Some time ago I wrote about using the Goal-Question-Metric (GQM) method for identifying useful and organisationally relevant measurements in order to have a clear view of some aspect of security. Often we think about metrics in terms of engaging security colleagues, executives and the board. However, occasionally in distributed organisations,…
Tag: cyber
Serious Business?
Regulating cybersecurity, and data protection in general, is driven by two needs; to clearly explain the expectations that society has for the organisations that society is increasingly dependent on, to provide a mechanism for the unmanaged externalities to those organisations (the societal and personal harm from breaches) to be realised…
Invest in the CIO, before the CISO
I’ve written before about how IT delivery is a crucial limiting factor for cybersecurity outcomes and on how cyber hygiene is mostly not in the security teams control. I’ve come to realise that I also don’t think that IT delivery quality is in the IT teams control either. I recently…
Making Sense of Cyber. Part Two.
In my previous post, I introduced the Cynefin framework. The Cynefin framework provides a lens to understand the best approach to making decisions and taking action depending on the environment or landscape in which you are operating. The Cynefin Framework immediately chimed with my experience of how we, as an…
Making Sense of Cyber. Part One.
I recently attended the Open Security Summit. While there, I met Dave Snowden, who introduced me to his Cynefin Framework, which has sparked a bit of a journey for me ever since. Cynefin is an interesting welsh word with no real English translation but has been described by “It describes…