motivated we stand

In order to limit (hopefully avoid) InfoSec risk, we use controls. These can be technical or administrative.

Either way, they will involve humans who need to understand and accept the controls. In general, we may require people to wear seatbelts, pick complex passwords or quit smoking at work. Co-workers will find ways to circumvent controls that they’re not motivated to accept.

Any technocrat can pick the strongest control. A wise leader will consult and motivate his team before implementing it.

Read more about employee disengagement at Sonia Jaspal's RiskBoard.


learning from incidents

In Infosec, there are risks (what could happen) and incidents (what has happened).

We deal with risks proactively by asking questions. Identify, describe, quantify and so on. We treat the risks, hopefully avoid them.

Incidents call for a reactive posture. How can we recover?

A mature organization prefers to be proactive as opposed to reactive. One way is to interconnect the two approaches. Analyze your incident history so that recurring issues can be addressed. Don't forget that rear mirror.

Read more about distinguishing between risk and issue at The Innovation of Risk.