Learning from Safety – Concepts (1)
If you follow me on Twitter, you’ll have seen that I’ve recently been doing a lot of reading on Safety and how the practices have been evolving in the past 30 years. There are 3 authors in particular that I’m finding fascinating, Erik Hollnagel, Sidney Dekker and Nancy Leveson. This post will mostly rely on […]
Hello World
I finally moved away from my Medium blog and created my own hosted blog instead. Main driver is regarding access to it as Medium is particularly badly known for limiting how many posts people can see, and that is in direct tension with my main objective for having a blog which is to democratise access […]
Social Practice Theory and Cyber Security
Social Practice Theory and Cyber Security Let’s start with some housekeeping. If you came here looking for methods or answers you can apply tomorrow, I’m afraid you’ll be disappointed. I’m just very curious and this is something I’m currently exploring. In the last 6 months, I was introduced to Social Practice Theory by Marc Burgauer and […]
Social practices and Timespan of Discretion in Cyber Security
Social practices and Timespan of Discretion in Cyber Security If you’ve been following me for long enough, you’ll know I’m a massive fan of Jabe Bloom work, particularly on Sociotechnicity and Design transition. In this blog, I’d like to explore DevSecOps or Security in a DevOps environment from the point of view of practices viewed from […]
Why your security policies are a business liability and what to do about it
Why your security policies are a business liability and what to do about it I’ve been having quite a few conversations lately along these lines, making a case that many (if not most or all) of the security policies I’ve seen at organisations I’d categorise them as clear business liabilities. I appreciate these are strong words […]
Anthro-Complexity and Cyber Security
Anthro-Complexity and Cyber Security I’ve been meaning to write about Anthro-complexity and Cynefin framework and making a quick introduction to what it is, how it works and it isn’t. For that, I’ll position Anthro-complexity first and in future blog posts discuss Cynefin as opposed to focusing on the visualisation that most people come into contact with. […]
InfoSec view of the DSG Retail ICO fine
InfoSec view of the DSG Retail ICO fine DISCLOSURE: I used to work for Dixons Carphone Group (DCG) around the time of this second breach with a senior security role, however I had resigned the week prior to further commotion about an incident happened internally and as such wasn’t kept updated of any privileged information and […]
Hacking contracts for fun and profit
Hacking contracts for fun and profit One of the big challenges for Information Security, particularly in organisations which have major outsourced IT contracts from the global players such as IBM, Accenture, Wipro’s of this world is how you can do effective security when bound by such constraints. Security typically has its own schedule within such contracts, […]
Security process improvement or how I saved an org > £1M/year
Security process improvement or how I saved an org > £1M/year This situation I’m referring to happened about 7 years ago. I tell it not so much because of ‘the thing itself’ but as a tale of the type of waste that is commonly found in big organisations, that ends up being invisible until a value […]
Threat modelling in a post-C.I.A world — focus on D.I.E
Threat modelling in a post-C.I.A world — focus on D.I.E A while ago I created the following Wardley map of Threat Modelling. You can find the actual MapScript code for this map (where in the code I’ve added commentaries with the rationale for component placement here https://t.co/ex2aWDiXAk?amp=1) Mapping the Threat Modelling activity I then added more to detail […]
Security for the 2020s: The Skills and Talent problem
Security for the 2020s: The Skills and Talent problem If you’ve been following security news and any prominent security speakers for the past year or two, you’ll certainly have come across 2 differing views regarding skills and shortage. On one hand, there’s the media and corporate message that we have a serious skills and talent shortage […]
Security for the 2020s: Addressing the Engineering problem
Security for the 2020s: Addressing the Engineering problem “When you ask an engineer to make your boat go faster, you get the trade-space.You can get a bigger engine but give up some space in the bunk next to the engine room. You can change the hull shape, but that will affect your draw. You can […]
Security for the 2020s: Addressing the Management Problem
Security for the 2020s: Addressing the Management Problem “There is too much spending on the wrong things. Security strategies have been driven and sold on fear and compliance issues with spending on perceived rather than genuine threats” Art Coviello, RSA Chief Exec (2017) “No one ever got fired for spending their budgets according to Gartner’s […]
Sun Tzu’s Five Factors and Cyber Security Strategy
Sun Tzu’s Five Factors and Cyber Security Strategy I’m a big fan of Sun Tzu and also Wardley mapping, which uses Sun Tzu’s Five Factors. The way swardley summarises it and relates to the OODA loop is absolutely brilliant and how I like to think and navigate the business of defining a security strategy. Wardley mapping […]
Chinese dualism of attack and defence meets Rugged Manifesto
Chinese dualism of attack and defence meets Rugged Manifesto The Emperor T’ai-tsung (or Taizong) was the second emperor of the Tang Dinasty in China, and previous Prince of Qi which was the Province which culture highly influenced Sun Tzu and consequently the Art of War. He’s credited with saying: “Attacking and defending are one! If […]