Tag: Information security

Security so(m)bering

There’s this discussion going down on the merits of privacy versus security. Whether the one is part of the other, or the other way around, or both. Whereas the smarts are with considering privacy enhanced by good confidentiality settings ’cause they see that privacy is an issue of higher (abstraction) order than mere confi; achieved by it but only as infosec are the bricks and mortar when all you wanted is not bricks or so but a wall.
Through which you may reflect on compliance in infosec. Because hardly ever, is that taken to include compliance with the principles and business objectives and conditions that include being sparse with hinder to the business. Really, those that truly set only guiding rails not enforcement rails, are the unicorns of the trade. No, not those unicorns, those are just frauds anyway.
You may try to do better; really. It starts with risk … when properly applied, you would not get the remarks about ‘why, it has never happened to us before / what are the odds?’ but might even get better support for some slightly hindering process changes and better (but less end user detectable) ‘infra’ i.e., everything under the users’ level of visibility.
So, I’m not sombering or if, about the eager beaver pervasive prevalence. Because sobering up, wising up, may win the day and may be due…

We shouldn’t somber too much… Isn’t this a perfect opportunity to finally demonstrate how we do (… can …) link up information security to real business issues at the highest GRC levels. Since we shouldn’t be passive, and leave ‘privacy’ to be taken over by lawyers jumping into the current Privacy Officer void. Since we can translate all the operational and tactical work that we do on privacy, all the way up to strategic levels and still be very concrete. And not have to wait till ill-understandable “guidelines” (shackles) keep us from achieving something.
No more wannabe whining about ‘deserving’ a seat at the Board table or at least be heard; not asking to be allowed but matter-of-factly showing ‘Done.’ … if, not when, you did informtion security right all the way…

Just like that:

[“Na na nanana can’t hear you!”; Porto]

The ides of March

… aren’t today only, but are indicative of … well, a lot of what goes on in infosecland these days.
Who to trust, when your buddies and experts and both in ones, may carry knives or worse. Like, turning their your defenses against you behind your back. Like the Brutus’es and Ed S.’s did because their consciousness revived (true in both cases ..!), like the great many are doing without tipping you off already. Until it’s too late. And, in similar vein, how’zat for your backdoors built in ..?
But then, as long as you can sit there like a rabbit in the headlights … sleep now in the fire [insert appropriate link to RATM clip] because the Time Till Collapse may leave you less room for Après Nous la Déluge than ever before.

Just to wake you up, by the way; if you read the above as some kind of chagrain I may have achieved my aim of making you think beyond mere Mehhhh.
So, I’ll leave you with:
DSCN7971
[Shifting politics, shifting alliances…]

Privvezee Shield

The fig leaf of the trade ..?
Probably will blow in the wind at the first whisper over 2Bft. E.g., through ‘misinterpretation’ of the rules and inherent incapacity to understand the Principles, by some vague fifth-line anonymous placeholder instructed to not understand, buried deep down in some TLA you may or may not have heard of.

And then, the wind cried Mary; landsliding into only the thinnest of lip service with a torrent (no double entendre intended) of factual breaches.

You’ll see… Plus:

DSCN7411
[A sub, appropriately, even if only in Baltimore…]

Plusquote: You’re not perfect

Even at the Computer History Museum most of the devices on display stopped functioning many years ago.
This time, not one of my own but quoted from Ray. Pointing out that it’s not that bad if you fail at having the perfect IT management (systems/operations) in the universe — even if you’d had forever you wouldn’t succeed so take it easy on the minor non-compliancies.

So, this in a series inspired by this here Expert, some more of my own (heh) personal ramblings which I would dare to call motivational soundbites but you would consider to be as typically as this sentence to be my interpretation of brief, not necessarily positively motivational but that’s (yes I do use abbreviations to shorten the sentence even further) because that remains your interpretation but that’s not necessarily the right one being the one I intended.

Capice? And:
DSC_0378
[Once – not forever – the newest, carved in / out of stone; Reims]

Ketenregie en legerkorpsvakgrenzen

Tsja en dan denk je terug aan de afgelopen decennia waarin het maar niet lukte om in semi-(quasi-? sub-? nep-?) overheidsland ketenregie op poten te zetten. Nee, nee, nee, er ‘werkt’ misschien hier en daar iets, maar dat komt niet verder dan een operationeel niveau van geen-nucleair-conflict met op tactisch en strategisch niveau een totalitaire koude oorlog.
En ja, in de private sector (op zich al bedroevend, dat er een aparte term bestaat voor wat toch 90+% van de economie zou moeten beslaan maar niet verder komt dan een procent of 30, hóógstens) is er wel iets tot stand gebracht, maar dan met geweld en keiharde afstraffing door failliet bij minder-dan-maximale totale opoffering aan de klant.

Ah, de klant. Van de keten, aan het eind van het productieverhaal.

En oh, er zijn wel modellen. Degenen die nog een kans hebben inzicht te hebben (opgedaan), pakken namelijk hun VS 2-1351 erbij. En lezen vooraf nog even hun IK2-25 ;-] en dan hoofdstuk 8 uit voornoemde. Maar dat terzijde, want de essentie is dat het de lessen terugbrengt inzake de kwetsbaarheid voor aanvallen vanuit het Oosten die zich, van die zijde de intelligentie erkennende die zich zal richten op exploitatie van de zwakke plekken aan onze kant, zal richten op de legerkorpsvakgrenzen.
Omdat daar de coördinatie zwakker zal zijn over de vakgrenzen heen, en de ‘eigen’ suboptimalisatie binnen de vakken tot verminderde aandacht voor de grenzen leidt.

En … dat klinkt bekend ja. En inderdaad, daarin ligt het knelpunt bij regie en toezicht over de hele, van achter, te doen hebbende met een tegenstander (sic) over de hele, tegenover. Die zo is naar interpretatie van de eigen doelen, nog niet in staat is tot tactische nucleaire actie (via de politiek) maar wel de eigen belangen onvoldoende tegemoetgekomen ziet.
En dan? Dan dus de oplossingen uit de door de eeuwen heen ontwikkelde praktijk ter hand genomen. Inzake dwang van hogerhand tot maximale coördinatie tussen de keteneenheden en opoffering van de eigen borstklopperij ten faveure van de totale prestatie, op straffe van degradatie. Zou dat niet boeiend zijn; de holste vaten vanuit de leiding verplicht voor de rest van de carrière in het call center tewerkstellen ..?

Ach, als, áls nou eens de Mexican armies van bureaucraatjes aan de FLOT zouden worden gedumpt… Page en Popla zouden de omzet fors zien stijgen. En het bewust worden van de eigenlijke opdracht zou na catharsis en vervanging door Echte leiders tot zo veel betere overheidsprestaties leiden…

Dromen mag, toch ..? En:
DSCN7902
[Geschikt voor de ‘leidinggevenden’; Stockholm]

AnchoringThink

This might be a signal.
When reading up on mr. S. Godin’s blog (hah, does anyone call him that, these days?), I realised when reading this post that not only can anchoring sink you, it may also be a major contribution to groupthink and subservience to bureaucracy, which seems to be two facets of the same thing. Being, that the anchoring that the group process produces either by clinging to the most-anxiety-reducing interpretation of the opinion of the perceived Leader [with all the side notes of the duce only presenting him(sic)self as such, empty barrel and all] or by averaging out all peculiars and hence reaching an anchor point of political position — reminiscent of Ortega y Gasset style Masses.

On the flip side, this points to what it takes to be a great consultant indeed, as Godin pointed out: addressing the groupthink narrow-mindedness by revisiting the vastly wider potential scope of possibilities and options than can be seen by looking back too little. This might have been the edge that e.g., a McKinsey had — haven’t heard too much from them, the last decade; are they still around, shrunk or not?
So, to be a better advisor, by all means search back for the greenfields from which current ‘opinions’ evolved and take a fresh restart of evolution from there. Also, be a maverick. As I am, qua risk consultancy/management/audit. Hence the signal to hire.

And:
DSCN1051
[Obvious shape, for a library ..? La Défense again]

Your valued info at risk

Ah, just noted: A great many of you may have switched (or, c’mon don’t be a laggard or too late, will soon switch) to self-assessments of risks, even to the level of detail of data security (as part of information security, part of IRM, part of ORM, part of ERM, part of just-freakin’-perfectly-normal-or-are-you-kiddin’-me mundane run-of-the-mill average daily management of which ‘governance’ is the most preposterous windbag label).
Which is all very well, to determine at the shop floor levels, that apparently are the last hold-outs of actual business knowledge beyond the mumbo-jumbo of meddle management (sour joke intended), what the risks, and particularly also, Value of information (data…) processed might be.

But … You’d miss half or more of the picture, then. The value you attach to the info, may very well be what you’d be prepared to fork out to protect it (balancing estimated frequencies of intermittent losses versus continuous costs flying out the window), but you then forget that the attacker isn’t after the value you attach, but the value to the cracker. Which may be completely different. Think, e.g., Sony (and the many others alike): comparatively, there was hardly a nickel value in the ‘stolen’ (exfiltrated, or egressed since it was lying around so obviously) data from the Sony perspective. But the value was enormous from the hacker perspective — whatever the innocuous data was, the mere exposure was of such import that APT’ ing around apparently was worth it.

Now, how’zat (women have deliveries, men have Balls) for all the other info throughout your glocal enterprise/empire ..? Similar to same, I presume.
So, … what about the budgets to be made available to counter data theft/robbery/whatever comparison to physical-world expropriation you’d like to use? And still not trying to overshoot in comparison to the value you yourselves establish for yourselves by yourselves, or you’d run the risk (chance close to 1) of splattering any flexibility and usability under tons of ‘controls’ (quod non, BTW). But then, not protecting ‘regular’ data enough, might expose it too easily — which might be rational but will cost you, e.g., through EU data protection fines … ;-|

So, you’ll not only have to do the multiplication of this and this, but extend in other dimensions as well…
Oh well, the world gets more complicated every day… and:
DSC_0115
[Your data protection; Noto]

Bow the Stork Tie

When analyzing the Stork methodology for EU-wide federated eID- and authentication methods and technology, again one stumbles (rather, ‘ they’ do) over the bow tie of CIA, mostly C, controls. Too bad. Usually, ENISA(-involved) stuff is Great quality. Now, quite too much less so.
Which is too bad. To note, we already commented on the classical CIA rating (incl the bow tie fallacy) before. Now, the CIA seems to have something to bring to bear on CIA as well. Better study hard …!

Oh well …:
DSCN9668
[Weaving transparency and stability, Cala at Hoofddorp again]

RCSA is close to BAU

Close, as in no cigar yet (has the US ban on Cuban import been lifted already?).
But definitely, Risk Control Self-Assessments would, if carried out properly, be that major part of management’s daily (sic) chores that wouldn’t need annual get-togethers coaxed by outsiders (sic) but would be Business As Usual in operational practice. Maybe needing some periodic (weekly? monthly? certainly more than as now weakly annually) departmental review gathering but not a stage show as if this is the holy grail of business information flow. After which the ‘second line’ (as the back not even middle office function) receives the (right) info and acknowledges that the ‘first’ line has so much better sensors since they’re the first line par excellence, integrates the info into the upward report flow and reverts to fine-tuning the tools they provide to first-liners, and furthermore does … nothing. Second line is helpers, not dictators-by-soft-smothering. When it would turn out that all the high-quality hence qualitative (the reverse for quantitative) risk pics cannot be easily integrated into one pic, that’s too bad for the integrators but an appropriate (!) reflection of reality.

And if, on the other hand, first-liners need to be taken away from their actual productive work to sit in some song-and-dance by second-liners because it was so decreed by ‘governance’ levels (emperor’s clothes!), the very objectives will not be achieved. Since the ‘do something’ by deep-lying incompetence has lead to the wrong turn into a blind alley whereas the broad avenue (something like Younge Street) between wilderness and high (?) culture.

[I scheduled this post a couple of weeks ago for release in a couple of weeks but new developments seem to speed things up. For my many posts against Form over Substance … just search this blog for ‘TLD’ or bureaucracy …]
Won’t rant (too much) on; keep it to RCSA = BAU + quite some ε still, and:
DSC_0015
[Distorted? Only your picture is, here for a change, by standing too close; true reality is  not at the Edinburg Royal Mile!]

Prediction16

Yawn. Or not. The following will get real serious in 2016. Like,

Well, for the list with everything and their dog:

  • Some Exits: Green Egg, ‘Cyber’everything, disruption/uberization, privacy, and, certainly and very much hopefully, “Like us on Facebook” … and very, very certainly hipsters let alone their ‘beards’ (quod non).
  • Entrat to replace the latter, hopefully, some actual non- or anti-bureaucratic frameworks of mind.
  • Also out, to be replaced by … [as yet unknown]: Vlogging or what have we, in socmed space, with 100k-1M+/++ followers as being he thing to aim for. As it becomes clearer and clearer in 2016 that only the 10M+/++ leaders (??) can make a dime from it, or barely a living. Who are the big winners, in all of this? User data / experience farmers?
  • Risk Management 3.0 will grow to be the Next Thing in managementspeak. If you’d need any proof, go read back the ton of posts on your perennial Truth site.
  • Also, we might get a last blip from SMAC(T) as a trend summary.
  • All of the points made by The (some) Man. Obviously. And some of this as well though this may all show to be overblown.
  • Still a wave of interest in Rise of the Robots. Combined with AI through and through, like in this. With support at an angle, from this.
  • A further blend of cloudsourcing and deperimetrisation putting your infra and all of your data naked and out there in the cold.
  • Oh almost forgot: A lot more on APTs, 3D printing (when will we finally get 4D printing …!?), MehhDrone stuff, blockchain, IoT, et al.
  • But we may hope, the latter two get much more innovative applications; one the one hand with simpler explications, on the other, truly innovating e.g., into the DAO realm.
  • Ah, DAOs; let’s first see more of this in 2016.
  • Offering a simple list copy from HBR:
    • Algorithmic personality detection: Yes
    • Bots: Yes
    • Glitches: Mwah; we indeed will see scores of them, ever bigger and more impactful (also b/c complexity explosions of the mixed e and physical worlds), but they’re somewhat of the mehhh category for the purpose of Here.
    • Backdoors: See APTs et al; much more of them yes but again, mehhh
    • Blockchain: As mentioned
    • Drone lanes: Hmmm, interesting…
    • Quantum Computing: Probably hung in there from previous (many) years’ lists; mine, too. May, might, but for the same token may not
    • Augmented knowledge: Definitely. Hopefully, in a good way. But maybe even hopefully, steered towards safe use, after a hopefully indicative but small-enough dystopian-style mishap ..?
  • CloudIAMming. IAM, renewed, for federated use in ‘the’ cloud. Yes, this will have a whole new lease of life, as a management field, and a consultancy field as well.
  • This just in: Forgot to mention VR as a thing in 2016. Definitely.
  • I may want to do an update halfway through the year…
  • Oh, and of course our motto for 2016: A CEO with you, is still a CEO.
    #gosubstitute[ _X, _Y | fool, a tool ]

After which there’s only:
DSCN7943
[Purposefully unsharp. Berlin, some years ago.]

Maverisk / Étoiles du Nord