This is from today's Times. The report quoted is officially published on 12 November, worth a read but I don't see any governments picking up on the recommendations so it's more an intellectual exercise than anything practical...: A jargon jungle and alphabet soup await anyone navigating internet governance. The technology is baffling. So is the plethora of watchdogs, commissions and committees. But few things matter more. The internet has become, piecemeal, civilisation’s c
Given the anecdotal evidence from my clients, I'd say that '75' is a very low number of security tools for a large enterprise. I've seen clients with more than 400. I'm going to name a new class of tools: Metatools. These are tools that manage your current tools. We're all fed up with vendors talking about SIEM as a 'single pane of glass'. How about a panopticon that looks at all of your current tools and attempts to make sense of them (we sell Axonius for this very reason)?
A PR nightmare for Samsung, far worse than the Face ID 'twins' problem. This case highlights the need to have a security mindset ("I wonder what happens if I do this...") during product development, or at the very least engage some cynical field testers before signing off the product for launch. We see a lot of articles about DevSecOps for the software development lifecycle (SDLC), what about introducing DevSecProd for product development?...: Samsung has promised to provide
There are a few terms we all use (yes, myself included) that make me cringe. "Shift left" is one of them. But... the obvious time to identify threats and build security controls is during the development cycle. So why don't we?...: [...] “It’s no secret that developers and security teams have a history of butting heads,” said Mick McCluney, Technical Director, Trend Micro ANZ. “We want to help businesses break down those barriers by providing technology and solutions that wo
I have a different perception of the CISO/CSO struggle. Information security and, especially, privacy are seen as a 'cost of doing business' rather than an integral part of the value proposition by many organisations. If you are investing in keeping your clients' data safe, it's good marketing to tell them and helps differentiate you from the competition. As an example, take a look at how Apple distances itself from Google...: Evaluating the value of IT-security initiatives
In a nutshell...: "Every couple of years, the FBI rears its ugly head and tells us they need to have access to end-to-end encrypted messaging," said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, a digital-rights advocacy group. "You cannot make a backdoor that only good guys can go through."...
My conversations with infosec professionals give a different picture. They are heartily fed up with having to manage multiple security 'solutions' that don't integrate well, and the so-called 'single pane of glass' approach hasn't worked either. How's this for a radical suggestion: if someone wants to introduce a new security technology, they have to be able to retire two existing systems...: [...] Respondents to the survey said they employed a wide variety of security tool
"To see ourselves as others see us...". This academic paper examines the portrayal of cybersecurity to the general population. No, I don't wear a hoodie (not often)...: Cybersecurity experts foster a perception of cybersecurity as a gloomy underworld in which the good guys must resort to unconventional tactics to keep at bay a motley group of threats to the digital safety of unsuspecting individuals, businesses, and governments. This article takes this framing seriously,
Stats like this in isolation don't actually tell us much, but they do generate engagement for the insurance market. For example, how much time do boards spend on other big issues like climate change, or gender diversity, or geopolitical risk assessment? I'd be more interested in some metric of how much notice boards take of recommendations from their cyber risk management team...: [...] While 65% of organisations identified a senior executive or the board as a main owner of
It's not just companies outside the EU that are struggling. I find a lot of misconceptions even in in-region organisations. The most annoying is when I see something labelled as 'GDPR Compliant'. I'll say it (yet) again: you don't comply with GDPR, it's not a set of tick-boxes, you make sure you align to the principles...: Enterprises across the world are still struggling to comply with the new rules enshrined in the GDPR that came into effect more than a year ago. The regulat