3+ bodies found in business

… just about everywhere. Of course I refer to the n-body problem set with n > 3 as here.
Because it is so dismally known, and applied. Most starkly (#loveofwords) in ‘business’ ‘strategy’, where the lack of wisdom is clearly demonstrated in the lack of inclusion of all (sic) potential (sic; including chance function estimations) competitors’ moves. Name any market where the latter doesn’t apply, and report it to (anti-?)cartel authorities.

I.e., the Problem applied to strategy means: Strategising is futile, all your course belong to us. On a side note:
[Alignment; Vienna]

Summarily: yolosec

Yes that’s the summary title at once describing the sum total result of all your humongous efforts to ‘secure’ … whatever scope, in infosecland. HT to @thegrugq
To which we may add the find of yeauleau for francophones. Of course.

That’s it for today. With:
[Fashionable Without A Cause, too; (i.e.) Milan. Look to the left (shop) and shiver…]

Signalling healthy process

Yet some more cross-over ideas from the IoT world into the administrative bureaucratic office world: Streams of transactions as signals.
Of the health of the process, of course. To be defined, obviously, as the fit to the surroundings. The fit may be off, either intentionally (wanting to let the world adapt to the process, enforcing (?) change) or unintentionally left blank, i.e., having to cope with exceptions to what was envisaged as transactions’ content or form.

Now apply yesterday’s first picture of process control.
Now, too, consider what one could do with sampling theory (as a subset of ‘Shannon’, if properly elaborated, possibly skirting with ‘classical’ statistics ..?). Taking 2log(n) samples (where n is the number of transactions ..?? Just a wild guess) and being able to reconstruct the ‘signal’ then taking its integral (discrete transactions … just summing it up ..?) for the total. Or Fourier-transforming it all and … get your basic theory straight before dreaming of moving on so don’t start at the other end as ‘accountant’…! And/or treating exceptions (as e.g., found by the sort of analysis that these girls/guys are so good at; that not even being meant as a cynical qualifier) as noise to the signal. Never fully suppressible, but useful to pick up secondary signals, stacked in their variation of frequencies, amplitudes and wavelet transformations. That all tell you something, if you listen. Whether you want perfect, over-HiFi replay [intermission: Ugh I’m getting old, even knowing that HiFi was a thing…], or lively veracity, actual fullness of music. And take in again the ole’ industrial process control with its recipe / derivative function(s), et al., and be able to better control it all from the ‘dashboard’ in the control room. When all of the routine stuff, the routine 80%, of business is done by … ‘robots’. Humanoid or digital-machines, IDC.
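The sketch above (sum the discrete stream for the total, Fourier-transform it to find the process’s own rhythm, reconstruct the periodic ‘signal’, and treat what is left over as the noise in which the exceptions hide) in working form. This is an added example, not code from the original post: the daily transaction counts, the weekly rhythm and the two injected exception days are constructed sample data, and the relative-residual threshold of 50% is an assumption of the example, not something the post specifies.

```python
import cmath
import math

# Constructed sample input (not from the post): daily transaction counts for 8 weeks.
# A Mon..Sun rhythm with quiet weekends, plus two injected exception days:
# a spike on a Thursday (day 17) and a near-outage on a Saturday (day 40).
WEEK_PATTERN = [120, 130, 125, 128, 118, 30, 20]
EXCEPTIONS = {17: 260, 40: 0}


def build_stream(weeks=8, pattern=WEEK_PATTERN, exceptions=EXCEPTIONS):
    """Repeat the weekly pattern and overwrite the constructed exception days."""
    stream = [pattern[t % len(pattern)] for t in range(weeks * len(pattern))]
    for day, value in exceptions.items():
        stream[day] = value
    return stream


STREAM = build_stream()


def total(stream):
    """The 'integral' of a discrete transaction stream is just its sum."""
    return sum(stream)


def dft(x):
    """Plain O(n^2) discrete Fourier transform; n is small here, so no FFT is needed."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def idft(coeffs):
    """Inverse transform back to a real-valued time series."""
    n = len(coeffs)
    return [sum(c * cmath.exp(2j * math.pi * k * t / n)
                for k, c in enumerate(coeffs)).real / n
            for t in range(n)]


def dominant_period(stream):
    """Period (in samples) of the strongest non-DC component: the process's own rhythm.

    Only bins 1..n//2 are considered (positive frequencies, mean excluded).
    """
    coeffs = dft(stream)
    n = len(coeffs)
    k = max(range(1, n // 2 + 1), key=lambda i: abs(coeffs[i]))
    return n / k


def periodic_reconstruction(stream, period):
    """Keep only the DC term and the harmonics of `period`; drop everything else as noise.

    Assumes the stream length is a whole number of periods, as in the sample above.
    """
    coeffs = dft(stream)
    n = len(coeffs)
    fundamental = round(n / period)  # bin index of the fundamental frequency
    kept = [c if k % fundamental == 0 else 0 for k, c in enumerate(coeffs)]
    return idft(kept)


def flag_exceptions(stream, period, rel_threshold=0.5):
    """Days whose deviation from the reconstructed rhythm exceeds `rel_threshold`
    of the expected level for that day (threshold is an assumption of this example)."""
    expected = periodic_reconstruction(stream, period)
    flagged = []
    for t, (actual, exp) in enumerate(zip(stream, expected)):
        level = max(abs(exp), 1.0)  # guard against a near-zero expected level
        if abs(actual - exp) / level > rel_threshold:
            flagged.append(t)
    return flagged


if __name__ == "__main__":
    period = dominant_period(STREAM)
    print("total transactions:", total(STREAM))
    print("dominant period (days):", period)
    print("exception days:", flag_exceptions(STREAM, period))
```

Keeping only the harmonics of the detected period is the same thing as averaging each weekday over the eight weeks, which is why the residual on an ordinary Thursday is small and the residual on the spiked one is not; the relative threshold is what lets the quiet-Saturday outage stand out even though its absolute deviation is modest.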

And hey, while we’re at it, why not throw in attempts to include in bookkeeping not only discrete numbers (arbitrarily rounded to hundreds, of random currencies) but Real numbers or even Complex numbers as well ..? The latter, e.g., to indicate VAT surcharges, etc.; leading to tuples-as-single-‘numbers’ in bookkeeping. Maybe somewhat harder to track that all is booked correctly, but also maybe powerful in capturing singular transactions and some processing rules/logic, and controls, in one tuple (‘record’).

Where AI may then be applied to do sanity checks. Not on this author; no AGI or ASI would suffice…

OK, for now:
[“What a shoe box” but yes that *is* the Bata shoe museum, Toronto]

Here, First

Integrity at any level is the Yggdrasil of any CIA or other quality of the layers on top of it.

I.e., if at the platforms level the integrity of software (à la Turing, engine/programs and data) cannot be fully 100,000…% guaranteed, no extreme of measures on top of it can restore the missing percentage, only (somewhat) limit further deterioration of the stack on top.

Okay, this being a bit abstract, a somewhat simpler and more extensive explanation will follow.
Till then:
[No base, no glory; Sevilla]

IR-L or 0 (BC)

The spectre of BCM has been haunting ‘business’ departments of about any organization for too long. It needs to go away – as spectre, and take its rightful place in ‘Risk’ ‘Management’. The latter, in quotes, since this, this, this, this, and this and this.
Much link, very tire. Hence,
[Opera! Opera! Cala at Vale]

Which actually brings me to the core message: ‘Governance’ [for the quotes, see the last of the above link series again] fails for a fact (past, current, future) if it doesn’t include risk management, and when that doesn’t take this into account:
Turf wars
[Here, highlighted for InfoSec as that’s in my trade portfolio…]

First, a reference to that RM-in-Gov’ce mumbo jumbo: Here. (In Dutch, by way of crypto-defeating measure vis-à-vis TLAs… (?)) Listing among others (diversity, sustainable enterprise, external auditor role) the need to do more about risk management at ‘governance’ levels. Which might of course be true, and how long overdue after COSO has been issued and has been revised over and over again already.

But then, implementation … No strategic plan survives first contact with the enemy (ref here). And then, on turf are the wars that be, in all organisations. Among the great multitude of front lines, the one between Information Risk (management) the Light brigade [of which the Charge wasn’t stupid! It almost succeeded but because the commander wasn’t a toff so supporting a brilliant move by such an upstart wasn’t fashionable, he was blamed – an important life lesson…], being overall generic CIA with letting A slip too easily on the one hand, and the all too often almost Zero Business Continuity (management) on the other, outs the lack of neutral overlordship over these viceroys by wise (sic) understanding of risk management at the highest organizational levels. As in the picture: It’s all RM in one way or another. And (though the pic has an InfoSec focus) it’s not only about ICT, it’s about People as well. As we have duly dissed the ‘Process’ thingy as unworthy hot air in a great many previous posts.

Where’s this going …? I don’t know. Just wanted to say that the IR-to-BC border is shifting, as IR becomes such an overwhelming issue that even the drinks at Davos were spoilt over concerns re this (as clearly, here). But still, BC isn’t taken as the integral part of Be Prepared that any business leader, entrepreneur or ‘executive’ (almost as dismal as ‘manager’) should have in daily (…) training schedules. Apart from the Boy Cried Wolf and overly shrill voices now heard, the groundswell is (to be taken! also) serious: IR will drive much of BC, it’s just that, again, sigh, the B will be too brainless to understand the C concerns. Leaving BC separate and unimplemented (fully XOR not!) next to great ICT Continuity.
Or will they, for once, cooperate and cover the vast no-man’s land ..? Hope to hear your success stories.

Postdictions 2014-IV and Final

A progress report on the Predictions 2014 I made in several posts here, at the end of the year. So, going for final verdicts. And quite a score and end result…
I gathered some evidence, but probably you have much more of that re the items below. Do please raise your hand / comment with links; I’ll attribute my sources ;-]

First, of course, a picture:
[Yes this one one more time, as the future’s the flip side of the past …]

So, there they are, with the items collected from several posts and already updated several times before hence I’ll just highlight a few things:

Trust ✓ And double-check. Maybe the issue slowed in attention over the course of the year, but… intermediate and final kickers make this one a true ✓
Identity Hmmm, recurrent issues with strength of pwd methodologies, but for the rest… oh there’s XYZcoin with its trust-through-maximum-distribution-and-maximum-anonymity …! ✓
Things Oh absolutely ✓ Or you’re surfing blind. Is that an expression, yet ..?
Social Ello, Viv, etc., and for the rest, it has all been Business As Usual. Which makes it a ✓
Mobile Has truly gone to the Expired phase when all-platform(-agnostic) design has come and gone as a hype and has turned into a basic requirement. ✓
Analytics After the evangelists, now into the BAU lands. ✓
Cloud Mehhh! ✓ It’s Docker that will be next year’s Thing. Note that.
Demise of ERP, the Have almost heard nothing let alone ‘exiting’ about this. So ✓
InfoSec on the steep rise Even if we haven’t seen enough on this!

On APTs: Almost the only interesting thing around, still. ✓
On certification vulnerabilities: In hiding. Still there. Ssssht, will hit. Suddenly. ✓ without you knowing it.
On crypto-failures, in the implementations: Quite some news in the underwires… you may not have noticed, but the in-crowd has. Definite ✓
On quantum computing: – still not too much – which is something of a surprise. No ✓ here. Despite this late entry.
On methodological renewal; as it was: Some progress here and there, close to a ✓
Deflation of TLD As per ERP above. ✓ as the logical and methodological failures have prevented anyone to attach oneself to it for risk of looking dumb. Except for the ones still clinging to it, where the risk has materialized…
Subtotal Well, let’s call it an off the cuff 95%+, being an A+ indeed.

The faint of heart wouldn’t necessarily want to speak the bold characters out loud. And my new predictions are out there already; see the December 9th post.
Which leaves me to a link that you may want to get for me, for ‘winning’ my own predictions contest. Thank you!

Players, sides, too many – where’s the (over)view?

Apart from the #ditchcyber aspects, in the (sometimes somewhat sportsy, even) battle about control, or is it temporary one-upmanship, over the world’s communications, so many parties play a role, in such varying sizes, and operating for so many sides, sometimes multiple sides at the same time, sometimes without even knowing that, with the interactions playing at various topics and levels of abstraction and with varying scopes, time horizons, strategies and plans (quality), I could really do with some clarity. Some mapping, interactive or not.
Which all was triggered by this post on yet another singleton developer taking on, inactively!, some well-funded TLA.

Will have to dive into the detail of it all, but know that I’ll end up losing the helicopter view. How many similar developments are out there, known or not? What stages of development, of deployment, of maturity, of starting to crack and leak are they all ..? It’s a hard life, this keeping up thing.

Hence, you deserve:
[As if moulded by a genetic algorithm, Porto]

At least, you can have your PIA

Privacy Impact Assessments are treated much too much as an assumption in (new European regulations’) privacy-anything these days. Yes, PIAs are a critical step, on the very critical path towards compliance in substance. Since when they aren’t done well, if done at all with any true attention and intention, your compliance effort will fail, if not formally then in practice – with equally serious break-your-business high-probability risks.

First, this:
[Heaps upon Sea again indeed]

The point being; PIAs should be done with an actual interest in privacy (of stakeholders) protection. When done less than full-heartedly, the results have hardly any value. Because that would demonstrate one doesn’t understand the ethic imperatives of privacy protection in the first place. From which would follow all required (other) policies and measures would be half-hearted, ill-focused, and sloppily implemented ‘as well’. Which isn’t the stretch of reasoning you picked up on first reading this…

And then, a great many organisations don’t even start with PIAs, they just jump in at all angles and steps. With PIAs still being required, not full-heartedly carried out somewhere during or after the fact, where all the rest is implemented on assumptions that will not be met.

To which I would add: In the above, ‘you’ regards the ones in control (“governance”, to use that insult) at organisations that would have to be compliant. Not you the advisors/consultants, internally (in 2nd and 3rd LoDs) or externally, that push organisations. [Don’t! Just tell, record, and after the disaster ‘told you so’ them. There’s no use at all kicking this dead horse.]
But oh well, why am I writing this? Why am I hinting at ethics in your governance? That’s an oxymoron at your organization – do you claim to have the one or the other?

Feel free to contact if you’d like to remedy at least this part of your Privacy non-compliance…

Postdictions 2014-III

A progress report on the Predictions 2014 I made in several posts here, at the end of Q3.
I gathered some evidence, but probably you have much more of that re the items below. Do please raise your hand / comment with links; I’ll attribute my sources ;-]

First, of course, a picture:

[Iron fist, not often seen (by tourists anyway), Pistoia]
So, there they are, with the items collected from several posts and already updated once and twice before in this:

Trust Well, there’s this, and this on the financial penalties of trusting your assurance provider…
Identity See previous re the value of certificates. Otherwise, not much news this quarter.
Things The hackability of all sorts of home appliances has already become some sort of Mehhh… And apparently, there’s a spin-off in the IoBT …?
And there’s progress in the auxiliary channels/architectures… as here and here.
Social Not much. Some Ello bits, though. And more in the AI arena, as this shows.
Mobile Has gone to the Expired phase.
Analytics Wow, this one’s moving into the Trough of Disillusionment quickly! Now get it to jump out at the other hand, as quickly.
Cloud Mehhh, indeed. May be in the Trough of Disillusionment, or has gone into been there, done the grit work, no-one’s interested anymore.
Demise of ERP, the Turns out it’s very hard to fill vacancies in this arena, isn’t it? Due to the boredom to death surrounding them.
InfoSec on the steep rise Even if we haven’t seen enough on this!

On APTs: Only the most interesting hack attacks get into the news these days. Turns out they’re all this kind.
On certification vulnerabilities: In hiding. Still there. Ssssht, will hit. Suddenly.
On crypto-failures, in the implementations: Not much; passé.
On quantum computing: – still not too much –
On methodological renewal; as it was: Some progress here and there, but no ✓ yet.
Deflation of TLD See second link of Trust; Fourth line didn’t work, even.
Subtotal Already, with the previous follow-ups, clearly over 80% as we speak, when discounting for some fall-back here and there.

The faint of heart wouldn’t necessarily want to speak the bold characters out loud.
See you at the end of the year ..!

Be quick at Making or be like dead

When I noted an article (is it?) on Baidu Eye (all of you will certainly know by now what I mean…!?), it finally dawned on me: ‘we’ in the West (let’s say for purposes here, the 300M of Europe plus the 300M of North America) just don’t do enough rapid prototyping yet.
Because that’s the trade we have left to e.g., the Chinese when ‘we’ shipped our (rapid) product(ion) development to them.

Now, the sweatshop structure that sprang up to the side of that, is one huge landscape of rapid prototyping facilities. Which, if not ‘stealing’ (don’t start the legalese that’s way too dependent on cultural notions) product ideas before launch, or just slapping a different brand tag after (over)production, allows copycatting of products (commonly, of less quality or functionality) or of sparks of innovation (not taking a product as ideal model but as inspiration).

This somewhat fits the model of the Maker movement that springs up in the West. Is still springing up a bit, here and there. Was mentioned here and there, sparsely, and may have whittled into almost-oblivion already again ..?
Whatever; the Maker movement has a different focus, not on extremely-rapid prototyping to mass produce, but to keep it as close to one-offs as is feasible. Quite an opposite horizon!
And also leaving a vast playing field open for … others.

How can we change business / production culture to get, beside a Traditional and a Maker movement, a Happy Go Lucky Production movement where improvement-on-the-production-fly-cycles are much more rapidly learned from? (Much faster even than e.g., Samsung’s (and others’ like Apple!) fast-introduction-perfect-in-next-versions approach. But also taking this into account, for this reason!) No, just shouting around about tearing down bureaucratic rules won’t work; those rules are there to regulate the current rogues (big business, oligopolising everywhere) – I mean a real cultural shift. Is that what’s happening (or should happen) in some backwater country now that the 0.001% with help from the 1% has killed the previous mainstay power the Middle 80% ..?

Seriously, how can we rig, ground, lay the foundations, for such a Third Way ..? To get, e.g., this sort of initiatives far more widespread.

[Huh, since I wrote the above (couple of weeks ago), this came to light…]
[And this, the caveat you wanted …]

You (somewhere in the #=0 to #=3 range) have been such kind readers to even visit… hence I’ll leave you with:
[Freedom to consume; the mediocre! – Good, more authentic stuff, close by but elsewhere]

Maverisk / Étoiles du Nord