If you work for a large organization, especially a public or otherwise regulated company, then you may well have faced the prospect of developing a risk appetite statement. You might have been enthusiastic about this, or possibly compelled by a Board member, a regulator or an auditor to do it. This can end up being a “check the box” exercise to develop some abstract statement that no one really uses or values. But it doesn’t have to be this way. Risk appetite, or more specifically, definitio...| Risk and Cyber
This is the second of two posts about interviews (the first post is here). In this one I’ll focus on interviewing candidates and the main attributes to look for when selecting potential security leaders - at any level. Both posts are general tips rather than very specific points about interviewing for particular skills or roles. For tips on deep technical interviews, coding skills tests and other types of assessments, take a look at the myriad of great articles already out there. ...
This is the first of two posts about interviews. In this one I’ll focus on interviewing for a role. In the next one we’ll look at how to conduct better interviews. I’m going to make both of these posts more about general tips rather than specific points about particular skills or roles, for which there are plenty of great resources already. I suspect many of you reading this might be well practiced, but many more of you might be starting out in your career and hopefully will pick up some u...
I wrote the original version of this post over 4 years ago. In revisiting it, it is interesting to note that not much has actually advanced in the field. Yes, there have been more products and tools developed to apply FAIR or FAIR-like quantitative methods - some successful and some less so, usually indexed on the degree of effort it takes to set up the tooling to get more value out than you put in. As with other areas of risk, there’s a Heisenberg-like quality to many of the approaches. Th...
Security training is often considered a bit of a waste of time. Maybe this is unfair, but it is unsurprising in the face of the worst forms of training, like flicking through the computer-based-training equivalent of a slide show, or even the ritualized gotcha of the phishing test. But training our employees, vendors and customers on important topics to help them protect themselves is important. Even the correct strategy of creating ambient controls so that people are intrinsically protected by the...
One of the many paradoxes of security is that when you have invested appropriately (sometimes at significant expense) and you have fewer and fewer incidents, then some time later, someone somewhere might ask: “Why are we spending so much on security when we don’t have any issues?” If this becomes an accepted view then cuts happen, upgrades and maintenance don’t get incrementally funded, or investments to mitigate new risks are not made. You know what comes next: slowly but surely, crack...
We’re getting it wrong on the messaging for incentives to do security - and people are pretending it’s landing when it isn’t. There are 5 main categories of security incentives:
1. Loss avoidance. The problem is that many losses don’t outweigh the potential accumulated actual or opportunity costs of the mitigations that would have been needed to avoid the loss.
2. Reputational risk / brand protection. The problem is that most people forget these issues, and are acclimated to them (e.g. identity ...
Every major technological change is heralded with claims of significant, even apocalyptic, risks. These almost never turn out to be immediately correct. What often turns out to be riskier are the 2nd order effects that are a result of what is done with the new technology. No matter what, we do have to care about AI risks. Many past technological warnings of disaster have been avoided precisely because we did care. But the bigger risks come with what comes after what comes next. This is inhe...
There are many well-known, so-called laws of technology, Moore’s law being particularly emblematic. Let’s look at some of them and see what the security implications have been for each and what might further develop as a result. [Definitions of the laws are from Wikipedia or other linked sources.]
1. Moore’s Law
Moore's law is the observation that the number of transistors in an integrated circuit (IC) doubles about every two years. Moore's law is an observation and projection of a hist...
A few weeks ago The White House published our PCAST report on cyber-physical resilience. Thank you for all the positive reactions to this. There is already much work going on behind the scenes in public and private sector organizations to implement several of the recommendations. One of the things we were going to put in the report was a “Letter from the Future”. I like such things, despite them being a contrivance, as they paint a more vivid picture of what might be. However, we had a lot of...
We still have plenty of open problems in information and cybersecurity (InfoSec). Many of these problems are what could easily be classed as “hard” problems by any measure. Despite progress, more research is needed here. While there is much academic, government and private sector sponsored research underway, I wonder if some alignment between all these efforts to focus on a smaller set of foundational problems would be more fruitful. The challenge is to agree on what these are. There was ...