No reference to the original research source?
No point pondering or pontificating then.
Posts by Roundtuit
13 publicly visible posts • joined 20 Jan 2015
UK businesses shockingly unaware of how to handle security threats
Say what you see: Four-letter fun on a late-night support call
If your org hasn't had a security incident in the last year: Good for you, you're in the minority
Thursday 3rd October 2019 05:23 GMT
Breach is such a loaded term
It's almost as bad as "cyber". Both are bandied about like, and worth as much as, election promises.
Good on El Reg for hitting the nail on the head though: "Details of exactly what constituted a "breach" were not made available by Carbon Black, which, like all vendors peddling these surveys, has a vested interest in talking up how insecure the online world is in order to sell more products and services."
And for those of us genuinely trying to hold back the tide in infosec, their rampant, selfsh, crass commercialism is doing us a disservice. Marketing tripe dressed up as "surveys" is a modern-day scourge.
Second-hand connected car data drama could be a GDPR minefield
IoT needs security, says Microsoft without even a small trace of irony
Electrician cuts wrong wire and downs 25,000 square foot data centre
Saturday 12th December 2015 08:09 GMT
Re: Wrong odds
Nope. There are permutations, combinations and variations e.g. cut neither wire; cut one only; cut the other only; cut one wire then the other; cut the other wire then the one; cut both wires together; fail to sever a wire completely; ... it's really not hard to think of many more possibilities.
It was a mistake to quote a probability figure, and a further mistake to ignore the business consequences ... and it's hard not to think of more mistakes in this scenario, with the benefit of 20/20 hindsight (or is that 50/50?).
Researchers say they've cracked the secret of the Sony Pictures hack
Friday 27th November 2015 08:16 GMT
If the hackers were subtle & sensible, they'd have gone to ground as soon as they got in to the network, immediately concealing their activities, going deep, and meddling with the security logs, alarms and alerts. Having done that, they could sit there for an indefinite period waiting for the logs of their initial access to be overwritten or discarded, and quietly watching for any signs of proactive security response. Then they'd have free rein, knowing that their activities were being neither monitored nor logged ...
7/7 memories: I was on a helpdesk that day and one of my users died
Friday 10th July 2015 06:29 GMT
Abiding memory of 7/7
Aside from the grizzly images and sheer horror of the whole event, the thing that sticks in my mind about that day was watching an amazing performance from the police commissioner (? The Top Dog anyway) giving a press conference live on TV before the dust had settled. He was immaculately dressed, and spoke coolly and calmly about the incident before the assembled mob of journalists, in a press room that I guess had been set up in advance. An astonishing oasis of calm if you think about the chaotic scenes and all the work that the emergency services were doing at that very point.
If YOUR organization had experienced anything on that scale, do you think your Top Dog, advisors and support krew would have been prepared to deliver such a virtuoso performance so quickly and efficiently? I still use this as an shining example of how crisis and incident management can/should be done.
I believe there had been an emergency exercise in central London just a week or two earlier, so all the emergency services were as ready for the incident as they possibly could be - another worthwhile lesson arising from an otherwise devastating mess.
Think server vulns are the IT department's problem? Think again
Sunday 17th May 2015 10:33 GMT
Re: Nothing new here...unfortunately
An excellent way to hone up on business skills and speak the same language as the MBA types is, of course, to study for an MBA and become an experienced manager. I consider my MBA the best information security qualification I hold. I also heartily recommend CISM from ISACA which emphasizes the governance angles of our job, plus risk management, compliance, business continuity and other stuff that IT security (and "cybersecurity") pro's tend not to appreciate. There is MUCH more to being an effective information security pro than knowing about vulnerabilities in IT systems.
[By the way, "death management ears" tickled me. Freudian slip?]
WW2 German Enigma machine auctioned for record-breaking price
Sony hack was good news for INSURERS and INVESTORS
Tuesday 20th January 2015 09:49 GMT 
"Co-chairs" might just be the root cause
If there's one thing I've learnt in life, it is that multiple bosses == bad news. Well, to be more accurate, it's not the bossing that matters, but the dilution of leadership and clarity of direction. If in fact the "co-chairs" were spookily aligned, why did SPE need them both? My guess is they were hedging their bets.
The reason that top brass are paid so highly is that (a) they have that rare combination of proven qualities (such as capabilities/expertise, experience, charisma, drive and motivation) to make good decisions more often than not, meaning that they are in high demand; and (b) they demand the $$$$$$ in return for their personal accountability when, almost inevitably, like gamblers they eventually make a seriously bad decision.
Biting the hand that feeds IT
