Posts

Showing posts from September, 2016

ISO27k Conference, San Francisco

I'm at the 27k Summit for the Americas ISO27k conference at the South Francisco Conference Center near the airport this week, hoping to meet you! The conference has several parallel themes and streams, including:

- Getting started with ISO27k - for people who want to get into this stuff
- Metrics - for people who need to measure and improve this stuff
- Cloud security and IoT - hot topics
- Compliance - a meta-theme since laws, regs and standards compliance is a strong driver for all the above

If I have time I'll update this post with info as the conference proceeds ....

Jim Reavis from the Cloud Security Alliance gave a keynote about the proliferating cloud and IoT systems, globally expanding. CSA's CCM compliance/controls mapping is well worth looking at, while the CSA STAR program is a popular certification scheme for cloud providers. Dan Timko from Cirrity explained the ISO27k ISMS implementation and certification process, including the pre-certification followed a few mon...

Socializing information security

In researching and preparing October's security awareness module, we've wandered away from the well-beaten track into what is, for us at least, previously uncharted territory. You could say we're going off-piste. Our topic concerns the human aspects of information security - a core area for any decent security awareness program and one that we bring up frequently, including a dedicated awareness module refreshed annually. We've always deliberately taken a broad perspective, exploring social engineering, social media, social networking and so on. This year, along with the conventional awareness stuff on phishing (of course) plus other scams, cons and frauds, we'll be lifting the covers on how the criminal black hats and other adversaries exploit both their own and our social networks. That train of thought leads naturally into counteracting the power of criminal organizations through leveraging various white hat equivalents, both within our organizations (e.g. th...

CIS Critical Security Controls [LONG]

Today I've been nosing through the latest 6.1 version of the CIS Critical Security Controls for Effective Cyber Defense, described as "a concise, prioritized set of cyber practices created to stop today's most pervasive and dangerous cyber attacks". In reality, far from being concise, it is a long shopping list of mostly IT/technical security controls, about 100 pages of them, loosely arranged under 20 headings. There are literally hundreds of controls, way more than the '20 critical controls' mentioned, although obviously 'Implement the 20 critical controls' sounds a lot more feasible than 'Implement hundreds of tech controls, some of which we believe are critical for cyber defense (whatever that is)'! The selection of controls is evidently driven by a desire to focus on what someone believes to be the key issues: The CIS Controls embrace the Pareto 80/20 Principle, the idea that taking just a small portion of all the security actions you could...

Assured and optimized resilience is best

One of several excellent heads-ups in the latest issue of RISKS concerns an IEEE report on Facebook's live testing of their data center resilience arrangements. Facebook's SWAT team, business continuity pros, tech crew and management all deserve congratulations on not just wanting to be resilient, but making it so, proving that it works, and systematically improving it so that it works well. However, I am dismayed that such an approach is still considered high-risk and extraordinary enough to merit both an eye-catching piece in the IEEE journal and a mention in RISKS. Almost all organizations (ours included*) should be sufficiently resilient to cope with events, incidents and disasters - the whole spectrum, not just the easy stuff. If nobody is willing to conduct failover and recovery testing in prime time, they are admitting that they are not convinced the arrangements will work properly - in other words, they lack assurance and consequently face high risks. About a ...

Security metrics for business or business metrics?

At first glance, Andrew Storms dispenses good advice in How To Talk About Security With Every C-Suite Member. He emphasizes that there's not much point talking tech to execs. "Communicating with C-suite leaders about the ongoing security threats your company faces can easily turn into an exercise in futility. Their eyes glaze over as you present metrics and charts that illustrate the current state of the business's IT infrastructure, and your attempts to justify investments in additional security tools and systems end up being unsuccessful." Mmm, well, if you are indeed trying to justify investments in [IT] security tools and [IT] systems using [IT] metrics and charts concerning the IT infrastructure, then yes, you are patently focused on IT. Or, as Mr Storms put it, you are "failing to contextualize your data into terms that resonate with leaders who work outside of IT", using sixteen words when three would do. "When speaking with leaders from across...