Welcome to NBlog, the NoticeBored blog

I spy with my beady eye ...

Dec 10, 2019

NBlog Dec 10 - a brutal lesson in risk management

Yesterday's volcanic eruption on White Island is headline news around the globe, a tragedy that sadly resulted in several deaths, currently estimated at 13.  

Also, yesterday in NZ there were roughly 90 other deaths (as there are every day), roughly two thirds of which were caused by cardiovascular diseases or cancer:


So, yesterday, the proportion of deaths in NZ caused by "Natural disasters" spiked from 0% to 13%. Today, it is likely to fall back to 0%. 

"Natural disasters" will have caused roughly 0.04% of the ~33,500 deaths in NZ during 2019 ... but judging by the news media coverage today, you'd have thought NZ was a disaster zone, a lethal place - which indeed it is for ~33,500 of us every year. Very very few, though, expire under a hail of molten rock and cloud of noxious fumes, viewable in glorious Technicolor on social media.

Those 13 tourists who perished yesterday chose to see NZ's most active volcano up close, real close. You may be thinking "Ah but if they'd known it would erupt, they wouldn't have gone" ... but they did know it was a possibility: for at least some of the 13, that was the very reason they went. It's euphemistically called "adventure tourism". The possibility of death or serious injury is, perversely, part of the attraction, the thrill of it. Recent warnings from geologists about the increased threat of eruption on White Island would, I'm sure, have been carefully considered by the tourist companies involved, plus I guess they may have noticed changes in the amount of steam and sulfur lingering in the air. Tourists are explicitly warned about the dangers and instructed on the safety aspects. I gather one of the dead was a local, an employee of the tourist company. Aside perhaps from the geologists, it's hard to think of anyone more aware of the risk.

Having weighed up the risks and rewards, the 13 enjoyed an amazing spectacle, doing the equivalent of 'clicking the go-away button' to dismiss computer security warnings despite facing, in their case, the ultimate impact. While I suspect their final moments would have been literally petrifying, hopefully the extra-special buzz leading up to it made it worthwhile. At that point, having made their decision to go, they were committed to their fate.

No doubt those who escaped the island alive will be thinking themselves lucky. They 'cheated death', coming as close as possible to being wiped out ... and I'm sure they'll be telling everyone they can about it, some excitedly spreading the idea that near-death experiences are the ultimate thrill. The grieving relatives and friends of the dead, on the other hand, will have plummeted into the pit of despair, a very introspective and sad place. Some might be spreading the word that "adventure tourism" is lethal and crazy, but do you honestly think this incident will materially change the way it is promoted and advertised in future? Will "adventure tourism" and "extreme sports" operators go bust in short order?

Conceivably, some tourists decided not to take the fateful trip yesterday on safety grounds, or because they determined that it was "too expensive" and hence "not worth it". Although usually framed as a value judgment, to me that's a risk decision. Clearly they chose correctly, regardless of their analysis. The risk outweighed the benefits. I'd be interested to learn more about their thought processes.

So there we have it: ultimate impact or ultimate thrill. The uncertainty is part of the package, part of the attraction for some. It's something I've seldom seen discussed in relation to information risk, specifically, although risk-acceptance is part of the professional lexicon. There are legitimate business reasons for knowingly getting into risky situations. We advise and assist our corporate colleagues to identify and evaluate the risks, to reduce them where cost-effective and prepare to deal with incidents and disasters when they eventuate. Risk, incident, disaster, safety and business continuity management are all part of the same process. Risk avoidance is often a viable option, one that should not be simply dismissed out of hand. There's a reason that "wise old men" are old.

Dec 9, 2019

NBlog Dec 9 - ISO27k security awareness

Our two-hundred-and-first security awareness module concerns the ISO27k standards.

The quotation from ISO/IEC 27000 is right on the button: information is worth securing because it's valuable, essential in fact. Inadequately protected organizations hit by ransomware incidents know that only too well, with hindsight ... which is of course 20/20 ...

... And that reminds me: as the NoticeBored service draws to a close, I'd like to think we'll be leaving the world in a better state in 2020, but to be honest we've made little impression. 

Pundits have long advised that security awareness is important. An increasing proportion now recommend regular awareness activities. A few even suggest a continuous or ongoing approach. Perhaps they've been listening. I've been banging that drum for 20 years.

As we hand over the reins, I hope the information security management and awareness pros will finally come to recognize the value of not treating their awareness audience as one amorphous blob, disparagingly called "users". As far as I know, NoticeBored remains unique in addressing two discrete audiences within "users" (we much prefer the term "workers") with distinct information needs: managers and professionals. Given their markedly different concerns and responsibilities, it's hardly surprising (to me!) that they find little of value in conventional security awareness content and fail to participate in the usual awareness activities. They are largely disinterested and disengaged, substantially weakening the organization's security culture, like a three-legged milking stool missing two of its legs.

ISO/IEC 27002:2013 section 7.2.2 takes a page to say not very much about security awareness: I must take a close look at the awareness section in the draft update to '27002, currently extruding its way through the ISO/IEC sausage machine towards publication at the end of 2021. 

Dec 3, 2019

NBlog Dec 3 - infosec driving principles

In an interview for CIO Dive, Maersk's recently-appointed CISO Andy Powell discussed aligning the organization with these five 'key operating principles':
"The first is trust. The client has got to trust us with their data, to trust us to look at their business. So we've got to build trust through the cybersecurity solutions that we put in place. That is absolutely fundamental. So client trust, client buy-in has been fundamental to what we tried to drive as a key message. 
The second is resilience. Because you've got to have resilient systems because clients won't give you business if you're not resilient ... 
The third really is around the fact that security is everybody's responsibility. And we push that message really hard across the company … be clear about what you need to do and we train people accordingly. ...
The fourth one really is accountability of security and I have pushed accountability for cyber risk to the business. ... 
And the final piece, and this has been one of the big call outs of my team to everybody, is that security is a benefit, not a burden. The reason I say that is people's perception is that security will slow things down, will get in the way ... the reality is that if you involve security early enough, you can build solutions that actually attract additional clients."
Fair enough Andy. I wouldn't particularly quarrel with any of them, but as to whether they would feature in my personal top-five I'm not so sure. Here are five others they'd be competing against, with shipping-related illustrations just for fun:
  • Governance involves structuring, positioning, setting things up and guiding the organization in the right overall direction - determining then plotting the optimal route to the ship's ultimate destination, loading up with the right tools, people and provisions. Corporate governance necessarily involves putting things in place for both protecting and exploiting information, a vital and valuable yet vulnerable business asset;
  • Information is subject to risks that can and probably should be managed proactively, just as a ship's captain doesn't merely accept the inclement weather and various other hazards but, where appropriate, actively mitigates or avoids them, dynamically reacting and adjusting course as things change;
  • Flexibility and responsiveness, along with resilience and robustness, present more options, opportunities to make the best of whatever situations occur, including novel hazards that weren't anticipated. If the Titanic's captain hadn't been steaming quite so fast through icy seas at night, or had thought further ahead, or had been at the helm of a more nimble vessel, maybe he could have turned hard enough to avoid the iceberg that ripped open the hull of his supposedly unsinkable and apparently difficult-to-steer ship;
  • Making the best of available resources implies a blend of knowledge and skills, particularly in leadership and motivation of people: people remain central to information risk and security management. Even as technology grows in importance within information security, it's more tool than device. In the hands of a master mariner, a sextant becomes a valuable instrument rather than an ornament;
  • Assurance is a valuable product of oversight, monitoring, testing, reviewing and auditing activities, allowing management as well as third parties to have faith in the information risk and security management arrangements. The extent and quality of assurance activities correlate strongly with an organization's capabilities and maturity, largely because assurance supports the need for improvements and demonstrates progress. That seaworthiness certificate isn't just a ticket to leave port: it gives confidence that things are in order down below.