A short post comparing an information asset led approach to cybersecurity vs a critical service and customer-led approach.
Tag: securitymanagement
Blueprint for Security in 2013
I’ve worked with a number of organisations this year that have been refreshing or redesigning part or all of their security function. It’s brought into focus for me the tension between new security practices and organisational inertia. These have all been organisations that cared greatly about security and were in…
Business Partner and Supply Chain Cyber Security
I’ve recently been involved in some strategic cyber security work in the UK financial services sector. The financial services sector is a complex and coupled system. While some components are clearly more important there are few components that are inconsequential if they cannot be relied upon. No financial services organisation…
Alignment vs Compliance vs Certification
I have had a series of conversations recently where the concepts of alignment, compliance and certification of ISO 27001 were very confused. Certification was seen as horribly costly and alignment was held out as a good enough goal that was entirely achievable. In this particular environment they were already ‘aligned’ and had…
Security defect triage in delivery projects
The guys at Recx asked me to look at a draft of their recent blog post ‘The Business v Security Bugs – Risk Management of Software Security Vulnerabilities by ISVs where they describe some of the business constraints and influences on security defect triage for Independent Software Vendors and make the…