Blog

29 - When is risk management not risk management?

A theme I've seen recently is a reluctance by organisations to take certain actions to reduce risk because those actions either aren't perfect, don't totally remove the risk, or contain too many unknowns.

28 - What's next for digital government?

This week had a bunch of interesting themes for me, but two in particular stand out.

27 - We're all human after all

A lot of cybersecurity and digital maturity models tend to assume that high-performing teams are what economists call "rational actors". We assume that people will follow procedures, that they like rules, and that they don't take decisions that would cause them personal harm, or secondarily that would cause them long-term harm.

26 - Small steps to knowledge, taking each one at a time

I enjoyed following a conversation this week about the value of a philosophy degree in infosec. The conversation quickly descended into discussions about which philosopher would be more fun to have a beer with, which I didn't really follow (I still don't really know who Wittgenstein is, or whether I'd want a beer or not with him), but one of the things that the conversation reminded me of is that we have very poor interpretations of the real world.

25 - Digital supply chains should be giving you nightmares today

2018 could be remembered for a lot of things (it's been quite the year, after all), but I think it's the year in which software supply chain issues came to prominence. From the Ticketmaster hack to British Airways to SiteCounter, we are seeing increasingly that digital systems are using JavaScript from a variety of sources, and nobody has a good grip on how to secure that supply chain, or in many cases even how to visualise and understand it.

24 - How can we set a security strategy if we don't know what's going on?

Lots of the stories this week show that organisationally, senior leaders are out of touch with the reality of the security strategy that they write or sponsor.

23 - Is risk management the right approach?

I'm a big believer in risk management. I think that security does depend on the context, and risk management is supposed to help you understand your context and take appropriate risks.

22 - A new methodology needs a new set of practices

I've been thinking a lot about serverless recently. I know that I'm years behind the cutting edge here, but I'm bullish that serverless is going to take off soon. I'm hearing more and more that greenfield development should be starting with serverless architectures.

21 - When is a breach not a breach?

This week, Google announced that they had found a vulnerability in GooglePlus, but hadn't told anyone. There was some discussion online about whether they had broken the law, in particular GDPR, and whether they had acted responsibly.

20 - China, Russia, Facebook, Conservatives... It's been quite a week

Phew.

19 - Patching everything all the time might be too expensive

It's interesting that we know that almost all breaches that get reported are because of unpatched software. It's pretty rare that we actually see 0-day vulnerabilities in use and breaching networks, primarily because most attackers don't need to use them given how poorly patched our infrastructure is.

18 - Are we getting better?

This week, I'm keynoting at Agile Cambridge 2018 (https://agilecambridge.net/2018/) on the topic of "Does Agile make us less secure?", which has led to my spending a lot of the past few weeks wondering whether we are actually getting any better at security.