Cyber Exercises are a powerful and valuable tool but it is easy to confuse what we mean. I was a member of the Scenario Design Group for the Bank of England’s Waking Shark 2 cyber exercise this year. It was a fascinating experience, seeing how the top cyber/technology risk people…
Category: Management
Blueprint for Security in 2013
I’ve worked with a number of organisations this year that have been refreshing or redesigning part or all of their security function. It’s brought into focus for me the tension between new security practices and organisational inertia. These have all been organisations that cared greatly about security and were in…
Business Partner and Supply Chain Cyber Security
I’ve recently been involved in some strategic cyber security work in the UK financial services sector. The financial services sector is a complex and coupled system. While some components are clearly more important there are few components that are inconsequential if they cannot be relied upon. No financial services organisation…
Cyber’s Dirty Secret?
In 2011 the U.S. Securities and Exchange Commission (SEC) issued guidance on the disclosure of Cyber risks and Cyber incidents where they may significantly affect the risk of investing in the company reporting to the SEC. This was controversial at the time and has led to an interesting revelation recently; many of the biggest…
Alignment vs Compliance vs Certification
I have had a series of conversations recently where the concepts of alignment, compliance and certification of ISO 27001 were very confused. Certification was seen as horribly costly and alignment was held out as a good enough goal that was entirely achievable. In this particular environment they were already ‘aligned’ and had…