Your valued info at risk

Ah, just noted: A great many of you may have switched (or, c’mon don’t be a laggard or too late, will soon switch) to self-assessments of risks, even to the level of detail of data security (as part of information security, part of IRM, part of ORM, part of ERM, part of just-freakin’-perfectly-normal-or-are-you-kiddin’-me mundane run-of-the-mill average daily management of which ‘governance’ is the most preposterous windbag label).
Which is all very well, to determine at the shop floor levels, that apparently are the last hold-outs of actual business knowledge beyond the mumbo-jumbo of meddle management (sour joke intended), what the risks, and particularly also, Value of information (data…) processed might be.

But … You’d miss half or more of the picture, then. The value you attach to the info, may very well be what you’d be prepared to fork out to protect it (balancing estimated frequencies of intermittent losses versus continuous costs flying out the window), but you then forget that the attacker isn’t after the value you attach, but the value to the cracker. Which may be completely different. Think, e.g., Sony (and the many others alike): comparatively, there was hardly a nickel value in the ‘stolen’ (exfiltrated, or egressed since it was lying around so obviously) data from the Sony perspective. But the value was enormous from the hacker perspective — whatever the innocuous data was, the mere exposure was of such import that APT’ ing around apparently was worth it.

Now, how’zat (women have deliveries, men have Balls) for all the other info throughout your glocal enterprise/empire ..? Similar to same, I presume.
So, … what about the budgets to be made available to counter data theft/robbery/whatever comparison to physical-world expropriation you’d like to use? And still not trying to overshoot in comparison to the value you yourselves establish for yourselves by yourselves, or you’d run the risk (chance close to 1) of splattering any flexibility and usability under tons of ‘controls’ (quod non, BTW). But then, not protecting ‘regular’ data enough, might expose it too easily — which might be rational but will cost you, e.g., through EU data protection fines … ;-|

So, you’ll not only have to do the multiplication of this and this, but extend in other dimensions as well…
Oh well, the world gets more complicated every day… and:
[Photo DSC_0115: Your data protection; Noto]

Information does(n’t) Matter

Another consequence of the analysis mentioned before about answers flowing upward through infosystems and command and inquiries/questions flowing down: When the latter get viewed as anti-data or even anti-information, we see Information Theory in action.

Where without the creation of potential (difference) by an inquiry standing ready at, say, a sensor [abstracting for a tiny moment away from the complexity that could be in any sensor, assuming it a math point] to capture some data it may produce, the potential may not pull away the data created by a Heisenbergian creation (-by-measurement ..!?) of the data/anti-data pair. Leaving the anti-data, the uncertainty behind. Is this the creation, the maintenance, or the destruction of a Schrödinger’s measurement ..?

More operationally: In what way does this interpretation induce metaphoric (?) insight into the connection between physical world, ‘signals’ (as in Shannon and other Info Theory), and continuous (!?)/discretised sensor-data streams..?
[For once skipping the bullying of those not understanding the fundamental nature of the continuous/(math-)discrete divide]

Well, there’s also this:
[Photo DSC_0478: The gift of far-sightedness. SE Sicily, you recognize of course]

RCSA is close to BAU

Close, as in no cigar yet (has the US ban on Cuban import been lifted already?).
But definitely, Risk Control Self-Assessments would, if carried out properly, be that major part of management’s daily (sic) chores that wouldn’t need annual get-togethers coaxed by outsiders (sic) but would be Business As Usual in operational practice. Maybe needing some periodic (weekly? monthly? certainly more than as now weakly annually) departmental review gathering but not a stage show as if this is the holy grail of business information flow. After which the ‘second line’ (as the back not even middle office function) receives the (right) info and acknowledges that the ‘first’ line has so much better sensors since they’re the first line par excellence, integrates the info into the upward report flow and reverts to fine-tuning the tools they provide to first-liners, and furthermore does … nothing. Second line is helpers, not dictators-by-soft-smothering. When it would turn out that all the high-quality hence qualitative (the reverse for quantitative) risk pics cannot be easily integrated into one pic, that’s too bad for the integrators but an appropriate (!) reflection of reality.

And if, on the other hand, first-liners need to be taken away from their actual productive work to sit in some song-and-dance by second-liners because it was so decreed by ‘governance’ levels (emperor’s clothes!), the very objectives will not be achieved. Since the ‘do something’ by deep-lying incompetence has led to the wrong turn into a blind alley, whereas the broad avenue (something like Yonge Street) between wilderness and high (?) culture was right there.

[I scheduled this post a couple of weeks ago for release in a couple of weeks but new developments seem to speed things up. For my many posts against Form over Substance … just search this blog for ‘TLD’ or bureaucracy …]
Won’t rant (too much) on; keep it to RCSA = BAU + quite some ε still, and:
[Photo DSC_0015: Distorted? Only your picture is, here for a change, by standing too close; true reality is not at the Edinburgh Royal Mile!]

Prediction16

Yawn. Or not. The following will get real serious in 2016. Like,

Well, for the list with everything and their dog:

  • Some Exits: Green Egg, ‘Cyber’everything, disruption/uberization, privacy, and, certainly and very much hopefully, “Like us on Facebook” … and very, very certainly hipsters let alone their ‘beards’ (quod non).
  • Entrant to replace the latter, hopefully: some actual non- or anti-bureaucratic frameworks of mind.
  • Also out, to be replaced by … [as yet unknown]: Vlogging or what have we, in socmed space, with 100k-1M+/++ followers as being the thing to aim for. As it becomes clearer and clearer in 2016 that only the 10M+/++ leaders (??) can make a dime from it, or barely a living. Who are the big winners, in all of this? User data / experience farmers?
  • Risk Management 3.0 will grow to be the Next Thing in managementspeak. If you’d need any proof, go read back the ton of posts on your perennial Truth site.
  • Also, we might get a last blip from SMAC(T) as a trend summary.
  • All of the points made by The (some) Man. Obviously. And some of this as well though this may all show to be overblown.
  • Still a wave of interest in Rise of the Robots. Combined with AI through and through, like in this. With support at an angle, from this.
  • A further blend of cloudsourcing and deperimetrisation putting your infra and all of your data naked and out there in the cold.
  • Oh almost forgot: A lot more on APTs, 3D printing (when will we finally get 4D printing …!?), MehhDrone stuff, blockchain, IoT, et al.
  • But we may hope, the latter two get much more innovative applications; on the one hand with simpler explications, on the other, truly innovating e.g., into the DAO realm.
  • Ah, DAOs; let’s first see more of this in 2016.
  • Offering a simple list copy from HBR:
    • Algorithmic personality detection: Yes
    • Bots: Yes
    • Glitches: Mwah; we indeed will see scores of them, ever bigger and more impactful (also b/c complexity explosions of the mixed e and physical worlds), but they’re somewhat of the mehhh category for the purpose of Here.
    • Backdoors: See APTs et al; much more of them yes but again, mehhh
    • Blockchain: As mentioned
    • Drone lanes: Hmmm, interesting…
    • Quantum Computing: Probably hung in there from previous (many) years’ lists; mine, too. May, might, but for the same token may not
    • Augmented knowledge: Definitely. Hopefully, in a good way. But maybe even hopefully, steered towards safe use, after a hopefully indicative but small-enough dystopian-style mishap ..?
  • CloudIAMming. IAM, renewed, for federated use in ‘the’ cloud. Yes, this will have a whole new lease of life, as a management field, and a consultancy field as well.
  • This just in: Forgot to mention VR as a thing in 2016. Definitely.
  • I may want to do an update halfway through the year…
  • Oh, and of course our motto for 2016: A CEO with you, is still a CEO.
    #gosubstitute[ _X, _Y | fool, a tool ]

After which there’s only:
[Photo DSCN7943: Purposefully unsharp. Berlin, some years ago.]

Common meltdown

Ah, indeed a meltdown is approaching; maybe not even of the common kind of just something breaking down in ‘IT’ — the inverted s… hits the fan scenario — but a larger-scale one. Being the lack of budget / approval for IT staff to do continuous education of all sorts. [As in here, in Dutch.]
Which will inevitably lead to ever larger versions of the small- to midsize collapses mentioned, possibly one triggering the other till past the critical point where the chain reaction feedback loop switches from negative to positive.

By which time it will be too late, much too late, to hyperventilatingly engage in counteractions. Both against the root cause problems in IT, as in the edjucayzional category within those. Because, au fond, so many of IT’s ails were and are, increasingly, driven by lack of (continued) education. Causing problems in the user’s specs (at the highest levels) and subsequently, 2nd Law of thermodynamics, spawning all of the subsequent complexity developing into unmanageability, and error stacking that breeds like viruses.

Even more poignantly in InfoSec corners. You know, the outposts of IT — yes, yes, I know that the I is of so much greater import than the T but get real, instead of 20% InfoSec is 85-95% T still, these days ..! — where the real commandos and fancy-dancy ‘Delta teams’/SEALs operate.

Can we all please get our act together ..? If we don’t turn this supertanker around quickly, we don’t even need to bother about global warming because we’ll have no industrialised world to worry about…

Après nous le déluge …
[Photo DSC_0196: Mosquito hunt; Edinburgh]

Hard coating emaille

If you’re well-seasoned, you may have turned a bit sour by all the silver bullet news even when that was targeted at point problems/solutions. And, you may even be old enough to recall Why Johnny Can’t.
Seems there’s a new version of the latter, with a similar conclusion. Too bad for all of us.

Oh well…:
[Photo DSCN0414: Also ‘old’, also of a ‘no photo allowed inside’ site. Guess which]

C’est arrivé près de chez vous; LoRaWAN

Yet another major building block of the Future … in place. [And, not a ref to some City of Light atrocities]
Where are the Privacy and (OR) Security experts …? For certainly, though almost out of public view, the undercurrents develop fast, into a maelstrom — I’d like it even more in this form — of possibilities; to be abused before being controlled, as has always been the case throughout history.

Oh well, can’t stop Progress, certainly not of the Technology kind… But one can hope we (sic or huh?) the Concerned will be in sufficient numbers to be able to and to be allowed to insert the appropriate controls into the whole shazam.
Like, you know,
[Photo DSC_0752: Or is this a Tocqueville’ian opposite ..?]

Privvezy Protrection

An off-the-cuff — where’s gentlemen’s style, these days? — remark hit a nerve. When an interesting company had some very interesting speakers and me. On IAM, data leakage and … well, what was it, data protection XOR privacy …?

Because the little collateral remark was about Privacy being the ethical imperative, but, to be implementable straight away, needing translation to operational Data Protection.

Yes, where the core of legislation is about the latter, in an attempt to achieve the former… to the degree feasible, achievable, and wanted.
Demonstrating that all legalese, even of the EU kind, is just about whitewashing whatever you’d want to get away with.

A sore reminder that when one would want (hypothetically, for the sake of the argument that such would be theoretically possible) Privacy, one’s still on one’s own. Against all that is formally formed or not as Institutions, against the windmills that all want you to believe don’t exist or have power over you…

But hey, I’m a happy bunny so I’ll leave you with:
[Photo DSCN0770: When Penzance would be at Bergen On The Beach]

Define ‘Risk’…

This should be an easy one, by pointing at ISO 31000 and its definition, ‘the effect of uncertainty on objectives’. But that same easy def also raises more questions than it answers, e.g.,

  • How to define [ hence | and ] classify effects,
  • How to define [ hence | and ] classify uncertainty (a biggy …!),
  • How to define [ hence | and ] classify objectives,
  • How to establish measurement of effects,
  • How to establish measurement of uncertainty,
  • How to establish measurement of objectives

that all have an impact on, and are impacted by, the definition. Hopefully, I don’t have to elucidate ‘define hence classify’, ‘define and classify’ or ‘establish measurement’ regarding effects, uncertainties or objectives. I’ve been at the subject before (here and many posts since) so much that it hurts, me too. But still, many won’t listen and remain stuck in their proven (sic) mistaken belief that the World we’re dealing with, can be caught in models to ‘predict’ the future and/or at the same time remain stuck in, by now approaching hilarious, classifications like Basel II-IV’s… or the slowly but steadily outdating of the classical information security mantra of CIA — those three classes of objectives don’t cut it anymore.

For the more advanced reader (approx. 90% by now — hopefully), the question remains: How to define and classify uncertainty, effect(s!) and objectives ..? Standard classifications all had their stab at it, but failed for the fuzzy nature of those phenomena. Some leaned to the Uncertainty side, trying foremost to classify threats. Some, to the effects side with their vulnerabilities-first approach — via the Impacts classification. Some even had Objectives in mind when pondering the downside potentials of loss-of-upside potential, including scour-for-opportunities to any (0-100%) degree. And then, there’s the abovementioned surefire laugh over ‘Event’ driven analysis… yes, consistency, completeness and orthogonality remain essential.
But above all, none captured the time-fluctuation confluence of causes, effects, impacts, … [what have we] that all have such unanalysable structure. Due to their continuous nature; contrasted to the discrete nature often but cannot-be-more-false’ly assumed. [If you don’t get the fundamental difference between discrete and continuous phenomena, go study core math in depth, length and breadth. Which is helpful against so great many ills of mind…] And due to the enormously-over-three body problem of interactions [link is about grand business not the petty risk analysis kind but the link therein is valid for the above, too].
Modeling in order to understand may work, but only to understand the exaggeratedly dumbed-down model, the conclusions of which if normative are (in this case, there is such a thing as absolute) certain not to apply or work so why bother. Oh, maybe you may bother, to get a feel of your inadequacy. [Note: I don’t feign to be above that. But I don’t allow you to assume you are as that is both a theoretical and practical logical error.]

Yes, yes, I know; there very probably is no One Classification Fits All, then. But we may dream, and strive for it, don’t we ..? And at least be very, very clear about it — it being the approach we do take, and what it might potentially (with the probability being above zero but certainly being far off 100%) achieve. Aren’t GUTs, like the Standard Model or the hyperdimensional string theories, the dreams that stuff are made of, too ..?
As always, your suggestions, please. And:
[Photo DSC_0643: Just wait till Etna Says Boom. Or don’t.]

The Bureau of Chaos, by Theory

As a side note to, e.g. this here masterpiece…:
The tendency of bureaucracies to ever further detail their rulesets, that quickly become so burdensome [apart from other ills, ethically much graver], that is evident wherever (top-down) principles are translated in quasi- (not even semi-) mathematical ways, algorithmically almost, to the level of pervasive implementation, stems from the ultimate control approach to life clashing with the ultimate finest-grain detailed descriptions of the universe. Intentional, and definitely normative, description (in order to control! Man over Nature!) banging heads with extensional description.
Which will petrify, then fail because it creates its own Chaos structure, as described here. Where ‘repairs’ to the System are attempted over and over again since the initial values were not infinitely exactly known, and can never be. So, one builds rulesets that behave like fractals (zoomed into), in particular when studied to understand and maybe subsequently fight.

Still, the Why of latter-day Bureaucracies (for once, I tried to avoid the overly negative, accurate and pejorative ethical (and esthetical) qualifications I commonly give to these totalitarian, inhumane structures — the latter qualification because of the Will to un-humanize it all) remains in doubt, as the Man over Nature thing (setting rules, hence achieving predictability) is somewhat less valid than otherwise; a bleak reflection of what we feel is a better description of motive.
[Intermission: Be aware as you were, that the b rulesets might be the spelled-out kind but the unwritten rules-of-the-social-group kinds are also included.]
Ah, back to Maslow, maybe? Yes, yes, was dissed over the past couple of years; attempted to — and failed, probably due to unawareness of its deep values and not only superficial Meaning. Exceptions, the uncontrolled (by definition, and as the Outside is by definition, too), are threats to the achieved in that pyramid. ..? Though the higher up one is, the better one can handle ambiguity, uncertainty, the unexpected, black swans and Extremistan.

Just wanted to put it down for you. And at last a somewhat positive turn, I’ll leave you with:
[Photo DSC_0023: Royal waiting (room) for Godot (i.e., National Railways everywhere), Amsterdam — notice the almost perfect horizon .. little less perfect but hanging in there … whoops! of the horizontal orientation]

Maverisk / Étoiles du Nord