Chinese Strategic Thinking and Cyber Security: Remaining Flexible

One really important concept for me is that of avoiding fixed responses or “one-size-fits-all” approaches in most things we do in Cyber Security. A key aspect to that effect is to ensure we appreciate the nature of each of the problems we’re facing and that we apply […]

How Cyber Security can benefit from Chinese Strategic Thinking

This is likely to become a series of posts I’ll be doing over the coming months, as there’s no way I could write what I’d like to about this subject in a single blog post. Over the past year or so, I’ve been focusing a significant […]

“Why are many of your cybersecurity maps missing user considerations?” A fair challenge

A few days ago, I had the privilege of running a session at MapCamp (an annual event for Wardley mappers where we learn from applications of Wardley mapping in both Government and Industry from some of the greatest minds I’ve had the […]

Mapping the Communication Problem in Cyber Security

Over the next few blog posts, I’ll be posting some Wardley maps that I’ve been working on. My original goal and starting point was to use 2 maps as input, in order to think about some of the problems that are currently affecting the Infosec industry in my opinion, […]

What is SABSA Enterprise Security Architecture and why should you care?

Those who work and have conversations with me eventually hear me mutter the words “SABSA” at some point in time. It’s no secret I’m a huge fan of the SABSA framework but even among security professionals and though the framework has been around since […]

‘Compliance as Code’: Getting started

For many Compliance and non-technical stakeholders, it’s hard to even think about approaching something resembling code, as you may immediately get headaches or vertigo. You feel really out of your depth. If I had a cookie every time I’ve heard Risk and Compliance professionals use the sentence “I’m not technical”, or the […]

What’s the fuss with ‘Compliance as Code’?

Today, I wanted to bring in a different topic to what we’ve been discussing so far in the blog, and that is the concept or idea of ‘Compliance as Code’. In recent years, and with the increased adoption of DevOps, another of the feedback loops that had to […]

Quantitative Risk Management with FAIR — Communicating Risk

Now that we’ve been through the calculations to arrive at a number with regards to our risk exposure, we discuss how to communicate it. Remember, you’re not in the land of “qualitative risk management” where all you’re being asked is to position a risk in a 4×4 matrix. […]

On Security Strategy: Reviving the case for Deception and Obscurity

Lately, I’ve become aware of a book called “Deciphering Sun Tzu” by Derek M C Yuen which I’m avidly going through currently. But even before finishing, I’m learning so much that I couldn’t wait to write about some of the insights I’ve been having from […]

Quantitative Risk Management with FAIR — Evaluate Loss Magnitude

We’ve come very far in the last few blog posts, and have the second part of the Risk equation (the first being Loss Event Frequency which we’ve asserted in the last post) which is the Loss Magnitude in the FAIR Risk Taxonomy. It’s comprised of the following: Loss […]

Quantitative Risk Management with FAIR — Evaluate Loss Event Frequency

In FAIR, Loss Event Frequency refers to what is typically called “Likelihood” in qualitative approaches to Risk Management. Here we’ll be doing some of Stage 2. It’s defined as the probable frequency, in a given timeframe, that the threat agent or community we’re assessing ourselves against will […]

Quantitative Risk Management with FAIR — Stage 1 — Ransomware scenario

In order to perform the risk analysis, we’ll need to work with some assumptions, so it’s key that those are clear and documented, so they can be improved and challenged by those involved, and that usually means risk analysts, engineers and business owners. So for this example, […]

Quantitative Risk Management with FAIR — Sharing the journey

Though I’ve known about FAIR (Factor Analysis of Information Risk) for many years and studied it for a number of different security certifications I’ve taken over the years, I never had the experience of using it on a day to day basis as I always worked for organisations that had […]

Using MapScript for Wardley Mapping

Yesterday, I had the pleasure of discussing with Adam B. his development of MapScript to programmatically create Wardley Maps. So, in good Wardley mapping fashion, I used MapScript to map MapScript 🙂 Right now, the tool is a bit basic and clunky (if we’re being honest) but […]

Reasonable Assurance against predictable Threats

I’m privileged to have been part of the security “scene” since the late 90s and the security industry since the early 2000s, when I was still a teenager. Due to this long exposure, and having had multiple types of roles including operations, engineering, penetration testing, marketing and product management, and governance, risk […]