security is about timing

Besides the who, the how and the where - security is a lot about the "when".

In the best of worlds, you will be able to deter an adversary from even trying to compromise your system.
If not, can you prevent the attack from succeeding?
If not, can you detect the intrusion in a timely fashion?
Once detected, can you contain the attacker and prevent a wider compromise?
Finally, can you swiftly restore your system to agreed service levels?

Better get the chronology straight. Security is a lot about timing.


obligatory quality

I'm reflecting on Business Continuity Planning. The ability to withstand the unexpected and carry on, serving customers as best you can.

Two observations.

The field is compliance-driven. Before the advent of regulation, interest was lukewarm at best. Whatever happened to self-preservation? Haven't we learned anything from 9/11?

Terminology is confusing. Guidance refers to several categories of plans. Relating them and putting them in context is left as an exercise for the layman. A challenge for us educators!


still blogging, a decade down the line

Ten years ago I got an idea. It was rather trendy in those days, having your own blog. One purpose soon emerged though. I wanted to practice my English. The topics have been widely varying, so picking a generic blog title proved useful.

I used to be interested in politics, as became apparent in the first posts:

In recent years I have shifted focus. When I got started within the security realm, I chose to devote the blog to precisely that:

As for the next ten years, who knows? What will be my perspective?