Saturday, June 6, 2026

SF - 1.03.0 - metrics

Metrics

I need to talk, at least a little bit, about metrics.  Firstly because an awful lot of security frameworks will either demand or provide you with metrics.  Secondly because of the close tie between security and management.  And particularly the statement that what you can't measure you can't manage.  I'm not really sure that I entirely agree with that statement, but it has a lot of merit to it.  An awful lot of people will want metrics to indicate that the security efforts that you make with regard to a certain security framework will in fact improve the security posture in some measurable way.

Of course, as soon as we talk about metrics we start to talk about KPI, or key performance indicators.  This is just really metrics by another name, but management types tend to really appreciate key performance indicators.

In regard to the key part of key performance indicators, I should recommend a book by the name of "PRAGMATIC Security Metrics," by Brotby & Hinson.  Pragmatic is not just a description in the title of this work, but an acronym, pointing out that the security metrics that you choose should be predictive, relevant, actionable, genuine, meaningful, accurate, timely, independent, and cheap.  I highly recommend this work as it points out that not everything that you can measure really gives you any information about how you should manage.  The book itself will provide more details on all of the terms that I have just listed, and I highly recommend it for anyone in really any field of management, but particularly security.

I really enjoy the game of curling.  I appreciate the complexity and strategy of the game.  I tend to tell people that it's like playing chess, if the chess pieces are forty pounds each, and you put them on the board by throwing them down a sheet of ice to a position over a hundred and forty feet away.  No, I am not changing the subject.  If you watch curling on television, the commentator will give you statistics for the players.  But what does it mean if someone has a hit rate of 67%?  What does it mean if a player has a draw rate of 73%?  Operationally, you should either place the stone where it's supposed to be, or not.  That's either a one or a zero.  But, I suppose tactically, have you hit the other stone at precisely the right spot to push it out of the way, or did you get it 67% close to the precise spot?  When you draw down the ice, have you placed the rock perfectly, or is it 73% likely, strategically, that your opponent will not be able to draw around your stone and mess up a subsequent activity?

In terms of management and communication of extremely complex technical information, in an extremely complex and difficult situation, I always cite as the master class in communication of this sort the Dr Bonnie show during the pandemic.  The information was delivered, more or less on a daily basis during the high point of the pandemic, not just in terms of the numbers, but in terms of what they meant.  One example was the effectiveness of the vaccines, as they started to come along.  The Pfizer and Moderna vaccines were recommended, because they both had an effectiveness rate of 90%.  AstraZeneca was to be used only as a kind of a last resort, since it only had an effectiveness of 60%.  Presumably this meant that 60% of those who got the AstraZeneca vaccine did not contract the disease during the testing period.  However, AstraZeneca could, quite reasonably, have claimed an effectiveness of 89%, since 89% of those who got the vaccine, whether or not they got covid, did not become very ill and did not require hospitalization.  In fact, AstraZeneca could, also reasonably, have claimed an effectiveness of 100%, because no one who got the AstraZeneca vaccine, during the testing regime, actually died of covid, and therefore 100% of those who got the vaccine survived.

Hopefully this goes some way to pointing out that metrics alone, in isolation, are not necessarily the final word on the effectiveness of security.  Security metrics are indicators, and generally very valuable indicators of what is going on.  But you have to understand the implications of the particular metric.  Not everything that can be counted counts.




Security frameworks (SF) series:
Next: TBA

Security Frameworks SF - 0.00.0 - intro and ToC

(You can thank the Technology Forum of the Chartered Professional Accountants of British Columbia for this one.  They asked me to do a presentation, and chose the Security Frameworks presentation [that I hadn't done in a while], which reminded me that I had never dictated the text and resources of this presentation out in full.  So, here it is.)

Security frameworks is a rather vague description, and advisedly so.  That is because there are so many different options in terms of security frameworks: so many different types of security frameworks.  All of them have advice or guidance that can be used to improve your security situation or processes.  None of them, unfortunately, are a one-size-fits-all perfect standard for the creation of a security program.

An awful lot of security frameworks are guidelines, or guidance, towards improving your security posture.  Some stick to the basic principles of security, reminding you of areas which you need to examine.  A number of the frameworks will be standards, of one type or another.  Some of them are fairly generic standards, and so it's hard to distinguish them from guidelines and principles.  However, others are standards for particular operations or systems, such as the data security standards specifically for the payment card industry.

Some of the frameworks are actual frameworks, and are either structures, or breakdown structures, for examining your existing enterprise and the security operations and processes within it.

There are a number of security frameworks which basically consist of checklists.  I tend to refer to the checklist style of frameworks as the "135 checklists," since, for whatever reason, most of them have approximately 135 items in the checklist.  There can be a bit of leeway with a few items either more or less, but it has been astounding, over the years, how many of these checklists clock in very close to the 135 item number.  A number of the checklist frameworks either originated as, or have been folded into, software of some type, so that the software will walk you through the items on the checklist, and allow you to determine which of these items you have, and which you should examine for inclusion in your own security systems.

A number of the security frameworks will style themselves as either a collection of "best practice" items, or the "gold standard" in security frameworks.  Best practice tends to be the gold standard in terms of a buzz phrase for getting someone to buy into your framework, while gold standard tends to be the best practice in terms of convincing people that your framework is the top of the line.

Some of the security frameworks are targeted at a specific process, even though they may provide guidance for security as a whole.  Sometimes these particular security standards are audit guidelines or outlines.  Some security frameworks result from legislation or regulation mandated by the government.  Some are reporting standards for a particular industry or a particular process.  Finally there are certain security frameworks that relate to product evaluation.

As noted, all of these frameworks can provide you with guidance in a number of areas.  Unfortunately, none of them are able to provide you with a perfect security situation all on their own.  It is important to know the range and variety of security frameworks so that you can choose a security framework which will complement your existing security situation, and provide you with the greatest opportunity for improvement of your security situation.

In a number of these reference articles I will be including links to certain portions of the full CISSP workshop, which also functions as an introduction to the field of information technology in general.  This link is to the video on security frameworks.


Security frameworks (SF) series:
Introduction and ToC: https://fibrecookery.blogspot.com/2026/06/security-frameworks-sf-0000-intro-and.html (this one)

Wednesday, June 3, 2026

Non-promotional announcement

Rob Slade is not necessarily proud, or ashamed, to announce that he is still retired.

He has not received a promotion.

He has not been a particularly long time in any position.

He has not been awarded any special citation or honour.

He is still enjoying sporadically researching stuff he finds interesting, and hopefully the postings he makes about it are either interesting or helpful to some of you.

You don't have to be jealous that you are not doing what he is doing.  He hopes that you enjoy doing what you are doing, and predicts that, if you keep enjoying your work and doing it, someday you can post a similar posting.



(Which is mostly about "highlights" and "best life" postings on social media.)

Wednesday, May 20, 2026

CoSMI - 1.0.1.22 - Authenticity - True Self - job interview tricks

In a long lifetime, with many career changes, I have spent far too much time in job interviews.  I have also received a great deal of advice on job interviews, and how to affect them in your favour.  I have come to believe that an awful lot of this advice is absolute nonsense.

A great deal of advice that people give you about job interviews and about preparing resumes turns on the proposition that you should present yourself differently than you actually are.  People will tell you that companies are on the lookout for go-getters, and so, regardless of what you are actually like, you should present yourself as a go-getter!  Of course, if you present yourself in this way and the company hires you, thinking that you are a go-getter, then when you get the job, the company will expect you to go and get, regardless of what your skills actually are.

It's basically the same as if the company wants a morning person because they need somebody for the early shift.  You get the job by presenting yourself as a morning person, even though you are really a night owl.  On the job, you are continually coming in late or being absolutely useless for the first few hours of your shift because you are absolutely exhausted from being up late the night before.  It's not your fault that you are a night owl.  That is the way that you were made.  But it *is* your fault for presenting yourself incorrectly.  You're not happy, and the company's not happy.

One aspect of this problem is that it is not just the candidates for the job who are being told tricks for job interviews.  An awful lot of the job interviewers are also being told that they have to have tricks for the job interview.  They have to have group interviews, or confrontational interviews, or trick questions to fire at candidates at random times during the interview.  Tricks are always shortcuts, and a form of cheating, and cheaters never prosper.  Using interview tricks doesn't work any better for the companies than it does for the candidates.  It just means that you end up with the wrong people in the wrong jobs, and then nobody is happy.

Really, this is just another way of saying the same thing that I have been saying all along.  Be yourself.  Be true to yourself.  Don't change just because somebody says you need to be something else.  If you need to be something else in order to do what you think you want to do, then you shouldn't be doing that.



CoSMI series:
Next: TBA

Monday, May 18, 2026

CoSMI - 1.0.1.21 - Authenticity - True Self - don't change

2 Corinthians 10:12
We do not dare to classify or compare ourselves with some who commend themselves.  When they measure themselves by themselves and compare themselves with themselves, they are not wise.


When I say "don't change," I don't really mean it.  It's impossible to stay the same: you're changing all the time.  Everything you do affects you, generally speaking.  Everything that you do teaches you something, so you are constantly learning, and therefore you are constantly changing.  So it is impossible not to change.

What I really mean is, don't change just because you are or are becoming an influencer.  Even that is impossible.  As you are becoming an influencer, you are learning things, and therefore you are changing, but be careful how being an influencer is changing you.  The first step, of course, is to know who you are.  Therefore, keep on with the exercises and efforts to ensure that you do know yourself, and that you are aware of how you are changing while you are learning to be an influencer.

I suppose that the best way to illustrate what I am trying to point out here is to go whole hog and take the most extreme form of influencers.  As far as I can tell, those who are doing the most outrageous things with regard to being an influencer on social media are those who are sharing how they live with their family.  They are sharing how they do their parenting.  They are sharenting, as one person put it.

Sharing tips and tricks about how to parent your children is quite okay.  Parents have an extremely difficult job, and they can use all the help they can get.  All of the valid tips and tricks that you can pass along to other parents is great, but that is not what sharenting does.  Or, at least, that is not the only thing that it does.

For one thing, you are displaying your children.  Your children don't have any choice in the matter.  You, at least, had informed consent from yourself, and presumably your spouse, when you decided to go into the sharenting business.  You decided that you were going to give up your privacy in order to obtain celebrity and possibly an income, but your children don't have that choice.  You didn't ask them if they wanted to be on social media all the time.  You didn't ask them if they wanted to be filmed being born.  You didn't ask them if they wanted to be filmed having their diapers changed or being bathed or just living their lives while you film them.

But the thing is, is it really their lives?  Those family influencers who are at the top of the charts are known to bribe their children in order to play with the right toys that sponsors want to have filmed.  The children no longer get to choose which toys they play with or which games they play, but have arbitrary restrictions imposed upon them, or at least are bribed to do so.  If a child does something cute accidentally off camera, then maybe the child will have to re-do that for the camera.  Possibly when the children are older, they might have some choice in the matter of whether or not they are going to participate.  However, by this time, their lives have been molded by the fact that they are being filmed and are being presented.  In some cases, these children have known no other lives.  How can they be expected to make any kind of informed decision about whether or not they're going to be part of social media when they have never *not* been a part of social media?

Maybe you think you will never get to that point as an influencer.  Maybe you think that the type of reviewing and opining that you do is on a much lower level, but are you really allowing social media to dictate aspects of your life?  Do you really want to wear *those* particular clothes, or are they clothes that your sponsors want you to wear?  Is this particular fashion one that you chose, or that somebody else chose for you?  Can you really present your own opinions, honestly, when you know that sponsors may not send you anything more if you don't give a positive review for this particular product or service?

Be careful how you change yourself under social, and social media, pressures.

Friday, May 15, 2026

CoSMI - 1.0.1.20 - Authenticity - True Self - who you truly are

Galatians 6:3-5
If anyone thinks they are something when they are not, they deceive themselves.  Each one should test their own actions.  Then they can take pride in themselves alone, without comparing themselves to someone else, for each one should carry their own load.


The privilege of a lifetime is to become who you truly are.
― Carl Gustav Jung

Gloria was never interested in acting of any sort.  A lot of people tried to get her to participate in amateur dramatics, particularly musicals or light opera because of her singing voice.  Even when I was roped into a church Christmas pageant, she had no interest in participating in the acting herself.  She frequently said that she had spent so long figuring out who she was; why should she try and pretend to be someone else?

I suppose that I should have been more sympathetic to her position than I was.  As a teacher, I tend to use a fair amount of drama to make the material interesting, and I tend to do a fair amount of acting in order to present myself forcefully when I am, in reality, an introvert.  But I suppose that it is only now that I am trying to put this material together that I am recognizing how difficult it is, in our world, to be truly one's own self.  To be true to yourself and who you are.  To actually know who you are, in order that you can be yourself.  As Carl Jung said, it's a privilege to be yourself.  It is a privilege to know who you are, and to be able to behave in your own manner without interference from other people or society overall.  There are so many pressures on us to behave in some other way that is not ourselves.

But above all, in order to be, never try to seem.
― Albert Camus, Notebooks, 1935-1951

I suppose that it should not be a surprise that Albert Camus made such a statement.  He is, after all, the father of existentialism.  Trying to figure out the truth of your own existence, and not to add anything extra and false.  Be who you are, don't just pretend to be something.  Because if you aren't being who you are then you are trying to be something that is false.

This is all the more important when working in social media.  After all, there is the truism that on the Internet nobody knows that you are a dog.  Nobody knows who you are, so you can present yourself in any way that you want to present yourself.  You can, in fact, present an entirely false picture of yourself.  But, if you aspire to the position of an influencer, why would you do that?  You are trying to convince people to follow your advice.  Why would you start by trying to get people to trust you by lying to them?

Find out who you are and do it on purpose.
— Dolly Parton

And, as has been previously pointed out in this series, finding out who you are is not necessarily easy.  It takes work.  Particularly since there are so many people, and so many pressures from society, that are trying to convince you to be something other than you are, and to behave in certain ways that aren't necessarily consistent with who you actually are.  So, do make the effort to find out who you actually are.  And then, be that person.

There is also the saying that you should always be yourself, since everybody else is already taken.  Yes, it's a bit of a joke, and it sounds silly.  But, in reality, it's very profound.  And also very important.

To thine own self be true

It's kind of weird that in the play Hamlet, it is the character of Polonius who gets one of the most powerful lines.  Polonius is a dried up old character, and doesn't seem to be too important, other than the fact that he gets killed while he's spying on someone, which is only important because it sets up an important fight at the end.  But he's the one who has the great line, "to thine own self be true."  This is so important.  And, yes, I know that I haven't said anything terribly profound in this piece, and just have repeated over and over again that you need to be your own self.  But it's just that important.  If you try to be someone else, you are going to fail.  You are going to be unhappy.  And you are going to be unhappy because you have tried to do the wrong thing.  You have tried to be the wrong thing, rather than being true to yourself.

To put it in Christian terms, God created you the way that you are.  You need to act the way God wants you to act.

Thursday, May 14, 2026

CoSMI - 1.0.1.11 - Authenticity - Know Yourself - psychological testing

Jeremiah 33:3
Call to me and I will answer you and tell you great and unsearchable things you do not know.


There is one area of psychology that might be a little less susceptible to subjectivity, and that is standardized testing.  There are a number of tests in psychology that are standardized over a large population.  Some of these tests might be of limited use to you, such as intelligence tests, but there are also tests of character traits, as well as other tests that might help you to get to know yourself in a variety of different ways.

Sometimes a battery of these tests might be offered together for one fixed price.  Generally speaking, you will find these offerings if you search on things like career counseling.  Unfortunately, while the tests are standardized, the advice that you might get once you have the results of the tests may vary.

The results of some of these tests might be quite complex.  They might give you insights into your own character, but some of them can be very complex, and you almost need training in order to understand the results.  Some of them, on the other hand, can be quite simple.

One tool that I have found quite useful over the years is an extremely simple matrix that relies on you asking yourself only two questions.  The first question is, would you rather deal with tasks (or problems), or would you rather deal with people?  The second question is, do you consider yourself to be an active person, or are you more passive?  The answers to these two questions give you four options: task active, task passive, people active, and people passive.  You can group the answers into a 2 by 2 four-part matrix, but you don't have to.  You can simply think of the four options.  The four options tend to tell you what type of person you are.  Task-active people tend to be managers and drivers of activities.  Task-passive people tend to be analytical and possibly researchers.  People-active personalities tend to be those who are entertainers or salespeople.  People-passive personalities tend to be the people who are the glue that holds society together.  They are those who care for others and make sure that others are feeling all right, without necessarily pushing themselves forward into a specific position in order to do so.

This matrix not only can identify you and tell you something about yourself, but it can also be used as a tool for resolving certain types of conflict.  For example, a task-active manager may be someone who is impatient with the details that a task-passive analyst may be attempting to provide to them.  In that case, there might be a conflict.  In order to resolve the conflict, the task-passive person should be prepared to reduce the facts and details to be presented to the manager into as small a space as possible.  They should also be prepared, as quickly and forcefully as possible, to explain why the details that they do have to present to the manager must be considered in order for the manager to make the proper, informed decision.  Similar types of conflicts can be addressed in the other quadrants of the matrix.

This matrix is extremely simplistic, and some would say that it is too simplistic to be effectively used as a guide to behavior and activities.  However, I am simply using it as an example of the type of psychological testing that I can explain quite quickly here, and one which gives you an idea of how psychological testing might be useful to you in a variety of situations.
