"If your organization has customers that ask you to complete questionnaires before engagement, track those against logos added or better revenue brought in. You’re now tracking your return on investment and a key risk of if your security is not good enough, those are the businesses you lose. Do the same with each customer that asks for your ISO certification or SOC 2 report. You have an excellent metric that allows you to track that return on investment and shows security as a revenue generating part of the organization. My organization’s last quarter internal company meeting had the Senior Revenue officer publicly acknowledge and thank InfoSec for our role in landing their biggest customer. It doesn’t get much better than that."
Friday 28 July 2023
Using security enquiries by customers as a security metric
Thursday 27 July 2023
Hyper-glossary nearing completion (?)
My next book will be a 'hyper-glossary' of terms relating to information security, including closely related aspects such as information risk management, governance, compliance ... and more ... and there's the rub: I'm struggling to catch up/keep up with developments in the field, not least because of the rate at which novel concepts are introduced and new terms are coined.
Here's an example of a definition originally added a couple of years ago and most recently amended today:
There I've defined "Deep fake", one of several terms washed up in the AI tsunami. The underlined terms are hyperlinked to their definitions ... and so on forming an extensive web within the document.
Monday 17 July 2023
The biology of bias
'Bias' is generally considered a negative human trait with both practical and ethical implications. Paradoxically, however, that negativism can itself be considered a form of bias. Bias can - sometimes - be positive, beneficial, even necessary, and is to some extent an inevitable consequence of our biology.
In Darwinian terms, 'cognitive bias' comprises a fairly diverse set of behavioural traits that have evolved over the millennia, such as:
- Confirmation bias: a tendency to seek out and place greater emphasis on information that appears to confirm what we already believe, while avoiding, ignoring or downplaying contradictory information;
- Anchoring bias: initial information (no matter how accurate) provides a basis for comparing and evaluating further information;
- Observation bias: the mere fact that something is being observed, investigated, discussed, measured, focused-on etc. increases its apparent importance or value;
- Balance bias: humans are curiously obsessed with achieving balance, equilibrium, parity, fairness, moderation, neutrality, centrism etc. in all manner of situations, despite 'balance' generally being a costly, fragile, often temporary and potentially risky state - in other words, imbalance (a.k.a. bias) is natural whereas balance is unnatural and takes effort, but for some strange reason we seek, strive for and value it anyway.
The fact that these traits exist today strongly suggests that they confer evolutionary advantages. Biases evidently have their biological utility and value, helping biased individuals survive, prosper and procreate somewhat more efficiently than the unbiased.
I repeat, bias (imbalance) is natural.
Pro services under attack
Among all the other bad news in the excellent Cy-Xplorer 2023 report from Orange Cyberdefense, this nugget of threat intelligence poked me in the eye:
I've become increasingly concerned about the information risks relating to professional services in recent years. They seem obvious targets for malicious cyber attacks, given:
Sunday 16 July 2023
Internet security guidance
The second edition of ISO/IEC 27032 "Cybersecurity - Guidelines for Internet security" has just been published.
The introduction to the new edition commences:
"The focus of this document is to address Internet security issues and provide guidance for addressing common Internet security threats, such as:
— social engineering attacks;
— zero-day attacks;
— privacy attacks;
— hacking; and
— the proliferation of malicious software (malware), spyware and other potentially unwanted software."
Wednesday 12 July 2023
A pragmatic alternative to the SuperCISO [L O N G]
JC's repeated assertions that 'cybersecurity is not purely technical' caught my beady eye: the 'cyber' bit clearly suggests that it is 100% purely tech ... but those of us who have swallowed the ISO27k pill recognise that information security requires more than just securing the bits-n-bytes. This is yet another example of the confusing use of language - specifically 'cyber'. Many professionals immersed in the field take 'cyber' implicitly to include technology plus other aspects but the general perception Out There is very strongly and perhaps exclusively technical.
For the majority, cybersecurity equates to IT security or, more specifically still, it refers to hacker attacks and malware infections via the Internet. For that reason, the recently revised and reissued standard ISO/IEC 27032, formerly on 'cybersecurity', was re-titled to clarify that it covers Internet security, specifically - an important part of the information security landscape and cyber area, but not the whole thing. It falls short on intellectual property protection, for instance, plus insider threats and plain ol' fashioned accidents that cause a significant number of incidents, despite not being 'attacks'.
Wednesday 5 July 2023
What do auditors do, and for whom? [L O N G]
"advice on where (in cases of an ISO audit) and how (in cases of an Internal audit) our ISMS could/should be improved, but I need that advice to be meaningful, grounded, and delivered in a way that has the best probability it will be absorbed by the business. In other words, I would like this process to offer real value to the business, besides just being seen as a transactional, bureaucratic overhead."
... which seems entirely appropriate and ethical to me. Nicely put!
Fuelled by two strong coffees, I've been mulling over a further response from my pal Chris Hall - an experienced and respected auditor and consultant who expressed the opinion that the role of a certification auditor is:
"... simply to assess whether the organisation conforms to the requirements of clauses 4 to 10 of ISO27001. That is all. And to report on it, pointing out where the ISMS does not conform ..."
I see things a little differently and (as usual!) more complex/nuanced in practice than Chris indicates.