Security Management: Newsletter - Apr 2023
Security Management
Protection, guarding, defence and management of assets against natural, human and operational threats
Of the 291 posts published to the Security Management showcase page during April 2023, which generated 122,059 views, 32,471 clicks, 1,109 likes and 448 reposts, here are the top 12, based on volume. Tony Ridley, MSc CSyP MSyI
Also, don't forget the Risk Management newsletter. Of the 289 posts published to the Risk Management showcase page during April 2023, which generated 140,286 views, 33,984 clicks, 1,110 likes and 233 reposts, here are the top 10, based on volume.
Collectively, these two showcase pages generated more than 262,000 views last month, along with some 66,000 clicks and over 2,200 likes. In addition, the independent newsletters from the two showcase pages have over 13,000 international subscribers between them.
"The decreasing separation between the physical and the cyber means that security issues can no longer be siloed. Increasingly, if security measures are to be effective in addressing the range of risks, a multi-layered approach that includes consideration of personnel, physical and cyber security, as well as good governance, is required. This can assist in:
"Depth" has become synonymous with 'security': Security-in-Depth, Defence-in-Depth and Protection-in-Depth. However, 'depth' in security is often a proxy for history, accumulation, randomness and layers of decay, resulting in vulnerability, risk and insecurity. That is, a great deal of 'stuff' has been done, installed, practised and documented in the name of security, but the layers are neither coordinated, planned, integrated nor optimised, leaving countless opportunities for exploitation across the digital and physical realms, often in concert or simultaneously.
"Security in depth is an approach where holistic treatments to security protection and resilience are provided based on the contextual threats and risks, cognizant that layers of protection are insufficient in some circumstances." (p. 684)
"For an organization, security in depth is the 'sum of all security layers, physical and logical, which stand between an adversary and a protected target' extended to integrate governance, policies and procedures, continuity and management of the security function." (p. 684)
"In contrast, defence in depth is the concept that to accomplish their goal intruders are required to avoid or defeat a sequential number of protective devices or layers." Brooks, D. (2022). Intrusion Detection Systems in Physical Security. In Gill, M. (ed.), The Handbook of Security, 3rd ed., Palgrave Macmillan, p. 685.
Mud, trash, dirt and complexity all come in layers. That doesn't make them planned, neat, hygienic or non-hazardous. Security is the same. Layers in and of themselves aren't 'security'; the layers have to work in unison, planned by professionals, maintained and supported. If not, waste, risk and vulnerability accumulate instead. So, do you have planned protection, security and defence in depth... or just layers of activity, decay and muck: a visual reward for expenditure and the championing of 'security', divorced from any specific threat or adversary tactic?
"This publication describes a basis for establishing principles, concepts, activities, and tasks for engineering trustworthy secure systems. Such principles, concepts, activities, and tasks can be effectively applied within systems engineering efforts to foster a common mindset to deliver security for any system, regardless of the system's purpose, type, scope, size, complexity, or the stage of its system life cycle. The intent of this publication is to advance systems engineering in developing trustworthy systems for contested operational environments (generally referred to as systems security engineering) and to serve as a basis for developing educational and training programs, professional certifications, and other assessment criteria."
"'How to assess and gain confidence in your supply chain cyber security' is aimed at procurement specialists, risk managers and cyber security professionals wanting to establish (or improve) an approach for assessing the cyber security of their organisation's supply chain.
It's particularly suitable for medium to large organisations who need to gain assurance that mitigations are in place for vulnerabilities associated with working with suppliers. It can be applied 'from scratch', or can build upon any existing risk management techniques and approaches currently in use."
#Crime and crime prevention within organisational, community and public settings remain complex phenomena that inform security risk management practice. That is, in order to prevent, mitigate or reduce crime, individuals and organisations must first understand what leads to crime. This is particularly true of the criminality of place: where crime and harm concentrate.
It is therefore concerning, and conspicuous, where 'security' measures have been applied, installed or adopted in the absence of detailed, structured and professional crime analysis or criminological input. This includes policy, procedures and practices. A few simple slogans, diagrams or schematics don't cut it either.
"...nobody expects the training of medics or architects to be built on a few slogans or elementary diagrams - why should security?" - Ekblom, P. (2014). Securing the Knowledge. In Gill, M. (ed.), The Handbook of Security, 2nd ed., Palgrave Macmillan, p. 510.
What crime, safety, security and risk 'knowledge' informs your security ideology, your security management practices, or your corporate, private, public or commercial security undertakings? Is your 'defence' based on evidence, or just on what is expected of you or what everyone else is doing? Or do you simply follow the vendor's advice and marketing claims? Does your security vary according to the offender, adversary and threat... or is it a 'one-size-fits-all' for all things physical, cyber, travel, safety and workplace security? Does it account for changes in society over time?
"The rate at which APIs are developed today exceeds the rate at which our organisation can ensure the security of each of these APIs"
"The Threat Landscape: Threats abound. Companies worldwide rely on Application Programming Interfaces, or APIs, to facilitate digital experiences and unleash the potential energy of their own data and processes. APIs are a critical link in blending proprietary data with assets from third parties. They also serve a critical role in the race to modernize applications, fueling interoperability and, in turn, efficient functionality.
But the proliferation and importance of APIs comes with a risk. As a gateway to a wealth of information and systems APIs have become a favorite target for hackers.
Our research confirms the widespread impact of these threats. We surveyed over 500 technology leaders in the United States. Half of them report experiencing an API security incident in the past 12 months. That percentage is higher or lower depending on who you ask. 62% of C-Suite executives surveyed indicated that they’ve had a security incident in the past 12 months while only 37% of those who are a couple levels removed from the C-Suite said the same.
This could point toward the limited purview of functional IT teams, or it could be an indication of how salient the issue is for those with greater responsibility. Or both."
The pursuit of a standardised, collective model for rating and ranking risk at the individual level will remain forever elusive because, try as we may, people, their actions, their variances and their personal contributing factors don't fit into neat little boxes, nor do they remain fixed for very long.
Paradoxically, the absence of specific, inflexible people-risk categories indicates the presence of significant risk, including ignorance and a lack of inclusion. A simple comparison by gender or sexual orientation immediately shows that people, at scale, carry far too many concealed variables for any broad rating of threat, harm, danger or risk to be even reasonably accurate.
Not only are fixed-state differences major contributing personal risk factors, so too are transient factors such as behaviour, choice and activity, which further confound fixed models and broad risk declarations for people in a single location, let alone mobile individuals or those moving between geographical and social cohorts.
"Security is an essential element of any project concerning the creation (encompassing planning, design and construction), modification, improvement or disposal of a built asset. Expertise may be required to support in the development and review of: risk assessments; a security strategy; a security plan; and security aspects of the project design, as well as to provide assistance in the procurement, technical design and construction phases. Where the necessary expertise is unavailable in-house, the security or project manager of any significant built asset venture will need to consider procuring the services of one or more specialist security consultants."
Many 'security' measures (physical and cyber) are implemented in the name of crime prevention. However, most 'security' practitioners and professionals are not criminologists, nor do they have specific criminological education or training. Yet security countermeasures are often derived from intelligence and criminological research or analysis, which require their own qualitative and quantitative means of selection. So what rigour or process is used to separate 'good' crime prevention measures from 'poor' ones, or from questionable ones?
"The volume of research relating to crime prevention is enormous, but of varying quality. Policymakers and practitioners who want to improve their decisions by drawing on evidence thus face a variety of problems. These include, for example, finding the evidence, assessing its quality, working out which evidence is relevant to their issues, and persuading stakeholders that policy and practice should accord with what the evidence suggests." - Johnson, S.D., Tilley, N. & Bowers, K.J. (2015). Introducing EMMIE: an evidence rating scale to encourage mixed-method crime prevention synthesis reviews. Journal of Experimental Criminology, 11, p. 460.
Poor evidence produces poor outcomes, public safety and security included. Risk management therefore applies to the very process by which security measures are researched, chosen and implemented, well beyond the economic factors, which come last in that process, not first. A simple audit or review of existing 'security' measures may find they are little more than myths, groupthink, vendor narratives or 'past' solutions to legacy threats, no longer effective or valid. Harm, loss, insecurity and unsafety are the likely result.
"Cyber security breaches and attacks remain a common threat. However, smaller organisations are identifying them less than last year. This may reflect that senior managers in smaller organisations view cyber security as less of a priority in the current economic climate than in previous years, so are undertaking less monitoring and logging of breaches or attacks."
"The toolkit helps boards to ensure that cyber resilience and risk management are embedded throughout your organisation. It will help you to make informed cyber decisions that are aligned to your wider organisational risks, and ensure cyber security is assigned appropriate investment against other competing business demands.
As a board member it is important to view cyber resilience strategically. Cyber security risk should have the same prominence as financial or legal risks in board discussions. Crucially, cyber security is not just 'good IT'; it underpins operational resilience and when done well, enables your organisation's digital activity to flourish."
#Crime is possibly the worst primer for action when it comes to security and risk management. What is defined and reported as crime is far removed from the real-world occurrence of criminal activity (including harm, loss and violence); only a fraction is ever reported to, or captured by, law enforcement or the justice system.
In other words, crime as a number or a reported event is an exceptionally incomplete and inaccurate lag indicator on which to base security and risk management measures, including the protection of assets.
Remember that security and risk management is a pre-emptive, preventative pursuit of the protection of assets, not a reactive one; reaction remains the dominant function of law enforcement.
As a result, over-reliance on, or exclusive measurement of, crime as the metric for security and risk management action exposes people, information, processes, resources and profits to real-world threats, harm, danger and risk.
"Criminals are taking advantage of the fear and uncertainty that many citizens are experiencing because of the pandemic. We are witnesses to a marked increase in malicious emails, phishing attacks, scams and malware related to the COVID-19 crisis. In addition there is an increase in the number of cyberattacks targeting specific industries already under strain, such as hospitals, healthcare providers, and medical research facilities. Criminals are also targeting SMEs as they are aware many SMEs now have staff working remotely, have deployed systems quickly rather than securely in order to continue to serve their customers, and many do not have adequate cybersecurity defences in place."
"At the core of everything we teach is "The Rule of the Stupids": Don't do stupid stuff, with stupid people, in stupid places, at stupid times of the day, especially at night. Late nights in bars, unfamiliar parts of towns, being with people who have bad judgment: These all fuse to potentially get you into trouble. Any one of the "stupids" by itself can have some consequence, and by adding multiple stupids together, your risk begins to multiply exponentially. So mitigate your risk by avoiding the stupids. See the appendix for more information."
"This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. Typically, the organization looks to the program for overall responsibility to ensure the selection and implementation of appropriate security controls and to demonstrate the effectiveness of satisfying their stated security requirements. The topics within this document were selected based on the laws and regulations relevant to information security, including the Clinger-Cohen Act of 1996, the Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. The material in this handbook can be referenced for general information on a particular topic or can be used in the decision-making process for developing an information security program. National Institute of Standards and Technology Interagency Report (NISTIR) 7298 provides a summary glossary for the basic security terms used throughout this document. While reading this handbook, please consider that the guidance is not specific to a particular agency. Agencies should tailor this guidance according to their security posture and business requirements."
"This publication provides security and privacy control baselines for the Federal Government. There are three security control baselines (one for each system impact level—low-impact, moderate-impact, and high-impact), as well as a privacy baseline that is applied to systems irrespective of impact level. In addition to the control baselines, this publication provides tailoring guidance and a set of working assumptions that help guide and inform the control selection process. Finally, this publication provides guidance on the development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation."
The guiding safety, security and risk management strategy is typically only critiqued in detail after a significant failure, shortfall or public outrage.
That is, for the most part, strategy stands as an unassailable assurance and declaration that all is well and being managed when it comes to safety, security and risk management.
In other words, strategy is seen as the saviour... until it fails, which it routinely does. Yet few people bother to adequately analyse the actual strategy, what was actually done and the specified outcome(s).
In short, strategy conceals many things and is rarely measured as an a priori or a posteriori influence on safety, security and risk management. This is especially so where safety, security and risk management are treated as meaning the same thing; they overlap, share characteristics and become indiscernible from one another on more than one occasion.
"Success has many fathers whereas failure is an orphan"
Risk, Resilience, Safety, Security & Management Sciences (Applied)