I often hear calls for security to be treated as a business issue. This seems to vary from calls for the Board of Directors to take an increased interest in security to calls for CISOs to raise their gaze from the technology and consider the whole business. I have myself…
Category: Management
What is Likelihood?
In my previous post, I investigated the various definitions of Information Security Risk. Here I look at the first consideration for an information security risk analyst, how likely is the risk event to occur? What is it’s likelihood? Likelihood is commonly used in English as a synonym for probability, and…
Serious Business?
Regulating cybersecurity, and data protection in general, is driven by two needs; to clearly explain the expectations that society has for the organisations that society is increasingly dependent on, to provide a mechanism for the unmanaged externalities to those organisations (the societal and personal harm from breaches) to be realised…
Invest in the CIO, before the CISO
I’ve written before about how IT delivery is a crucial limiting factor for cybersecurity outcomes and on how cyber hygiene is mostly not in the security teams control. I’ve come to realise that I also don’t think that IT delivery quality is in the IT teams control either. I recently…
Value of Security
The role of security in business is constantly up for debate, a growing movement in the UK around adopting some of Simon Wardley‘s approaches to strategy to a security strategy has started some interesting conversations again. For years security was seen as the department of no or the guys that…