2018-06-21

on Information Risk Maturity in Östersund


From critical thinking to practical impact - returning from SRA Europe in Östersund. Not being a researcher, I'm obviously more of the "practical impact" type. My contribution was a talk about Information Risk Maturity.

I'd like to think this marks a new phase for me. From attending product conferences to attending academic conferences to giving presentations there as well.

There's no shortage of sophisticated theories on risk. I chose to share a low-entry approach from the industry. The slides are here.

2018-06-01

Teknisk informationssäkerhet - on crashes and prevention


Teknisk informationssäkerhet at DF Kompetens saw a large group of curious and knowledgeable attendants.

Using an airplane/mountain analogy, Åke Ljungqvist illustrated disk crashes with painful clarity.

Michael Westlund trained us in digital self defence.

Lars Johansson took us on a guided tour through the history of cryptography, from foundations to Tor networks.

We practiced threat analysis using the STRIDE model and ranked preventive InfoSec measures when travelling. Three jam-packed days went by quickly.

2018-05-27

more on Capabilities in Östersund

I was once again invited to guest lecture at the course Policy-Making During Crises in Society at Mid Sweden University.

We talked about what constitutes a crisis and how an organisation (given proper preparations) can adapt to adverse circumstances and thus continue delivering in the midst of a crisis. Students did a team exercise on designing a plan and we finished our afternoon with a fun quiz.

Good to see (below) that most of these future policy-makers already have experience from a private company.

on Risk Maturity in Östersund


I was privileged to present a seminar on Risk Maturity and Information Risk at Mid Sweden University in Östersund. It was good to meet a mixed group from academia as well as practitioners.

We talked about the importance of local ownership, not being dependent on that solo security expert on a pedestal. Security can become scalable if we foster a culture of risk maturity.

We also did a word cloud about Information Security. Vulnerability turned out to be a recurring term. Hard to disagree with that...

2018-04-20

Safe UX - part of the InfoSec narrative

What happens "between" the strategic and technical Information Security layers in an organisation?

My recent Operativ informationssäkerhet course was fully booked with 19 participants and featured no less than six guest lecturers.

In the photo collage from top left - Sebastian Åkerman (Security Architecture), Henrik Kraft (Safe UX - a new session), Lars Åsander (Crisis Management), Andreas Sjödin (Continuity in a bank), Tomas Karlsson (Agile & Security), Nada Kapidzic Cicovic (Secure Development).

2018-04-02

on the limitations of copy-paste

http://thebluediamondgallery.com/p/policy.html

What does security mean for your organisation, and why does it matter? Who in the business is responsible for what aspects of security? How will you measure it, and who will?

Go check the policy.

A policy shouldn't merely exist (although that seems to have been the purpose with some copy-paste examples).

A well-adapted InfoSec policy can be immensely powerful. It is your vehicle for effectively delegating the responsibility for measurable security. Taking a second look at your policy can be time well spent.

2018-03-16

no more course binders

This year's first Strategisk Informationssäkerhet course marked a departure from paper-based documentation. Farewell, course binders! We've used an online teaching platform for years but in the absence of printed material, the platform becomes a critical course component. Next time, we'll add a wiki for ideas and links to further reading/listening.

As always, Conny Larsson (in the photo collage) lectured on Security Law. Other guest lectures covered Influence Operations and Security Policy.

2018-03-05

a handy handrail

https://www.pexels.com/photo/contemporary-gradient-handrails-perspective-434645/

InfoSec begins with knowing your assets. Some do not have a grip on what info they own, how valuable it is and why. They are not in a position to define security, much less implement it.

Some classify info for reasons of compliance, but all too often this is an isolated project activity and the result is not merged into a meaningful whole.

Information structure tends to be more static than organisation or routines. Your information model can be an effective handrail for all sorts of management purposes.

2018-02-01

build - measure - learn

https://commons.wikimedia.org/wiki/File:Plastic_tape_measure.jpg

Measuring security isn't easy. There's a lot of building going on but we need to close a build-measure-learn loop in order to make sustainable progress.

How can we credibly argue for security investments, unless we quantify the current and desired future state? Metrics should be collectable, robust and meaningful. What do you wish to communicate? Base your narrative on facts that are relevant for stakeholders.

Without trying, it won't happen. Find a couple of simple metrics and start measuring now.

2018-01-30

the strongest link

https://www.flickr.com/photos/86530412@N02/8253443979

People are sometimes regarded the "weakest link". This is a mistake.

It is factually wrong. All that great technology which is supposed to save us has been created by... people.

Also, such labelling is counterproductive. Yes, people make all sorts of mistakes. But security is a holistic quality. Only motivated, knowledgeable individuals can orchestrate security mechanisms into a meaningful whole. So, build a pervasive quality culture, let your co-workers know they are the strongest link and watch them grow.

2018-01-22

on clouds and testing

Good q on Twitter.

Assuming a public cloud with a mega provider, our focus evolves from learning how to build better to verifying functionality. The purpose morphs from educating our own devs to supporting trust in an external service offering "as is".

We will want assurance on how stuff works in "somebody else's computer" and we will need to focus on interfaces. In an ideal world, with perfect trust in the cloud provider, we might well end up with a smaller test budget. How do we spend it wisely?

My 2c.
20180527