The EU’s efforts to define a right to be forgotten and the recent U.S. Supreme Court decision about how privacy is protected on cell phones go hand in hand. They remind us that the medium is still the message and that there is a new role in discussing data access and control. Why connect these …
Tag Archives: Cybersecurity
Best…Practices…Ever
Just like common sense isn’t always common, best practices aren’t always. The best. This matters when describing security controls. And since it seems to be a professional trade secret, I want to come clean about it. There are at least three qualitative ways to describe a security control: How much it complies with something. How …
The other shoe drops: NIST issues version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity
It’s ironic that the new publication from NIST does not have an 800 series numeric designation. Not that it needs to, but here we all are using those numbers as shorthand (e.g., “I took an 800-30 July 2002 approach because revision 1 from 2012 just seemed too complex for the environment”, “We are looking to …
Customer service, distilled
Even security folks serve customers. Perhaps they’re other people who work in the company, or they’re the company’s clients. But there is a simple reality to serving customers that is often lost on people because they focus too much on their role within the organization. This chart, a bit of exaggeration and a bit of parody, is …
That’s what I’m talking about
There it was in the Times this morning. A piece by Professor Peter Ludlow of Northwestern University. Dr. Ludlow is right there doing just what this blog tries to do. The professor is far more articulate than I, of course. But he’s read Schneier and Hobbes (and no doubt many others) and sees how they …
Dedoméno
Socrates happens on his old friend, Dedoméno. He makes a new friend and has a conversation.
DEDOMÉNO: Socrates, it is a pleasure to see you on line.
SOCRATES: Dedoméno, it is a surprise to see you. I thought you were away.
DEDOMÉNO: Just so, Socrates. But I am visiting my friend Clapper.
SOCRATES: Clapper? The famous …
Adequately, revisited
(re: what a “senior-level defense official” said about Mr. Snowden) Those who speak for large entities, governments, corporations, etc., even when they speak anonymously, tend to make some assumptions that most of us cannot make. The first is that they can state the obvious as if it is a tremendous revelation because denying the obvious …
Let’s stop measuring risk
Ok, I don’t quite mean that. What I mean is let’s stop using residual risk as the final product of the risk measurement calculation. Let’s consider a more pragmatic formula. This is going to seem sacrilegious to NIST, and the VERIS guys will probably just think I am being quaint, but I am serious. I …
Don’t Blame the Boy Who Cried Wolf
Another story about false positives and what they really teach us. The traditional story is of a boy who is given the responsibility to guard the village herd of sheep. He is supposed to scream for help to notify the villagers when the sheep are threatened. He decides he wants company and screams “wolf” so …
A change is gonna come
This will start with the first law of thermodynamics and end up with change management. All the while, we will keep information security in focus. So, simply put, the first law of thermodynamics says that the amount of energy in a closed system cannot be increased or decreased. If we substitute “effectiveness of security controls” …