Sunday, October 11, 2009

Focus on securing business processes not the process of securing

The title comes from a list of conclusions I gave at a presentation called Does IT Security Matter? just before Christmas in 2007. The wonderful thing about the writing process is that every now and again you hit upon a pithy phrase like that which communicates so much. But it's like mining for gold - you have to move a lot of earth to find the nuggets.

The full presentation is available on Sribd as shown below. There have been about 1200 reads and 240 downloads. Re-reading it now, the presentation could do with an update, however the core messages are still valid. My main conclusions were
  • There is a dependency between IT and IT Security but not a strategic relation
  • IT and IT Security are good neighbours but not good friends
  • IT Security is one area competing for attention and funding, amongst many
  • If you don’t make IT security matter, it won’t
  • Focus on securing business processes not the process of securing
  • Excel is your new best friend - make your spreadsheets work with their (business) spreadsheets

Does IT Security Matter?

The Size of our Security World

I was sent a link from StumbleUpon that referred to a post which showed the relative sizes of planets in our solar system, then compared them to our Sun, and moved onto comparisons with much larger other stars. Surprisingly much larger stars - in fact in the final screen-size graphic our Sun is just represented as a single pixel as compared to the Antares, a red supergiant star in the Milky Way. My 15-year-old daughter was impressed by this, and if you have a 15-year-old, then you can appreciate what a momentous achievement this is.

I started out my post-university life working in cryptography, then I spent a long time in IT Security, then IT Risk and most recently in Enterprise Risk Management (ERM). When I look back at crypto now it seems of similar consequence to the proportions of the Sun and Antares - not merely because my professional interests have changed, but in the vast equation that constitutes ERM, crypto is a variable with minor weighting. Its gravitational force is largely exerted on specialists, and rapidly declines (much faster than the inverse square law) beyond that sphere. It's just a pixel on the football-field sized collage of ERM.

Tuesday, October 6, 2009

Risk Analysis Rising

In June I posted on a paper called A Risk Analysis of Risk Analysis, and from that post

The title of this post is taken from a both sobering and sensible paper published last year by Jay Lund, a distinguished professor of civil engineering at the University of California (Davis), who specialises in water management. The paper presents a discussion of the merits of Probabilistic Risk Assessment (PRA), which is a “systematic and comprehensive methodology to evaluate risks associated with a complex engineered technological entity”. PRA is notably used by NASA (see their 320 page guide) as well as essentially being mandated for assessing the operational risks of nuclear power plants during the 80’s and 90’s.

It  is a wonderfully insightful paper that I uploaded to Scribd, who recently informed me that the paper is now on their hotlist. You can get to the paper from the link below. Highly recommended!