make it fun!

Involve users and build motivation rather than relying on paragraphs. Create simple plans. Try to frame quality as fun. In the October edition of Operativ informationssäkerhet, Andreas Sjödin made the case for driving sustainable change in Business Continuity.

Our sextet of guest lecturers also covered Safe UX, practical Crisis Management, Security Architecture, Agility & Security and Secure Development.

Participants did an assignment on Privacy by Design plus team exercises on OWASP Top 10 and ISO 27002.

Compliance as Code in Banking

How can Compliance as Code and Continuous Delivery be cornerstones of applied Information Security in the financial sector? In the September edition of Strategisk Informationssäkerhet, Mark Strande of Klarna was one of five guest lecturers sharing their insight.

Other guest sessions covered Security Law, Influence Operations, educating co-workers and Information Cognizance (Informationskännedom).

Nineteen participants equals a fully booked course, hence I will host an extra edition in November.

courses behind the scenes

I'll be doing a bit of course blogging, sharing ideas and occasional glimpses of draft material from upcoming courses.

I will be using tweets (mostly in Swedish, unusual for me) and collect these in Twitter Moments - a format I have yet to explore. My goals are to "think aloud" when developing new material, while being more transparent about course content.

Consider it an experiment, we'll see how it turns out. As always, your feedback is welcome. The "Strategisk" Moment (below) will be updated.
Strategisk informationssäkerhet

understanding uncertainty

If you throw a fair dice, you don't know the result in advance. Throw a thousand dices, and it's a different game. Each outcome is associated with a known probability.

When you assess Information Risk, you also don't know what will happen. (Risk is about the future, right?) Worse still, probabilities are unknown. You can guess of course, and so people do: "likelihood 40%" and so on.

What we have is genuine uncertainty. This is an aspect of risk assessment that needs to be better understood.

on Information Risk Maturity in Östersund

From critical thinking to practical impact - returning from SRA Europe in Östersund. Not being a researcher, I'm obviously more of the "practical impact" type. My contribution was a talk about Information Risk Maturity.

I'd like to think this marks a new phase for me. From attending product conferences to attending academic conferences to giving presentations there as well.

There's no shortage of sophisticated theories on risk. I chose to share a low-entry approach from the industry. The slides are here.

Teknisk informationssäkerhet - on crashes and prevention

Teknisk informationssäkerhet at DF Kompetens saw a large group of curious and knowledgeable attendants.

Using an airplane/mountain analogy, Åke Ljungqvist illustrated disk crashes with painful clarity.

Michael Westlund trained us in digital self defence.

Lars Johansson took us on a guided tour through the history of cryptography, from foundations to Tor networks.

We practiced threat analysis using the STRIDE model and ranked preventive InfoSec measures when travelling. Three jam-packed days went by quickly.

more on Capabilities in Östersund

I was once again invited to guest lecture at the course Policy-Making During Crises in Society at Mid Sweden University.

We talked about what constitutes a crisis and how an organisation (given proper preparations) can adapt to adverse circumstances and thus continue delivering in the midst of a crisis. Students did a team exercise on designing a plan and we finished our afternoon with a fun quiz.

Good to see (below) that most of these future policy-makers already have experience from a private company.

on Risk Maturity in Östersund

I was privileged to present a seminar on Risk Maturity and Information Risk at Mid Sweden University in Östersund. It was good to meet a mixed group from academia as well as practitioners.

We talked about the importance of local ownership, not being dependent on that solo security expert on a pedestal. Security can become scalable if we foster a culture of risk maturity.

We also did a word cloud about Information Security. Vulnerability turned out to be a recurring term. Hard to disagree with that...

Safe UX - part of the InfoSec narrative

What happens "between" the strategic and technical Information Security layers in an organisation?

My recent Operativ informationssäkerhet course was fully booked with 19 participants and featured no less than six guest lecturers.

In the photo collage from top left - Sebastian Åkerman (Security Architecture), Henrik Kraft (Safe UX - a new session), Lars Åsander (Crisis Management), Andreas Sjödin (Continuity in a bank), Tomas Karlsson (Agile & Security), Nada Kapidzic Cicovic (Secure Development).

on the limitations of copy-paste

http://thebluediamondgallery.com/p/policy.html

What does security mean for your organisation, and why does it matter? Who in the business is responsible for what aspects of security? How will you measure it, and who will?

Go check the policy.

A policy shouldn't merely exist (although that seems to have been the purpose with some copy-paste examples).

A well-adapted InfoSec policy can be immensely powerful. It is your vehicle for effectively delegating the responsibility for measurable security. Taking a second look at your policy can be time well spent.