Archive for the ‘Other’ Category

Long tails and poverty lines; cyber risk in the supply chain

This week I’ve been attending the third cybersecurity roundtable hosted by the Institute of International Finance (IIF) at their 2018 IIF G20 Conference. The roundtable itself included a good discussion with regulators and firms as well as a summary of the IIF paper on cyber regulatory fragmentation. This paper is not yet published but will be available here.

Some of the side meetings I have had with regulators and other firms have highlighted some interesting issues; the Deutsche Bundesbank described some work they had undertaken from a macro-financial stability perspective on modelling cyber risk across the German financial services sector. What was interesting was that they had started to extend their view beyond the financial services firms to include the ‘cyber network’ of suppliers and outsourcers that underpin the sector.

The value of supply chains in cybersecurity risk management is something I have written about before. In my opinion, the third party assurance ‘industry’ that we have all created doesn’t wash its face regarding risk management outcomes versus the cost and effort required to send and complete all these interminable questionnaires. One of my concerns was that we are hugely exposed to aggregation of cyber risk in the supply chain, and this crystalised when the APT 10 / Cloud Hopper campaign was identified in 2017.

Portfolios of Risk

I’ve been thinking, and worrying, about portfolio risk and especially cross-portfolio risk in federated environments. In federated environments or extended enterprises it is not unheard of for strong programme management to have a good, clear view of the risks in their scope of activity and, in some more effective enterprises, of the dependencies that different activities within their scope have on each other. It is rare, however, to have a coherent and complete view of the external dependencies between portfolios, and as the pace and variety of change increases this could be a problem.

Misinterpreted policy?

A couple of months ago I was home ill from work and frankly a little bored.

While idly reading my twitter feed I reflected on a challenge I had been facing at work; a very technology-focused, agile, team that seemed to move faster than the security team could handle. I had some time ago realised that short of a herculean hiring effort we needed a combination of automation, delegation and good engagement to achieve the security outcomes we desired.

At about the same time as addressing that challenge I had also been involved in the production of an updated acceptable use policy to meet some PCI DSS requirements, which had been a lightly bruising affair. The business is a startup culture where freedom and good sense are valued much more highly than rules. The noticeably positive culture of the organisation was rooted in this and, as a result, the managers resisted the imposition of new rules. It was also the case that the staff cried out for information and knowledge so they could make their own minds up about security; they wanted security awareness training as long as it explained why security mattered and how it worked.

The combination of a fast moving technology team, the startup culture and the positive results of just good security communications and engagement was that a written policy seemed anachronistic and almost fossilised.

I posted the following provocative, somewhat tongue in cheek, but honest question:

Questioning security policies

ORGCon 2012

I attended the Open Rights Group Conference (ORGCon) this year.

We are at a weird moment where the Internet and the associated digital technologies it has spawned and supported are wreaking changes to the social, cultural and economic environment that don’t easily fit the current models of law and governance. Cory Doctorow makes this point more completely and more eloquently here (Lockdown: The coming war on general purpose computing).

As a result we are seeing law and regulation that is driven much more by lobby groups than by politicians. The politicians that understand these changes are few and far between, and are made more notable for that irrespective of their party allegiance (for example Tom Watson and Francis Maude). I am heartened by the ORG as they represent the other side of the coin from the industry lobby groups.

Protected: Black Swan Security Dinner

