This blog is moving to a new home. Future blog po...
NoticeBored
1y ago
This blog is moving to a new home. Future blog postings will appear as if by magic at:   https://secawareblog.blogspot.com/   To continue receiving this stuff, please update your bookmarks and blog aggregators accordingly.   Rest assured: the bloggings will continue until morale improves.   We have migrated the content as far back as 2007 to the new URL just in case it remains of interest or entertainment value to anyone.  Paleontologists maybe. You can browse and search for keywords at the new URL just as here. It's the same, only better-er. If you've had enoug ..read more
Control is ...
NoticeBored
1y ago
    ... technical, physical, procedural, legal, social, mechanical, economic, political ... ... applied to processes, systems, machines, people, quality ... ... a volume knob that goes all the way to 11 ... automated, semi-automated or manual ... an illusion induced by acquiescence ... preventive, detective or corrective ... avoiding or preventing badness ... defining and applying rules ... what happens in the tower ... an availability challenge ... an engineering solution ... local, remote or hybrid ... hitting the sweet spot ... keeping within limits ... about mitigating risk ..read more
The business case for security strategy and architecture
NoticeBored
1y ago
The business benefits of developing an information security strategy and accompanying security architecture/design include:   Being proactive, taking the lead in this area - more puppeteer than puppet; Designing a framework or structure to support the organisation's unique situation and needs; Positioning and guiding the management of information risk and security within other aspects of the organisation's architecture/design e.g. its IT and information architecture (showing information flows, networked systems, databases, services etc.), complementing and supporting various other bus ..read more
Risk is ...
NoticeBored
1y ago
  ... when threat exploits vulnerability causing impact ... tough to measure, express and control ... the product of probability and impact ... the gap between theory and practice ... the root of pessimism and optimism ... the once-in-a-hundred-years event ... needing seatbelts and airbags ... a hair's breadth from disaster ... the possibility of exploitation ... mitigated but not eliminated ... a factor to be borne in mind ... inevitable in the Real World ... not going entirely to plan ... outcome =/= prediction ... rarely good, usually bad ... rarely bad, usually good ... necessary to ..read more
CISO workshop slides
NoticeBored
1y ago
A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to b ..read more
Fragility is ...
NoticeBored
1y ago
... the arch-enemy - not the polar opposite - of resilience ... a natural consequence of complexity and dependence ... when threat meets vulnerability exceeding control ... not knowing whether, how and when it will break ... being unable/unwilling/afraid to rely on it  ... untrustworthy, inadequate controls ... pushing too far, too fast, too hard ... exceeding the breaking strain ... passing the point of no return ... an engineering challenge ... inevitable at some point ... hanging on by a thread ... often revealed too late ... a propensity to failure ... being on a knife-edge ... goin ..read more
Webserver problem problem
NoticeBored
1y ago
This cold Winter's Monday morning, we woke to problems accessing our server and websites. The usual turnitoffandonagain approach let us down ... and this time so has downforeveryoneorjustme dotcom ..read more
Half-a-dozen learning points from a '27001 certification announcement
NoticeBored
1y ago
This morning I bumped into a marketing/promotional piece announcing PageProof’s certified "compliance" (conformity!) with "ISO 27001" (ISO/IEC 27001!). Naturally, they take the opportunity to mention that information security is an integral part of their products. The promo contrasts SOC2 against '27001 certification, explaining why they chose ‘27001 to gain some specific advantages such as GDPR compliance - and fair enough. In the US, compliance is A Big Thing. I get that. It occurs to me, though, that there are other, broader advantages to ‘27001 which the promo could also have mentioned, f ..read more
Resilience is ...
NoticeBored
1y ago
... depending on others and being there for them when they need us most  ... the rod bending alarmingly ... while landing a whopper ... an oak tree growing roots against the prevailing wind ... taking the punches, reeling but not out for the count ... demonstrating, time after time, personal integrity ... willingness to seize opportunities, taking chances ... coping with social distancing, masks and all that ... accumulating reserves for the bad times ahead ... the bloody-minded determination to press on ... disregarding trivia, focusing on what matters ... a society for whom this piece ..read more
Risk management trumps checklist security
NoticeBored
1y ago
While arguably better than nothing at all, an unstructured approach to the management of information security results in organisations adopting a jumble, a mixed bag of controls with no clear focus or priorities and – often – glaring holes in the arrangements. The lack of structure indicates the absence of genuine management understanding, commitment and support that is necessary to give information risk and security due attention - and sufficient resourcing - throughout the business.    It's hard to imagine anyone considering such a crude, messy approach adequate, even those who coy ..read more