Monday, 3 October 2022

Trust is ...


 ... a "relatively weak but commonplace information security control in which supposedly trustworthy people, systems, programs, functions, organisations etc. are expected, anticipated or to various extents required to behave predictably, appropriately, responsibly, ethically and in the trusting party’s best interests." [SecAware glossary]

... a "relationship between two entities and/or elements, consisting of a set of activities and a security policy in which element x trusts element y if and only if x has confidence that y will behave in a well-defined way (with respect to the activities) that does not violate the given security policy" [ISO/IEC 27036-1]

... placing your fortunes in someone else's hands

... built on a base of trustworthiness

... key to strong relationships

... ceding control to another

... a shared social construct

... climbing a slippery slope

... knowing it'll be alright

... losing independence

... a two-way street

... being dependent

... being vulnerable

... understanding

... custodianship

... fundamental

... a foundation

... dependable

... confidence

... being sure

... conviction

... assurance

... a ratchet

... verifiable

... certainty

... essential

... reliable

... no fear

... in care

... fragile

... safety

... belief

... faith

... hope

...

Sunday, 2 October 2022

Guiding the helmsman


Every so often, I find myself working with clients that "get it" - not just the individual people I'm collaborating with, nor even their functions/departments: I'm talking about entire organisations with a cadre of supportive and enthusiastic managers who understand and appreciate the genuine business value of sound information risk management.

It's a real pleasure for me, a welcome relief from the usual slog.

In contrast to those who don't get it, the nature of my involvement as a freelance consultant changes from constantly cajoling, persuading and hopefully convincing them to put in the effort, any effort ... to encouraging them. They provide bags of energy: I simply help them direct it along the most productive outlets, using my experience to lead them swiftly through the maze while avoiding diversions and dead ends.

Instead of having to thrash the poor oarsmen down below, it is as if I'm piloting the galleon, quietly guiding the helmsman at the tiller through the treacherous ocean.

It has got to the point, now, that I consciously avoid assignments that I just know are going to be hard work with little reward. 

Maybe you think I'm getting lazy in my old age. Maybe you find my attitude arrogant and offensive. And maybe you're right. I'm simply expressing an observation here, a personal opinion that stems from 30 years' experience in the field. 

Unless management - particularly senior management - truly understands and appreciates the business value of information risk and security, they are less inclined to embrace it enthusiastically. Other than perhaps approving the infosec budget (or more likely some fraction of the requested amount), they prefer to deal with Other More Important Stuff - and that, in a nutshell, is the root of a serious problem. Sound information risk management doesn't just reduce the probability and/or impact of incidents: it also supports and enables the business to do more. It provides assurance, supports conformity and compliance, is demonstrably cost-effective, and frees up management time to push on with that Other More Important Stuff.

Monday, 26 September 2022

Authorisation is ...

 

... ideally formalised and explicitly documented, providing evidence

... the opportunity to check a proposed course of action

... deciding what should or should not be permitted

... deciding who should or should not be permitted

... one means of issue, incident or error detection

... often informal, implicit and undocumented

... a crossroads, where processes intersect 

... usually manual, sometimes automated

... the acquisition of privileges and rights

... an important process control point

... granting or withholding permission

... only effective if actually checked

... (mis)spelled with a zee 

... a management process

... a governance approach

... the removal of barriers

... the point of no return

... authority to proceed

... a mere formality

... a delaying tactic

... a business issue

... a policy matter

... the green light

... discretionary

... empowering

... sanctioning

... delegation

... go ahead

... approval

... red tape

...


Monday, 19 September 2022

Information is ...

... exploitable (legitimately or not, authorised or not, effectively or not ...)
... more complex and convoluted than we imagined
... full of paradoxes and conundrums (conundra?)
... required for rational debates and decisions
... sometimes out of place
... the common basis of science and the arts
... passed down through the generations
... possible to secure (to some extent)
... independent of the form and format
... a source of competitive advantage
... the product of research and study
... impossible to secure (absolutely)
... dangerous in the wrong hands
... something to be challenged
... powerful in the right hands
... something to be cherished
... something to be despised
... something to be disputed
... of uncertain provenance
... competitive advantage
... the presence of data
... a body of knowledge
... in the public interest
... worth taking care of
... intellectual property
... the absence of data
... of uncertain vintage
... easy to accumulate
... naturally degrading
... of uncertain quality
... of unknown validity
... a means to an end
... extraordinarily rich
... subject to entropy
... of uncertain origin
... of unknown origin
... derived from data
... distinct from data
... what fills the void
... a class of assets
... for the sake of it
... food for the soul
... for coordination
... mind-mappable
... the booby prize
... why we're here
... hard to protect
... an end in itself
... communicated
... acknowledged
... understanding
... self-referential
... entertainment
... consequential
... untrustworthy
... collaborations
... out of context
... dependencies
... unanticipated
... a prerequisite
... embarrassing
... trade secrets
... architectures
... a by-product
... relationships
... raw material
... multifaceted
... unbelievable
... motivational
... inspirational
... fundamental
... appreciation
... disreputable
... matauranga
... for planning
... entertaining
... educational
... a belonging
... a technique
... untraceable
... educational
... perceptions
... fascinating!
... reputations
... perspective
... trustworthy
... threatening
... intellectual
... operational
... anticipated
... disclaimed
... destructive
... conceptual
... experience
... depressing
... incomplete
... misleading
... modulation
... ephemeral
... knowledge
... contextual
... disordered
... expressed
... sequential
... boundless
... inaccurate
... duplicated
... duplicated
... allegorical
... substance
... instructive
... innovation
... invaluable
... processed
... measured
... vulnerable
... streaming
... up to date
... quantified
... indifferent
... subjective
... calculable
... enhanced
... a weapon
... nonfiction
... sentience
... a product
... imprecise
... incredible
... humdrum
... corrupted
... emergent
... metadata
... intangible
... an output
... damaged
... irrelevant
... indistinct
... of no use
... life-blood
... severable
... authentic
... complete
... disclosed
... reputable
... historical
... guidance
... degraded
... a liability
... shocking
... expertise
... concepts
... a liability
... meaning
... traceable
... worrying!
... historical
... 'ownable'
... creativity
... asserted
... structure
... evidence
... a prompt
... accurate
... outdated
... objective
... an asset
... pertinent
... the prize
... personal
... licensed
... an asset
... frangible
... withheld
... strategic
... dynamic
... complex
... timeless
... copiable
... beautiful
... sharable
... uplifting
... valuable
... learning
... inherent
... linkages
... forensic
... valuable
... credible
... an input
... tradable
... hearsay
... designs
... relevant
... a threat
... relevant
... claimed
... parallel
... precise
... sensed
... ordered
... tactical
... content
... trusted
... pirated
... sounds
... denied
... artistry
... refined
... factual
... topical
... worthy
... cloudy
... copied
... unique
... brands
... smells
... stories
... private
... stored
... boring
... partial
... timely
... signal
... useful
... costly
... fiction
... a tool
... public
... sights
... vague
... stolen
... fragile
... useful
... power
... words
... belief
... crude
... static
... plans
... novel
... finite
... good
... news
... stale
... tales
... data
... ugly
... fake
... free
... lost
... ties
... raw
... bad
... key
...

... very hard to pin down, define and describe comprehensively ... and despite the extraordinary length of this piece in the series, I freely admit I've failed: so what angles have I missed? What springs to your mind in relation to 'information'?


Wednesday, 14 September 2022

Complete security is an oxymoron

An interesting Kiwi business startup caught my beady eye today. Without being too specific, they are offering a financial service, making me curious about the legal and regulatory hoops they presumably had to clear in order to do so.

Checking their shiny new website hasn't exactly inspired me with confidence. The home page claims to be using a completely secure platform ... which is, I suspect, a bit of a porky, an exaggeration, stretching the truth. Maybe they have been carried away by their own marketing. Perhaps they are just naive.

I have never come across a totally secure system, and seriously doubt there is such a beast. Sure, I've dealt with many highly secure systems, all of which were vulnerable in various ways. None of the organisations concerned had the nerve to claim they were totally secure however, since (with a little guidance from pro's like me!) management accepted that there were residual risks, despite all our efforts. 

Paradoxically, by claiming total security, they are painting a large target on themselves, setting themselves up for a fall - and that's a shame because, as I said, they are a Kiwi startup with an interesting business product that the founders have personally invested in getting to market. I'm not naming the company to avoid adding fuel to the fire. I would love them to soar, not crash and burn. I wish them well.

It gets worse: I can't find any further information about their security arrangements on the website, partly due to some broken links. That's not a good look for any business - ourselves included, but we aren't offering financial services and don't claim to be totally secure. The security bar is set higher for them.

[Hint: integrity and availability are both core parts of information security.]

So, what next? I guess I'll try contacting them about this, softly-softly. I'd rather they considered me a friend than a threat. 

Monday, 12 September 2022

Accountability is ...


 

... in contrast to responsibility, a sticky property that cannot be unilaterally delegated or passed by the accountable person or organisation to another, in other words the buck stops here (SecAware glossary) 

... less ambiguous and yet, strangely, more confusing than other terms in this blog series

... being able to give a satisfactory reason or justification

... distinct from, but often conflated with, responsibility

... an inherent part of various jobs, roles or positions

... knowing that things must be done properly

... easily forgotten until an incident occurs

... both a threat and an opportunity

... the latitude to decide and act

... a token of respect and trust

... a governance arrangement

... a degree of independence

... beyond mere expectation

... having to explain oneself

... imposed by an authority

... a powerful disincentive

... invariably bad news

... the sting in the tail

... a niggling concern

... power, moderated

... having guard rails

... a strong incentive

... best avoided

... mandatory

... formalised

... obligation

... awkward

... personal

... squirmy

... sticky

...


Tuesday, 6 September 2022

Ten tips on tackling a thorny infosec issue

A member approached the ISO27k Forum this morning for advice:

"What would you recommend to do if our warnings as ISMS department specialists/auditors are not taken into account?"

What can realistically be done if management isn't paying sufficient attention to information risks that we believe are significant?

This is a thorny issue and not an uncommon challenge, particularly among relatively inexperienced or naïve but eager information risk and security professionals, fresh out of college and still studying hard for their credentials. It can also afflict the greybeards among us: our passion for knocking down information risks can overtake our abilities to convince managers and clients.

Here are ten possible responses to consider: 

  1. First, consider that management might, in fact, be correct! Gosh! Perhaps, given the nature of the field and the personal interests and biases that led us to specialise in infosec in the first place, we are over-stating the risks, and underestimating the true costs of the controls we are proposing. In general, we tend to focus on the negatives. We see those little vulnerabilities that others don't even notice or disregard. We read of or know about threats and incidents that management probably doesn't appreciate. Our understanding of the potential impacts of incidents may be complementary or at odds with management's understanding of the likely business consequences and responses, other priorities and objectives etc. Either or both perspectives may be misguided or plain wrong, while the truth is probably somewhere in the middle. Few issues are as binary as we sometimes think. 

    Hinson tip: take a break to calm down, review your analysis, reconsider your options and recommendations. Study management's position more carefully. Seek other opinions from those involved and/or from trusted advisors. Try to establish whether there are genuine, valid objections, maybe 'an element of truth' in management's perspective that you have overlooked. Even if you remain convinced that management is plain wrong, you will be in a better position if you understand their perspective.

  2. Make even more effort to describe, explain and explore the risks and controls in terms our colleagues understand. Focus on specifics, matters that 'clearly' (in your considered opinion) should be priorities. Stop simply repeating the same lame arguments and rephrase things. Reapproach the risks from other angles. Use examples, particularly news of actual incidents from the business itself, or from the industry, the locales, or the news media, posing rhetorical questions such as "What stops us suffering something similarly damaging (or even worse) here?". Develop diagrams. Compare and contrast risks (information risks and maybe others). Somehow interest and persuade your colleagues to engage in the analysis and debate, truly considering the possibilities. If appropriate and available, use credible research reports and advice from acknowledged experts to support your position.

    Hinson tip: be careful, though. It is all too easy for us to come across as paranoid and ridiculous, over-stating the risks (see point 1) and losing credibility. Please don't become the dreaded "No Department"! At some point, further attempts to explain, persuade or force others to do what we want become counterproductive, so change tack ... 

  3. Develop some version of the 'information owner' or 'risk owner' approach. With their understanding and support, have the management/executive team identify 'owners' (middle to senior managers) who are expected/required to both protect 'their' information assets against harm and exploit the value of those assets for the good of the organisation. Emphasise the owners' accountability: if the risks that they are supposed to be protecting the business against actually materialise in the form of damaging incidents, have senior management hold the owners personally to account for their failings - more specifically, their mistaken decisions that evidently failed to avoid or mitigate the risks.

    Hinson tip: this is a strategic move, a cultural approach that can be valuable as an integral part of your ISO27k ISMS and approach to risk management in general ... 

  4. ... talking of which, actively forge productive relationships and collaborate more closely with your colleagues - not just other infosec pro's within your core team but also those in other risk-related functions (such as Risk Management, Finance, Management, Health and Safety, Product Safety, Compliance, Site Security, Facilities, Loss Prevention, Audit or whatever), since the fundamental principles of risk management are broadly applicable. Work as an extended team. Support each other. Gain respect, support and influence from management as a whole. Look for useful opportunities (such as collaborating on shared interests) and worthwhile suggestions.

    Hinson tip: developing strong professional relationships takes time and effort. You shouldn't expect much trust and support from people who don't know you and don't particularly care about you or your objectives.

  5. Look (even harder!) for points of common interest and alignment - for example where the infosec controls you are proposing would generate additional value and options for the organisation besides mitigating the information risks. Supplier assessments, for instance, can cover suppliers' capabilities, strategies, financial stability and other areas in addition to information risks and security and compliance aspects - areas that are worth monitoring on an ongoing basis, not just before contracting with them. Aim for workable compromises leading to a negotiated settlement, and more importantly progress.  

    Hinson tip: be realistic, negotiating and working towards mutually-acceptable, pragmatic outcomes. You may not achieve exactly what you wanted (some risk will remain), but you will gain respect by tackling this in a business-like manner, rather than being dogmatic and stubborn about it. Any move in the right direction trumps stalemate or regression.

  6. Work on the incident detection and response aspects, given that (in your professional opinion) the risks are untenable, hence incidents are going to occur. Have appropriate backups in place - not just data backups but broader resilience, recovery and contingency arrangements to minimise the operational impacts and business harm caused by incidents. Bolster them, adding specific 'compensating' controls where appropriate.

    Hinson tip: if these are the very controls that management is resisting or refusing to implement, you have a problem! Be crystal clear in your assessment of the situation, giving explicit written advice to management, such that if the risks do eventuate and harmful incidents occur, you can at least say 'I told you so', evade the fallout and hopefully be more influential in future. Preventing management from being able to blame you for their failings leads to the next, more proactive suggestion ...

  7. Exploit corporate politics. Get Machiavellian. Manipulate and take advantage of weaker colleagues. Discredit and weaken your opponents. Engineer situations in which you shine in the limelight while others wilt. Use your friends in high places. Go dark. Pose a threat that demands to be taken seriously.

    Hinson tip: study Machiavelli's The Prince, despite his approach being alien to ethical professionals strong on personal integrity. It is important to appreciate that our work colleagues may be adept at these underhand techniques, and things are not always as they seem. Know your enemy. Think of this as legitimate social engineering if that helps.

  8. Choose your battles wisely: if you have a specific example of someone patently refusing to address a substantial risk that is way beyond a reasonable level of risk tolerance (especially situations where you clearly advised that a risk needed to be addressed ... but it wasn't, leading to harmful and costly incidents), escalate it explicitly to senior management. If absolutely necessary, put your foot down: make this a point of principle, integrity and professionalism, something on which you will resign if no action is taken. This is obviously a hard line to take but there are occasions in which it is appropriate to push things as far as you possibly can, being prepared to walk away from incompetent, intransigent and unsupportive management.

    Hinson tip: way before you get to this point, you need to have worked hard over a substantial period to establish your credibility, competence and hence trustworthiness with management. In practice, this means either becoming part of the executive team, or at least having the genuine support of someone with the CEO's ear and the key to the executive washroom.

  9. If you simply can't or won't walk away from it, as an absolute last resort (perhaps following the previous suggestion, appreciating that you are burning your bridges and are unlikely to remain in post), blow the whistle: after fully considering your [naturally risk-averse] position, find an appropriate mechanism to escalate the issue as far as you possibly can. Raise it with senior, influential stakeholders such as internal and external audit. Notify the owners and regulators or other authorities. Raise it with relevant major customers. Go public through the social and traditional news media, in sheer desperation. Be prepared to explain and argue your position, dealing with the excuses and counterclaims typically made by management as they deny or downplay the issue and make a serious effort to discredit your opinion, challenge your competence and parenthood, and generally dismiss you as an ignorant, misguided fool, an obnoxious trouble-maker - possibly even a threat to society who should be locked up or shot. Seriously.

    Hinson tip: before igniting the blue touch-paper, engage your legal team. They will doubtless challenge you to prove your claims, meaning you will need credible evidence to support your assertions. They may also be able to help you find and negotiate a way out that doesn't involve nuclear meltdown and the end of your career. Listen carefully to their wise counsel: it's what they do.

  10. Having read this piece, reconsider your position taking everything into account. Aside from the 9 responses I've described above, I'm sure there are other possibilities, other approaches that may be more appropriate under your specific circumstances. This is not an exhaustive list, merely some guidance on approaches that have worked for me and my clients plus a few that we haven't (yet, thankfully!) had to take.

    Hinson tip: this is a cracker of a topic to debate with your colleagues and peers in the office, via social media, at conferences and infosec special interest group meetings (such as ISSA and ISACA). Many will appreciate the dilemmas and a few may well be facing this very issue right now. Talking things over shows that sufferers are not alone, and the infosec community can pull together. Comments and alternative suggestions are very welcome here too.

Monday, 5 September 2022

Responsibility is ...

 

... an obligation placed on an individual person or organisation by an authority e.g. to ensure that an asset is properly protected i.e. a duty of care (SecAware glossary)

... an integral part of maturity, professionalism and competence

... acting in a socially considerate and adult manner

... a blend of specific and general requirements

... often informal, incompletely specified

... often confused with accountability

... expressing expectations of others

... complementary to accountability

... doing what's right and proper

... an inherent part of the job

... commonly misunderstood

... stepping up to the plate

... not having to apologise

... an opportunity to shine

... something one accepts

... a sign of being trusted

... doing the right thing

... playing by the rules

... something to duck

... self-determination

... doing things right

... a fragile control

... a heavy burden

... a guilty feeling

... an expectation

... not offending

... discretionary

... an obligation

... internalised

... more work!

... severable

... shirkable

... deniable

... serious

... intent

... will

...


Prompted?  Provoked?  Puzzled?  Good!  I'm hoping to exercise a few braincells. 


Strexecution

A provocative piece on LinkedIn about the gap between strategy and execution set me thinking. Paraphrasing the original poster, managers admit to being generally lousy at executing business strategies, which may well be true (for some at least) but it could also be that:

  • Strategies are unrealistic, infeasible or impracticable;
  • Strategies are more stretch than target, intended to motivate and drive up performance without necessarily achieving the stated objectives;
  • Strategies are literally unworkable, krazy, completely divorced from reality;
  • Available/allocated resources are overstretched, inadequate or simply unable to execute the strategy;
  • The timing is wrong or inadequate (implementing long-term strategies typically incurs short-term costs and inefficiencies - creative destruction);
  • People generally struggle with change, significant change especially, hence it is easier for everyone to continue the old ways than to strike out into something new;
  • The entire corporate structure and culture is so conservative, set in its ways and staid that even small changes are resisted or blocked, overtly and covertly;
  • There are other higher/competing priorities and constraints, some of which may not have been evident to the strategists (hinting at governance issues, hidden agendas and company politics, plus a measure of good ol' incompetence and ignorance);
  • There are conflicting messages, metrics and mandates from senior management - for instance 'Get cracking on these new initiatives ... but don't neglect ongoing activities' or 'Your bonus is derived from the old metrics, but we want you to do something different';
  • Strategies are misunderstood/misinterpreted, perhaps being so esoteric and finely wordsmithed that they only truly make sense to their cunning creators;
  • Strategies are relatively rigid, whereas the operational environment is dynamic, fluid and flexible due to all the stuff going on routinely and exceptionally within and around the corporation.
Some of those reasons (the final bullet point in particular) led me to wonder why they are considered distinct, quite separate activities. Is it simply that senior managers enjoy their occasional 'away days', sloping off to some swanky club or hotel for a 'strategy session'? Could strategy be developed or at least refined routinely in the course of execution? Shouldn't the realities of execution inform or modify strategy? Is it feasible to run both activities in parallel, within the same management team? Would 'strexecution' work - and if not, why not?

So, what are the differences between them?
  • Strategies deliberately take a broad perspective, the helicopter view, consciously stepping back from the daily grind to consider the bigger picture: what the organisation is about, what it is or rather should be doing (core business), what are its primary products and markets, what are its strengths and weaknesses, which business opportunities might be worth opening up and exploiting, what is likely to threaten the business going forward ...
  • Strategies are long-term (whatever that actually means: years, decades, centuries ...);
  • Execution is myopically focused on the detail, the here-and-now, with a limited perspective and short-term outlook;
  • Strategising is creative, free-thinking, hand-waving, blue-skies stuff, unconstrained by reality, whereas execution most certainly has to deal with the realities such as finite resources and conflicting priorities;
  • Strategies make assumptions and involve guesses that may not turn out as expected - leaving execution to deal with the fallout;
  • Strategies predict and address a cloud, a broad spectrum of potential futures, possibilities that collapse down to whatever actually transpires in practice, whether as predicted or not.  
I have some sympathy with the old saw: failing to plan is planning to fail, in other words the planning process, the analysis and consideration, is more valuable than the product, the plan itself. Plans almost always turn out to be wrong, but not planning means everything comes as a complete surprise, leaving the organisation a hostage to fortune, constantly on the back foot.

This is opportune. I am currently helping to design and document the governance arrangements and strategy for a new voluntary organisation. While the founders are excitedly developing ambitious strategies for rapid progress and expansion, execution will need a team of willing volunteers performing the associated donkey-work - much less glamorous but no less important. It's a tricky balancing act, harnessing the founders' creative energy while also putting in place the appropriate organisation structure and management controls to build and guide the operations team, delivering on their ambitions.
 
I'm also working with a tiny NZ tech startup client to design and implement the information security controls they need right now, with a view to extending them appropriately as the company grows. Establishing and operating the company is consuming most of their energy and resources, constraining the amount that can realistically be achieved in preparing for the corporate growth and changes ahead. The opportunity to start from scratch is both exciting and daunting.
 
Resource constraints are a common factor requiring a degree of pragmatism, progressing the stuff that must be done without losing sight of the bigger picture. Strategy and execution are related and complementary, not separate. They need each other. We need 'strexecution'.

Monday, 29 August 2022

Security is ...


... an illusion of protection against perpetual vulnerabilities being actively exploited (Philip Brider)
... the state in which one or more assets is adequately protected against risks (SecAware glossary)
... related to information, control, governance, compliance, risk, resilience, continuity, privacy, assets, IT, society, technology, politics, systems, networking, incidents, 'cyber', assurance, trust, people ...
... the NO Department - absolutely not, no way, forbidden, don't do that!
... the product of a safe, stable, supportive environment
... ensuring confidentiality, integrity and availability
... the apparent absence of incidents
... best avoided to get the job done
... having no exposed vulnerability
... the lull before the next incident
... no indications of compromise
... an architectural perspective
... achieved by controlling risk
... the Maybe IF Department
... the lull before the storm
... the absence of incidents
... the Yes But Department
... no apparent incidents
... relative, not absolute
... freedom from threat
... something to evade
... a temporary respite
... valuables protected
... difficult to achieve
... a business enabler
... costly to maintain
... more than cyber
... seldom specified
... hard to measure
... trustworthiness
... a state of mind
... an impediment
... merely a suffix
... hardened steel
... a moving goal
... a happy place
... multi-layered
... an objective
... an assertion
... our product
... a challenge
... asymptotic
... confidence
... soundness
... passwords
... ephemeral
... demanded
... a delusion
... protection
... a product
... a blocker
... padlocks
... strategy
... stability
... comfort
... the law
... a myth
... muscle
... guards
... chains
... safety
... a pain
... policy
... peace
... locks
... rules
... hope
... trust
... guns
... keys
... love
... MFA
...

Challenged? Confused? Contradicted?

Monday, 22 August 2022

Cyber is ...

... the science of communication and control theory that is concerned especially with the comparative study of automatic control systems (Merriam-Webster)

... a jargon prefix/buzz-word, much abused by marketers, journalists, politicians and widely misinterpreted (SecAware glossary)

... robotics, artificial intelligence and machine learning

... remaining operational despite serious incidents

... a muddle of paradoxes and contradictions

... protecting critical corporate infrastructure

... protecting critical national infrastructure

... whatever the speaker/writer thinks it is

... information risk, security and control

... only part of the problem space

... more than just technology

... recovering from incidents

... nation-state weaponry

... short for cybersecurity

... the modern battlefield

... only about technology

... a solid-gold buzzword

... unknown unknowns

... conveniently vague

... smoke and mirrors

... computer security

... six-figure salaries

... Internet security

... outsider threats

... cool as dry ice 

... deadly serious

... disinformation

... being resilient

... a sexy prefix

... data security

... where IT's at

... where it's at

... a hot button

... propaganda

... untargeted

... a diversion

... technology

... misleading

... IT security

... pentesting

... distracting

... newspeak

... superficial

... undefined

... defensive

... sabotage

... offensive

... targeted

... malware

... insiders

... hackers

... serious

... budget

... spooks

... scary

... spies

... deep

... hype

...


... all of the above, and more

... none of the above: something else entirely

... who cares? Watch the hands, follow the ball, concentrate



Prompted? Puzzled? Provoked? What have I misrepresented, misunderstood, missed out completely? What other terms are worth exploring?
