Opinion for hire - Are we feeling secure?
Wed, 10 Feb 2016 11:14:13 +1100

Who Owns the Risk
Tue, 09 Feb 2016 20:31:51 GMT
http://www.david-heath.info/are-we-feeling-secure/who-owns-the-risk

Some time ago, my colleague Joseph Reele wrote of the risk implications of various data centre choices that might be made.
In that article Reele identified a (possibly simplistic) trade-off between features and cost, observing that a cheaper option carries significant risks which may or may not be apparent to those attempting to reduce implementation costs.
But the key question here is “who owns that risk?”
In any large organisation there are a significant number of “coal face” IT workers who work to minimise harm to corporate infrastructure.  They might be working in hardware service, in software assurance/testing or perhaps in Internet threat mitigation.  Or somewhere else entirely.  Wherever they sit, from an IT perspective these people are the first line of defence against any and all risks to the business.
Their work will serve to identify and reduce risk.  But they don’t own that risk.
Middle management will recruit suitable “coal face” staff, enter into support and maintenance contracts to protect their facilities and to have alternates available in the case of outages, and adopt a variety of insurance-based risk minimisation strategies.
Their work will serve to identify and reduce risk.  But they don’t own that risk.
Senior management and CxOs will oversee all this activity and ensure that the work to ameliorate risk does not cost more than the risks being defended against.  Frequently, however, they do not fully understand the risks they are managing.
Their work will serve to identify and reduce risk.  But they don’t own that risk.
The risk is owned by the Board of Directors.
Of course, the board delegates the management of the risk back down through the layers described above, but it delegates only the management of that risk, not the ownership.
The problem is that there is very limited understanding of IT-based risks at such a senior level.  In many cases, those people making significant decisions have no comprehension of the more subtle implications of their decisions.
In the past, a large mine might spend a few million dollars on some 200-tonne dump trucks.  The risks were easy to understand and to manage.
But spend the same money on a new web-based server application (software, servers, connectivity etc.) and the risks are much harder to understand.  They are well outside the expertise of the average company director.
Principally, this is an education problem, and one that is only going to grow.
Cyber security for Directors and CxOs
Sat, 06 Feb 2016 18:01:47 GMT
http://www.david-heath.info/are-we-feeling-secure/cyber-security-for-directors-and-cxos

In mid-October 2015, the New York Stock Exchange published a free book called "Navigating the Digital Age", subtitled "The definitive cybersecurity guide for directors and officers."

It draws together a lot of wisdom from all over the computer security and business consulting industries.  In particular, the second article in the book, "The Three Ts of the Cyber Economy" by Michael Chertoff and Jim Pflaging, may be of greater interest.  The three Ts are Technology, Threat and Trust.

The book is available here: https://www.securityroundtable.org/the-book/

I think that (probably) the most important aspect of this book is not so much its content, which is very useful, but more that it exists and has been published by the NYSE.  This means that ignorance of the issue is no longer an acceptable excuse for boards of directors and senior executives.