the financial industry of the future.
As bc is just a distributed ledger technology [ref. Tapscott the Elder & the Younger], right?
Obviously, dead wrong. Or, ‘the Internet’ is just phone lines between mainframes.

Otherhandly, the start-ups that have no role or place for the incumbents. The start-ups that expect the old ones to die [1:03 of the linked]… and then, it is already a mockery of a flattery to relate the financial industry-that-was with that commander that never made it to captain (Navy); an outright self-delusion of the grandest scale when such industrialists think they’ll still be able to catch up with the innovation tidal waves already rushing to their shores (unseen, over still deep seas until reaching their shallow tropical beach sides ..!).
Since bc is the very counterpoint of centralized (‘trusted third party’-, quod non par excellence!) trust, being the utter distribution of it hence contra anything however remotely approaching the delusion of importance that may still be with the traditionalists.

So, fintech forks ferociously for the financial future as a tenable alliteration runs only so long. But you get it. Time again to ask for the entry password — with the wrong answer leading to …?

Well then, I also have for you:
[Dear Lord. In the Attick; Ams]

Reverse firing squad (LIBORgate et al.)

When designing cross-organizational processes ‘hence’ including cross-organizational control structures, who will be accountable to look after the controls in question?

Take LIBOR(gate). Someone(s) dreamt up a structure of ‘self-regulation’, which even the most brief moronically-superficial gleaning over history will tell will fail, and then forgot one’s accountability for putting in place such a sure to fail thing.

’cause only accountability will force ‘taking’ responsibility and actually doing both parts of Trust But Verify.
No, the latter part was not taken up by the individual banks involved. Because they had perfect (O)RM in place. That, by perfectly sensible, justified, and objective achievement-perfecting arrangements, focused on the risks to the own organisation only, as they were, and are, internal departments working for the optimization of the organisation (taking into account the local Board’s risk appetites and attitudes, risk estimations, budgets, cost/benefit analysis and what have you); nothing more, or they would, bordering on (?) the illegal, overstep their remit. Hence, inter-organizational conspiracy was not something any individual bank’s (O)RM department, or manager, had to worry about, let alone be actively fleshing out as a potential risk.

The supra-organizational oversight required, at the level where the scheming took place (huh, I mentioned ‘supra’ not for nothing..!), could technically, operationally, tactically and strategically only have been envisioned at that same supra level, with the regulator(s) at that level that instated the L-scheme. [Oh I could add a ton here on how any ‘lower’ level cannot in any logical way have ‘seen’ the risk(s)] So, accountability and responsibility, for setting up a scheme that was prone to the risk(s) in the first place and for not applying due control and oversight (from the strategic all the way down to the operational/technical levels!), was and still is with those regulator(s).

How then have they escaped being kicked and imprisoned ..? By claiming ‘temporary’ insanity, where Reality in the L-process and elsewhere is only a string of ‘temporary’ moments ..? The lack of competence is appalling. But drowned in the finger-pointing flying all around, except in the right directions.

Uch. One could get very depressed, and/or feel belligerent. Or see the mirror of a firing squad. In the latter, a number of soldiers fire, with only one round not being a blank so no-one knows who did it so none can be held accountable individually for the collective shooting of some villain. [If only in some miracle world it wouldn’t be that most victims are the Honorable very much in an Aristotelian Virtue sense.] Now, we have ‘one’ regulator shooting a whole squad, and all of the squad are blamed …!?


[Just a MSc uni in Delft. Because science ..!]

Maverisk / Étoiles du Nord