Posts

Showing posts from December, 2022

'The Internet issue'

Earlier this year I wrote a retrospective on Y2K and said that I'd be back to talk about what is surely the biggest cluster of information risks facing the world over two decades on, namely those associated with the Internet. Well OK, so it has taken me a couple of months to get around to it but anyway here goes.

Threats: malicious individuals; malicious groups; accidents and natural events.
Vulnerabilities: shared resource; insecure base; naivete.
Impacts: extreme dependence; cascading effects; catastrophic outages.
Preventive, detective and corrective controls; technical, procedural and administrative controls.

Audit/review questions

Other than the classic "Show me", here are a bunch of generic questions to consider, select and refine if you are conducting an ISMS internal audit, IT audit, ISMS management review etc. looking into 'X' (an ISMS, situation, system, process, control, incident or whatever). Hopefully these are thought-provoking, helping you consider and explore X from different perspectives.

Are there any legal, regulatory or contractual compliance implications of X?
Are there any other things about X that I/management should know about?
Can I do some audit tests on X, please?
Compared to Y and Z, how risky/valuable/reliable is X?
Does anything strike you as strange or worrying about X?
Explain the controls relating to X …
Has X ever hurt anyone? What happened?
Have you or anyone else raised concerns about X?
How big is X - how wide, how heavy, how numerous, how often?
How come previous efforts did not fix X?
How costly was X?

ISO27k ISMS metrics

Information is clearly a valuable yet fragile corporate asset that must be protected against a wide range of threats. Protecting information is complicated by its ubiquity, plus its intangible and ephemeral, dynamic nature, on top of which the information risks are also constantly changing. Furthermore, information risks have to be managed alongside all other risks facing the business, of which there are many. Information risk management is a tough challenge, made still harder if management lacks sufficient, relevant and reliable information concerning the status of information risk management activities, processes, information security etc.

"What should we be measuring?" is a common refrain, along with "What are the most common security metrics?". At face value, these are perfectly reasonable and sensible questions. However the first is impossible to answer without knowing more about the organization's situation, while the second is trickier still: scie...

Yet another interpretation of 'cyber'

I have railed repeatedly at the vague and often inappropriate or misleading use of 'cyber', in particular cyber-risk and cybersecurity (inconsistently hyphenated, as shown). Usually, cyber simply means IT - all the usual humdrum risks and controls relating to IT systems and networks. This is everyday stuff, nothing special. Plain IT covers it. Sometimes cyber alludes to far more extreme and sinister threats associated with highly competent and resourceful adversaries sponsored by governments, organised criminals or terrorists attacking critical national or global infrastructures - the sorts of things that might be experienced during war. Those using the term in this way tend to speak in riddles, trying hard to avoid admitting or disclosing vulnerabilities while denying knowledge of any involvement in such activities.

Awareness risks & opportunities

Security awareness program can be planned and prioritised on the basis of risks.
Leave room (flexibility) to respond to opportunities that arise off-plan.

Tempering professional paranoia

It goes with the territory: professionals working in information risk and related areas are, of course, highly aware of risks within our specialism. It's what we do. Furthermore, many of us would admit to being naturally risk-averse: people outside the profession seem to take chances that we would prefer to avoid or shy away from, whether through plain ignorance or failure to appreciate the risks.

Risk-aversion is a personal characteristic or bias that varies from mild caution and pessimism up to extreme, debilitating paranoia. It doesn't necessarily mean that we are timid, scared or weak, rather that we tend to place more emphasis on the possibility of problems or incidents compared to non-risk-averse people.

Riding the waves

Yesterday, I wrote about preparing and promoting your budget proposal, strategy, programme of projects or an individual initiative, gaining management support and negotiating for approval. Today I'd like to emphasise a fleeting, easily overlooked step in your journey, an opportunity to do even better. At the very moment when the negotiations are completed and management finally agrees your infosec budget, their interest, motivation and support for it is high ... so, before the dust settles, why not seize the moment: a window of opportunity has opened. Before long, the wave of enthusiasm will subside and management's focus will turn to other matters.

Budgeting and preparing for ISO27k

Are you responsible for your organisation's information risk and security or cybersecurity budget? Are you busily putting the finishing touches to your FY 2023 budget request? Budgeting is a stressful management task, figuring out the figures and anticipating tough battles ahead leading (usually) to a disappointing outcome and yet more problems resulting from inadequate investment. With clear signs of another global recession looming (as if COVID, climate change and the war in Ukraine weren't challenging enough already), tightened belt-buckles are the order of the day*.

System is ...

... “a related set of IT equipment and software used for the processing, storage or communication of information and the governance framework in which it operates” [source: New Zealand Information Security Manual]
... "all connected parts of the organisation that may be at risk of a cyber attack" [thanks Steven Os]
... a set of computers plus their software, users, administrators and managers, the associated policies and procedures, plus the links to connected systems, plus the operating environment, all of which are required to deliver services ...
... “a combination of interacting elements organised to achieve one or more stated purposes” [source: ISO/IEC 27036-1, notes omitted, also NIST SP800-161r1 & SP800-53r5]
... a black box within which inputs are mysteriously converted to outputs ...
... "an integrated suite of related items and processes forming a discrete operating or functional unit, such as a management system" [source: SecAware glossary] ...

COVID information risk analysis - retrospective

Two and a half years ago in March 2020, as we were fast approaching our first lockdown, I published the following Probability Impact Graph (PIG) depicting my analysis of the information risks relating to COVID. The PIG reports the information risks I identified at the time, thinking about COVID from the general societal perspective as opposed to a personal or organisational perspective.

On a mission

We're on a mission to convince every organisation that managing information risks properly is more than just a compliance imperative. It's good for business. Is your organisation looking to raise its security game? Are managers worried about ransomware, privacy breaches and intellectual property theft, especially now with so many of us working from home? What about the business continuity risks with supply chains stressed to breaking point by COVID, recession and war? Are your suppliers cutting corners on privacy and security, hoping nobody will notice? Are desperate competitors taking advantage of the disruption to undermine your cyber-defences? Worse still, is management blissfully unaware of the issues, with everyone heads-down, rowing hard, too busy to notice the icebergs dead ahead? ... Or is there a strong drive to secure and exploit information as an integral part of operations? Does being trusted by customers and stakeholders equate to brand value,...

ISO/IEC 27001:2022 pros and cons

I can think of eight key advantages and opportunities in adopting the new third edition of ISO/IEC 27001 as opposed to the second edition nearly a decade old: