Rien vous ne pouvez plus …?

When business is about betting, hopefully educated guessing, on the near and somewhat further future developments of <something>. Educated, of course, with a pinch of theory, but only the parts that are actually true and still valid for the future too, so throw away all (seriously) but a few nuggets of the most absolute 'que sera, sera' of economics / business administration (sic), plus a healthy dose of experience, but not too much, as it would lead to the same lachrymose state as the (true) theory, and we still need Action, don't we ..?

Then totalitarian bureaucracies, like the banking world (held in a suffocatingly tight grip by regulators who are regulatory-captured but also holier-than-thou), will try to squeeze all involved so thoroughly that no business is feasible anymore. But they will fail, as the spirit has been out of the bottle since the Apple; Original Sin is about being human, above the animalistic, sustenance-driven, instinctive compliance with the laws of nature. Again and again, the stupidity of the belief that Apollo wins out over Dionysos ..! They are equal in all respects, certainly in the spirit of Man, and remember that even Zeus was forced to break marital laws (what a player he was, by necessity …:) because at the End of Times the Titans, the powers of Chaos, will almost win out. A trope so powerful that all belief systems (but a few exceptions) have it, so it is to be held for certain; until proven wrong…?

Even more: the higher the pressure (that the straitjackets on subjects can take), the more fluid everything becomes. The more zealous, zealotic, crazy (outright that word, yes) compliance efforts micromanage (never mind the 'manage' part, which is utterly ridiculous if used in this sense), the more devious and deceptive the business will become, caused by those very compliance efforts. LIBORgate, anyone ..?

'Trust, but verify' is a lie, since only the slightest hint of the latter immediately and completely destroys the former ..! Because the former is a two-way street. Seek out those that support this lie, and you'll find the true culprits of the above.

So far, so good for a Monday morning's rant, right ..? I'll stop now, with:
[Rigid, but colourful, the max you can achieve; Nieuwegein]

Repeat: Trawling for noise

So… Legal developments move at glacial 'speed', thus lulling critical oversight to sleep. It happened, once again, in NL: mass collection (sic) of, and trawling through, all sorts of data 'out there' is now fair game for government agencies.
NO, the oversight committee will not do anything. Anyone claiming otherwise plainly and simply lies under oath to overthrow the constitution (isn't that high treason?)

But what will happen, of course, is that those who in the past weren't able to connect the dots (a proven fact) will now be swamped in enormously bigger piles of noise data. At the very, very best (??) they'll find bucketloads of false positives, ruining the lives of perfectly normal, perfectly legally operating citizens, of course without any serious recourse or restitution of lost life's pleasure and happiness…
And the false negatives will explode as well, induced by the very 'countermeasures'.
So those who propose, implement and work with such 'solutions' quod non will be culpable too.
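The arithmetic behind those two claims, as an added illustration that is not part of the original post: the same detector applied to a vastly larger population multiplies the false positives (the base-rate effect), and once the flags exceed what analysts can review, the real cases drown in the noise, so the effective misses grow as well. Every number in the block (population sizes, 100 real cases, the detector's 99% sensitivity and 99.9% specificity, 500 reviews per period) is a constructed assumption chosen to show the effect, not a figure from any real programme.

```python
"""Base-rate arithmetic for dragnet data collection.

Added example; not code from the original post. Every figure is a
constructed assumption chosen to show the effect, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Screen:
    population: int      # people or records scanned
    targets: int         # genuinely relevant cases among them
    sensitivity: float   # P(flag | target)
    specificity: float   # P(no flag | not a target)

    def outcomes(self) -> dict:
        """Expected counts of the four confusion-matrix cells."""
        tp = self.sensitivity * self.targets
        fn = self.targets - tp
        innocents = self.population - self.targets
        fp = (1.0 - self.specificity) * innocents
        tn = innocents - fp
        return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}

    def precision(self) -> float:
        """Share of flagged people who are actually targets."""
        o = self.outcomes()
        return o["tp"] / (o["tp"] + o["fp"])


def triaged_outcomes(screen: Screen, review_capacity: int) -> dict:
    """Analysts can review at most `review_capacity` flags per period.

    Flags are assumed to be worked in arbitrary order, so every flag has
    the same chance of being looked at. Real cases whose flag is never
    reviewed are misses just as much as the ones the detector skipped.
    """
    o = screen.outcomes()
    flagged = o["tp"] + o["fp"]
    seen = min(1.0, review_capacity / flagged) if flagged else 0.0
    caught = o["tp"] * seen
    return {
        "flagged": flagged,
        "caught": caught,
        "missed": screen.targets - caught,   # detector misses + triage misses
        "precision": screen.precision(),
    }


# Same 100 real cases, same (generously good) detector, same 500 reviews
# per period; only the size of the haystack differs. Constructed numbers.
DETECTOR = dict(sensitivity=0.99, specificity=0.999)
TARGETED = Screen(population=10_000, targets=100, **DETECTOR)
DRAGNET = Screen(population=17_000_000, targets=100, **DETECTOR)
REVIEW_CAPACITY = 500


def compare(capacity: int = REVIEW_CAPACITY) -> dict:
    """Side-by-side result for the targeted and the dragnet screen."""
    return {
        "targeted": triaged_outcomes(TARGETED, capacity),
        "dragnet": triaged_outcomes(DRAGNET, capacity),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:9s} flagged={r['flagged']:9.0f} "
              f"precision={r['precision']:.4f} "
              f"caught={r['caught']:5.1f} missed={r['missed']:5.1f}")
```

With these assumed figures the targeted screen flags about 109 people, nine in ten of them real, and catches 99 of the 100 cases; the dragnet flags about 17,000 people, fewer than one in 170 of them real, and with the same analysts catches roughly 3 of the 100. The detector did not get worse; the haystack did.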

Oh well, Orwell was right. Plus:
[I don't want or like, but do expect, a similar thing again; for different reasons but with no really different methods. Prinsenhof Delft, y'know]

Be-four you turn enthusiastic

[Warning: Long read. Opinionated, and structurally your recommendations may be needed, too]

Just about all of the banking industry, and other financials in its wake, have had to deal with loads of regulatory requirements. Justified, some say, for 'they' cause(d) so much misery beyond the merely temporary loss of bonuses that the 'un' should have been (long ago) detached from 'bridled'. So Basel II and III regulations swooped in, requiring much more explicit and detailed handling of financial business than ever before. The move from laissez-faire to regulation, to regulation with sanction schemes, to sanctions (possibly interpreted as 'token'…), was extended with provability and then complete demonstration of proof as the minimum requirement.

This all, however, has created a large and, in general, I would say quite overpaid [disclaimer: I am profiting too] industry of consultants, quants, 'risk managers', reviewers, assessors, auditors, and scores of Toms, Dicks and Harrys of the GRC kind. All very likeable, nice lads and lassies, but maybe not quite worth their salt, certainly not their bonuses, or even worth lending much of one's ear to.

Since March, suddenly, there's news: the Basel Committee on Banking Supervision has released a consultative paper on ideas for the (much-needed, as many know) simplification of the operational risk management part of the regulations, for the forthcoming Basel IV.

Crash’in the wings

… Thinking back to the Taleb'ian remarks, and truths, on Extremistan, and how some more or less closely watched parameters may lose their variance but not their uncontrol, since such petering out of shock'lets is just the precursor of an asteroid-impact-scale collapse, I wondered what is about to happen in infosecland. Since for weeks, nay months already, there has hardly been any news… Apart from the usual suspects (#ditchcyber ..!), there hasn't been anything serious, has there, by way of yet another class break or more comprehensive controllability breakdown?

Which is why everyone should sit more uneasily, instead of the opposite, sleeping better than ever.

But then, this was the message from your wolf-crying boy …?

To which:

[Since last Friday, you know this isn’t a reindeer but an elk that is no moose, at least not everywhere]

Security so(m)bering

There's this discussion going on about the merits of privacy versus security: whether the one is part of the other, or the other way around, or both. Whereas the smart money is on considering privacy enhanced by good confidentiality settings, because they see that privacy is an issue of a higher (abstraction) order than mere confidentiality; achieved by it, but only in the way that infosec is the bricks and mortar when what you wanted is not bricks but a wall.
Through which you may reflect on compliance in infosec. Because hardly ever is that taken to include compliance with the principles, business objectives and conditions, which include being sparing with hindrance to the business. Really, those that truly set only guiding rails, not enforcement rails, are the unicorns of the trade. No, not those unicorns; those are just frauds anyway.
You may try to do better; really. It starts with risk … when properly applied, you would not get remarks like 'why, it has never happened to us before / what are the odds?' but might even get better support for some slightly hindering process changes and for better (but less end-user-detectable) 'infra', i.e., everything below the users' level of visibility.
So I'm not sombering, or if I am, it's about the eager-beaver pervasive prevalence. Because sobering up, wising up, may win the day and may be due…

We shouldn't somber too much… Isn't this a perfect opportunity to finally demonstrate how we do (… can …) link information security to real business issues at the highest GRC levels? Since we shouldn't be passive and leave 'privacy' to be taken over by lawyers jumping into the current Privacy Officer void. Since we can translate all the operational and tactical work that we do on privacy all the way up to strategic levels and still be very concrete. And not have to wait until barely understandable "guidelines" (shackles) keep us from achieving something.
No more wannabe whining about 'deserving' a seat at the Board table or at least being heard; not asking to be allowed but matter-of-factly showing 'Done.' … if, not when, you did information security right all the way…

Just like that:

[“Na na nanana can’t hear you!”; Porto]

The ides of March

… aren't today only, but are indicative of … well, a lot of what goes on in infosecland these days.
Whom to trust, when your buddies and experts, and both in one, may carry knives or worse. Like turning your defenses against you behind your back. Like the Brutuses and Ed S.'s did because their conscience revived (true in both cases ..!), like the great many are doing already without tipping you off. Until it's too late. And, in a similar vein, how's that for your built-in backdoors ..?
But then, as long as you sit there like a rabbit in the headlights … sleep now in the fire [insert appropriate link to RATM clip] because the Time Till Collapse may leave you less room for Après Nous le Déluge than ever before.

Just to wake you up, by the way; if you read the above as some kind of chagrin, I may have achieved my aim of making you think beyond mere Mehhhh.
So, I’ll leave you with:
[Shifting politics, shifting alliances…]

Vindication …

With due respect, but vindication is a beautiful thing…
As I had delivered a lecture, over five years and in all sorts of places, on how risk management of the Basel II/III style, using quants and all to model (an übercomplex combination of scores of) human behaviour, thus sublimates one's model errors and one's misunderstanding of how the world turns, not even mentioning the risk of the 15.5 risk; necessarily (if you had got It) speculative about what's next, the evaluation was heavily tilted from quite (UK-style) positive to mediocre by one bad review that had as its only comment "not based in evidence". See the latest presentations in my LinkedIn profile; without much by way of speaker notes, the ones on e.g. Blind Alley et al. can be readily understood as to intent.
Recently then, finally, this arrived. Maybe spinning off in an adjacent direction; veering off or running in parallel? But definitely touching the sore spot.
To the point where the dish is sweetest served cold.
But hey, I would have liked all the business (and ~travel…) opportunities that could have been…

Now, let's all go study Basel IV's methodology and learn (e.g., from the above-linked article). Maybe there is a future for risk management, even if not as a separate discipline; see my posts on management-in-general. Plus:
[Once was my 'work' location; worth re-pursuing. Trois Islets, Martinique]

Plusquote: You’re not perfect

Even at the Computer History Museum most of the devices on display stopped functioning many years ago.
This time, not one of my own but quoted from Ray, pointing out that it's not that bad if you fail at having the most perfect IT management (systems/operations) in the universe; even if you had forever you wouldn't succeed, so take it easy on the minor non-compliances.

So, this in a series inspired by this here Expert: some more of my own (heh) personal ramblings which I would dare to call motivational soundbites but which you would consider to be, as typically as this sentence, my interpretation of 'brief', not necessarily positively motivational but that's (yes I do use abbreviations to shorten the sentence even further) because that remains your interpretation, and not necessarily the right one, being the one I intended.

Capisce? And:
[Once – not forever – the newest, carved in / out of stone; Reims]

Chain governance and corps sector boundaries

Well, and then you think back to the past decades in which it just never worked out to get chain governance on its feet in semi- (quasi-? sub-? fake-?) government land. No, no, no, something 'works' here and there perhaps, but that gets no further than an operational level of no-nuclear-conflict, with a totalitarian cold war at the tactical and strategic levels.
And yes, in the private sector (in itself deplorable that a separate term exists for what should after all cover 90+% of the economy but gets no further than some 30 percent, at most) something has been achieved, but then by force and merciless punishment through bankruptcy for less-than-maximal total sacrifice to the customer.

Ah, the customer. Of the chain, at the end of the production story.

And oh, there are models. Those who still have a chance of having (gained) insight reach for their VS 2-1351. And first re-read their IK 2-25 ;-] and then chapter 8 of the former. But that aside, because the essence is that it brings back the lessons on the vulnerability to attacks from the East which, granting that side the intelligence to focus on exploiting the weak spots on our side, would be aimed at the army corps sector boundaries.
Because coordination across the sector boundaries will be weaker there, and the 'own' sub-optimisation within the sectors leads to reduced attention for the boundaries.

And … that sounds familiar, yes. And indeed, therein lies the bottleneck for governance and oversight over the whole, from behind, while dealing with an adversary (sic) across the whole, opposite. Who, by their own interpretation of their own goals, is not yet capable of tactical nuclear action (via politics) but does see their own interests insufficiently accommodated.
And then? Then take up the solutions from the practice developed over the centuries. Concerning compulsion from above to maximum coordination between the chain units and the sacrifice of one's own chest-thumping in favour of total performance, on pain of demotion. Wouldn't that be fascinating; assigning the hollowest vessels in management to the call centre for the rest of their careers ..?

Ah, if, íf only the Mexican armies of petty bureaucrats were dumped at the FLOT… Page and Popla would see their turnover rise sharply. And the awareness of the actual mission would, after catharsis and replacement by Real leaders, lead to so much better government performance…

Dreaming is allowed, isn't it ..? And:
[Suitable for the 'managers'; Stockholm]

AnchoringThink

This might be a signal.
When reading up on Mr. S. Godin's blog (hah, does anyone call him that these days?), I realised when reading this post that not only can anchoring sink you, it may also be a major contribution to groupthink and subservience to bureaucracy, which seem to be two facets of the same thing. Namely, that the anchoring the group process produces comes either from clinging to the most anxiety-reducing interpretation of the opinion of the perceived Leader [with all the side notes of the duce only presenting him(sic)self as such, empty barrel and all] or from averaging out all peculiarities and hence reaching an anchor point of political position, reminiscent of Ortega y Gasset-style Masses.

On the flip side, this points to what it takes to be a great consultant indeed, as Godin pointed out: addressing groupthink's narrow-mindedness by revisiting the vastly wider potential scope of possibilities and options than can be seen by looking back too little. This might have been the edge that e.g. McKinsey had; haven't heard too much from them in the last decade; are they still around, shrunk or not?
So, to be a better advisor, by all means search back for the greenfields from which current 'opinions' evolved and take a fresh restart of evolution from there. Also, be a maverick. As I am, qua risk consultancy/management/audit. Hence the signal to hire.

And:
[Obvious shape, for a library ..? La Défense again]

Maverisk / Étoiles du Nord