Monday 31 October 2022

Threat is ...

... "any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service" [source: NIST SP800-30r1]

... "a person, situation or event (whether deliberate or accidental, targeted or generic in nature) that is hazardous or dangerous, capable of causing an information security incident" [source: SecAware glossary]

... "potential cause of an unwanted incident, which can result in harm to a system or organization" [source: ISO/IEC 27000:2018]

... a competitor's unexpected shift of tactics

... an ominous promise to cause harm

... an accident waiting to happen

... the cause of a really bad day

... nature red in tooth and claw

... storm clouds on the horizon

... an active component of risk

... an unfortunate coincidence

... sometimes hard to detect

... intended to provoke fear

... advanced and persistent

... go ahead, make my day

... mitigated by deterrents

... a laser dot on the torso

... a stated intent to harm

... the catalyst for change

... a burst of testosterone

... external to the system

... all mouth and trousers

... retarded and tentative

... not always recognised

... what might go wrong

... part of the landscape

... dark and foreboding

... obvious in hindsight

... economic downturn

... when luck runs out

... bad consequences

... competitive intent

... a ransom demand

... coming tooled-up

... potential to harm

... marauding gangs

... an implied attack

... easily discounted

... over-emphasised

... impending doom

... adverse weather

... lack of oversight

... a nasty promise

... a nasty surprise

... static discharge

... unpredictability

... a show of force

... not when but if

... not if but when

... something bad

... hard to control

... a warning sign

... Freddy Krueger

... worth ducking

... the unknown

... a probability

... best avoided

... an oversight

... a possibility

... a prediction

... provocative

... a likelihood

... xenophobia

... generalised

... unintended

... a certainty

... intentional

... theoretical

... the enemy

... hazardous

... bad actors

... existential

... accidental

... a warning

... deliberate

... menacing

... or else ...

... uncertain

... fearsome

... outsiders

... expected

... criminals

... technical

... for show

... ominous

... coercion

... volatility

... left-field

... demonic

... violence

... physical

... directed

... mythical

... genuine

... looming

... bravado

... a worry

... a pitfall

... insiders

... disease

... a bomb

... obvious

... a scowl

... a tactic

... assault

... human

... spooky

... feared

... failure

... 'them'

... anger

... death

... social

... scary

... fake

...

Monday 24 October 2022

Oversight is ...

... "various forms of supervision and inspection used to ensure that important information security activities and controls are operating properly, and to identify any anomalies" [source: SecAware glossary]

... "forgetfulness, carelessness, neglect or incompetence, typically leading to errors, omissions and other information security incidents" [source: SecAware glossary]

... absent from ISO/IEC 27002 except for one measly mention (clause 5.16)

... maintaining a watching brief

... an opportunity to review

... the four eyes principle

... the act of overseeing

... the prompt to revisit

... keeping a close eye

... hands off, eyes on

... something missed

... a sign of distrust

... an opportunity

... a vulnerability

... a sign of trust

... incompetence

... management

... carelessness

... an omission

... an accident

... an override

... supervision

... inspection

... ineptitude

... a problem

... assurance

... a mistake

... authority

... guidance

... a control

... checking

... freedom

... a threat

... skipped

... neglect

... caring

... a risk

... audit

...
Monday 17 October 2022

Assurance is ...

... "provision of a certain level of trust, confidence, confirmation or proof of something, typically by reviewing, checking, testing, certified compliance or auditing it" [source: SecAware glossary]

... knowing when to stop climbing the ladder

... the absence of anxiety and doubt

... a necessary part of management

... the result of testing - pass or fail

... swimming out of the shark cage

... an integral governance function

... stepping into the shark cage

... packing your own parachute

... a friendly hand reaching out

... engineering the shark cage

... an underappreciated goal

... an undervalued objective

... certifying the shark cage

... welding the shark cage

... confidence in another

... an independent view

... holding all the cards

... a measure of power

... plausible deniability

... taking a space walk

... stacking the deck

... hitting the mark

... being confident

... a winning hand

... self-confidence

... not insurance

... being certain

... confirmatory

... bearing it all

... unnecessary

... nice to have

... checking-up

... baring it all

... naïve belief

... mandatory

... knowledge

... comforting

... reassuring

... being sure

... necessary

... insurance

... oversight

... essential

... checking

... a control

... valuable

... optional

... security

... a game

... testing

... costly

... audit

... valid

... trust

...

Security awareness month
Since October is cybersecurity awareness month in the USA, we've seized the opportunity to update SecAware.com with additional information on our security awareness material. 

SecAware's information security awareness modules explore a deliberately wide variety of individual topics in some depth:

Thursday 13 October 2022

Under starter's orders

Like an expectant father, I've been anxiously filling-in time before the publication of ISO/IEC 27001:2022, due any day now.

Today, I completed the tedious process of reviewing/updating all our information security policy templates for SecAware.com.

Wednesday 12 October 2022

ISO/IEC 27001:2013 --> 2022 transition

SEE UPDATE 19th Feb 2023
The third edition of ISO/IEC 27001 will have a few changes in the main body text and a complete replacement for Annex A based on ISO/IEC 27002:2022.

The transition arrangements are still uncertain but this is my understanding at this point:

Monday 10 October 2022

Audit is ...
... "a structured assurance process of examination, review, assessment, testing and reporting by one or more competent and trusted people who – crucially – are independent of the subject area being audited" [source: SecAware glossary]

... senior management's not-so-secret weapon

... how to use friends and influence people

... how to lose friends and alienate people

... proof that management distrusts us

... where failed accountants go to die

... seeing things through fresh eyes

... a massive and unnecessary cost

... "Go ahead punk, make my day"

... derived from the Latin audio

... forever re-opening old sores

... like a bear with a sore head

... the skin-hardening function

... watching your every move

... dependent on information

... bayonetting the wounded

... the bottom of the barrel

... the third line of defence

... something best avoided

... always late to the party

... policies and procedures

... asking dumb questions

... lurking in the shadows

... a governance function

... the four eyes principle

... part of the inner circle

... poking at the remains

... a service organisation

... generating assurance

... coming, ready or not

... resource-constrained

... divorced from reality

... rigorously controlled

... tracing relationships

... a corporate function

... bound by regulation

... a challenging career

... sampling selectively

... something to evade

... looking under rocks

... simply doing its job

... an agent of change

... modern and with-it

... grounded in reality

... sampling randomly

... wide-eyed naïveté

... incompetent fools

... a little black book

... a system function

... a service function

... digging in the dirt

... following its nose

... up with the times

... bloody hard work

... humour-impaired

... behind the times

... second-guessing

... part of the team

... always on guard

... hunting in packs

... hard to convince

... a necessary evil

... self-opinionated

... non-operational

... hard to manage

... a strong control

... counting assets

... evidence based

... much maligned

... unconventional

... misunderstood

... stock-checking

... grumpy as hell

... finger-wagging

... process-driven

... "Persuade me"

... "Convince me"

... following trails

... set in its ways

... fuddy-duddies

... highly trusted

... heavily biased

... a vulnerability

... hunting alone

... highly trained

... old-fashioned

... Chinese walls

... after-the-fact

... out on a limb

... out to get us

... a nasty smell

... bloodhounds

... retrospective

... under-valued

... conventional

... accountancy

... collaborative

... adding value

... incompetent

... uncontrolled

... independent

... unnecessary

... a backwater

... complicated

... the Gestapo

... a specialism

... a profession

... professional

... experienced

... trustworthy

... a technique

... assessment

... humourless

... insufferable

... challenging

... wordsmiths

... full of itself

... exceptional

... fresh-faced

... "Show me"

... compliance

... metrication

... methodical

... unwatched

... systematic

... a diversion

... challenged

... competent

... aggressive

... the enemy

... procedural

... conformity

... mysterious

... combative

... persuasive

... underhand

... competent

... risk-based

... unbending

... prejudiced

... evaluating

... inspection

... suspicious

... delusional

... structured

... self-aware

... respected

... distrusted

... a catalyst

... pragmatic

... necessary

... menacing

... checklists

... assessing

... a process

... legendary

... friendless

... observant

... the police

... obsessive

... rotational

... privileged

... masterful

... tooled-up

... persistent

... defensive

... a pentest

... obsessive

... evidential

... polarising

... malicious

... "Prove it"

... untainted

... repetitive

... repetitive

... blinkered

... well-paid

... specialist

... snooping

... sampling

... watching

... infamous

... pointless

... assertive

... proactive

... secretive

... objective

... tough-as

... offensive

... powerful

... unbiased

... hopeless

... listening

... paranoid

... overpaid

... suffered

... external

... doubtful

... required

... sporadic

... doubted

... red tape

... officious

... faceless

... deluded

... external

... scary-as

... post hoc

... admired

... rigorous

... periodic

... 'special'

... forensic

... focused

... dubious

... clueless

... a threat

... a brand

... ticklists

... periodic

... creative

... reactive

... too late

... pointed

... divisive

... tedious

... needed

... aligned

... distrust

... probing

... modern

... internal

... sinister

... I listen

... a team

... trouble

... special

... famed

... feared

... review

... cynical

... formal

... stilted

... lonely

... a tool

... a trail

... stuffy

... hated

... naïve

... fierce

... a log

... retro

... gruff

... dark

... sad

... fun

...

Monday 3 October 2022

Trust is ...

... "a relatively weak but commonplace information security control in which supposedly trustworthy people, systems, programs, functions, organisations etc. are expected, anticipated or to various extents required to behave predictably, appropriately, responsibly, ethically and in the trusting party’s best interests." [source: SecAware glossary]

... a "relationship between two entities and/or elements, consisting of a set of activities and a security policy in which element x trusts element y if and only if x has confidence that y will behave in a well-defined way (with respect to the activities) that does not violate the given security policy" [source: ISO/IEC 27036-1]

... "a belief that an entity meets certain expectations, and therefore, can be relied upon" [source: NIST SP800-160v1r1]

... placing your fortunes in someone else's hands

... built on a base of trustworthiness

... key to strong relationships

... ceding control to another

... a shared social construct

... climbing a slippery slope

... knowing it'll be alright

... sometimes misplaced

... losing independence

... a two-way street

... being dependent

... being vulnerable

... a precious gift

... understanding

... custodianship

... fundamental

... a foundation

... dependable

... confidence

... being sure

... conviction

... assurance

... a ratchet

... verifiable

... certainty

... essential

... reliable

... no fear

... in care

... fragile

... safety

... belief

... hope

... faith

...

Sunday 2 October 2022

Guiding the helmsman
Every so often, I find myself working with clients that "get it" - not just the individual people I'm collaborating with, nor even their functions/departments: I'm talking about entire organisations with a cadre of supportive and enthusiastic managers who understand and appreciate the genuine business value of sound information risk management.

It's a real pleasure for me, a welcome relief from the usual slog.