2014-07-21

accepted, how?

How does a risk get accepted?

Imagine the following conversation.
- why haven't we done anything about this issue?
- we decided to accept the risk.
- who did, when and why? where is this documented?

Risks are accepted every day when issues emerge in a conversation and we choose to move on, rather than do something about them. Such acceptance is informal and rarely traceable. Contrast this with formal risk assessments where acceptance is explicitly documented as the preferred treatment strategy.

2014-06-30

accepted, by whom?

Acceptance is often a reasonable strategy for InfoRisk.

Who does the accepting?

If you have one omnipotent Risk Manager who calls the shots, the answer is simple.

But, to create a risk culture, Risk Management will have to take place on multiple levels.

Suppose the Network Dept assesses a certain risk: can they accept it on behalf of the organization? If yes, how are they in a position to judge (and accept) the business impact? If no, how can Risk Mgmt scale unless responsibility is delegated?

2014-06-14

Stockholm Criminology Symposium

This week I attended the 9th Stockholm Criminology Symposium. Not being a practitioner in crime prevention and having taken just an introductory course, some of the research stuff is way beyond me. So, why go there?

Applied InfoSec can use input from more mature fields. Preventing bad things from happening. Motivating individuals to choose the narrow track. Governing change.

Also, I enjoy venturing out of the silo, meeting people more knowledgeable than myself with entirely different experiences and tools.

2014-06-13

change is in the air

I've been an employee of the Swedish bank SEB since 1991, initially as a database specialist, then working with applied information security since 2006.

Having spent 23 good years in the financial sector, following this summer I will take up a position as consultant in the great team of Konsultbolag1 InfoSec AB.

As always in consulting, what I will be doing will be up to our customers, but I look forward to driving change within the field of security by means of teaching, coaching and mentoring.

2014-06-09

Inter-Organizational Information Risk

Information handling can be outsourced. Accountability cannot. When things go wrong, the image loss remains with the owner.

Risk is managed at multiple levels.

  • Organization: clarify boundaries of responsibility, align policies and practices, establish process
  • System: assign risk ownership - what if our assets are transmitted through your infrastructure?
  • Individual: which person carries which role?

When systems transcend boundaries of organizations, how do we make sure the ball is not dropped?

2014-05-19

can Security Management be agile?

The waterfall approach to building systems has passed its prime.

How should Security Management deal with this?

Security is a quality of information. Structures for upholding quality must align with practices of the enterprise. If business calls for flexibility, Security Mgmt should enable robust systems through usable structures, in accordance with how the organization chooses to govern and manage itself.

Is this a challenge? You bet.

Can Security Mgmt be agile? To stay relevant, it must.

2014-04-28

awareness is never enough

We talk a lot about user security awareness.

But awareness is never enough.

I might be aware that you forgot to close the window on a rainy night. This won't help unless I care to close it or remind you. I might be aware that my password could be misused by a malicious individual. This won't help unless I care to make an effort to protect it.

I must care enough to do the right thing when it would be easier not to. I must be committed. So, let’s stop parroting awareness as an end goal. It’s not.

2014-04-24

applying principles for societal security

At a FoF seminar today, the MSB suggested 10 principles for societal security.
I interpreted eight of them for InfoSec Management:
  • earn and maintain trust among stakeholders
  • communication is an indicator of a safer organizational systems environment
  • readiness begins and ends with the individual coworker
  • incident prevention can be made more effective
  • critical services must remain available
  • information security is everybody's business
  • manage dependency on external suppliers
  • a system transcending trust boundaries can only be managed in a concerted effort

2014-04-07

no silver bullet

There's an entire industry based on the assumption that Security Management is about fancy technology. The latest and greatest product, the silver bullet which will finally turn the tide and help us defeat adversaries once and for all.

Yawn.

To me, it's all about people. The folks who envision, design, build, deploy, operate, evolve, maintain and - when that day comes - decommission the system in a controlled fashion. Most importantly, the Owner who remains accountable throughout the system's life-cycle.

2014-03-14

meanwhile, in a social channel

I've tested live-tweeting recent seminars, on BCM and Key Management.

Commenting as an event unfolds serves several purposes. It helps spread the word to absent friends. Taking notes publicly makes me concentrate on what might matter to others and gives me a chance to offer my value judgments.

Are there any cons? Nothing (even remotely) sensitive must get forwarded beyond the room. Then again, who would be sharing secrets in an open seminar?

Do you see other benefits or drawbacks with live-tweeting?