Managing Fortuna’s Risks

On how Risk Management is self-defeating… or just something one has to do while Life has other plans with you(r organization).

First, the usual picture:
[Shadow (play) of Dudok, Hilversum again of course]

First, the Defeating part. This we hardly ever discuss at length, fully enough, but when we do, it’s so obvious you understand why: because RM is about cost avoidance, even if it is opportunity cost avoidance. Which makes you the Cassandra, the Boy Who Cried Wolf of the courtiers (sic). It’s just not interesting, not entrepreneurial enough. [Even if that would be pearls before swine…]

Second, this is why it’s so hard to sell (no quotes, just outright sell, for consultancy or budget bucks) the idea of RM to executives – they only see the cost you are. They don’t see themselves as delivering something if, if, if only they had integrated RM into their daily ‘governance’ (liar! that’s just management!) / management. They don’t want to do anything. They just don’t understand doing something that doesn’t show itself to be effective, even if for once others see no harm (though the others will not even care to flag the kindergarten-level window dressing that’s going on with the RM subject; too silly, that, to call out).

Third, this happens not only with ‘boardroom’ RM (~consultancy/advisory); it has been well established at lower ranks, all the way from the mundane IT security, Information Security, Information Risk Management and Operational Risk Management (where the vast majority of organisations don’t make anything tangible anymore), including the wing positions of, e.g., Credit and Market Risk (which are in fact, with the visors to mention, the same as the previous!), to Enterprise Risk Management altogether.

Fourth, we tie in Queuillism. The Do Nothing part, almost as in Keynesianism, where in the latter future-mishap prevention should be arranged during the years when government intervention wasn’t required as such. As in Joseph’s seven fat years contra the seven years of famine (Genesis 41). How does this reflect on RM? Would it not be just BCM in its widest, enterprise-wide sense? Isn’t that what ‘management’ is about, again..? Just sanding off the rough edges and, for the rest, giving room to the actual stars, the employees at all levels, to let them bring out their best – so exponentially much more than you can achieve by mere, petty, command & control. You raise KPIs, I rest my case of your incompetence. And this goes for governments even more. Just enormously expensive busywork.

Fifth, finally, the fourth trope points in the direction of Machiavelli’s Fortuna. Which was also covered by Montaigne, of course. It doesn’t matter what you do; in the end, Life has other plans with you. Sobering, eh? Oh but again, you can shave off the rough edges for yourself, too. Just don’t think that, in the end, it will matter much beyond some comfort to you. Catharsis, and move on.

OK, since you held out so long:
[The same, from another angle]

Security accountability: We’re off

Remember the Vasco, i.e. Diginotar, certificate breach scandal ..? For the many that don’t read Dutch easily enough, the gist of this court decision is that the previous owners of Diginotar are accountable for the damages to Vasco following the breach, since the previous Diginotar owners hadn’t secured their systems well enough.

There’s a lot to be said here.

  • E.g., that the security lapses could have been known. Due diligence …? Well, the PwC reports were all green traffic lights, at the procedures-on-paper level. But a couple of years before the take-over, a third party (ITSec, which I know for their good work [disclaimer: I have no business relations]) had already notified Diginotar about shop-floor level deficiencies. That remained uncorrected.
  • Add to that, that actually the previous owners themselves started legal claims, because a major part of their sale proceeds was still held in escrow and they wanted the money. Vasco filed a counterclaim, logically, and won.
  • Also, the auditors that had time and time again ‘assured’ the security of the scheme (and don’t get me started about limiting the scope of such assurance in scope vagueness or in the fine print!) haven’t felt too much backfire. Yet, hopefully. Though recently, the same firm announced an initiative towards a new, proprietary one can guess, security standard. Right.

So, are we finally seeing accountability breaking through ..? I already posted something on the Target Cxx step-down for similar security lapse(s). Now this one. The trickle’s there, let the deluge follow. That’ll teach ’em! And of course, generate a humongous market for backlog bug remediation, from the software levels up through controls to governance levels…
Even if that would stifle innovation for a while. Would that be a bad thing, having only the real improvements break through and not the junk ones ..?

OK then, now for a picture:
[Monteriggioni security was effective, until it wasn’t, then was abandoned as a control approach… they did; why not all of us today?]

Progress: Hacked (short note)

OK, so there’s progress… hackers (of the ethical kind …! …?) actually improving security, as per your Nest thermostat.
Contrary, of course, to the hacking of your home security system as spelled out here, and already ‘predicted’, by way of the solutions it requires, quite some time earlier here.

For their, and your, viewing pleasure:
[The ‘old’ shouldn’t be underrated by not being rated well enough…]

Gotta TruSST’MM

I had been planning for a long (?) time already to write something up on the issue of Trust in OSSTMM3© – in particular, how it doesn’t conform to received (abstract) notions of trust and how that’s a bit confusing until one thinks it through wide and deep enough.

First, a picture:
[Controlled to I/O, Vale]

Then, some explanation:
As I get it (now!), the OSSTMM model defines Trust as being an entry into or out of a system/component (objects, processes): the thing you may do when you are trusted. Literally, not the protection wall but the hole in that wall. Which isn’t some opinion the holder has of the visiting tourist. Interesting, but troublesome in its unsettling powers.

Dang. Running out of time again to delve into this deeply enough – in particular where I wanted to link this to a previous post about identity and authentication … (that post is in Dutch). OK, will move on for now, and return later. Already, if you have pointers to a resolution of the differences (the whole scale (?) of them), don’t hesitate.

Welcome to Hotel SV

Just a short note; tinkering with more ‘cybersecurity’ songs (to support (or not) #ditchcyber), I came across the following snippets…:

“Welcome to the Hotel California
Such a lovely place
Such a lovely face
Plenty of room at the Hotel California
Any time of year
You can find it here”

“Bring your alibis”

“Mirrors on the ceiling”

And she said “We are all just prisoners here, of our own device”

Last thing I remember, I was
Running for the door
I had to find the passage back
To the place I was before
“Relax,” said the night man,
“We are programmed to receive.
You can check-out any time you like,
But you can never leave!”

How’zat (sorry (no I’m not Canadian) USofA, culturally you’re still 99% British so you should get that reference) for the famous search engine’s approach ..?

And, of course:
[Yeah, Breck is CO not CA, about two decades back]

Crowdjustice

Perhaps vested interests (wrongly, again … DNB-petty-small-mindedness-probably-out-of-mortal-fear-out-of-incomprehension (although that d… justified, and desirable?) vs California State…) will start issuing warnings before the comparison with the current actual situation has been made sufficiently fundamental and objective, but this is of course an interesting novelty: crowdsourcing justice. And for those who find jury trials something scary, of the ‘what the farmer doesn’t know, he won’t eat’ kind: read, no, study this work for once.
Suddenly so much comes together… Joy all around at so much cultural progress.

[Edited to add: See the post of 25 August 2014…]

And so, a cheerful one:
[Might be a duplicate, mate]

COPE a Nope

Hm, this piece seems to miss the point entirely…

Because the move to BYOD had/has (sic) nothing to do with operability. But everything with power. And speed. COPE will be much more of the same, but with an even more inexplicable, awkward speed/flexibility/functionality trade-off. With nothing of (e.g., the current and forthcoming European Regulations’ and practices’) privacy in mind, just pipe dreams of regained totalitarian control. Heh, if that floats your boat: every boat, including or except yours, has left the harbor, because ships are safe there but that isn’t what ships are for. If you can’t see the analogy … you’ll be sunk.

And then, there’s a pic:
[Great for learning gaff rigging, but for serious yachting…?]

Proof of legitimate identity

By way of a question to @iusmetis / @ictrecht …:
In everyday Dutch usage we still (…) know the difference between legitimatie (proof of entitlement) and identiteit (identity), as in legitimatiebewijs and identiteitsbewijs respectively. The latter is also still seen as equivalent to ‘ID’.
Which raises the questions:

  • Is there (still) a legal difference between the two as well ..? Where does that difference, if any, come from, and how is it (still) applied?
  • What is the ‘mapping’ to (identification,) authentication and authorisation, as those terms are used in today’s ICT..?

The latter in particular seems to me worth studying because a. the legal terms have had a long time to be chewed over thoroughly, and ‘so’ may still bring out relevant differences from the ideas about access to systems/data that were developed only oh so recently.
And confusing the function of an ‘electronic’ ID with true identity, and the double role of e.g. a ‘user ID’, is also worth some consideration.

Anyway, first let’s try to get the various definitions clearly lined up side by side.

And of course the picture of the day:
[Hey, look at that, they had Starbucks here in Lucca very early on…?]

Quick note: Privacy is about Info, not Data

Just a quick note to drop this here, already before my holiday. I may elaborate on the subject later, in a much extended form. The idea being:

Privacy is about Information, not about Data. Privacy sits on the divide, or jump, from data to information, as in this previous post.

Data doesn’t mean a thing. And yes, there’s use in protecting data, but that’s only part of the picture. To discuss ‘directly or indirectly identifying data’ one needs to understand the value, and the information, in data combinations. So you’ll have to keep the information value in mind, always.

Which also means that if you discuss topics with various categorically-not-understanding-anything-other-than-bonuses stakeholders under the common header of personal data protection, you have lost connection to them, by giving up before you started; they will not ‘get it’. They know ‘data’ only in the abstract, as something to stay away from. If you don’t keep the (distinction AND connection) in mind and exepelainify it extensively ‘externally’, you lose.

Same if you don’t bridge the gap ‘internally’, in your in-group. Only when an exhaustive search for all meanings of any combination of data has been completed would one know what data elements could possibly be necessary for identification and hence are privacy-sensitive.
This would probably set the threshold very low indeed. But hey, that’s your problem right there. Offer perfect protection or get sued into oblivion.
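The exhaustive search over data combinations that the paragraph calls for, worked through as an added example (not part of the original post) on a small constructed set of records with four attributes, none of which singles anyone out on its own; the column names, records and function names are my own assumptions for illustration.

```python
from itertools import combinations
from collections import Counter

# Constructed sample records (no real persons). Each attribute value is shared
# by several people; the question is which COMBINATIONS single someone out.
RECORDS = [
    {"postcode": "1211", "birth_year": 1970, "sex": "F", "role": "nurse"},
    {"postcode": "1211", "birth_year": 1970, "sex": "F", "role": "engineer"},
    {"postcode": "1211", "birth_year": 1982, "sex": "M", "role": "nurse"},
    {"postcode": "1211", "birth_year": 1982, "sex": "M", "role": "engineer"},
    {"postcode": "3011", "birth_year": 1970, "sex": "M", "role": "nurse"},
    {"postcode": "3011", "birth_year": 1970, "sex": "M", "role": "engineer"},
    {"postcode": "3011", "birth_year": 1982, "sex": "F", "role": "nurse"},
    {"postcode": "3011", "birth_year": 1982, "sex": "F", "role": "engineer"},
]
COLUMNS = ["postcode", "birth_year", "sex", "role"]

def smallest_group(records, columns):
    """Size of the smallest group of records sharing the same values on `columns`
    (the k of k-anonymity). A result of 1 means that combination of attributes
    carries enough information to identify at least one person uniquely."""
    groups = Counter(tuple(r[c] for c in columns) for r in records)
    return min(groups.values())

def identifying_combinations(records, columns):
    """Exhaustive search over every non-empty subset of attributes, smallest first.
    Returns the minimal subsets that single out at least one record; supersets of
    an identifying subset are skipped because they add nothing to the finding."""
    found = []
    for size in range(1, len(columns) + 1):
        for combo in combinations(columns, size):
            if any(set(f) <= set(combo) for f in found):
                continue
            if smallest_group(records, combo) == 1:
                found.append(combo)
    return found

def sensitive_attributes(records, columns):
    """Attributes taking part in any minimal identifying combination and so, by
    the post's argument, privacy-sensitive even though each looks harmless alone."""
    return sorted({c for combo in identifying_combinations(records, columns) for c in combo})

if __name__ == "__main__":
    for combo in identifying_combinations(RECORDS, COLUMNS):
        print("identifying:", combo)
    print("sensitive:", sensitive_attributes(RECORDS, COLUMNS))
```

On this data no single attribute and no pair identifies anyone, yet three of the four triples do, and every attribute ends up in the sensitive set: the low threshold the paragraph warns about.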

I’ll return to this. Thank you:
[Really good design.]

Postdictions 2014-II

A progress report on the Predictions 2014 I made in several posts here, at the end of Q2.

First, of course, a picture:
[New then, outdated now, La Défense]

So, there they are, with the items collected from several posts and already updated once before in this:

Trust: Bitcoin may be in this corner, covering a lot of this subject [edited to add: it’s now legal in California ..!]. Also, Heartbleed pointed out our dependency on ‘anyone but us’ in actually checking/testing open source software like OpenSSL, and the trust placed in the great many low-level bits and pieces that make up ‘the’ Internet (connections).
[After publishing, I’ll cross-post my ISSA Journal column on this, as a post] —> [Here it is]
Identity: Facebook allowing anonymous (fake) identities. Users deleting posts from socmed, and switching to ephemeral messaging (Snapchat et al.). The European Court ordering Google to delete histories on request. (The semantics of) identity proceeds to being manageable…
Things: Moving into focus, vanguard of Sensors. And the Glass successors are surfacing. Earables here …
Social: Movement all around; with a focus on privacy as in my May 30th post.
Mobile: See Things.
Analytics: Wow, this one’s moving into the Trough of Disillusionment quickly! Now get it to jump out at the other end, as quickly.
Cloud: Mehhh, indeed. Still. The focus shifts towards actual security implementations, and control over that. On the Slope of Enlightenment, I’d say.
Demise of ERP: Dude, these platforms aren’t even audited other than by the most boring of boring routines – anyone interested in things other than pure dry deadwood is working on other things.
InfoSec on the steep rise: Even if we haven’t seen enough of this!

On APTs: We’ve seen Heartbleed come. And not go. This being just a mere incident, an incidental symptom…
On certification vulnerabilities: See the previous. Check.
On crypto failures, in the implementations: Some minor Bitcoin stuff, not too much else.
On quantum computing: – still not too much –
On methodological renewal, as it was: I blogged about this (re Rebooting CIA and OSSTMM). Some progress here and there, but no ✓ yet.
Deflation of TLD: Really out of sight, even in the most dull accountant’s circles.

Subtotal: Already clearly over 80% as we speak, when discounting for some fall-back here and there.

The faint of heart wouldn’t necessarily want to speak the bold characters out loud.
See you at the end of Q3 ..!

[In repeat, to add:]
Missed in the predictions ahead of time, but still worthwhile to watch: Google’s move towards banking via Gmail … as per this story, as commented ‘ere.

Maverisk / Étoiles du Nord