Governance and Policy in Practice

Part 4. Rethinking cybersecurity from the viewpoint of risk. There are two principles to planning good governance: you automate away toil to ensure reliability and quality, but you never automate decision-making. We always have to know and take responsibility for our basic intent. Having security policies (actually policies in general) is bread and […]

Policy Bow Ties and Risk Based Policy

Part 3. Rethinking cybersecurity from the viewpoint of risk. Policy is the centrepiece of both cybersecurity and risk management. Having a policy, as well as knowing it and understanding it, is the way to be prepared for the inevitable, whatever that may be. If you don’t know your intentions well enough to be able to […]

Digital Risk Management By Promise

Part 2. Rethinking cybersecurity from the viewpoint of risk. The ability to estimate risk presumes a certain level of insight into relationships, both technical and human. Yet, too much has been made of the idea that trust itself is our enemy. It’s a simplistic argument, pushed by cybersecurity hardliners, which leans on the trite Russian […]

Risk Paralysis and Cyber-insecurity

Part 1. Rethinking cybersecurity from the viewpoint of risk. Did we get cybersecurity wrong? Thirty years after the infamous Internet Worm was loosed upon an unsuspecting world, ravaging the global computing network of 1988 in a matter of hours, we seem to have made little or no progress in protecting computer systems against intentional attack. […]