build - measure - learn


Measuring security isn't easy. There's a lot of building going on but we need to close a build-measure-learn loop in order to make sustainable progress.

How can we credibly argue for security investments, unless we quantify the current and desired future state? Metrics should be collectable, robust and meaningful. What do you wish to communicate? Base your narrative on facts that are relevant for stakeholders.

Without trying, it won't happen. Find a couple of simple metrics and start measuring now.


the strongest link


People are sometimes regarded as the "weakest link". This is a mistake.

It is factually wrong. All that great technology which is supposed to save us has been created by... people.

Also, such labelling is counterproductive. Yes, people make all sorts of mistakes. But security is a holistic quality. Only motivated, knowledgeable individuals can orchestrate security mechanisms into a meaningful whole. So, build a pervasive quality culture, let your co-workers know they are the strongest link and watch them grow.


on clouds and testing

Good question on Twitter.

Assuming a public cloud with a mega provider, our focus evolves from learning how to build better to verifying functionality. The purpose morphs from educating our own devs to supporting trust in an external service offering "as is".

We will want assurance on how stuff works in "somebody else's computer" and we will need to focus on interfaces. In an ideal world, with perfect trust in the cloud provider, we might well end up with a smaller test budget. How do we spend it wisely?

My 2c.


challenging a definition of done

This year's final Teknisk informationssäkerhet course welcomed no less than four guest lecturers.

Lars Johansson stressed the importance of randomness when implementing cryptography.

Michael Westlund introduced the concept of Digital Self-Defense and reminded us not to reuse passwords.

Tomas Karlsson revealed how seemingly independent agile teams can be subtly infiltrated by influencing their 'definition of done'.

And Åke Ljungqvist emphasised how a tested recovery plan can save tears as well as money.


InfoSec for IT Architects

DF Kompetens has a prestigious twelve-day curriculum for IT Architects which has certified 1200+ students by now. I was privileged to guest lecture half a day about Information Security.

This was the first time we did my group exercise in identifying and categorising Security Mechanisms with generalist students - as opposed to InfoSec pros. We learned that every technical mechanism has a process aspect.

Modern IT Architects have a holistic view where tech is just an ingredient, albeit important.


from craft to engineering

Security Architecture implies plurality.

In our recent Operativ InfoSec course, my eminent colleague Sebastian Åkerman talked about nomenclature and a systemic approach with a toolbox of Security Mechanisms. If an organisation can agree on terminology, it can describe existing capabilities (as well as desired ones) with bidirectional traceability between business need and component.

When InfoSec deals with building systems one at a time, architecture can help security work mature from craft to engineering.


on the contested Digital Domain

When something concerns information as well as security, is it a matter of Information Security?

In our recent Strategisk Infosec course, I had the privilege to introduce a new chapter with guest lecturer Patrik Thunholm who gave a conceptual introduction to Influence Operations and Security Psychology.

Given the rapid digitisation, the Digital Domain is bound to become contested by various parties with an agenda. How can an organisation defend itself and how does this relate to classic InfoSec?


on requirements in Stockholm

Security Requirements (SR) is not a trivial domain. ("Svårt", according to this word cloud.)

One might be tempted to go consult the nearest expert. And that is part of the problem, because SR concern so many of us. Either we write them (or should be writing them), or we're part of their target audience. Or, at the very least, we should be aware of SR for other reasons.

This is pretty much what my seminar "KRAV-märkt" is about and 5 September I was privileged to host a SR breakfast at DF Kompetens in Stockholm.


To Deceive and Mislead

The greatest victory is that which requires no battle, observed Sun Tzu.

Far from new, this idea is gaining traction in the social media era where source criticism is scarce and many "useful idiots" stand ready to share content with a thoughtless click. This is fertile ground for those who want to influence for reasons of politics, ideology or profit.

Starting next week, To Deceive and Mislead is a course I'm looking forward to. I'm particularly interested in the intersection between InfoWar and InfoSec.


lessons from Överhogdal

Imagery from Wikimedia Commons (link)

In a store-shed by Överhogdal church, artist Paul Jonze made a stunning discovery in 1910. Lying like a large rug on the floor was a long-forgotten tapestry.

This textile treasure has been dated to the Viking Age and is by far the crown jewel of the county museum Jamtli, where I've been privileged to experience it several times.

Textile artwork is certainly not my speciality but the Överhogdal tapestries are a great illustration of the challenges in preserving information. Archiving 101, if you will.