Posts

Showing posts from October, 2024

Directors as kaumātua

The Institute of Directors has just released their Code of Conduct for Directors, promoting six principles: Leading by example. Integrity. Transparency. Accountability. Fairness. Responsible business. So far, so good ... although somehow I feel there's something missing. But what?

Philosophical phriday - a noncompliance ramble

In a previous philosophical phriday post, I moaned about vendors of security compliance support/management tools and services over-promising and under-delivering - an admittedly biased, even cynical opinion piece about the compliance imperative. A recent article in Corporate Compliance Insights notes that "CISOs are not just defenders against cyber threats but also champions of compliance and operational resilience". Hmmm, are CISOs 'compliance champs', really? Today, I'm discussing alternatives to being compliance-driven. How else can organisations drive their information risk, security and related concerns in a positive direction?

Sunday versions - more AI-musing content

Today I asked Google's Gemini to rewrite yesterday's blog piece "in the style of a naive student of IT": "Hey guys, so I was thinking about this weird thing that happens online. People get really mad about stuff, like really mad. They all start yelling at each other and saying the same things over and over again. It's like a big echo chamber, and it gets out of control. For example, there was this time people were freaking out about 5G towers. They thought it was going to hurt people, but scientists said it was totally safe. But the people who were mad kept saying it was bad, and they got other people to believe them too. It was crazy! When people get really mad like that, it's hard to talk to them. They don't want to listen to anything else, and they just keep shouting. It's like a big fight, and it can make things worse. So, what can we do about this? Well, one thing is to just wait for people to calm down. Sometimes, if we let them vent f...

Saturday version - AI-generated content

For kicks, I prompted Google's Gemini AI robot to rewrite yesterday's blog piece "in the style of a professor or university lecturer". This is wot it rote me: A fundamental challenge in contemporary society is the phenomenon of outrage, wherein groups of individuals exhibit disproportionate emotional responses to perceived threats or injustices. This often manifests in the form of echo chambers on social media, where like-minded individuals amplify and reinforce each other's concerns. Such amplification can rapidly escalate emotions to unreasonable levels, hindering rational discourse and critical thinking. Consider, for example, the contentious issue of 5G cell tower placement near schools. Outraged individuals may perceive this as a grave threat to public health, accusing authorities, scientists, and industry leaders of callousness and disregard for their concerns. The perceived risk is often amplified through groupthink, leading to a sense of collective out...

Philosophical phriday - countering outrageous misinformation

For decades, I have appreciated Peter Sandman's approach to outrage - the social phenomenon in which groups of people react strongly to some perceived threat, issue, concern or whatever, drawing-in other like-minded individuals via social media. The echo chamber (positive feedback loop) can rapidly escalate emotions to an unreasonable degree with a lack of reasoned, critical thinking - according to those allegedly responsible for the issue anyway. In the case of, say, the placing of 5G cell towers in/near schools, the outraged can become furious that the risk (as they see it) is being 'callously ignored' by the equipment suppliers, site developers, authorities and scientists, and enraged that they are 'not being taken seriously'. From their perspective, thanks to group think (social endorsement), the perceived risks are portrayed and understood to be deadly serious. Leaders within the outraged community gain notoriety, influence and p...

Define: ironic


Accreditation vs certification

First, two definitions: "Certification" is the process of checking something against defined criteria, and if it passes (meets the criteria), issuing a certificate of compliance or conformity or assurance or whatever. Certification gives some assurance that the certified organisation or individual meets the criteria ... provided the certification body or person is competent and trustworthy, the checks were done properly, and the certificate itself is authentic. Hmmm, quite a few caveats there ... "Accreditation" is the process of confirming that whoever is checking and issuing certificates is properly qualified, competent and trusted to issue meaningful certificates by following prescribed processes. It adds credibility, meaning and value to the certification and issued certificates ... provided the accreditation body or person is competent and trustworthy, the checks were done properly, and the a...

Crowdstrike - remember that?

The last of a dozen learning points I made in a post-incident review of the Crowdstrike incident was: "Unless changes are actually made as a result of an incident, the uncertainties (risks) remain. We have missed out on a valid learning and improvement opportunity." Although I accept that nobody is obliged to learn from incidents, make changes or improve, the Crowdstrike incident was Big News when it occurred back in July, and here we are in October. So it's fair to ask what - if anything - are we doing differently now? [I'm using Crowdstrike here simply as a well-known example. Even if the Crowdstrike incident had no material impacts on your organisation, you have undoubtedly suffered various incidents, possibly something serious or critical. As you read on, by all means substitute some other significant recent incident in place of "Crowdstrike" if that helps you relate to this piece.] A cyberattack can be a devastating event for any organization. It'...

Philosophical phriday - a certain amount of uncertainty

Risk and security professionals typically believe that a company's risk tolerance or risk appetite determines whether risks are or are not acceptable. However, they seldom define the terms, which are used loosely and interchangeably in practice. So what are they? If you accept (as I previously asserted in this place) that risk is uncertainty, risk tolerance implies a willingness to tolerate or put up with a certain amount of uncertainty, while risk appetite suggests a desire for a certain amount of uncertainty. OK so far, but what is 'a certain amount of uncertainty'? That seems paradoxical.