Rasmussen’s Systemic Risk Modelling and Cyber Security

I first became acquainted with Rasmussen’s work at the beginning of last year by watching Dr. Cook’s talk on Velocity 2013 (links at the bottom). But had to be told about 3-4 months ago to review it to actually click on me, and more than that pique my curiosity to go look for the original […]

Why aren’t we learning from (security) incidents – views from resilience and complexity

It’s been way too long since I last blogged, and this particular post has been on my mind for weeks now so decided today was the day to get it out. I’m privileged to be part of a community of Safety and Resilience Engineering experts from whom I learn a lot, and as some of […]

Learning from Safety – Concepts (1)

If you follow me on Twitter, you’ll have seen that I’ve recently been doing a lot of reading on Safety and how the practices have been evolving in the past 30 years. There are 3 authors in particular that I’m finding fascinating, Erik Hollnagel, Sidney Dekker and Nancy Leveson. This post will mostly rely on […]

Hello World

I finally moved away from my Medium blog and created my own hosted blog instead. Main driver is regarding access to it as Medium is particularly badly known for limiting how many posts people can see, and that is in direct tension with my main objective for having a blog which is to democratise access […]

Social Practice Theory and Cyber Security

Social Practice Theory and Cyber Security Let’s start with some housekeeping. If you came here looking for methods or answers you can apply tomorrow, I’m afraid you’ll be disappointed. I’m just very curious and this is something I’m currently exploring. In the last 6 months, I was introduced to Social Practice Theory by Marc Burgauer and […]

Social practices and Timespan of Discretion in Cyber Security

Social practices and Timespan of Discretion in Cyber Security If you’ve been following me for long enough, you’ll know I’m a massive fan of Jabe Bloom work, particularly on Sociotechnicity and Design transition. In this blog, I’d like to explore DevSecOps or Security in a DevOps environment from the point of view of practices viewed from […]

Why your security policies are a business liability and what to do about it

Why your security policies are a business liability and what to do about it I’ve been having quite a few conversations lately along these lines, making a case that many (if not most or all) of the security policies I’ve seen at organisations I’d categorise them as clear business liabilities. I appreciate these are strong words […]

Anthro-Complexity and Cyber Security

Anthro-Complexity and Cyber Security I’ve been meaning to write about Anthro-complexity and Cynefin framework and making a quick introduction to what it is, how it works and it isn’t. For that, I’ll position Anthro-complexity first and in future blog posts discuss Cynefin as opposed to focusing on the visualisation that most people come into contact with. […]

InfoSec view of the DSG Retail ICO fine

InfoSec view of the DSG Retail ICO fine DISCLOSURE: I used to work for Dixons Carphone Group (DCG) around the time of this second breach with a senior security role, however I had resigned the week prior to further commotion about an incident happened internally and as such wasn’t kept updated of any privileged information and […]

Hacking contracts for fun and profit

Hacking contracts for fun and profit One of the big challenges for Information Security, particularly in organisations which have major outsourced IT contracts from the global players such as IBM, Accenture, Wipro’s of this world is how you can do effective security when bound by such constraints. Security typically has its own schedule within such contracts, […]

Security process improvement or how I saved an org > £1M/year

Security process improvement or how I saved an org > £1M/year This situation I’m referring to happened about 7 years ago. I tell it not so much because of ‘the thing itself’ but as a tale of the type of waste that is commonly found in big organisations, that ends up being invisible until a value […]

Threat modelling in a post-C.I.A world — focus on D.I.E

Threat modelling in a post-C.I.A world — focus on D.I.E A while ago I created the following Wardley map of Threat Modelling. You can find the actual MapScript code for this map (where in the code I’ve added commentaries with the rationale for component placement here https://t.co/ex2aWDiXAk?amp=1) Mapping the Threat Modelling activity I then added more to detail […]

Security for the 2020s: The Skills and Talent problem

Security for the 2020s: The Skills and Talent problem If you’ve been following security news and any prominent security speakers for the past year or two, you’ll certainly have come across 2 differing views regarding skills and shortage. On one hand, there’s the media and corporate message that we have a serious skills and talent shortage […]

Security for the 2020s: Addressing the Engineering problem

Security for the 2020s: Addressing the Engineering problem “When you ask an engineer to make your boat go faster, you get the trade-space.You can get a bigger engine but give up some space in the bunk next to the engine room. You can change the hull shape, but that will affect your draw. You can […]

Security for the 2020s: Addressing the Management Problem

Security for the 2020s: Addressing the Management Problem “There is too much spending on the wrong things. Security strategies have been driven and sold on fear and compliance issues with spending on perceived rather than genuine threats” Art Coviello, RSA Chief Exec (2017) “No one ever got fired for spending their budgets according to Gartner’s […]