Follow the Money

When we talk about security with the business we need to talk about money. I have occasionally run into colleagues whose answer to risk-based governance approaches and performance-based management approaches has been to say “Show me the money!”. I understood their desire to see security operate in the language of…

Cyber Exercising

Cyber Exercises are a powerful and valuable tool, but it is easy to confuse what we mean. I was a member of the Scenario Design Group for the Bank of England’s Waking Shark 2 cyber exercise this year. It was a fascinating experience, seeing how the top cyber/technology risk people…

Cyber’s Dirty Secret?

In 2011 the U.S. Securities and Exchange Commission (SEC) issued guidance on the disclosure of Cyber risks and Cyber incidents where they may significantly affect the risk of investing in the company reporting to the SEC. This was controversial at the time and has led to an interesting revelation recently; many of the biggest…