We're slaving away this month on November's awareness materials about the information security aspects of cloud computing - an approach that was new and scary when we first covered it just a few years back.
These days, cloud computing has become an accepted, conventional, mainstream part of the IT and business worlds. Some of the information risks have materially changed but most are simply better understood today, meaning we are better able to predict their probabilities and impacts.
Hence I am re-drawing the generic Probability Impact Graph (PIG) for cloud security, shifting the identified risks around, checking and adjusting the wording and hunting for any new ones.
Those 'new ones' include information risks that:
- We simply didn't identify when we last performed the risk analysis - oversights, failures in our risk identification process;
- We identified but didn't include explicitly on the PIG, most likely because we didn't understand them well enough to figure them out, thought them too trivial even to mention, or considered them to be part of the risks shown;
- Were literally not present at the time of our original risk analysis but have come into being subsequently.
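As an added illustration of the revision step described above (this is not code from the original post, and the risk names and their 1-5 probability/impact scores are constructed, with hypothetical band thresholds), a small Python script that compares two editions of a cloud PIG register and reports which risks are new, retired, or have moved on the graph:

```python
"""Compare two editions of a Probability Impact Graph (PIG) risk register.

Each register maps a risk name to (probability, impact) on a 1-5 scale.
All data below is constructed for illustration only.
"""
from typing import Dict, List, Tuple

Register = Dict[str, Tuple[int, int]]

# Constructed: the original cloud PIG from a few years ago.
OLD_PIG: Register = {
    "Vendor lock-in": (3, 3),
    "Provider outage": (4, 4),
    "Data residency / jurisdiction": (3, 4),
    "Shared-tenancy breach": (2, 5),
}

# Constructed: the revised register, with shifted scores, one risk retired
# and one risk that was not present at the time of the original analysis.
NEW_PIG: Register = {
    "Vendor lock-in": (4, 3),
    "Provider outage": (2, 4),
    "Data residency / jurisdiction": (3, 4),
    "Misconfigured storage exposure": (4, 5),
}


def band(prob: int, impact: int) -> str:
    """Map probability x impact to a PIG band (hypothetical thresholds)."""
    score = prob * impact
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def diff_pig(old: Register, new: Register) -> Dict[str, List]:
    """Report risks that are new, retired, moved, or unchanged between editions."""
    report: Dict[str, List] = {"new": [], "retired": [], "moved": [], "unchanged": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            p, i = new[name]
            report["new"].append((name, band(p, i)))
        elif name not in new:
            report["retired"].append(name)
        elif old[name] != new[name]:
            (op, oi), (np_, ni) = old[name], new[name]
            report["moved"].append((name, band(op, oi), band(np_, ni)))
        else:
            report["unchanged"].append(name)
    return report


if __name__ == "__main__":
    for kind, items in diff_pig(OLD_PIG, NEW_PIG).items():
        print(f"{kind}: {items}")
```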
The same thing happens routinely in our field due to frequent innovation - IoT being an obvious current example. When we next revise the IoT PIG, I wonder how the picture will change and what risks we'll add to the graph that didn't even feature before.
In addition to changing information risks, the information security controls also change over time. Some are completely new, others are refined or re-purposed, and some are downplayed or retired, perhaps replaced by different (hopefully more effective!) ones. And, behind all of this, the world around us is constantly moving on. The bigger picture of society, business and culture is also shifting.
... which all makes information security and security awareness both challenging and fun. There's always something new to raise, new perspectives, new angles to explore. Never a dull moment!