Fixing security

Hear! hear! Those were my thoughts when reading David Lacey’s blog post on software development, especially when I got to the last sentence.

“Security professionals should note these points, because the key to effective security is not reams of policies and tick-lists, but empowerment, effective solutions, large-scale collaboration and agile response.”

rethinking security

I’ve been thinking a lot lately. The way we do security today doesn’t work. In fact, it has never really worked. We need to rethink, bottom-up and inside-out, how we do security. The problem is that for the majority this requires some major rethinking that is outside of their comfort zone. For myself and others who want to change how we do security (and we are many, but still far too few) it is an uphill battle.

Mathematics, nature & security

I have been thinking quite a lot since reading a book by Margaret Wheatley, who brought systems thinking and nature together with management and organizational dynamics.

It really does not make sense that we apply the rules of tick-boxes to prove compliance equally to closed and open systems. The ISO27002 control framework is designed for closed systems. Our security programs do not work because, in most cases, it is the open systems that are problematic. It is my opinion that if we follow the simplicity that is a gift from nature and apply it to how we deal with open systems in security, we would find new ways forward.

Watch the following on the Fibonacci sequence in numbers.

http://www.youtube.com/watch?v=gOzOB2rteMY&list=PL629B5753F5210908

Then imagine that this pattern repeats, in what are called fractals: the same pattern smaller and smaller and smaller. The following video is computer animated, but it gives an idea. Nature is amazing!

http://www.youtube.com/watch?v=BTiZD7p_oTc

There is innovation outside of academia!

David Lacey has posted that he feels that the future of security lies in academia. I don’t agree entirely.

The reason is that I have been excited by the work done by HP Labs, for example, particularly in the scope of trusted computing and the TPM module. Then there is Intel, which for the past 3-4 years has been shipping chips with built-in security. I call this security bottom-up. From the top-down there are products such as HP’s ArcSight, which can not only log everything that moves (or doesn’t), but also correlate it so as to present otherwise meaningless data in a meaningful way via a compliance dashboard. This type of security is particularly interesting for the military and for any organization wanting to track (big or little brother) in an intelligent way everything happening within the boundaries of their world. Clearly this is against everything I believe in as a privacy advocate, but that is another post 😉

However, I do understand where David is coming from. We are realizing that “ticking boxes” is not an effective way of proving you are secure; it doesn’t even prove you are compliant. All it does is show that you are following one or more processes that demonstrate “you have tried your best”, nothing more. This is not the way forward.

The way forward is proving you are secure, and this is only achievable by building security into the heart of everything digital. By doing this, even the human aspect of information security may become obsolete in the future, especially as biometric forms of authentication become more accepted and contextual authentication becomes key to achieving the vision of BYOD, or what I prefer to call “any device anywhere”, which is driving the type of security being implemented today by verticals such as telecommunications and healthcare.

All of this is achievable today. Intel has McAfee and Nordic Edge as subsidiaries. Both are, with Intel’s help, building security at the “chip level” into their products. Go and take a look. Also check some posts I made in December; there is lots there on the cool security stuff going on in industry.

Security innovation

David Lacey made a post concerning the lack of innovation in how cyber-security decisions in government are taken: not only the amount of money allocated to this work, but how it is spent.

Apart from what David discusses, I see that one of the biggest challenges to being innovative or visionary is that decisions are often based on where we are today, followed by making a plan forward. In fact there is only one way to really innovate, in whatever area it may be, and that is to take a quantum leap into the future (5-10 years ahead is enough), visualize how it will feel, what our experiences and challenges will be, and then look back to understand how we got there. There is a whole load of visionary videos and tools out there that one can use to aid the process.

Taking the quantum leap forward and looking back produces a completely different picture from the one you get by starting from today and planning forward.

Did you know that TPM is here today, and has been ….

Did you know that most PCs and servers being shipped today have a TPM?

But what does TPM mean in simple terms? Well, it’s easy. TPM uses OpenID for single sign-on and a trusted chip that has a trust relationship with a service, application or another hardware device (in the cloud, for example). The user authenticates to the machine and the OpenID service provides single sign-on to trusted services. Authentication is provided at the hardware level. Listen to the following link…

http://youtu.be/h9YO8xtwoCg