You are currently browsing the monthly archive for July 2015.

So the results of the Mozilla Delphi project are out. I was one of the panelists – alongside some pretty well known names like Jane Hall Lute, Bruce Schneier, and some other big etc.’s.   You can find it here:

And some background here:

“Mozilla’s Cybersecurity Delphi 1.0 is a step to address this gap, by identifying and prioritizing concrete threats and solutions. Through the iterative structure of the Delphi method, we will build expert consensus about the priorities for improving the security of the Internet—infrastructure to protect public safety, sustain economic growth, and foster innovation. The Delphi method offers unique benefits in this context because it aggregates the input of a diverse, broad set of voices, using a discrete and defined process with a clear, fixed end point and a mechanism for non-attribution to encourage open and thorough engagement.”

I’m still processing the results, many of which I adamantly disagree with, but what I think the report mainly shows is that “cybersecurity” isn’t a thing that exists outside of specific sets of contexts and perspectives and goals. It just goes…poof…and disappears as a concept if it’s not bracketed by material constraints. The all-over-the-board nature of the responses seems to demonstrate that (even though Mozilla did a good job creating a narrative around them).

That said, I think there are some interesting points in the document and that it’s worth a read – at the very least you’ll get to see some of the filter biases of some very smart people (obviously including my own). And those are worth knowing, because very often our human fears and backgrounds and perceptions are not reflective of actual risks and needs.



Today I saw an announcement for another cybersecurity leadership council filled with the usual suspects:

“When it comes to the cybersecurity of our networks, the private sector has the capabilities and the market has produced good solutions. Now we need to focus on mitigation of cyber risks through cross-sector information sharing efforts, public and private partnerships, and the improvement of cyber hygiene of businesses of all sizes,” said Howard Schmidt, a partner at Ridge-Schmidt Cyber, and chairman of the council.

Sigh. Let me give this to you all straight:

First, our cybersecurity exposure is fundamentally created by how businesses go about making money. It’s about corporate discipline, perception, culture, value chains, investment strategies, procurement, marketing, communication, trust, operational quality, etc. Cybersecurity state is NOT primarily a function of anything that happens in a CISO’s office. It has very little to do with Information Sharing (as typically defined in this conversation), and Public Private Partnership success depends on having some sort of comprehensive problem space model which precedes conclusions (and the language provided starts with conclusions without a consensus problem space model anywhere).

CISOs’ activities are done as a result of a business’s actual exposure – created OUTSIDE of the CISO’s office – business perception of its risk – created by its culture – and actual threat actors – which neither the business nor the CISO’s office directly controls. Therefore any conversation or effort centered on how to do “Cybersecurity” better will, almost by definition, fail. “Cybersecurity”, if defined as “activities centered around the CISO’s office and levers to enable the CISO’s office”, has little to no influence or control over the business risk level created by ICT (Internet Connected Technology) use because it neither controls nor influences ANY of the primary environmental factors.

The problem is, since coordinating solutions on the non-CISO’s-office problem space (exposure creation) requires dealing directly with how businesses make money, it’s a really tough nut to crack (legally, politically, financially, culturally, etc.) and few are willing to do it. It’s MUCH easier to focus on the CISO’s office – even at the expense of success. And, besides, we have a whole security industry telling us that another box or service will solve the problem. (For those not following along, what they mean by “solve the problem” is “hold the line until you slowly drown in the cascading consequences of rising complex conflict interactions online”.)

Further, technically, even if we did move the conversation to “how we do business in general and how that creates exposure” – which NONE of the language around the new group even smells like it might be saying – the way we build IT and OT infrastructure is not securable to the level we desire it to be for the cost we wish to pay. Full stop. This is not a “security” problem, this is a mathematical complexity problem that has to do with error rate and organizational competency across time and disciplines. Moving further on “cybersecurity” without changing the surrounding technical environment – transformationally, not evolutionarily – is an abject waste of time.

Anyone telling you different is selling you something, ignorant, or has unfortunate perspective blinders on.
