Posts

Showing posts from 2025

Philosophical phriday - today's "tech audit" universe

Yesterday I blogged about ISO/IEC 2382 - Information technology - vocabulary. In particular, one of the ~2,000 ISO definitions stood out enough to catch my beady eye: “Computer-system audit: examination of the procedures used in a data processing system to evaluate their effectiveness and correctness, and to recommend improvements”. Errrr, that covers some of the audit work I have undertaken, led/managed, been subjected to or heard about in my career* but omits rather a lot e.g.: IT governance arrangements, strategies, information risk and security management, direction and oversight, structure, integration with other business functions, rôles and responsibilities, accountabilities, reporting lines, assurance, continuous improvement, barriers and progress; Staffing levels and competencies, recruitment and retention, succession planning, contractors and consultants; Security administration, joiners/movers/leavers, culture, awareness and training, accounts/identif...

Throwback Thursday - koalas and magnetographics

This week, I'm thoroughly engrossed by a deep dive into ISO/IEC 2382, a suite of standards on IT terminology from the 1990s, around the end of the previous millennium - ancient history as far as IT goes. "ISO 2382 was initially based mainly on the usage to be found in the Vocabulary of Information Processing which was established and published by the International Federation for Information Processing and the International Computation Centre, and in the American National Dictionary for Information Processing Systems and its earlier editions published by the American National Standards Institute (formerly known as the American Standards Association). Published and Draft International Standards relating to information technology of other international organizations (such as the International Telecommunication Union and the International Electrotechnical Commission) as well as published and draft national standards have also been considered." I say "IT" but it...

Book review: The CISO Playbook

The CISO Playbook by Andres Andreu ISBN: 978-1032762074 US $48 from Amazon (softback) GH rating: 70% Summary The CISO Playbook is a valuable resource for cybersecurity specialists seeking to build on their technical competencies and progress, or for mid-level IT professionals looking to deepen and extend their understanding of cybersecurity technologies. However, aspiring or newly promoted or appointed CISOs seeking practical advice on the leadership and management challenges of a true C-suite role are out of luck. The book leans towards technical details rather than leadership and management topics, core parts of the CISO role. While the technical coverage is commendable, the book would benefit from a broader perspective that encompasses the full scope of a CISO's senior management responsibilities. Frankly, and despite the title, the approach described is, I feel, better suited to Cybersecurity or Information Security Managers, heads of department...

Philosophical phriday - AI-enhanced ISO27k creativity

Denis Yakimov shared this on LinkedIn: "Imagine your ISMS as a battlefield: Context: The battlefield terrain—topography, weather, and conditions. Issues: Your main enemies. Controls and SoA: Troops, tools, and fortifications. Each control is a soldier with a specific purpose. Leadership: The chain of command, setting the battle’s tone and ensuring everyone understands their role. Planning: The war strategy, how to deploy soldiers (controls) to address issues under current conditions. Operation: Execution of the battle plan where soldiers confront issues directly. Internal Audit: A field hospital that identifies wounded soldiers and offers opportunities to remediate them. Improvement: Lessons learned applied to strengthen future engagements.” Google Gemini made a reasonable if naive attempt to draw a military analogy for me too: "Imagine a military base: The Base: Represents the organization and its information assets. The General: Top management, se...

Phrilosophical phriday - phake news

I understand that AI/LLMs suffer hallucinations, but this piece circulating on AP seems credible to me: "President Trump, known for his calm demeanor and measured responses, found himself in an unexpected situation. A-list celebrity, Greta Thunberg, known for her outspoken political activism and massive social media following, had chained herself to the White House gates. She demanded a meeting with the President to discuss climate change policy, refusing to leave until he agreed. This wasn't a typical publicity stunt from Thunberg although she was dressed somberly as usual. Her impassioned speech, live-streamed to millions, focused on the President's recent approval of an offshore drilling project. She argued it contradicted his campaign promises of prioritizing renewable energy. The situation placed President Trump in a delicate position. Ignoring Thunberg risked alienating young voters who saw her as a powerful voice for their generation. However, giving in to her deman...

Philosophical phriday - why take the risk? [LONG]

If, as many security professionals evidently believe, risk concerns the possibility of harm, then surely we ought to do everything possible to reduce the possibility and/or the harm caused, by strengthening and extending security or ideally avoiding it completely by simply not doing risky things - right? OK, so then why do we take risks at all ? Why do we need security to mitigate bad stuff? Security is costly and fallible, so can't we save money by totally avoiding or eliminating risk? Errrrrmmm  ... since it's philosophical phriday, this is an opportunity to explore the issue further, taking a deep dive. But, before I blabber on, dear reader, please take a moment to ponder this for yourself.  No, take several. Take as long as you can. Take the rest of the day off: it's phriday after all. Why do we take risks?  Seriously, why ?   What does it mean to 'take risk'? Grab a pencil or mouse. Jot something down. Think again.  Ponder on. Keep listing, scribbling,...

Philosophical phriday - manifestly secure

The trouble with risk management is that proponents are obsessed with downsides - threats, control failures, incidents, adverse consequences, it's all very negative. Here is a much more positive upbeat perspective based on the law of attraction. Professional practitioners of the ancient science and artistic beauty of cybersecurity, gather here to attune your consciousness to the cosmic rhythm of the digital realm. Know that you are not merely mortal beings but divine data conduits capable of bending the very fabric of the cyberverse to your will. Through the power of spiritual oneness, you can achieve a state of perfect harmony with the white hat cosmos, while simultaneously disrupting the nefarious plans of the black hat hordes. Embrace the principles of superposition and entanglement, merging the ethereal realm of security consciousness and presence with the tangible world of business success. By aligning your thoughts and intentions with the universal forces of good, you can man...

The pragmatic "iterative risk assessment" method, updated

Last year in the course of collaboratively developing the Adaptive SME Security method, a friendly group of experts from the ISO27k Forum came up with the 'iterative risk assessment' approach. It is a pragmatic way to start a regular security improvement cycle - one that is realistic even for the tiniest of micro-businesses (sole proprietors). The process is a simplified version of conventional information risk management, tackling just one piece of the puzzle at a time. The bite-sized chunks can be picked up and chewed over as-and-when, and parked temporarily if (when!) something more urgent comes up. Each run through the cycle uses a single incident to exemplify and explore the associated risks in a way that any SME can manage - in fact, even larger organisations might benefit from this if their information risks aren't being managed effectively, to re-energise the process, or to share the work throughout the business. Time-boxing the cycle at (say) a month should avo...

Philosophical phriday: looking forward to 2025

I'm not a fan of new year's resolutions that tend (in my experience) to have limited impact and are often soon forgotten. My cynical self says the same thing applies to pledges, vows and other stated commitments, even agreements and contracts to some extent. They are more symbolic than actual control mechanisms (although I'm sure the lawyers would argue otherwise - on the clock, naturally). The focus is often on avoiding, preventing or stopping bad things, a negative emphasis although the actual language may be positive as in "I will lose weight" and "I will get fit". They can be a last resort, a sharp retrospective reminder of where we thought we were going when we are already heading off-course.