What’s next? is being asked by Porto Business School

And Porto Business School is in Portugal, and I (with Privasee of course ;)) am spending some time with them… and it’s quite exciting. This School is on its way up in the global rankings, and they are buzzing with an energy that is terribly exciting.

Here you can listen to a series of podcasts geared to innovation and business. The podcast with me is, of course, on privacy and GDPR, recorded in the run-up to their new executive programs starting this fall. However, you should listen to them all; they are interesting.

Bringing LEGALITY into digital interactions

#HPDiscover 2014 was amazing! HP Invent is back! I am so excited by what I saw and experienced during this week in Barcelona. I even got the chance to shake hands with Meg Whitman 🙂

Why was I there though? After all, I’m not working for HP anymore. Well, apart from the fact that I still love the company, which has got its spirit back, and am excited by their new energy and wave of innovation, I am part of a start-up that is launching applications into the HP Helion cloud.

The ART of Compliance is about bringing legality into digital interactions. It should mirror how business processes work in the real world: legality should be preserved. In fact, if you have legality in your digital interactions, you have more than is possible in the physical world, since increased transparency and absolute traceability become possible.

Nordic Security Summit 2014

There is a great conference coming up in Stockholm on 5th November. Apart from the fact that I am speaking there, I will be in the company of a great speaker lineup. Last year was very good!

If you want to go, you can register here (http://www.nordicitsecurity.com).
Look forward to seeing you there. I will probably be posting more on this later!

Mathematics, nature & security

I have been thinking quite a lot since reading a book by Margaret Wheatley, who brought systems thinking and nature together with management and organizational dynamics.

It really does not make sense to apply tick-box rules for proving compliance equally to closed and open systems. The ISO27002 control framework is designed for closed systems. Our security programs do not work because in most cases it is the open systems that are problematic. It is my opinion that if we follow the simplicity that is a gift from nature and apply it to how we deal with open systems in security, we would find new ways forward.

Watch the following on the Fibonacci sequence in numbers.

[youtube http://www.youtube.com/watch?v=gOzOB2rteMY?list=PL629B5753F5210908&w=560&h=315]

Then imagine that this pattern repeats into what are called fractals: the same pattern, smaller and smaller and smaller. The following video is computer animated, but it gives a sense of it. Nature is amazing!

[youtube http://www.youtube.com/watch?v=BTiZD7p_oTc&w=560&h=315]

There is innovation outside of academia!

David Lacey has posted that he feels that the future of security lies in academia. I don’t agree entirely.

The reason is that I have been excited by the work done by HP Labs, for example, particularly in the scope of trusted computing and the TPM module. Then there is Intel, which for the last 3-4 years has been shipping chips with built-in security. I call it security bottom-up. From the top down come products such as HP’s ArcSight, which can not only log everything that moves (or doesn’t), but also correlate it so as to present otherwise meaningless data in a meaningful way via a compliance dashboard. This type of security is particularly interesting for the military and for any organization wanting to track (big or little brother) in an intelligent way everything happening within the boundaries of their world. Clearly this is against everything I believe in as a privacy advocate, but that is another post 😉

However, I do understand where David is coming from. We are realizing that “ticking boxes” is not an effective way of proving you are secure; it doesn’t even prove you are compliant. All it does is show that you are following one or more processes that demonstrate “you have tried your best”, nothing more. This is not the way forward.

The way forward is proving you are secure, and this is only achievable by building security into the heart of everything digital. By doing this, even the human aspect of information security may become obsolete in the future, especially as biometric forms of authentication become more accepted and contextual authentication becomes key to achieving the vision of BYOD, or what I prefer to call “any device anywhere”, which is driving the type of security being implemented today by verticals such as telecommunications and healthcare.

All of this is achievable today. Intel has as daughter companies McAfee and Nordic Edge. Both are, with the help of Intel, building security at the “chip level” into their products. Go and take a look. Also check some posts I made in December; there is lots there on the cool security stuff going on in industry.

Proving you are secure over compliance

I am a follower of David Lacey and his school of thought. He was an initiator of the BS7799 standard, later adopted as ISO27001/2 in the EU. At the beginning of September I participated in a telepresence conference with him and many others from the BCS around the globe, organized by David Misell. In the telepresence were many influential thought leaders in information and cyber security.

This one meeting has influenced much of my thinking since. It is impossible to prove you are compliant: even if you follow the rule book, you cannot prove you are 100% compliant, even with the best and most dedicated security consultants in the world, especially on the large accounts I am normally exposed to. Moreover, even if you could, proving you are compliant does not prove that you are secure.

So what is the answer? Well, as David Lacey believes, smart use of technology is part of the way forward. For example, did you know that over 85% (maybe more) of PCs shipped today have a chip that supports trusted computing (TPM), and that Intel has acquired companies such as McAfee (DeepSafe and DeepCommand) and Nordic Edge (One-Time-Password, OTP)? They are placing security at the chip level.

Now imagine you can prove your organization is secure by implementing secure technologies (note that I don’t say security). This is getting close to what the Common Criteria is trying to do, but it never really succeeded on a wide scale because it became too complicated, and the customizations made by individual organizations, each with special needs, made any CC status assigned void. I believe that security at the chip level is an amazing step forward, and more companies should be looking into this, particularly when they are finding that their existing IAM infrastructure is just getting too complex.
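To make the difference between “ticking a box” and “proving you are secure” concrete, here is an added illustration (not from the original post, and not real TPM code) that simulates the TPM’s PCR extend operation in pure Python. The component names and the “golden” boot chain are constructed for the example; a real verifier would also check the signature on the TPM quote, which is omitted here.

```python
"""Constructed example: a measurement chain versus a self-reported checkbox.

A TPM Platform Configuration Register cannot be set, only extended:
    PCR_new = SHA-256(PCR_old || SHA-256(event))
so the final value depends on every measured component and their order.
"""
import hashlib
import hmac
from typing import Iterable


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend_pcr(pcr: bytes, event: bytes) -> bytes:
    """One PCR extend; the register only ever moves forward."""
    return sha256(pcr + sha256(event))


def measure_boot(components: Iterable[bytes]) -> bytes:
    """Replay a boot sequence into a single PCR that starts at all zeros."""
    pcr = bytes(32)
    for component in components:
        pcr = extend_pcr(pcr, component)
    return pcr


# Constructed reference boot chain the verifier trusts (the golden value).
GOLDEN_CHAIN = [b"firmware v1.2", b"bootloader v3", b"kernel 4.15-hardened"]
GOLDEN_PCR = measure_boot(GOLDEN_CHAIN)


def checkbox_compliant(self_report: dict) -> bool:
    """Tick-box view: believe whatever the host asserts about itself."""
    return self_report.get("hardened_kernel") is True


def attested_secure(reported_pcr: bytes) -> bool:
    """Prove-it view: the measured value must match the golden reference.
    compare_digest avoids leaking a partial match through timing."""
    return hmac.compare_digest(reported_pcr, GOLDEN_PCR)


if __name__ == "__main__":
    # A host whose kernel drifted from the reference, but still ticks the box.
    drifted = [b"firmware v1.2", b"bootloader v3", b"kernel 4.15-stock"]
    print("golden attests:", attested_secure(measure_boot(GOLDEN_CHAIN)))
    print("drifted attests:", attested_secure(measure_boot(drifted)))
    print("drifted ticks box:", checkbox_compliant({"hardened_kernel": True}))
```

The checkbox passes for the drifted host because it is a claim, while the attested value fails because any changed or reordered component changes the hash chain.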