Monday 29 August 2022

Security is ...


... "freedom from those conditions that can cause loss of assets with unacceptable consequences" [source: NIST SP800-160v1r1]
... "the state in which one or more assets is adequately protected against risks" [source: SecAware glossary]
... "an illusion of protection against perpetual vulnerabilities being actively exploited" [source: Philip Brider]
... related to information, control, governance, compliance, risk, resilience, continuity, privacy, assets, IT, society, technology, politics, systems, networking, incidents, 'cyber', assurance, trust, people ...
... the NO Department - absolutely not, no way, forbidden, don't do that!
... the product of a safe, stable, supportive environment
... ensuring confidentiality, integrity and availability
... the apparent absence of incidents
... best avoided to get the job done
... having no exposed vulnerability
... the lull before the next incident
... no indications of compromise
... an architectural perspective
... achieved by controlling risk
... the Maybe IF Department
... the lull before the storm
... the absence of incidents
... the Yes But Department
... no apparent incidents
... relative, not absolute
... freedom from threat
... something to evade
... a temporary respite
... valuables protected
... difficult to achieve
... a business enabler
... costly to maintain
... more than cyber
... seldom specified
... hard to measure

... trustworthiness
... a state of mind
... an impediment
... merely a suffix
... hardened steel
... a moving goal
... a happy place
... multi-layered
... an objective
... an assertion
... our product
... a challenge
... asymptotic
... ephemeral
... confidence
... soundness
... passwords
... demanded
... a delusion
... protection
... a product
... a blocker
... padlocks
... strategy
... stability
... comfort
... the law
... a myth
... muscle
... guards
... chains
... safety
... a pain
... policy
... peace
... locks
... rules
... hope
... trust
... guns
... keys
... love
... MFA
...

Monday 22 August 2022

Cyber is ...

... "the science of communication and control theory that is concerned especially with the comparative study of automatic control systems" [source: Merriam-Webster]

... "a jargon prefix/buzz-word, much abused by marketers, journalists, politicians and widely misinterpreted" [source: SecAware glossary]

... robotics, artificial intelligence and machine learning

... remaining operational despite serious incidents

... a muddle of paradoxes and contradictions

... protecting critical corporate infrastructure

... protecting critical national infrastructure

... whatever the speaker/writer thinks it is

... information risk, security and control

... only part of the problem space

... more than just technology

... recovering from incidents

... nation-state weaponry

... short for cybersecurity

... the modern battlefield

... only about technology

... a solid-gold buzzword

... unknown unknowns

... conveniently vague

... smoke and mirrors

... computer security

... six-figure salaries

... Internet security

... outsider threats

... cool as dry ice

... deadly serious

... disinformation

... being resilient

... a sexy prefix

... data security

... where IT's at

... where it's at

... a hot button

... propaganda

... untargeted

... a diversion

... technology

... misleading

... IT security

... pentesting

... distracting

... newspeak

... superficial

... undefined

... defensive

... sabotage

... offensive

... targeted

... malware

... insiders

... hackers

... serious

... budget

... spooks

... scary

... spies

... deep

... hype

...


... all of the above, and more

... none of the above: something else entirely

... who cares? Watch the hands, follow the ball, concentrate

Thursday 18 August 2022

The all-new SecAware blog

Welcome to the all-new SecAware blog!

Well OK, perhaps 'all' is over-stating it.
In truth, it's the same old same old
with a shiny new URL and look.

I have migrated the historical content
from blog.NoticeBored.com to here,
and will continue adding to it
for as long as I remain sentient.

I will be as surprised as you
to see the next piece.

You can still browse this stuff,
or filter by keywords and search for
anything using the panel on the right. 

As always, your comments, feedback,
suggestions and complaints are very welcome. 
Alternative realities fascinate me.
Criticisms spur me on.
Just about anything beats stony silence
and that dreadful feeling that
I'm shouting plaintively into the void ...

- Over -

Monday 15 August 2022

Control is ...


... "something which prevents or reduces the probability of an information security incident, indicates that an incident may have occurred and/or mitigates the damage, harm, costs or other adverse consequences caused or triggered by or simply following on from an incident" [source: SecAware glossary]

... "the exertion of influence over a subordinate by an authority or assertive figure" [source: SecAware glossary]

... technical, physical, procedural, legal, social, mechanical, economic, political ...

... applied to processes, systems, machines, people, quality ...

... a "measure that maintains and/or modifies risk
Note 1 to entry: Controls include, but are not limited to, any
process, policy, device, practice or other conditions and/or
actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the
intended or assumed modifying effect."
[source: ISO 31000]

... a volume knob that goes all the way to 11

... automated, semi-automated or manual

... an illusion induced by acquiescence

... preventive, detective or corrective

... avoiding or preventing badness

... defining and applying rules

... what happens in the tower

... an action/adventure game

... an availability challenge

... an engineering solution

... local, remote or hybrid

... hitting the sweet spot

... about mitigating risk

... keeping within limits

... a means to an end

... binary or analogue

... providing direction

... setting boundaries

... negative feedback

... power superiority

... being in charge

... being resilient

... an impression

... management

... containment

... proportional

... oppression

... confidence

... constraint

... regulation

... assurance

... an illusion

... unreliable

... imperfect

... influence

... valuable

... coercion

... mastery

... the key

... stability

... a belief

... a state

... power

... fragile

... costly

... a key

... finite

... rules

... key

...

Tuesday 9 August 2022

The business case for security strategy and architecture

The business benefits of developing an information security strategy and accompanying security architecture/design include:
 
  • Being proactive, taking the lead in this area - more puppeteer than puppet;

  • Designing a framework or structure to support the organisation's unique situation and needs;

  • Positioning and guiding the management of information risk and security within other aspects of the organisation's architecture/design, e.g. its IT and information architecture (showing information flows, networked systems, databases, services etc.), complementing and supporting various other business strategies and architectures such as cloud first, artificial intelligence, IIoT, big data, new products, new markets ...;

  • Providing a blueprint, mapping-out and clarifying the organisational structure, governance arrangements and accountabilities for information risk and security relative to other parts of the business such as IT, physical security, Risk, legal/compliance, HR, operations, business continuity, knowledge management ...;

  • Defining a coherent sequence or matrix of strategic initiatives (projects, investments, business and technology changes ...) over the next N years, embedding information risk management ever deeper into the fabric of the organisation and strengthening the information security arrangements in various ways (e.g. systematically phasing-out and replacing aged/deprecated security technologies while researching, piloting and then adopting new ones such as blockchain and post-quantum crypto);

  • Driving the development and maturity of the information risk and security management function, covering its priorities, internal structure and external working relationships, governance etc.;

  • Bringing clarity and direction (focus!), reducing complexity and uncertainty associated with myriad 'other options' that are discounted or put on hold;

  • Seizing opportunities to align and support various departments, processes, systems, partners, projects/initiatives, budgets, plans etc., finding and exploiting points of common interest, avoiding awkward conflicts and gaps;

  • Identifying key objectives for information risk and security - important for ISO/IEC 27001 and security metrics;

  • Motivating yourself and your colleagues to think beyond the immediate task list, broadening perspectives and extending timescales.

A full-blown multi-year security strategy and architecture can work nicely, particularly in larger, more complex and mature/stable organisations whose senior management appreciates or needs the long-term grand view, the bigger picture - provided they also have access to the particular expertise needed to do justice to the topic. Strategy is perhaps the most difficult and risky part of information risk and security, as it is for other aspects of enterprise management.
 
If you're still not convinced, consider that not preparing a security strategy and some form of security architecture/design may be even riskier and costlier in the long run. Failing to plan is planning to fail. Maintaining a state of 'creative chaos' - meaning a purely reactive event-driven approach - is suboptimal. However, with no clear objectives in mind, it may seem OK to those in the thick of it, far too busy treading water to scan the horizon for land.
 
Can I throw you a lifeline?
 
Google! Study hard. There are tools and techniques to help with strategy and architecture, just as there are for information risk and security management. Seek professional help if you need it.

You might for instance start simply by (literally!) sketching out whichever areas of information risk and security management matter most to your organisation, exploring the relationships among them and the obvious links with other areas such as IT and HR. Think about the security processes/activities and systems, paying special attention to the organisation's pain points. Gradually refine and extend the rough sketch into a blueprint encompassing broader aspects such as business objectives and resources ... and pretty soon things magically emerge from the mist.

Now comes a vital step: debate it with your colleagues. Talk it through. Listen carefully to their questions, objections and concerns, pushing back a little by exploring their strategies, architectures and ideas, steadily refining yours. This is a team game. Take your time.

As the vision takes shape, raise the discussion to senior management levels ... and at that point I'll slip quietly away, job done.
 
Must dash: others adrift, gasping.

Monday 8 August 2022

Risk is ...


... "the predicted or projected frequency and magnitude of future loss if a threat exploits an exposed vulnerability to cause an adverse business and/or personal impact" [source: SecAware glossary]

... "a relative term, implying degrees or levels of risk, or absolute value if the frequency and magnitude are calculated credibly, with some precision" [source: SecAware glossary]

... "a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of the adverse impacts that would arise if the circumstance or event occurs, and the likelihood of occurrence" [source: NIST Cybersecurity Framework]

... "any reasonably identifiable circumstance or event having a potential adverse effect on the security of network and information systems" [source: ENISA]

... "effect of uncertainty on objectives ..." [source: ISO Guide 73]

... when threat exploits vulnerability causing impact

... tough to measure, express and control

... the product of probability and impact

... the gap between theory and practice

... the root of pessimism and optimism

... the once-in-a-hundred-years event

... known and unknown unknowns

... needing seatbelts and airbags

... a hair's breadth from disaster

... the possibility of exploitation

... mitigated but not eliminated

... a factor to be borne in mind

... inevitable in the Real World

... what keeps us up at night

... not going entirely to plan

... surprisingly complicated

... rarely good, usually bad

... rarely bad, usually good

... outcome =/= prediction

... looking down the barrel

... necessary to get ahead

... expectation <> reality

... stepping into the dark

... walking the tightrope

... imperfect knowledge

... inherent uncertainty

... exciting (to a point)

... white-water rafting

... being on the brink

... throwing the dice

... tricky to manage

... adventure sports

... skipping a check

... bungee jumping

... poking the tiger

... about causation

... taking chances

... unseen danger

... chances blown

... what might be

... warning signs

... unanticipated

... best avoided

... a card game

... being brave

... de-masking

... opportunity

... lion taming

... life lessons

... hazardous

... adventure

... possibility

... ambiguity

... investing

... gambling

... black ice

... no limits

... complex

... dynamic

... thrilling

... thin ice

... relative

... danger

... doubt

... I.C.E.

... luck

... fun!

... life

...


Saturday 6 August 2022

CISO workshop slides

The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):