In the traditional parlance of infosec, we've been taught repeatedly that the C-I-A triad (confidentiality, integrity, availability) must be balanced in accordance with the needs of the business. This concept is foundational to all of infosec, ensconced in standards and certification exams and policies. Yet, today, it's essentially wrong, and moreover isn't a helpful starting point for a security discussion.
Recently in risk-management Category
It's that time of year again: time to update the policies! This annual exercise is always a source of great enjoyment for me (no, not really). After all, there's nothing like having the non-technical flailing about as they try to force-feed technical requirements down the throats of IT without explaining, justifying, or providing any factual basis for asking. If there's something most techies love, it's an over-the-top policy recommended by external auditors.
Quite frankly, policies are the precursor to, and embodiment of, the checkbox-compliance mindset. We all know how well that's worked out for us thus far. I mean, looking at all the data breaches we're not having thanks to compliance and policies, right? Hahaha... oh.
From January 2015...
As you've undoubtedly heard by now, President Obama renewed calls for increased cybersecurity legislation, all apparently because Sony Pictures Entertainment (SPE) got hacked? If you've not heard, check out the mainstream press coverage here...
From January 2015...
Now that we can soundly close the book on 2014, it's perhaps a good time to take a quick think back as we consider our best path forward. 2014 was indeed the year of infosec insanity, based on the sheer number of large breaches, number of breaches, number of "major, earth-shattering" vulnerability disclosures, etcetera etcetera etcetera (if you didn't read that last bit in the voice of the King of Siam, then check it out here).
Things That Aren't Risk Assessments
In my ongoing battle against the misuse of the term "risk," I wanted to spend a little time here pontificating on various activities that ARE NOT "risk assessments." We all too often hear just about every scan or questionnaire described as a "risk assessment," and yet when you get down to it, they're not.
Discussing RA Methods with CERT
In follow-up to our paper, "Comparing Methodologies for IT Risk Assessment and Analysis" (GTP subscription required), Erik Heidt and I were given the wonderful opportunity to be guests on the CERT Podcast to discuss the work.
Incomplete Thought: The Unbearable "Bear Escape" Analogy
"You don't have to run faster than the bear to get away. You just have to run faster than the guy next to you."
The problem with this analogy is that we're not running from a single bear. It's more like a drone army of bears, which are able to select multiple targets at once (pun intended). As such, there's really no way to escape "the bear" because there's no such thing. And don't get me started on trying to escape the pandas...
Fatal Exception Error: The Risk Register
I read this article a few weeks ago and set it aside to revisit. In it, the author states that "Risk management used to be someone else's job." and then later concludes that "...in a global business arena that is increasingly unforgiving when it comes to missteps, the message is clear: Everyone--including you--now has to be a vigilant risk manager." Yes, well, sort of, maybe, kind of... hmmm...
New Research on IT Risk Assessment and Analysis Methods
I'm pleased to announce that our new paper, "Comparing Methodologies for IT Risk Assessment and Analysis," is now available to Gartner for Technical Professionals subscribers! This research represents a few months of work, including many interviews with method owners and method implementers. The research process was quite fascinating and led to some unique insights.
My latest post...
3 Things I Think I Know About "Cyber" Risk
First, a note: when I say "cyber risk" here, I'm doing so knowing it's a somewhat equivocal term. I'm using it generically to be inclusive of IT risk, information risk, technical risk, and anything else along these lines that would roll up under operational risk. More could be said, but I'll save it for another time...