Vindication …

With due respect, but vindication is a beautiful thing…
As I had delivered a lecture over five years on all the places that risk management of the Basel II/II style, using quants and all to model (an übercomplex combination of scores of) human behaviour thus sublimating one’s model errors and one’s misunderstanding of how the world turns, not even mentioning the risk of the 15.5 risk; necessarily (if you’d had got It) speculative about what’s next, the evaluation was heavily tilted from quite (UK style) positive to mediocre by one bad review, that had as only comment “not based in evidence”. See the latest pres’s in my LinkedIn profile; without much by way of speaker notes, the ones on e.g., Blind Alley et al. can be readily understood qua intent.
Recently then, finally, this arrived. Maybe spinning off in an adjacent direction; veering off or running in parallel? But definitely touching the sore spot.
To the point where the dish is sweetest served cold.
But hey, would have liked all the business (and ~travel…) opportunities that could’ve been…

Now, let’s all go study Basel IV’s methodology and learn (e.g., as in the above-linked article). Maybe there is a future for risk management. Even if not as a separate discipline; see my posts of management-in-general. Plus:
[Once was my ‘work’ location; worth re-pursuing Trois Islets, Martinique]

Plusquote: You’re not perfect

Even at the Computer History Museum most of the devices on display stopped functioning many years ago.
This time, not one of my own but quoted from Ray. Pointing out that it’s not that bad if you fail at having the perfect IT management (systems/operations) in the universe — even if you’d had forever you wouldn’t succeed so take it easy on the minor non-compliancies.

So, this in a series inspired by this here Expert, some more of my own (heh) personal ramblings which I would dare to call motivational soundbites but you would consider to be as typically as this sentence to be my interpretation of brief, not necessarily positively motivational but that’s (yes I do use abbreviations to shorten the sentence even further) because that remains your interpretation but that’s not necessarily the right one being the one I intended.

Capisce? And:
[Once – not forever – the newest, carved in / out of stone; Reims]

Chain coordination and army corps sector boundaries

Well, and then you think back to the past decades in which it just never worked out to get chain coordination off the ground in semi- (quasi-? sub-? fake-?) government land. No, no, no, something may ‘work’ here and there, but that gets no further than an operational level of no-nuclear-conflict, with a totalitarian cold war at the tactical and strategic levels.
And yes, in the private sector (sad enough in itself, that a separate term exists for what should cover 90+% of the economy but gets no further than some 30 percent, at the very most) something has indeed been achieved, but then by force and merciless punishment through bankruptcy for anything less than maximal total sacrifice to the customer.

Ah, the customer. Of the chain, at the end of the production story.

And oh, there are models. Those who still have a chance of having (gained) insight, namely, grab their VS 2-1351. And beforehand read their IK2-25 once more ;-] and then chapter 8 of the aforementioned. But that aside, because the essence is that it brings back the lessons regarding the vulnerability to attacks from the East which, acknowledging the intelligence on that side that will aim at exploiting the weak spots on our side, will aim at the army corps sector boundaries.
Because there the coordination across the sector boundaries will be weaker, and the ‘own’ sub-optimisation within the sectors leads to reduced attention for the boundaries.

And … that sounds familiar, yes. And indeed, therein lies the bottleneck for coordination and oversight over the whole, from behind, having to deal with an opponent (sic) over the whole, opposite. Which, by its interpretation of its own goals, is not yet capable of tactical nuclear action (via politics) but does see its own interests insufficiently accommodated.
And then? Then take up the solutions from the practice developed through the ages. Regarding coercion from above towards maximal coordination between the chain units and sacrifice of one’s own chest-beating in favour of total performance, on pain of demotion. Wouldn’t that be fascinating; obliging the hollowest barrels from the leadership to work in the call center for the rest of their careers ..?

Ah, if, íf only the Mexican armies of petty bureaucrats were dumped at the FLOT… Page and Popla would see turnover rise sharply. And becoming aware of the actual mission would, after catharsis and replacement by Real leaders, lead to so much better government performance…

Dreaming is allowed, right ..? And:
[Suitable for the ‘managers’; Stockholm]

AnchoringThink

This might be a signal.
When reading up on Mr. S. Godin’s blog (hah, does anyone call him that, these days?), I realised when reading this post that not only can anchoring sink you, it may also be a major contribution to groupthink and subservience to bureaucracy, which seem to be two facets of the same thing. Being, that the anchoring that the group process produces either by clinging to the most-anxiety-reducing interpretation of the opinion of the perceived Leader [with all the side notes of the duce only presenting him(sic)self as such, empty barrel and all] or by averaging out all peculiars and hence reaching an anchor point of political position — reminiscent of Ortega y Gasset style Masses.

On the flip side, this points to what it takes to be a great consultant indeed, as Godin pointed out: addressing the groupthink narrow-mindedness by revisiting the vastly wider potential scope of possibilities and options than can be seen by looking back too little. This might have been the edge that e.g., a McKinsey had — haven’t heard too much from them, the last decade; are they still around, shrunk or not?
So, to be a better advisor, by all means search back for the greenfields from which current ‘opinions’ evolved and take a fresh restart of evolution from there. Also, be a maverick. As I am, qua risk consultancy/management/audit. Hence the signal to hire.

And:
[Obvious shape, for a library ..? La Défense again]

Your valued info at risk

Ah, just noted: A great many of you may have switched (or, c’mon don’t be a laggard or too late, will soon switch) to self-assessments of risks, even to the level of detail of data security (as part of information security, part of IRM, part of ORM, part of ERM, part of just-freakin’-perfectly-normal-or-are-you-kiddin’-me mundane run-of-the-mill average daily management of which ‘governance’ is the most preposterous windbag label).
Which is all very well, to determine at the shop floor levels, that apparently are the last hold-outs of actual business knowledge beyond the mumbo-jumbo of meddle management (sour joke intended), what the risks, and particularly also, Value of information (data…) processed might be.

But … You’d miss half or more of the picture, then. The value you attach to the info, may very well be what you’d be prepared to fork out to protect it (balancing estimated frequencies of intermittent losses versus continuous costs flying out the window), but you then forget that the attacker isn’t after the value you attach, but the value to the cracker. Which may be completely different. Think, e.g., Sony (and the many others alike): comparatively, there was hardly a nickel value in the ‘stolen’ (exfiltrated, or egressed since it was lying around so obviously) data from the Sony perspective. But the value was enormous from the hacker perspective — whatever the innocuous data was, the mere exposure was of such import that APT’ing around apparently was worth it.

Now, how’zat (women have deliveries, men have Balls) for all the other info throughout your glocal enterprise/empire ..? Similar to same, I presume.
So, … what about the budgets to be made available to counter data theft/robbery/whatever comparison to physical-world expropriation you’d like to use? And still not trying to overshoot in comparison to the value you yourselves establish for yourselves by yourselves, or you’d run the risk (chance close to 1) of splattering any flexibility and usability under tons of ‘controls’ (quod non, BTW). But then, not protecting ‘regular’ data enough, might expose it too easily — which might be rational but will cost you, e.g., through EU data protection fines … ;-|

So, you’ll not only have to do the multiplication of this and this, but extend in other dimensions as well…
Oh well, the world gets more complicated every day… and:
[Your data protection; Noto]

Information does(n’t) Matter

Another consequence of the analysis mentioned before about answers flowing upward through infosystems and command and inquiries/questions flowing down: When the latter get viewed as anti-data or even anti-information, we see Information Theory in action.

Where without the creation of potential (difference) by an inquiry standing ready at, say, a sensor [abstracting for a tiny moment away from the complexity that could be in any sensor, assuming it a math point] to capture some data it may produce, the potential may not pull away the data created by a Heisenbergian creation (-by-measurement ..!?) of the data/anti-data pair. Leaving the anti-data, the uncertainty behind. Is this the creation, the maintenance, or the destruction of a Schrödinger’s measurement ..?

More operationally: In what way does this interpretation induce metaphoric (?) insight into the connection between physical world, ‘signals’ (as in Shannon and other Info Theory), and continuous (!?)/discretised sensor-data streams..?
[For once skipping the bullying of those not understanding the fundamental nature of the continuous/(math-)discrete divide]

Well, there’s also this:
[The gift of far-sightedness. SE Sicily you recognize of course]

Bow the Stork Tie

When analyzing the Stork methodology for EU-wide federated eID- and authentication methods and technology, again one stumbles (rather, ‘they’ do) over the bow tie of CIA, mostly C, controls. Too bad. Usually, ENISA(-involved) stuff is Great quality. Now, quite too much less so.
Which is too bad. To note, we already commented on the classical CIA rating (incl the bow tie fallacy) before. Now, the CIA seems to have something to bring to bear on CIA as well. Better study hard …!

Oh well …:
[Weaving transparency and stability, Cala at Hoofddorp again]

RCSA is close to BAU

Close, as in no cigar yet (has the US ban on Cuban import been lifted already?).
But definitely, Risk Control Self-Assessments would, if carried out properly, be that major part of management’s daily (sic) chores that wouldn’t need annual get-togethers coaxed by outsiders (sic) but would be Business As Usual in operational practice. Maybe needing some periodic (weekly? monthly? certainly more than as now weakly annually) departmental review gathering but not a stage show as if this is the holy grail of business information flow. After which the ‘second line’ (as the back not even middle office function) receives the (right) info and acknowledges that the ‘first’ line has so much better sensors since they’re the first line par excellence, integrates the info into the upward report flow and reverts to fine-tuning the tools they provide to first-liners, and furthermore does … nothing. Second line is helpers, not dictators-by-soft-smothering. When it would turn out that all the high-quality hence qualitative (the reverse for quantitative) risk pics cannot be easily integrated into one pic, that’s too bad for the integrators but an appropriate (!) reflection of reality.

And if, on the other hand, first-liners need to be taken away from their actual productive work to sit in some song-and-dance by second-liners because it was so decreed by ‘governance’ levels (emperor’s clothes!), the very objectives will not be achieved. Since the ‘do something’ by deep-lying incompetence has led to the wrong turn into a blind alley whereas the broad avenue (something like Yonge Street) between wilderness and high (?) culture.

[I scheduled this post a couple of weeks ago for release in a couple of weeks but new developments seem to speed things up. For my many posts against Form over Substance … just search this blog for ‘TLD’ or bureaucracy …]
Won’t rant (too much) on; keep it to RCSA = BAU + quite some ε still, and:
[Distorted? Only your picture is, here for a change, by standing too close; true reality is not at the Edinburgh Royal Mile!]

Maverisk / Étoiles du Nord