Posts

Showing posts from July, 2023

Using security enquiries by customers as a security metric

On CISSPforum, Walt Williams suggested a novel security metric: "If your organization has customers that ask you to complete questionnaires before engagement, track those against logos added or better revenue brought in. You’re now tracking your return on investment and a key risk: if your security is not good enough, those are the businesses you lose. Do the same with each customer that asks for your ISO certification or SOC 2 report. You have an excellent metric that allows you to track that return on investment and shows security as a revenue generating part of the organization. My organization’s last quarter internal company meeting had the Senior Revenue officer publicly acknowledge and thank InfoSec for our role in landing their biggest customer. It doesn’t get much better than that." So, inspired by Walt's intriguing idea, I prepared a conventional metric specification using a combination of the Goal-Question-Metric approach (as ably described by Lance Hayd...

Hyper-glossary nearing completion (?)

My next book will be a 'hyper-glossary' of terms relating to information security, including closely related aspects such as information risk management, governance, compliance ... and more ... and there's the rub: I'm struggling to catch up/keep up with developments in the field, not least because of the rate at which novel concepts are introduced and new terms are coined. Here's an example of a definition originally added a couple of years ago and most recently amended today: There I've defined "Deep fake", one of several terms washed up in the AI tsunami. The underlined terms are hyperlinked to their definitions ... and so on forming an extensive web within the document.

The biology of bias

'Bias' is generally considered a negative human trait with both practical and ethical implications. Paradoxically, however, that negativism can itself be considered a form of bias. Bias can - sometimes - be positive, beneficial, even necessary, and is to some extent an inevitable consequence of our biology. [Image credit: BoardOfInnovation blog] In Darwinian terms, 'cognitive bias' comprises a fairly diverse set of behavioural traits that have evolved over the millennia, such as: Confirmation bias: a tendency to seek out and place greater emphasis on information that appears to confirm what we already believe, while avoiding, ignoring or downplaying contradictory information; Anchoring bias: initial information (no matter how accurate) provides a basis for comparing and evaluating further information; Observation bias: the mere fact that something is being observed, investigated, discussed, measured, focused-on etc. increases its apparent importance or value; Balance bias: human...

Pro services under attack

Among all the other bad news in the excellent Cy-Xplorer 2023 report from Orange Cyberdefense , this nugget of threat intelligence poked me in the eye: I've become increasingly concerned about the information risks relating to professional services in recent years. They seem obvious targets for malicious cyber attacks, given:

Internet security guidance

The second edition of ISO/IEC 27032 "Cybersecurity - Guidelines for Internet security" has just been published. The introduction to the new edition commences: "The focus of this document is to address Internet security issues and provide guidance for addressing common Internet security threats, such as: — social engineering attacks; — zero-day attacks; — privacy attacks; — hacking; and — the proliferation of malicious software (malware), spyware and other potentially unwanted software." Notice the standard is focused on "Internet security issues" which, in practice, means it covers active attacks perpetrated via the Internet. However:

A pragmatic alternative to the SuperCISO [L O N G]

Yet again this morning, something on the ISO27k Forum caught my imagination, firing-up my sleepy caffeine-deprived neurons. We have been chatting lately about what is expected of the Chief Information Security Officer role - namely an exceptional mixture of knowledge, skills and competences possessed by the 'SuperCISO'. Today, Nigel Landman referred us to an interesting article by JC Gaillard at Medium.com. JC's repeated assertions that 'cybersecurity is not purely technical' caught my beady eye: the 'cyber' bit clearly suggests that it is 100% purely tech ... but those of us who have swallowed the ISO27k pill recognise that information security requires more than just securing the bits-n-bytes. This is yet another example of the confusing use of language - specifically 'cyber'. Many professionals immersed in the field take 'cyber' implicitly to include technology plus other aspects but the general perceptio...

What do auditors do, and for whom? [L O N G]

Once again, my day kicked off with a stimulating and fruitful debate on the ISO27k Forum as members responded to a request for help to find accredited Information Security Management System certification auditors who will add value to the organisation above and beyond the ISO/IEC 27001 conformity certificate. The original poster copped some grief from the forum in appearing to seek certification auditors who would be kind on the organisation, supporting its business objectives more strongly than its conformity with the standard ... but a follow-up message clarified the position. Aris confirmed to us that he sought: "advice on where (in cases of an ISO audit) and how (in cases of an Internal audit) our ISMS could/should be improved, but I need that advice to be meaningful, grounded, and delivered in a way that has the best probability it will be absorbed by the business. In other words, I would like this process to offer real value to the business, besides just bein...