Security culture remains an elusive amorphous ‘thing’ that we all aspire to improve but don’t really understand why or how. This is not unusual in organisations and institutions who try to understand why the interactions and communication between the people who make the goals of the group happen take on…
Tag: management
Invest in the CIO, before the CISO
I’ve written before about how IT delivery is a crucial limiting factor for cybersecurity outcomes and on how cyber hygiene is mostly not in the security team’s control. I’ve come to realise that I also don’t think that IT delivery quality is in the IT team’s control either. I recently…
Value of Security
The role of security in business is constantly up for debate; a growing movement in the UK around adopting some of Simon Wardley’s approaches to strategy to a security strategy has started some interesting conversations again. For years security was seen as the department of no or the guys that…
Good security is a conversation, not an argument. Part One.
Successful security teams are in a conversation with the rest of their organisation about managing security risk; unsuccessful teams are always in an argument. Security risk management has to be a conversation. No one individual or group can own or fully control this risk due to the complex, interdependent and…
Don’t over think cyber risk
I have been overthinking cyber risk. I’ve been trying to build a reliable model that I could rely on to mechanise my risk assessments. I’ll continue to refine my ideas because I enjoy the intellectual challenge. However, I am of the opinion that until we have the cybersecurity equivalent of…