Posts

Showing posts from November, 2024

Philosophical phriday - anticipation vs. prediction

There is a growing appreciation, perhaps even consensus in the field that information risk management - or indeed risk management in general - is not simply a matter of predicting or controlling the future, at least not in a rational and deterministic manner. Given that the future is inherently complex and uncertain (= risky!), the best we can reasonably hope for is to reduce somewhat the number and negative impacts of disruptive events and incidents, while simultaneously hopefully increasing the chances and value of positive, beneficial outcomes. Both objectives are asymptotic: the effort and investment required to progress increase exponentially as we get ever closer to those two goals, ultimately putting them both beyond our means given finite resources (oh and one or two other things to pour our money into!). In other words, despite our best intentions, we know we are doomed to fail at some point. Doomed I tell you. That's not merely a pessimistic outlook: I'm an optimist ...

Philosophical phriday - deceptive deception

Truly effective deception isn't even recognised as such - it passes completely unnoticed. There is no shortage of now-recognised examples that the deceived didn't spot at the time and maybe still haven't noticed. Here's a sample:

- A stick insect appears to a predator to be an inedible stick, not a tasty insect
- Spotted from an enemy's reconnaissance biplane, an inflatable tank or field gun may appear solid, a credible threat at least
- While an accomplice distracts a resident by knocking at the front door on a pretext, the cunning thief slips around the back
- Phishers emulate the look and feel of legitimate emails, senders and websites to dupe victims into visiting and disclosing their credentials, using spurious urgency to shortcut or bypass checks, specific timing and wording, and sheer volume to exploit the off-guard vulnerables

Philosophical phriday - strategic risk management (LONG)

Recently I enjoyed a lecture by a bank's economist to local business leaders concerning the NZ economy. Observing the blizzard of graphs, I was struck by his short timeline, stretching to about a couple of years ahead. Now I'm sure the economist is earning his crust at the bank. Of course they need to keep on top of day-to-day and month-to-month fluctuations in the economic parameters, playing the markets. Equally, I'm sure the bank has other experts with a longer-term outlook, diligently modelling the implications of national and global issues including political, social, environmental and technological, for many years or decades ahead - for at least as long as the bank's mortgages and business loan periods anyway. Nevertheless, that prompted me to think about planning horizons in information risk and security management, within the broader context of budgeting and investment management in any commercial organisation - a pertinent topic as we plummet towards the new c...

Philosophical phriday - objectives of desire

Objectives are king. If strategy is the organisational or personal journey ahead, we must truly understand our objectives to move ahead confidently in the right direction, systematically measuring progress towards those objectives. If the objectives are uncertain, well, any path will do, and our measures are largely pointless: we may know how far we've come and how much fuel we've consumed so far but we're not sure how much further we need to go, nor in what direction and at what speed. That's sub-optimal. So far so good. But what if the objectives are hidden, in conflict, or not what they seem? There are clearly potential problems with objective-led approaches - a little seething cluster of problems in fact. So, then, it seems objectives have objectives.

Philosophical phriday - cybersecurity awareness month

We should congratulate and support colleagues around the world who have conceived, organised and promoted creative events for October's cybersecurity awareness month. Seriously, well done all of you. Thank you for your energy and efforts. Thank you for caring. Thank you for doing your bits. Thank you for taking time out of whatever else you were doing, perhaps even allocating some of your budget towards this. I am being 100% genuine here: this is not a sarcastic piece. I am truly grateful.