I was about to write an email to someone I respect deeply about how my thinking on information security had changed since we last met in the summer of 2013. Then I wondered if I’d actually written a blog post on this? I searched and found nothing, so I was surprised that it is not here. It is pretty straightforward, on the verge of “obvious my dear Watson” 😉
Clearly security is broken, however hard we work, our security programs interlaced with security technologies are not effective. Our security programs are not watertight.
So here we go:
1. Security is only as strong as the weakest link – an obvious deduction even for the non-security geeks amongst us 😉
2. The weakest link in the chain is the Human Factor of Information Security, something David Lacey wrote a whole book on in 2009.
3. If the identity thing, you know, the technology aspect of ‘the human aspect of information security’, had been architected correctly from the start, we wouldn’t be in the shit that we are today when it comes to water-tight security programmes!
It’s been a chilling experience for Sony Pictures, and a little surreal for those observing. It could be one of their movies….
Bruce Schneier has some thoughts. The hacking incident has shocked many, although any of us in information security may not be particularly surprised.
After many years in information security I am continually disappointed by the lack of focus there is on securing an organisation’s information assets. This includes intellectual property (IP), and any information that needs to be protected in generating IP. The focus on being ‘compliant’ and finding ways to get that tick-box without being really serious about doing what is right is worrying. I wrote a post in April this year that dives into this subject.
Of course if an organisation is not serious about protecting its IP, how can you expect it to protect your personal information, as employees, customers and partners? The lack of measures taken to secure employee personal information brings home the fact that when it comes to securing our personal data, and anything we generate, i.e. our digital footprint, it is up to us all individually to take control. It seems that we can’t trust anyone else…
But how is this possible? Well take a look at Lequinox, they have turned the identity paradigm upside-down. See if you can get your head around this way of thinking. They are empowering the individual: each one of us is to take control over what belongs to us. You control (and legally own) your digital identity and your digital footprint, and every identity in the world controls their own identity. It is the Lequinox technology with its cryptographic black box of magic that makes this possible. If you understand this, you will see that in the future, potentially it is you that is in control…
So information security in financial reporting is unnecessary? So you think… I guess you’re not following the HQ-Bank saga in Sweden? Well the stars of this saga are going to prison to pay for falsification of financial information. It seems that even the KPMG auditor (Johan Dyrefors) approved 2009 and 2010 accounts. Credit to KPMG that it didn’t get approved internally. Evidence of malpractice started in 2009. It seems that this was just the tip of the iceberg of accounting malpractices for HQ-Bank.
You know information security is not purely about protecting the confidentiality of financial information, it is about protecting its integrity; ensuring absolute traceability back to the originating source, which is the identity in whichever role they are acting within when financial records are submitted. The financial reports that are submitted should be digitally time-stamped and digitally signed to protect integrity.
It is XBRL that gives transparency. XBRL gives a single language for all financial information from creation through to consumption. However, in order to enforce Accountability, Responsibility and Traceability (ART), i.e. quality and integrity in financial reporting, you need information security. You know, that deep cryptographic magical stuff that tells you if the financial information has been tampered with.
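As an added illustration of the integrity and traceability point above (not code from the original post, nor from Lequinox or any XBRL tool): a small Python example that seals a constructed XBRL fragment by binding its digest to the submitter’s identity, the role they act in and a submission timestamp, then detects tampering with either the report or that envelope. It uses an HMAC keyed tag from the standard library as a stand-in for a real digital signature; a production system would use an asymmetric signature and an RFC 3161 timestamp token, and the key, identities and report values here are constructed.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed XBRL fragment standing in for a submitted financial report.
SAMPLE_REPORT = (
    b'<xbrl><ifrs:Revenue contextRef="FY2010" unitRef="SEK">'
    b'1250000</ifrs:Revenue></xbrl>'
)
# Constructed demo key; a real deployment would use the submitter's private key.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def report_digest(report: bytes) -> str:
    """Fingerprint of the exact bytes that were submitted."""
    return hashlib.sha256(report).hexdigest()


def _envelope_bytes(fields: dict) -> bytes:
    # Canonical encoding so the tag is computed over a stable byte string.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal_report(report: bytes, signer: str, role: str,
                submitted_at: str, key: bytes = DEMO_KEY) -> dict:
    """Bind the report digest to who submitted it, in which role, and when,
    then authenticate that whole envelope with a keyed tag."""
    envelope = {
        "digest": report_digest(report),
        "signer": signer,
        "role": role,
        "submitted_at": submitted_at,
    }
    envelope["tag"] = hmac.new(key, _envelope_bytes(envelope),
                               hashlib.sha256).hexdigest()
    return envelope


def verify_report(report: bytes, envelope: dict,
                  key: bytes = DEMO_KEY) -> Tuple[bool, str]:
    """Check the envelope first (identity, role, timestamp, digest), then the
    report bytes against the digest, so the two failure modes are told apart."""
    fields = {k: v for k, v in envelope.items() if k != "tag"}
    expected = hmac.new(key, _envelope_bytes(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("tag", "")):
        return False, "envelope altered"
    if report_digest(report) != envelope["digest"]:
        return False, "report content altered after sealing"
    return True, "ok"
```

Changing a single figure in the report, or swapping the signer name in the envelope, both fail verification, which is the traceability ART asks for.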
Lars Berlöf is going to be talking about this at the Nordic IT Security Conference on 5th November, I may even keep him company on stage, for a short time 😉 Lars knows about the challenges of transparency in financial reporting and is driven to enforce traceability, and hence legality, in all financial reporting, in Sweden, and across the whole world!
Here is a taster of what we will be talking about……