Security Strategy and the ‘Why of Purpose’ I’m a big fan of Wardley mapping, which includes a lot of elements which are influenced by Chinese strategic thinking into a framework that is easy to understand for us, Westerners. I’ll be doing some blog posts on how I think Security Strategy can be developed using Wardley mapping […]
On Feeling Whole: Wardley mapping, Stoicism and Maturity for Personal Development Almost a year ago, I created a Wardley map to capture all the things I value and how I perceived the maturity of my practices in living those some things I value. It was a great exercise to try and visualise everything that competes […]
Chinese Strategic Thinking and Cyber Security: Remaining Flexible One really important concept for me, is that of avoiding fixed responses or “one-size-fits-all” approaches in most things we do in Cyber Security. A key aspect to that effect is to ensure we appreciate the nature of each of the problems we’re facing and that we apply […]
How Cyber Security can benefit from Chinese Strategic Thinking This is likely to become a series of posts I’ll be doing over the coming months, as there’s no way I could write what I’d like to about this subject in a single blog post. Over the past year or so, I’ve been focusing a significant […]
“Why are many of your cybersecurity maps missing user considerations?” A fair challenge A few days ago, I had the privilege of running a session at MapCamp (an annual event for Wardley mappers where we learn from applications of Wardley mapping in both Government and Industry from some of the greatest minds I’ve had the […]
Mapping the Communication Problem in Cyber Security Over the next few blogs posts, I’ll be posting some Wardley maps that I’ve been working on. My original goal and starting point was to use 2 maps as input, in oder to think about some of the problems that is currently affecting the Infosec industry in my opinion, […]
What is SABSA Enterprise Security Architecture and why should you care ? Those who work and have conversations with me, eventually hear me mutter the words “SABSA” at some point in time. It’s no secret I’m a huge fan of the SABSA framework but even among security professionals and though the framework has been around since […]
‘Compliance as Code’: Getting started For many Compliance and non-technical stakeholders, it’s hard to even think about approaching something resembling code, as you may immediately get headaches or vertigo. You feel really out of your depth. If I had cookie every time I’ve heard Risk and Compliance professionals use the sentence “I’m not technical”, or the […]
What’s the fuss with ‘Compliance as Code’ ? Today, I wanted o bring in a different topic to what we’ve been discussing so far in the blog, and that is the concept or idea of ‘Compliance as Code’. In recent years, and with the increased adoption of DevOps, another of the feedback loops that had to […]
Quantitative Risk Management with FAIR — Communicating Risk Now that we’ve been through the calculations to arrive at a number with regards to our risk exposure, we now discuss how to communicate it. Remember, you’re not on the land of “qualitative risk management” and all you’re being asked is to position a risk in a 4×4 matrix. […]
On Security Strategy: Reviving the case for Deception and Obscurity Lately, I’ve become aware of a book called “Deciphering Sun Tzu” by Derek M C Yuen which I’m avidly going through currently. But even before finishing, I’m learning so much that I couldn’t wait to write about some of the insights I’ve been having from […]
Quantitative Risk Management with FAIR — Evaluate Loss Magnitude We’ve come very far in the last few blog posts, and have the second part of the Risk equation (the first being Loss Event Frequency which we’ve asserted in the last post) which is the Loss Magnitude in the FAIR Risk Taxonomy. It’s comprised of the following: Loss […]
Quantitative Risk Management with FAIR — Evaluate Loss Event Frequency In FAIR, Loss Event Frequency refers to what is typically called “Likelihood” in qualitative approaches to Risk Management. Here we’ll be doing some of Stage 2 It’s defined as the probable frequency, in a given timeframe, that the threat agent or community we’re assessing ourselves against will […]
Quantitative Risk Management with FAIR — Stage 1 — Ransomware scenario In order to perform the risk analysis, we’ll need to work with some assumptions so it’s key that those are clear and documented, so they can be improved and challenged by those involved and that usually means both risk analysts, engineers and business owners. So for this example, […]
Quantitative Risk Management with FAIR — Sharing the journey Though I’ve known about FAIR (Factor Analysis of Information Risk) for many years and studied it for a number of different security certifications I’ve taken over the years, I never had the experience of using it on a day to day basis as always worked for organisations that had […]