Privacy and the Smart Grid

Although much of the focus in the SPARKS project, for which I’m the technical director, has been on cybersecurity’s role in minimizing the risks and costs of power disruption, the project has also been concerned with identifying and mitigating risks to privacy that may be entailed by the deployment of the Smart Grid. One of the…

“I am an imposter.”

I was invited to give a keynote at the Cloud Security Alliance (CSA) Congress in Dublin recently, on behalf of my EMC colleague Said Tabet. Two years before, I had spoken at the CSA Congress in Rome about the EU-funded SPECS and SPARKS projects and their relevance to cloud in terms of GRC and security analytics.…

Enabling the Advantaged Enterprise

I was in my 36th floor hotel room in Las Vegas one afternoon last week, after a day of presentations at EMC World, when I was startled by something banging the side of the building above my window. A man in a rope sling winched slowly into sight, swaying from side to side, twirling slightly.…

Reversing the Drift into Failure

In his January 2016 Cryptogram newsletter, Bruce Schneier reprinted an essay on “normalization of deviance”: the process of divergence from defined policies and procedures into increasingly risky practices. Explored in detail by Dr. Diane Vaughan, as well as by other researchers and practitioners seeking to explain catastrophic failure events, it has great relevance to cyber…

The Defining Issue of our Time

In his acceptance speech for the Lifetime Achievement Award at RSA Conference, Art Coviello once again, as so many times in the past, showed the exceptional insight and leadership that have been his hallmarks throughout his career. There have been many discussions this week about the interrelationship of privacy and security, particularly in the context…

The Risks of Root Causes

I spoke recently at a workshop organized by the Alan Turing Institute in London to identify areas related to cyber security in which major research is needed. Though I focused on security analytics, I also talked about the need to develop more effective models for understanding and managing risk, citing the work that my colleagues…

The Innovator’s Dilemma in Cybersecurity

Our final keynote at RSA Conference Abu Dhabi 2015 was given by Richard Clarke, always an interesting and challenging speaker. As I listened to his discussion of responding to cyber threats, however, I was struck by his strong emphasis on preventative measures and the relatively little discussion of the essential role of ongoing visibility and…

Communities of Action against Cyber Risks

One of the major themes in the London Gartner Security and Risk Management Summit and the Washington DC Borderless Cyber summit, both of which I attended recently, was the transformative nature of shared information in combatting cyber threats. Richard Struse, chair of the OASIS Cyber Threat Intelligence Technical Committee, spoke of the goal of that…

Cascading Risk: Lloyd’s “Blackout Report”

In early July, Lloyd’s published “Business Blackout: The insurance implications of a cyber attack on the US power grid,” a study of the financial impact of a hypothetical electric grid failure scenario in the US. Developed jointly with the University of Cambridge Center for Risk Studies, it is an…

The On-going Threat of Social Engineering

I spoke recently at a meeting of the Dublin, Ireland chapter of ISACA about the continued (and increasing) use of social engineering in cyberattacks discussed in several recent reports, including the joint report by ISACA and RSA that documents the results of a survey of cybersecurity professionals, conducted in the first quarter of 2015. Those…