Archive for November, 2013

Follow the Money

When we talk about security with the business we need to talk about money.

I have occasionally run into colleagues whose answer to risk-based governance approaches and performance-based management approaches has been to say “Show me the money!”. I understood their desire to see security operate in the language of business but was always reticent to jump feet first into financially-driven security for a couple of reasons; firstly, I just couldn’t see how we could put a reliable value on what we did and secondly, I was nervous about what that might expose. In hindsight I find myself increasingly becoming a financial fundamentalist for security.

Business is fundamentally the generation of profits to maximise the returns of investors. It is the result of one equation:

Profit = Revenue – Costs


Cyber Exercising

Cyber Exercises are a powerful and valuable tool but it is easy to confuse what we mean.

I was a member of the Scenario Design Group for the Bank of England’s Waking Shark 2 cyber exercise this year. It was a fascinating experience, seeing how the top cyber/technology risk people at the banks view a massive cyber attack, what really concerns them as well as seeing the regulators and other government agencies engaging with industry.

Waking Shark 2 garnered a lot of headlines but little of real meat made it to the public domain. I signed up to the participants’ non-disclosure agreement so I won’t be adding any details here. There will be a publicly published report from the Bank of England for that soon enough.
