Safe UX - part of the InfoSec narrative

What happens "between" the strategic and technical Information Security layers in an organisation?

My recent Operativ informationssäkerhet course was fully booked with 19 participants and featured no less than six guest lecturers.

In the photo collage from top left - Sebastian Åkerman (Security Architecture), Henrik Kraft (Safe UX - a new session), Lars Åsander (Crisis Management), Andreas Sjödin (Continuity in a bank), Tomas Karlsson (Agile & Security), Nada Kapidzic Cicovic (Secure Development).


on the limitations of copy-paste


What does security mean for your organisation, and why does it matter? Who in the business is responsible for what aspects of security? How will you measure it, and who will?

Go check the policy.

A policy shouldn't merely exist (although that seems to have been the purpose with some copy-paste examples).

A well-adapted InfoSec policy can be immensely powerful. It is your vehicle for effectively delegating the responsibility for measurable security. Taking a second look at your policy can be time well spent.


no more course binders

This year's first Strategisk Informationssäkerhet course marked a departure from paper-based documentation. Farewell, course binders! We've used an online teaching platform for years but in the absence of printed material, the platform becomes a critical course component. Next time, we'll add a wiki for ideas and links to further reading/listening.

As always, Conny Larsson (in the photo collage) lectured on Security Law. Other guest lectures covered Influence Operations and Security Policy.


a handy handrail


InfoSec begins with knowing your assets. Some do not have a grip on what info they own, how valuable it is and why. They are not in a position to define security, much less implement it.

Some classify info for reasons of compliance, but all too often this is an isolated project activity and the result is not merged into a meaningful whole.

Information structure tends to be more static than organisation or routines. Your information model can be an effective handrail for all sorts of management purposes.


build - measure - learn


Measuring security isn't easy. There's a lot of building going on but we need to close a build-measure-learn loop in order to make sustainable progress.

How can we credibly argue for security investments, unless we quantify the current and desired future state? Metrics should be collectable, robust and meaningful. What do you wish to communicate? Base your narrative on facts that are relevant for stakeholders.

Without trying, it won't happen. Find a couple of simple metrics and start measuring now.


the strongest link


People are sometimes regarded as the "weakest link". This is a mistake.

It is factually wrong. All that great technology which is supposed to save us has been created by... people.

Also, such labelling is counterproductive. Yes, people make all sorts of mistakes. But security is a holistic quality. Only motivated, knowledgeable individuals can orchestrate security mechanisms into a meaningful whole. So, build a pervasive quality culture, let your co-workers know they are the strongest link and watch them grow.


on clouds and testing

Good q on Twitter.

Assuming a public cloud with a mega provider, our focus evolves from learning how to build better to verifying functionality. The purpose morphs from educating our own devs to supporting trust in an external service offering "as is".

We will want assurance on how stuff works in "somebody else's computer" and we will need to focus on interfaces. In an ideal world, with perfect trust in the cloud provider, we might well end up with a smaller test budget. How do we spend it wisely?

My 2c.


challenging a definition of done

This year's final Teknisk informationssäkerhet course welcomed no less than four guest lecturers.

Lars Johansson stressed the importance of randomness when implementing cryptography.

Michael Westlund introduced the concept of Digital Self-Defense and reminded us not to reuse passwords.

Tomas Karlsson revealed how seemingly independent agile teams can be subtly infiltrated by influencing their 'definition of done'.

And Åke Ljungqvist emphasised how a tested recovery plan can save tears as well as money.


InfoSec for IT Architects

DF Kompetens has a prestigious twelve-day curriculum for IT Architects which has certified 1200+ students by now. I was privileged to guest lecture half a day about Information Security.

This was the first time we did my group exercise in identifying and categorising Security Mechanisms with generalist students - as opposed to InfoSec pros. We learned that every technical mechanism has a process aspect.

Modern IT Architects have a holistic view where tech is just an ingredient, albeit important.