no silver bullet

There's an entire industry based on the assumption that Security Management is about fancy technology. The latest and greatest product, the silver bullet which will finally turn the tide and help us defeat adversaries once and for all.


To me, it's all about people. The folks who envision, design, build, deploy, operate, evolve, maintain and - when that day comes - decommission the system in a controlled fashion. Most importantly, the Owner who remains accountable throughout the system's life-cycle.


meanwhile, in a social channel

I've tested live-tweeting recent seminars, on BCM and Key Management.

Commenting as an event unfolds serves several purposes. It helps spread the word to absent friends. Taking notes publicly makes me concentrate on what might matter to others and gives me a chance to offer my value judgments.

Are there any cons? Nothing (even remotely) sensitive must get forwarded beyond the room. Then again, who would be sharing secrets in an open seminar?

Do you see other benefits or drawbacks with live-tweeting?


risk vs. compliance (2)

Policy is created to control risk exposure. Failing to establish coherent and adequate policy drives risk. Classify your assets, test your systems, educate your employees - says the policy. Risk reduction through compliance. 

And the other way round. Ensure that design decisions are explicitly risk-based, says the policy. Compliance through risk management.

Can you see other ways in which the risk (manage potential consequences) and compliance (do as we're told) perspectives are interrelated?


the rest is Risk

In the beginning there was Compliance.

Until our information systems grew complex and interconnected, the Compliance perspective served us fairly well. There was comfort in trusting that Knowledgeable Others had already foreseen what could possibly go wrong and devised clever rules to keep us safe. Do this or that and be secure.

Those were the days.

By now, we have more rules than ever and we still need to follow them. But complying is not enough anymore, we have to fend for ourselves.

The rest is Risk.


risk vs. compliance

Suppose you're driving along a country road. Imagine it's snowing and visibility is poor. You will be driving carefully to avoid an accident. This is the risk perspective. Managing potential consequences.

The next day is sunny and there's hardly any traffic. Accidents seem unlikely. However, by the roadside is a sign with the local speed limit. You will be adhering to this limit. (Right?) This is the compliance perspective. Doing as we're told.

These perspectives are different but also interrelated.


enter Knowledge Security

Philosophy informs us that knowledge requires belief, truth, and justification. Let x be an assertion, e.g. "Sweden is not Snowden", and suppose I claim to know x. If so, I have to believe x, x must be true, and my belief in x must be justified.

Knowledge appears to be information which is correct and which has been logically internalized. Information exists on its own but knowledge requires an actor. When would it be meaningful to talk about Knowledge Security, rather than Information Security?


motivation happened

Why did I grow to like studying?

It's about perspectives. Relating findings in one discipline to questions in another context, such as my work life. It feels more rewarding to theoretically explore current issues at work, rather than merely memorizing (seemingly) abstract stuff for an upcoming exam.

And it's about giving back. With the benefit of experience, I find myself in situations where I can contribute. Students and lecturers expect me to offer my input.

How could I not feel motivated?


enter The Alumnus

Once upon a time, I was busy taking notes. Sitting at the feet of lecturers, eager to inhale their accumulated wisdom, convinced that they had all the answers.

I got my exam and was fortunate to find challenging work among great colleagues. Years went by. Some scribbled notes never came into use. Certain concepts helped save the day.

The world has changed. So have I. By now, I know a thing or two about what works and what doesn't.

There comes a time for giving back. 'tis the season for an alumnus.


never again

To me, studying was always boring, bordering on burdensome. Never again, I told myself upon getting my exam in Systems Science.

That forecast seemed to hold water. Only 15+ years later did I hesitantly return for some Security Informatics. And some more. Plus a dose of Criminology. Followed by Decision-, Risk- and Policy Analysis...

And, guess what? Now, at long last, I enjoy myself. Lectures are interesting, assignments meaningful, interacting with other students often a delight.

So, what happened?


what did you trust?

Risk is connected to trust.

Daily life involves trust in many situations. Trusting your washing machine not to destroy your clothes. Trusting the bus to arrive on time and the driver to find her way. Trusting that the elevator is properly constructed and won’t collapse. Trusting the bank to take care of your savings.

Without trust, everyday life becomes impossible.

But we cannot trust blindly. When driving, you won’t trust a kid to take the wheel. Doing so seems unnecessarily risky.

Trust depends on risk. And unless properly handled, trust creates risk.

In whom - and what - did you trust today?