Social Practice Theory and Cyber Security

Social Practice Theory and Cyber Security Let’s start with some housekeeping. If you came here looking for methods or answers you can apply tomorrow, I’m afraid you’ll be disappointed. I’m just very curious and this is something I’m currently exploring. In the last 6 months, I was introduced to Social Practice Theory by Marc Burgauer and […]

Social practices and Timespan of Discretion in Cyber Security

Social practices and Timespan of Discretion in Cyber Security If you’ve been following me for long enough, you’ll know I’m a massive fan of Jabe Bloom work, particularly on Sociotechnicity and Design transition. In this blog, I’d like to explore DevSecOps or Security in a DevOps environment from the point of view of practices viewed from […]

Why your security policies are a business liability and what to do about it

Why your security policies are a business liability and what to do about it I’ve been having quite a few conversations lately along these lines, making a case that many (if not most or all) of the security policies I’ve seen at organisations I’d categorise them as clear business liabilities. I appreciate these are strong words […]

Anthro-Complexity and Cyber Security

Anthro-Complexity and Cyber Security I’ve been meaning to write about Anthro-complexity and Cynefin framework and making a quick introduction to what it is, how it works and it isn’t. For that, I’ll position Anthro-complexity first and in future blog posts discuss Cynefin as opposed to focusing on the visualisation that most people come into contact with. […]

InfoSec view of the DSG Retail ICO fine

InfoSec view of the DSG Retail ICO fine DISCLOSURE: I used to work for Dixons Carphone Group (DCG) around the time of this second breach with a senior security role, however I had resigned the week prior to further commotion about an incident happened internally and as such wasn’t kept updated of any privileged information and […]

Hacking contracts for fun and profit

Hacking contracts for fun and profit One of the big challenges for Information Security, particularly in organisations which have major outsourced IT contracts from the global players such as IBM, Accenture, Wipro’s of this world is how you can do effective security when bound by such constraints. Security typically has its own schedule within such contracts, […]

Security process improvement or how I saved an org > £1M/year

Security process improvement or how I saved an org > £1M/year This situation I’m referring to happened about 7 years ago. I tell it not so much because of ‘the thing itself’ but as a tale of the type of waste that is commonly found in big organisations, that ends up being invisible until a value […]

Threat modelling in a post-C.I.A world — focus on D.I.E

Threat modelling in a post-C.I.A world — focus on D.I.E A while ago I created the following Wardley map of Threat Modelling. You can find the actual MapScript code for this map (where in the code I’ve added commentaries with the rationale for component placement here https://t.co/ex2aWDiXAk?amp=1) Mapping the Threat Modelling activity I then added more to detail […]

Security for the 2020s: The Skills and Talent problem

Security for the 2020s: The Skills and Talent problem If you’ve been following security news and any prominent security speakers for the past year or two, you’ll certainly have come across 2 differing views regarding skills and shortage. On one hand, there’s the media and corporate message that we have a serious skills and talent shortage […]

Security for the 2020s: Addressing the Engineering problem

Security for the 2020s: Addressing the Engineering problem “When you ask an engineer to make your boat go faster, you get the trade-space.You can get a bigger engine but give up some space in the bunk next to the engine room. You can change the hull shape, but that will affect your draw. You can […]

Security for the 2020s: Addressing the Management Problem

Security for the 2020s: Addressing the Management Problem “There is too much spending on the wrong things. Security strategies have been driven and sold on fear and compliance issues with spending on perceived rather than genuine threats” Art Coviello, RSA Chief Exec (2017) “No one ever got fired for spending their budgets according to Gartner’s […]

Sun Tzu’s Five Factors and Cyber Security Strategy

Sun Tzu’s Five Factors and Cyber Security Strategy I’m a big fan of Sun Tzu and also Wardley mapping, which uses Sun Tzu’s Five Factors. The way swardley summarises it and relates to the OODA loop is absolutely brilliant and how I like to think and navigate the business of defining a security strategy. Wardley mapping […]

Chinese dualism of attack and defence meets Rugged Manifesto

Chinese dualism of attack and defence meets Rugged Manifesto The Emperor T’ai-tsung (or Taizong) was the second emperor of the Tang Dinasty in China, and previous Prince of Qi which was the Province which culture highly influenced Sun Tzu and consequently the Art of War. He’s credited with saying: “Attacking and defending are one! If […]

Security Strategy and the ‘Why of Purpose’

Security Strategy and the ‘Why of Purpose’ I’m a big fan of Wardley mapping, which includes a lot of elements which are influenced by Chinese strategic thinking into a framework that is easy to understand for us, Westerners. I’ll be doing some blog posts on how I think Security Strategy can be developed using Wardley mapping […]

On Feeling Whole: Wardley mapping, Stoicism and Maturity for Personal Development

On Feeling Whole: Wardley mapping, Stoicism and Maturity for Personal Development Almost a year ago, I created a Wardley map to capture all the things I value and how I perceived the maturity of my practices in living those some things I value. It was a great exercise to try and visualise everything that competes […]