Posts

Showing posts from July, 2015

Cut the bleating: how about something positive for a change?

An opinion piece in Forbes by two Cisco people wound me up today. To my jaundiced eye, they were just bleating on about senior management's lack of interest in, concern about, understanding of, and leadership in, IT security. It seems to me they are naive, misguided, overly cynical and/or disingenuous. I find overtly negative comments unhelpful and counterproductive. It saddens me that so many security pundits (especially those still locked in the introverted world of IT) continue pointing the accusing finger at senior management as if it's entirely their problem, while offering little if anything in the way of constructive advice or, for that matter, accepting any part of the blame for the situation in which we now find ourselves. Come on guys and gals, we can do better than that. The key question is why: why should senior management be concerned about information risk? Why is this issue worthy of their attention? Why is it so important that they show leadership in thi...

Taking the shine off IoT security

Various information security pundits are bleating about the evident lack of security in the Internet of Things, as if we should be both surprised and aghast. Get real, guys! Consumers* don't buy IoT products because they are secure. They buy them because they are shiny. Security is not shiny. It is an afterthought, at best. Worse still, since making IoT products secure means they cost more to manufacture, security is an anti-goal at this time. Companies attempting to sell relatively expensive, relatively secure IoT products now are unlikely to establish the market presence they need to make a success of the business, unless they are foresighted enough to forgo short-term success in favor of a (long-term, risky) strategic investment. Meanwhile, there is a premium on being first to market**. In due course, when insecure IoT products have infiltrated our lives and IoT incidents are both frequent and severe enough to become genuine concerns (which they aren't yet), then I...

Employ people who 'get' infosec

Organizations that take information security seriously enough to adopt good practice standards such as ISO27k generally appreciate the need to integrate infosec with HR processes. They have pre-employment screening, on-boarding processes such as security induction sessions, continuous security awareness and training where appropriate throughout employment, and off-boarding/departure activities when the employment or service relationship comes to an end. The key controls are laid out in black and white in section 7 of ISO/IEC 27002:2015. Most such organizations have security-related policies and procedures, along with compliance activities plus enforcement and reinforcement. Very few organizations manage without employment or service contracts, codes of conduct etc., which often mention compliance. Despite all that good stuff and more, we are repeatedly told that 'people are the weakest links'; in other words, we're not home and dry. We haven't nailed it yet. Why? What...

Droning on

The security awareness module this month concerns the physical aspects of information security, including controlling physical access to information assets. Seeing a TV program last evening about the NZ police systematically stopping and searching visitors and their cars arriving at a prison, several things occurred to me: Some prison visitors aren't exactly the crispiest crackers in the pack. Despite the strict regulations, the warning signs, the obvious police presence on site and the primetime TV programs (!), they still roll up nonchalantly with barely-concealed drugs, weapons, pathetic excuses and bad attitudes. Some prison visitors and employees, in contrast, are probably a lot more on the ball ... and some are presumably more creative and ultimately more successful in their endeavours to smuggle in contraband, since prisoners evidently have access to tobacco and other drugs, weapons, cellphones and so forth. What stops smugglers simply dropping contraband over the pris...

There's enforcement ... and then there's reinforcement

Over on CISSPforum lately, we've been discussing the use of motivational approaches to encourage desired information security behaviors, complementing the use of penalties to discourage undesirable behaviors - in other words, carrot-and-stick. Walt Williams said: "If I owned an antivirus company, I'd want all my employees to have my product freely available to them as a "benefit" ... An example that worked nicely at a past employer was use of the company's insurance (auto) at an employee discounted rate for life (even post employment). Other items to consider adding to the list: Better than standard benefits; Better pay than industry averages; Extra pay for on call time; Time off to match on call time to restore work/life balance; Ownership of service improvements (if you see a problem, with management approval, you're allowed to own fixing it). Amazing the job satisfaction this gives." I've used the free antivirus approach myself back i...