Adult Behavior

February 8, 2018

John Perry Barlow, a co-founder of the Electronic Frontier Foundation (EFF) died yesterday.  Many of us haven’t had the opportunity to meet him, but it would have been difficult in our business to avoid being touched by some aspect of his work.  His diverse accomplishments suggest that he was an extremely curious, intelligent, sensitive, and energetic individual.

For decades he was influential across a number of dimensions of Internet evolution.
His work and that of the EFF have been valuable risk management enablers for decades.

In addition, Mr. Barlow shared some guidance on adult behavior that seems like excellent input for anyone engaged in or hoping to join Financial Services risk management.  In the presence of the diverse spectrum of pressures we all work within, and under a non-stop rain of security product/service marketing, it is easy to become overly focused on technology and process.  While they are essential, they are also insufficient.  Global Financial Services enterprises are complex, dynamic entities that — for long term success — seem to require that those of us in information security & risk management strive to exhibit the behaviors succinctly summarized in Barlow’s Principles, and that we be called out by our peers when we fail.  Make some time to read them.

REFERENCES:
Barlow’s “Principles of Adult Behavior”:
https://www.mail-archive.com/silklist@lists.hserus.net/msg08034.html
John Perry Barlow:
https://en.wikipedia.org/wiki/John_Perry_Barlow
EFF:
https://www.eff.org/
EFF Background: https://en.wikipedia.org/wiki/Electronic_Frontier_Foundation
Barlow’s still thought-provoking 1996 “A Declaration of the Independence of Cyberspace”:
https://www.eff.org/cyberspace-independence


Cloud Risk Assessment Challenge Thoughts

February 3, 2018

Technology is often at the center of efforts to sell new business models. From some perspectives, “Cloud” is more about new business models than about technology-enabled capabilities. Over the last decade or more, “cloud” marketers and hypists have constructed intricate structures of propaganda that trap the unwary in a matrix, a fog, a web of artifice and deceit.[1]  I think that a “cloud first” belief system is misused in ways that sometimes result in excessive risk-taking.  Belief systems are tricky to deal with and can cause some to dismiss or ignore inputs that might impact core tenets or dogma.

My reading and first hand experience lead me to believe that many are willing to migrate operations to other people’s computers — “the cloud” — without clearly evaluating impacts to their core mission, their risk management story-telling, and risk posture. Too many cloud vendors remain opaque to risk assessment, while leaning heavily on assertions of “compliance” and alignment with additionally hyped ancillary practices [containers, agile, encryption, etc.].

None of this rant implies that all Internet-centric service providers are without value. My core concern is with the difficulty in determining the risks associated with using one or another of them for given global Financial Services use cases.  That difficulty is only amplified when some involved exist within a reality-resisting “cloud first” belief system.

Because some “cloud” business models are exceptionally misaligned with global Financial Services enterprise needs and mandates, it is critically important to understand them. A given “cloud” vendor’s attack surface combined with a prodigious and undisciplined risk appetite can result in material misalignment with Financial Services needs. Again, this does not invalidate all “cloud” providers for all use cases; it elevates the importance of performing careful, thorough, clear-headed, evidence-informed risk assessments.  In our business, we are expected, even required, to protect trillions of dollars of other people’s money, to live up to our long and short term promises, and to comply with all relevant laws, regulations, and contracts.  And we are expected to do so in ways that are transparent enough for customers, prospects, regulators, and others to determine whether we are meeting their expectations.

  • Evidence is not something to be used selectively to support beliefs.
  • Research is not hunting for justifications of existing beliefs.
  • Hunt for evidence. Use your cognitive capabilities to evaluate it.
  • Soberly analyze your beliefs.
  • Let the evidence influence your beliefs.
  • When needed, build new beliefs.[2]

Effective risk management has little room for anyone captured within a given belief system or abusing the power to create one’s own reality.

This remains a jumbled and unfinished thought that I will continue to evolve here.

What do you think?

[1] Derived from a phrase by Michelle Goldberg.
[2] Thank you Alex Wall, Johnston, IA. Author of a Letter to the Editor in the Feb 3, 2018 Des Moines Register.
