Accepting Risks

One could argue that life is all a series of risks. Sometimes we remain in a state of ignorant bliss. Other times, we are aware of risks and take measures to mitigate them. But sometimes we choose to accept the risk.

Accepting risk is not a bad thing. Quite the opposite. Without risk acceptance, there would be no innovation. The reservoir of great ideas would dry up and bankers would have to make ends meet with mere six-figure bonuses. Risk acceptance is the grown-up thing to do. “We understand the risk, and chose to accept it. It’s the cost of doing business.”

But the question is whether some of the risks businesses accept are “unreasonable”. Like creating a toy that captures children’s information, such as their name, address, birthday, photo, parents’ details, and allergies, then taking this information and putting it on an insecure website. We don’t mean a website that is accessible over HTTP minus the S, but a website so insecure that it makes OWASP training websites look ‘military grade secure’ by comparison.

Thankfully though, whenever a company is breached and millions of customer records are exposed, the company can merely shrug and say sorry, all the while assuring everyone that they ‘take security seriously’. Customers don’t like it. Troy Hunt will upload the data to haveibeenpwned.com and the world will grit its teeth and take it. This is the seedy world of corporate risk acceptance. The terrifying underbelly of cyber-actuarial tables (if such a thing exists).

The point is that you can’t innovate and deliver new functionality to customers by building a secure website. Or waste precious time ensuring your hardware is hacker-proof. If you do, your competitors will have leapfrogged you. Not to mention, no customer would want to pay a premium on your offering just because you say it’s more secure than the others.

Or maybe the real question is “how secure do I need it to be?”.

Host Unknown presents: Accepted the Risk (A Risk Management strategy for removing blockers to productivity)

Why waste time remediating when you can simply accept the risk?

@HostUnknownTV bring to life a Risk Manager who gets the balance of risk management very wrong. Are the CISA auditors being inflexible or did Javvad skip a module on his CRISC?

Love it? Hate it? Leave a comment below!

http://hostunknown.tv

@HostUnknownTV

Produced by Mahmoud El-Azzeh @mantheycallmoo

Directed by Mahmoud El-Azzeh

Director of Photography – Caleb Wissun-Bhide

1st Assistant Cameraman – Iustin Filip-Mucenic

Editor – Lara Blanco

VFX and Colour Grading – Timothy Greenfield


Starring

Javvad Malik

Andy Agnês

Thom Langford


Dancers provided by Epika Dance http://www.epikadance.com/

Emiko Jane Ishii

Martha


Extras

Pauline Singh

Lee Munson


An Elazayan Films Production

https://www.facebook.com/Elazayan-Films-284223804977370/

Host Unknown Does the RANT Conference

Picture the scene… three men in their prime, fully prepared, well read, research done, market offering defined, sales patter practised and an excellent floor stand ready for the conference.

The reason you are struggling to picture this, especially if you attended the RANT Conference, is that this is exactly the opposite of what turned up on the day. Three feckless fools turned up in yesterday’s clothes, unprepared and with a disastrous, incoherent cornucopia of swag and content for their stand. Regularly contradicting each other, sometimes it seemed just for fun, our three ‘presenters’ muddled through the day with their shoddily spelt swag, poorly prepared patter and all-round pretty poor presentation skills.

Still, nobody seemed to notice.

It was an excellent day all round, and Host Unknown would like to thank Acumin, especially Simon and Donna, for putting their personal reputations as well as that of the RANT Conference itself on the line and graciously allowing Host Unknown to play a part.

We hope you enjoy the film.

Is CISSP out of touch with modern information security?


“An issue for the industry, and for (ISC)2 in general, is that the membership may be seen as middle aged and out of touch.”

(Interview with Wim Remes & Dave Lewis, (ISC)2 Board Members)

Host Unknown disagrees.

To us, the CISSP has always been for people of varied backgrounds and skills, and like a good pair of flared corduroys, has never really gone out of fashion. Yet how could we demonstrate its appeal to the infosec practitioners around the world, let alone (ISC)2, and show that not only can you save the world with a CISSP but you also get the girl (or boy)? We turned to the learned works of Mr Cent (50) for inspiration, and in conversation over the giant mimosa we were sharing he said to us:

“Forget all the CIA talk – you gots to get real on this CISSP shizzle”

Wise words indeed Mr The Cent.

Just as the A-Team makes an escape vehicle when trapped in a drug overlord’s shed, Host Unknown produces its best work when under pressure and locked in a panic room. Three weeks later, we present to you our answer to the CISSP being “out of touch”.

RSA Europe on the cheap, Host Unknown style

When we asked Javvad and Thom for their report from RSA Europe two months ago, they mumbled something about “Amsterdam has it now” and handed us their expenses (which were interesting to say the least). We left it at that; it’s not like we came to expect anything else from these people.

However, we received a package from the Dutch authorities with an evidence bag and a memory stick (along with a few other items that no amount of therapy will help us forget). Thankfully we don’t read Dutch, but we are pretty sure the phrase “Bewaar deze idioten van ons land in de toekomst” is not a good one.

How Andrew avoided being a part of this debacle defies explanation.

The memory stick did however contain their report. What can we say, it certainly wasn’t worth the expenses they filed.