First, two definitions: " Certification " is the process of checking something against defined criteria, and if it passes (meets the criteria), issuing a certificate of compliance or conformity or assurance or whatever. Certification gives some assurance that the certified organisation or individual meets the criteria ... provided the certification body or person is competent and trustworthy, the checks were done properly, and the certificate itself is authentic. Hmmm, quite a few caveats there ... " Accreditation " is the process of confirming that whoever is checking and issuing certificates is properly qualified, competent and trusted to issue meaningful certificates by following prescribed processes. It adds credibility, meaning and value to the certification and issued certificates ... provided the accreditation body or person is competent and trustworthy, the checks were done properly, and the a

The last of a dozen learning points I made in a post-incident review of the Crowdstrike incident was: "Unless changes are actually made as a result of an incident, the uncertainties (risks) remain. We have missed out on a valid learning and improvement opportunity." Although I accept that nobody is obliged to learn from incidents, make changes or improve, the Crowdstrike incident was Big News when it occurred back in July, and here we are in October. So it's fair to ask what - if anything - are we doing differently now? [I'm using Crowdstrike here simply as a well-known example. Even if the Crowdstrike incident had no material impacts on your organisation, you have undoubtedly suffered various incidents, possibly something serious or critical. As you read on, by all means substitute some other significant recent incident in place of "Crowdstrike" if that helps you relate to this piece.]  A cyberattack can be a devastating event for any organization. It'

  Risk and security professionals typically believe that a company's risk tolerance or risk appetite determines whether risks are or are not acceptable. However, they seldom define the terms which are used loosely and interchangeably in practice. So what are they? If you accept ( as I previously asserted in this place ) that risk is uncertainty, risk tolerance implies a willingness to tolerate or put up with a certain amount of uncertainty, while risk appetite suggests a desire for a certain amount of uncertainty.  OK so far, but what is ' a certain amount of uncertainty '? That seems paradoxical.

Lately I've been pondering the thought that 'risk' is 'uncertainty' - it's not simply that risky decisions and activities involve some element of doubt, that they might work out extremely well or go horribly wrong, but that the lack of certainty is itself a critical factor. As well as the rational mathematical basis in probability theory and statistics , there is also an emotional aspect to uncertainty. It affects the way we perceive, prepare for and address issues. It affects our planning and capability. It can be debilitating, resulting in indecision and delay even though that may make things even worse: sometimes, it is better to make a decision now (despite the uncertainties) and press ahead in the belief that we will cope with whatever eventuates. Conversely, it may be better to delay a decision and hold back while gathering more information, building resources, preparing and aligning those involved, and considering various eventualities. Uncertainty ha

Someone who is actively involved in, or is managing, an activity is patently not independent of it. They may well make a conscious, rational and determined effort to be objective, dispassionately reviewing evidence etc ., but their subconscious/emotional biases/prejudices and beliefs/value-systems will inevitably influence what they do. With the best will in the world, they will struggle to challenge and assess their past decisions and activities, especially if they were "certain" or "determined" or genuinely believed they were "doing the right thing". Furthermore, it is very hard for anyone to review the things they did not do, decisions they did not make or options they did not even consider. Mostly, they remain out of sight or out of the question.

Title: Cognitive Hack - The New Battleground in Cybersecurity... The Human Mind Author: James Bone Part of the Internal Audit  and IT Audit series edited by Dan Swanson Publisher: CRC Press/Auerbach (2017) ISBN: 978-1-4987-4981-7 Price: US $100 ( hardback ) US $53 ( paperback ) GH rating: 50% Summary The author's core thesis is that we are expecting IT users and managers to make rational, risk-averse decisions and take appropriate actions in response to complex threats. The 'cognitive load' is such that people are bound to make mistakes. Therefore we  should be simplifying things ( e.g. by automating cybersecurity controls), thereby reducing the number of choices and hence taxing decisions we're asking people to make.

According to a vendor's promotional video interview I saw recently, the 'cybersecurity compliance burden' has allegedly become so significant that [customer] organisations are eagerly buying [their] software tools and services to help them manage and fulfil their obligations. The vendor's argument goes that, instead of accumulating a ragtag bunch of policies and other controls relating to user Identification and Authentication (I&A), for instance, it makes sense to:  Identify all the cybersecurity-related laws, regulations and standards that apply to the organisation; Examine them for any security control requirements relating to, say, I&A; Rationalise the I&A controls down to the smallest set that satisfies all the requirements - the lowest common denominator; Design, implement, use, manage and maintain those I&A controls; Have the I&A controls checked or audited to gain assurance that the compliance requirements are met.  OK so far? Sounds reasonab