This is something I have talked about before.

Having been in roles in previous lives that have seen me oversee IT as a whole and IT Security (separate roles), I am of a firm belief that a good CSO has what it takes to be a good CIO, if not a better CIO than most out there. I went from the former to the latter (IT head to CSO) but I believe it can work effectively the other way. It’s not a regular thing though and I haven’t, to be honest, seen it happen from memory in recent times – i.e. a CSO becoming the CIO.

It’s horses for courses and case by case but more and more, I am seeing competent CSOs out there that have a better picture about IT within their business than the CIO does. Now this will upset some CIOs, but as you know, I don’t mind upsetting those that I think are not up to it. (A recent example here and here). And there’s a heap of CIOs out there, that really are not up to it. Can’t recall figures I have posted before but I’ll throw 80%+ out there as a starter now.

I’ve been working with the CSO of a relatively large business and good global brand in recent times. He’s been on board with his organisation for just over 12 months but in that time, has made some amazing inroads in regards to how this organisation views and works in regards to IT security and risk management overall. But, he’s now hit that time that body builders call the “plateau”, and every little “gain” now takes a mountain of effort – far more effort than gains took in his first 6 months at the organisation. He’s almost ready to move to “greener pastures”… on:


By SGirl:

Who will I upset this time? Though the support far outweighed the few negative comments. But I digress…

It is interesting the information that you can find when you look really hard and spend a bit of time to get results.

As a bit of background, to me, IT security is not just all about technical solutions, hacking and the latest marketing terms like the “Cloud”. It is also about management, strategy, compliance (not the dirty version). There are many areas that, for some reason, the media don’t really report on or focus upon (unless your compliance means PCI DSS). It’s the less “sexy” part of the industry, but for many, the part that hits the coalface of the business.

In Australia, there are things happening that you hear little to nothing about – things that are affecting businesses and compliance considerations now. They aren’t being focused upon and are far from hot topics like PCI DSS: “Ooh, merchants might start being fined soon, and let’s start talking about what PCI DSS is, and means to you, and how vendor X is going to help you”! We only hear about what a few decide is “sexy” but for the most part, and as recent conversations here in this blog and forums have shown, what those individuals are deciding is “interesting” seems not to be what is floating the boats of many in the industry. Drazen Drazic gets most of his news from blogs, he says.

Let’s have a look at a few things:


Worth a read. We’ve been dissecting this and it’s quite interesting. More soon… most of this is not hitting the media… wonder why?

Still not convinced I haven’t missed the section that makes this article “for the laugh”: We’ve been blind to attacks on our websites from Computerworld. Checked date – current! Re-read the article to look for hints of sarcasm and potential wit beyond the means of my comprehension – nothing (… I would not have picked it up anyway in that case, I suppose). So what have I missed?

Well okay, I’ll play along – pass it on… your website is probably under attack and may have been for a while. *Shock* Now what do we do, Computerworld?

Everyone (schemes, banks, press etc) tries to spread the care factor for any significant data breach of cardholder information.

Reality is that from an individual’s perspective, it really doesn’t matter whether it’s 20 million cards “exposed” or 1. As long as that “1” does not belong to the individual… And if it does, in most cases, the individual is protected against their losses.

Just a philosophical question/view. :)

Must have been a week or two for lists:
- Anton’s “Security Information Trust Pyramid”. Why? Why not! Related to this thread on Australian IT Security Media?
- Matt on “What do you need to know to work in infosec?” A view from inside a Big 4? What do you think?

Kiwicon 2K9 is in the planning. Follow the site for updates, or on Twitter @kiwicon if that floats your boat.

@SecurusGlobal has been set up on Twitter. Follow us for news, updates and goings on. Awesomely exciting… Ha… but just as exciting as most of Twitter. :) See you also at @DDrazic.

AISA is also on Twitter: @AISA_National, @Melbourne_AISA, @Perth_AISA.

Discussion on Policy Frameworks here from the Forums section.

Some new updates to the Australian IT Security Blog Directory. Check it out and support the local guys. If we’re missing someone, please let us know.

Posted in: Research, Too cool, WTF

In any strategic planning cycle, performance and strategy re-assessments are a vital component in keeping a strategy effective and up to date.

One way to measure the performance of the Information Security strategy is to develop a set of metrics that include benchmarks across the various phases and sub-phases of the strategy. The goal of the metrics is to help: define the strategy framework, communicate the strategy (by specifying performance measures), track performance (by collecting valuable information pertinent to the phase of strategy), increase accountability (by linking metrics to performance appraisals and business plans) and align the objectives of individuals, teams and the organisation itself.

In most cases this is easier said than done but investigation should still be undertaken into the creation of a metrics and strategy re-assessment process that covers at a minimum (thanks Rayport and Jaworski for the inspiration):

• Articulation of the Security Strategy.
• Translating Strategy into Desired Outcomes.
• Devising Metrics.
• Linking Metrics to Leading and Lagging Indicators.
• Calculating Current and Target Performance.

How complex an exercise is this? In recent weeks I have done a couple of presentations to boards and senior management of organisations who are keen to evaluate the effectiveness of their current strategy(s).

Are exercises like this 12-month-plus projects à la Big 4 massive undertakings (costing millions), or can an experienced eye provide the same end results in a fraction of the time? Read on.


Almost missed it again… E-Security Awareness Week. Here are the details and an awesome video with a great security tip for all:

Computerworld reports that “Govt preaches security to slack business”. Anyone have a copy of the presentations? It would be interesting to find out what was spoken about.

Still keen to know what the Government itself is really doing as posted here. More probing into the Government’s role was this post by SGirl here. It copped a bit of criticism but more support than anything else.

CNVA Program “suspended” as reported here.

Movement on the E-Security strategy front, I hear??!!… But how does it all relate to the above, and what information is going to be provided to those who made submissions to this piece of work? Is it all finally coming together or just becoming more disjointed?

This is one that probably needed updating in recent times when you look at what’s happened since then in many of these fields. This one was not related to IT security: Mind-blowing awesome ideas, music and great things (off topic). One of my favourite all-time posts. You could write a book on this, I reckon. Someone should.

The WTF and Dumb Security sections – have a look. Has much changed over the years? :) I enjoyed posting many of these. Though my CIO posts still rate up there as favourites also.

Great to see the list of Australian IT Security Bloggers growing slowly also. If you are not on the list and want to be, let me know.

Posted in: Dumb Security, WTF

I’ve seen a few discussions around the Net recently on this topic of “market forces” being the drivers of better IT security practice versus “regulation” so I thought I would resurrect some recent posts for discussion.

- Crime Insurance – Implications of bad business IT security practices: Could swing to either side of the debate.
- Regulating IT Security Practices – PCI DSS too tough?: It doesn’t have to be seen as impossible.
- Workaround, accepted mediocrity and questionable future benefits/improvements: Giving up and taking the “easier” paths?
- Regulation is Bad! Let the market solely dictate things!… What a load of BS!: A response to some posts published a few months before the recent ones.

Keen to get your thoughts.
