Recently I enjoyed a lecture by a bank's economist to local business leaders concerning the NZ economy. Observing the blizzard of graphs, I was struck by his short timeline , stretching to about a couple of years ahead. Now I'm sure the economist is earning his crust at the bank. Of course they need to keep on top of day-to-day and month-to-month fluctuations in the economic parameters, playing the markets. Equally, I'm sure the bank has other experts with a longer-term outlook, diligently modelling the implications of national and global issues including political, social, environmental and technological, for many years or decades ahead - for at least as long as the bank's mortgages and business loan periods anyway. Nevertheless, that prompted me to think about planning horizons in information risk and security management, within the broader context of budgeting and investment management in any commercial organisation - a pertinent topic as we plummet towards the new c

Objectives are king. If strategy is the organisational or personal journey ahead, we must truly understand our objectives to move ahead confidently in the right direction, systematically measuring progress towards those objectives.  If the objectives are uncertain, well, any path will do, and our measures are largely pointless: we may know how far we've come and how much fuel we've consumed so far but we're not sure how much further we need to go, nor in what direction and at what speed. That's sub-optimal. So far so good. But what if the objectives are hidden, in conflict, or not what they seem? There are clearly potential problems with objective-led approaches - a little seething cluster of problems in fact.  So, then, it seems objectives have objectives. 

We should congratulate and support colleagues around the world who have conceived, organised and promoted creative events for October's cybersecurity awareness month. Seriously, well done all of you. Thank you for your energy and efforts. Thank you for caring. Thank you for doing your bits. Thank you for taking time out of whatever else you were doing, perhaps even allocating some of your budget towards this. I am being 100% genuine here: this is not a sarcastic piece. I am truly grateful.

The Institute of Directors has just released their Code of Conduct for Directors , promoting six principles: Leading by example. Integrity. Transparency. Accountability. Fairness. Responsible business. So far, so good ... although somehow I feel there's something missing. But what?

In a previous philosophical phriday post , I moaned about vendors of security compliance support/management tools and services over-promising and under-delivering - an admittedly biased, even cynical opinion piece about the compliance imperative . A recent article in Corporate Compliance Insights notes that "CISOs are not just defenders against cyber threats but also champions of compliance and operational resilience". Hmmm, are CISOs 'compliance champs', really? Today, I'm discussing alternatives to being compliance-driven. How else can organisations drive their information risk, security and related concerns in a positive direction?

  Today I asked Google's Gemini to rewrite yesterday's blog piece " in the style of a naive student of IT" : "Hey guys, so I was thinking about this weird thing that happens online. People get really mad about stuff, like really mad. They all start yelling at each other and saying the same things over and over again. It's like a big echo chamber, and it gets out of control. For example, there was this time people were freaking out about 5G towers. They thought it was going to hurt people, but scientists said it was totally safe. But the people who were mad kept saying it was bad, and they got other people to believe them too. It was crazy! When people get really mad like that, it's hard to talk to them. They don't want to listen to anything else, and they just keep shouting. It's like a big fight, and it can make things worse. So, what can we do about this? Well, one thing is to just wait for people to calm down. Sometimes, if we let them vent f

For kicks, I prompted Google's Gemini AI robot to rewrite yesterday's blog piece "in the style of a professor or university lecturer".  This is wot it rote me: A fundamental challenge in contemporary society is the phenomenon of outrage , wherein groups of individuals exhibit disproportionate emotional responses to perceived threats or injustices. This often manifests in the form of echo chambers on social media, where like-minded individuals amplify and reinforce each other's concerns. Such amplification can rapidly escalate emotions to unreasonable levels, hindering rational discourse and critical thinking. Consider, for example, the contentious issue of 5G cell tower placement near schools. Outraged individuals may perceive this as a grave threat to public health, accusing authorities, scientists, and industry leaders of callousness and disregard for their concerns. The perceived risk is often amplified through groupthink, leading to a sense of collective out