Tag: Risk Management

No surprises here; qua attribution

Is anyone surprised that apparently, “there’s traces of North-Korean involvement” in the WannaCry hiccup ..?
As yesterday’s post (below) already noted; no-one cares about WannaCry1.0 anymore hence ‘hiccup’. Has 2.0 come ’round already?
But how much repudiation by the North-Koreans would reach our general news …? So, how easy it is to blame the NKs for anything that goes wrong ..? Like,

Whereas, … Russia did claim it was also ‘hit’ by WC1.0 [oh the abbrev], but no damage ensued because they were able to stop it at the front door. Right. By lack of actual true snippets from 1600 Penn Ave, we now consider anything that comes out of Russia to be tru-er than what comes from DC, just like that ..? Because that would indeed leave ‘North Korea’ the only reasonably believable/unsurprising culprit.
On the other hand, the embedded tweet indicates Russia actually stole something. Until now, wasn’t it that the exploitable was leaked? Quite different … What is Russia’s involvement now, that those that have info of leakage only, don’t have intel on ..?

[Edited pre-press to add: there… ]

Oh, I’ll just leave it for you to ponder. And weep. And:

[Yes from that ridge, Gettysburg…]

Notnews

Remember it’s a two weeks flashback already
Monday morning’s watercooler discussion: Did you hear about this WannaCry attacks all around the world? The sky is falling! And what a hypecycle the ‘solutions’ vendors piled onto it immediately and oh hey look cat pics how cute oh now it’s Friday again how time flies CU on Monday for more cat pics.

So true it’s sobering; appropriately. And:
[Will never learn. NY]

Having a Coboll

Just when you thought that some problems had come and gone to be never heard from again, it turns out that it’s not that easy but big-time help is here.
Got tipped by a peer that flagged one particular company for help. No endorsement outright, no financial or other interest whatsoever [maybe I should, for the odds are with them], just plain ol’Hey Look That’s Interesting.

Because you didn’t get it; they help converting COBOL (and other mummyfied LoC) to New stuff.

On that note, I leave you with
[Images of volcanic activity keep blubbering out of your new systems infra, too; Zuid-As Ams]

GDPR is just a legal attempt at Y2k

Suddenly I realised, as one who profited handsomely (not in money but in perks’ way), that the whole GDPR compliance thingy is becoming quite similar, all too similar, to the hype that was called The Millennium Problem … too bad we now know how that ended, otherwise an illustrative movie could be made of the latter – now only (?) a documentary review is worthwhile, as history writing. Too bad it isn’t out in the open that despite all efforts then made, actually quite a lot of companies ended up having to hire temps to do all sorts of manual corrections in their administrations due to e.g., spreadsheets [the very things the toughest, most important business decisions hinged, and still hinge on!] going heywire over date fields.

To come back to the Issue … Are you not hit by that, almost sudden, avalanche of GDPR compliance warnings lately, like, the past couple of weeks ..? Is it not a warning that you need to do loads of things now, starting with hiring consultants (call to action; they’re Sales messages of course) this time not of the tech kind – engineers that see a problem, craft a solution and we’re done –, but of the legal kind – profiting only from prolongation of your insecurity.

And ah, there’s the snag! Multifaceted it is;

  • One: With some deadline suitably near to instill fear of lurking deadlines but suitably far to be able to still write you up with many, many ticks (per 6 or 3 minutes ..!?) at ridiculous rates, will be written;
  • Two: Unlike the patching that was the core solution (after Inventory – you did keep that in appropriate order in your wide-scope CMDB ever after 31/12/00, right ..? Even with some global outpost in the corner writing that down as 12/31/00. What stupid value loss if you didn’t! We’re only 17 years on! Did you really think legacy problems would have gone away by now …!?), we now see there is no solution but just getting compliant with all sorts of stupidly unprofitable, inefficient (and might we add, ineffective! yes if you are realistic, that’s what it is) good-for-nothing overhead;
  • Three: The good-for-nothing part — maybe not fully nothing, but oh so limitedly good for anything that you should’ve done already long ago not only for any ‘privacy’ compliance but for effective and efficient IT, -security included.

Following on this Lotus list, indeed there’s a lot of work to be done to become compliant … on the Legal side. On the IT side maybe also, but what needs to be done there, is (re)implementation of sound practices that should have been common daily practice anyway, and when implemented as such, ready; done.

The legal side on the other hand, sees all sorts of enduring challenges, like many cultural changes; no leaning back and await questions for advice to be answered out of hand with “It depends…” / “Come with a proposed solution and I’ll tell you whether it may or may not be permissible”, but for once being actively engaged and delivering definitive answers, and designing, implementing, and carrying out your (Legal) selves reams of procedural stuff. Acting on assessments, acting in communications, acting in control(s), etc.

You get it — the GDPR brings many problems for many organisations, the biggest of the problems being how to manage back the (Legal) consultancy fees… Remember, when data leakage isn’t preventable (as some dunces might still believe, many on the Legal side of GDPR compliance among them – hey they even think pseudonymisation amounts to anything), bad things are bound to happen. When (not if) not already via the avalanche of information requests

I rest my case now, for you to have time to process the above, get it, and leave you with:

Your GDPR compliance looks much, much worse (this is actually quite good!); Toronto]

GoTo Statement Considered Political

Bear with me; this is a mindstretcher.

Desperately few (still alive) have ever really fully read The Original (no, not that one).
And now I realise It (not it) was, and is, very valid today, as the opposite – at a meta(?)physical, quasi(?)(in)formal-logic level of abstraction – of what latter-day politicking looks like, in so many places around the world. Dangerous, that is, the latter.

Where the danger of GoTo is in its contextless jumping, ripping away the checks and balances that govern it, keep the oversight. In BASIC and others (JMP anyone?), at least there’s a form of kernel ‘hyperviser’/BIOS sort-a function, as underpinning foundation or supervisor to fall back to in last resort. [Yeah, I know one could program to wreck that but that’s not the point, and often disallowed by technical cast-in-concrete barriers.]
Where the danger of presidentiality-, morality- and common decency-less lies and alternative fact mumbo jumbo, is in its destruction of the checks and balances that govern that, keep the oversight. In reality, there’s no over/underpinning control mechanisms. They get destroyed.

’nuff said. And:
[Looks so real it’s ridiculous! But Fake!; Barça]

Decision time for informational priv

When discussing Privacy, a lot of attention goes to informational privacy, easily tautologised with person-possibly-indentifying data.
If that reads mixed-up, it’s because it is.
But that’s for another session series. Of series.

What today’s post title is about, is the distinction between the two sides of the house; informational privacy (which is about information about you, or which you generate) versus decisional privacy (commonly defined in terms of your right to freely decide over your body’s integrity). As you read that, clearly the latter needs an update; a heck of a long KBxyzuvw article attached.
Because both the

  • Outright choice limitation through covert or overt profiling and covert or overt automated decision making, sometimes limiting your choice to none when you get rejected (from the ability to even decide) for something, or get no service proposition at all, a.k.a. the Hobson’s choice of socmed,
  • Covert choice limitation through filter bubbles – which would more accurately be called filter fish-trap,

can result from a lack of informational privacy. But both aren’t well covered in the definition of decisional priv whereas that infamous thing with The Freedom of the Pursuit of Happiness or whatsitcalled I don’t care you get it, Freedom, should be guaranteed.
So tightly coupled with all sorts of metaphysics, ontology, and topology of Privacy. Like, the feeling and understanding y’all have when you hear that word. It’s not only ‘bugger off nothing of your interest here’ privacy but also ‘get off my back‘ privacy; no weighing down.

Oh well. This being among my interests but not really my training, so I’ll go read up the latest qua this all. Pointers appreciated. And:
[For no reason whatsoever, totally unconnected; Riga Jugendstil]

Note to self: GDPR scrum with or without the r

Just to remind myself, and you for your contributions, that it’s seriously time to write up a post on Agile development methods [OK, okay, I mean Scrum, as the majority side of the house]; how one is supposed to integrate GDPR requirements into that.
Like, we’re approaching the stage where the Waterfall model      of security implementation, will be Done for most organisations. Not Well Done, rather Rare or Pittsburg Rare, at your firm [not Firm …]. But then, we’ll have to make the wholesale change to Maintenance, short-term and long-term. And meanwhile, waterfall has been ditched for a long time already in core development work, hence we have a backlog (huh; the real kind) qua security integration (sic; the bolt-on kind doesn’t work anyway) into all these Agile Development methods of which word has it everyone and their m/br-other seems to make use these latter days.

But then, the world has managed to slip security into that. Which is praiseworthy, and needs more Spread The Word.

And then, there’s the GDPR. May we suggest to include it in ‘security’ as requirements flow into the agile development processes ..?
As said, I’ll expand on this l8r.
If only later, since we need to find a way to keep the DPOs out of this; the vast majority (sic) of them, with all due [which hence may be severely limited] respect, will not understand to a profound level they’ll try to derail your development even without the most basic capability to self-assess they do it, in ways that are excruciatingly hard to pinpoint, lay your finger on.

But as written, that’s for another time. In the meantime, I’d love to see your contributions (if/when serious) overflowing my mailbox… Plus:
[Lawyers lurking next door…; Zuid-As Ams]

Emergent logic

Some time ago I posted something(s) on how the audit community could become relevant again, veering away from compliance(-only or -not even a bit by the disclaimers that destroy a rainforest on every occasion) and moving into the world of ‘ethicality audits’ on autonomous decision( system)s.
Now with the insight that until now, the humans in the loop, the big loop with many steps of analysis to be taken, were as a matter of fact complicit in drafting and applying patterns and pattern matching techniques.
Which is no news, but when we see now the automated-logic type of decision making that is no more than a black box, the question is: How can we analyse what happens inside ..? Answer: Use the tools that Big Data analysts use; extend them to cover specific cases / transactions and see how the argumentation flow was.    ..?

Still, there may be progress in this way. E.g., by the ‘decision’ or behaviour of the system, being emergent. So that we don’t focus on the bits (almost literally) of the case at hand but on the meaning of those bits. Because that’s the level that ‘conscious’ reasoning works on, seeking the nous from the lower and material levels, working on the ‘machine’ at the higher level, and then translating it back to the material outcome.
Which is similar to the analysis that is Process Analysis, if done properly.

I’ll expand, later. And:
[Aranjuez to impress; same]

Glee because of support

All the mavericks of the world rejoice (and Maverisk among them, of course, already); finally there’s new [howzat for a typifying contradictio..?] evidence-of-sorts that the below that had popped into my mind a couple of days ago, is still, more, valid than ever. Being, related but in an angled/vector-transposed way, not about rebels but about other mischievings in general business management culture(s).

[Should I note that the ‘evidence’ already is worth much study and implementation? Yes I should.]
[Edited to add: Be ware of the other side, too; too many mediocre men just drift upwards by lack of weight: here.]
[Yup that’s a re-post from yesteryears, like, 12 March 2015 …]

Two points to make:
* Middle management will be.
* Secretaries should be.

The discussion regarding middle managers being superfluous or not had a slight uptick the past couple of months. With the latter voice having been a bit too quiet. Yes, middle management is under threat. It has always been; only the (history-)ignorant will have missed that. And Yes, all the Disruption things and similar empty barrel half-baked air by a lot of folks who have hands-on experience in the slim to none bin with (real) management altogether let alone this kind, have predicted over and over again that the disruption by Server-with-algorithm-app-that-schedules-day-laborers will make middle management redundant, as the believed task was only that.

Quod non. And as if just an algorithm will capture the full complexity (and incoherence, inconsistency, internally and externally contradictory ..!) of the requirements and work of the middle manager.

OK, we’re not discussing the drone administrative clerk that has Manager on his card (huh?) and sits in an office passing top-down orders and bottom-up reports back and forth. We’re talking the real, 24/7 problem firefighter here. The coordinator of chaos. The translator of lofty (other would say, ‘airhead’) ‘governance’ (quod non) mumbo jumbo into actual work structure and tasks, and translatereporting back. That survives and in doing so, shows great performance. The other ones, will be weeded out anyway, every time there’s an economic cycle downturn. [If the right ones would be kept, and the wrong ones ‘given growth opportunities elsewhere’. Seldomly the case; offing is by the fte numbers, and the wrong ones have being glued to their seats as their core competence, through sucking up or otherwise.]
So, the middle manager stays for a long time to come as (s)he does the kind of non-predictable work that will remain longest. If start-ups don’t have them, see them grow: They will.

Secretaries deserve a come-back. In similar vein as above, the vast majority of managers office clerks (from the shop floor (even if of knowledge workers…) all the way to near the top) these days have to do their own typing, scheduling, and setting up socializing things. Whereas before, economies of scale were many, and there were additional benefits because the good (sic, again) secretaries would e.g., know the best, unrenown restaurants all around and could get you a table even when they would be fully booked, and they would manage (massage away) some internal friction as well, often very discreetly and efficiently. Now, vastly more expensive (by hourly rate, productivity (think switching costs in the managers minds …, and utilisation), cost of ineffectiveness (sic again) and opportunity costs re their actual objectives (if these would be achieved; good/bad manager discussion again)) managers must manage their way around. An impoverished world it is indeed.

To bring back some joy:
DSCN8592[Some colour, but it’s down there… Zuid-As]

Maverisk / Étoiles du Nord