Monthly Archive January 2014

The Analogies Project – Giving us time to evolve our cyber senses….

I am pleased to have been able to contribute to the Analogies Project once again. For those who have not come across it, this is an exciting initiative set up by Bruce Hallas to help demystify information security and its component parts.

The Analogies Project has a clear mission: To tackle the unintelligibility of information security head on and secure the engagement of a much broader audience. Its aim is to bridge the chasm between the users, stakeholders and beneficiaries of information security and those responsible for delivering it.
Through a series of innovative initiatives the Analogies Project will enable information security professionals to effectively communicate with their chosen audiences. The content will be delivered through a variety of alternative communication techniques, media and partners.  (Analogies Project)
This adds to my previous contributions, so the list now stands as follows:

For me, the challenge we face lies in the fact that, in its native form, the cyber environment is intangible and invisible to human beings without the aid of tools. This means that the senses we have evolved so successfully over millennia to defend ourselves cannot help us here unless complex tools translate for us what is going on. Our brains are not naturally tuned to deal with this environment.

In short, we have created a technological environment that we have not yet evolved, as a species, to survive in without help.

Simplistically, this is one of the reasons why so many surprisingly poor decisions are made by otherwise sensible and often wise people (most security breaches are the result of one or more decisions made at some level, often in good faith, by people at some stage in a system lifecycle). Most in the industry know that really good cyber operatives cannot be trained to be effective at anything more than a baseline level. They do need to be trained, but training alone is not enough: they only become really good through intense experience and ongoing practice. As an example, a really good penetration tester, consultant, log analyst or forensic investigator develops a sixth (or should that be seventh?) sense which enables them to sense a problem or issue before they actually find it. It is this instinct which enables those at the top of their game to sense what is going on. Most of us don't have this, as we spend most of our lives doing other things.

For the rest of us, it is important to acknowledge the areas where we are vulnerable and to attempt to manage them in as pragmatic a way as possible. This is where the power of the analogy can be critical. If we can equate security events to tangible and visible situations that we have the experience and ability to manage, we can go some way towards engaging the incredibly powerful survival and risk management skills that we, as human beings, have evolved over millennia.

The human race has been fighting wars, farming and dancing (amongst other things) for millennia, and we have (in some cases) become pretty good at them. I speak generically, knowing that there are many people reading this who may have issues with my assertion that their fathers are competent dancers!

If we can engage some of the native skills that we have evolved over generations and deploy them in this new and difficult environment, then we might just make our lives easier and safer. For me, this is the point of the Analogies Project and why I am thrilled to invest valuable time in supporting it.

These are pretty wide ranging in context, though most have been used in client or public facing situations to explain aspects of information and cyber security to people who have other priorities. For me, the principal challenge for all of us working in this area is to enable everyone to play their part in the information security battle, and yes, we all have a part to play! Contrary to initial appearances, it doesn't need to be difficult; much of the time it is simply about understanding what is going on around us.

It will be interesting to see whether future generations develop a more intuitive understanding of information and cyber risk; only time will tell. I suspect there is much scope here for those scions of the academic community to conduct extensive and protracted research into this area (!)

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

Taking control of your destiny: Managing the threads of life

Effective security risk management is grounded in real life. This provides an interesting opportunity to take wider analogies and apply them to the security context. Whilst this may appear somewhat gratuitous, I claim some validity on the basis that this context is so important to security.

I have a rather superficial but useful personal theory that I call the threads of life. It helps me make sense of the confusing and contradictory situations that life gives us on a daily basis.

The ancient Greeks believed that the three Fates sat spinning the threads of life for each mortal. They held a fatalistic view that our lives were, to a great extent, predetermined by these three aged spinners of fate. I'm not sure that I agree with our Greek forebears, as I believe we can and do affect our own destinies, but I do find the thread analogy useful for a number of reasons.

As I see it, we all throw out threads (such as opportunities for synergy) as we move through life. We are also surrounded by threads thrown out by other people and organisations, indeed by life itself. These threads may be meetings, visits, projects or a range of other actions or events; they may even be situations in which we find ourselves. My writing this piece is a thread, as is your reading it. Where threads cross, we may have the potential for an opportunity.

Now, a number of things are necessary for a crossing of threads to develop into something useful:

Someone needs to see the threads and the crossings, to see the potential, and to be in a position to explore and develop it. We all have different abilities. Some people are good at putting out threads, some are good at spotting crossings or identifying potential. Some are good at developing opportunities, and some have the ability to sift out those that are worthwhile. None of us is good at everything, though all of us can develop.

What has this to do with security? For me, it is simple: information security is all about shaping our own environment and creating a space that is easy for us to defend but hard for others to compromise. If we see security management as a process whereby we actively put out threads that enhance our safety and control, whilst weakening our adversaries, we enhance our mastery of our chosen area of responsibility. We need to remain vigilant for threads that are useful to us, whether external links or internal opportunities to do things better. Crucially, there is one more thing: if we are tuned to watch for the threads that an adversary may put out, then we have a valuable intelligence channel and may be in a stronger position to seize the initiative and control our environment.

The moral, if there is one: we must be proactive in creating and seizing opportunities to manage our risk picture in an active way. If we fail to do this, then someone else will, and our destiny will follow someone else's agenda!

A range of other security analogies can be found on the Analogies Project website.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.