Tuesday, February 23, 2010

Sharks and Coconuts Again!

It was a balmy evening in Balmbay as I made my way to the Airport, replete with all the learning from the past two days at the ISACA-CACS in Mumbai. The learning event was quite useful, although my head is still heavy from all the Knowledge/Information/Data/Facts/Opinions that have been crammed into my little brain. Well, I suppose I have to digest it at leisure. After all, Knowledge is not about Memory, it's about Retrieval, right?

Hugh Penrie Williams began his session with a promise that he came to make us Think, Not Teach.

Surprisingly he used the Sharks and Coconuts example to talk about Risk. But his take is that we should be more worried about Pigs and not Coconuts. I think more people are going to be harmed by speakers giving the Sharks and Coconut analogy than both these hazards put together.

He rightly pointed out that there is no point in talking about Risk unless you "know" more about the "asset" being protected. In an Information Systems Security context, the more valuable assets are the Data and Applications.

Instead of asking why a disaster happened, we should be asking why it didn't happen more often. Then the good systems and processes in place become obvious, and failures and vulnerabilities are seen with more clarity.

Another quote I loved in this session was, "The average is inconsequential or useless as we are forced to live with the constraints actually imposed on us."

Threats are in the Environment. Vulnerabilities are potential weaknesses in our protective measures. A threat that has exploited a vulnerability leads to an incident.

He mentioned that Risk need not have negative connotation. This is something I've always been telling students in my Securities Analysis programmes. In the last GMCS, a gentleman Mr. Prabhu vehemently argued otherwise. I wish he had been there to hear Penrie Williams!
Risk simply indicates that Anything can happen.

So, what we are really talking about here is degrees of uncertainty: a continuum that ranges from absolute certainty of occurrence of an event (Zero Risk) to absolute uncertainty of an occurrence. A probabilistic approach anchored in Business sense may be the solution.

The post-lunch sessions on Cloud Computing and Wireless Network Security were quite technical, though the respective speakers Mardikar and Gibbs de-mystified much.

One unresolved issue in Cloud Computing seems to be the reason for including an entirely privately deployed system under cloud systems as a Private Cloud. Multi-Tenancy of Infrastructure/Application seems to be a basic criterion in clouds. Take this away and where is the Cloud in Private Clouds?

A Final Thought:

I have a feeling that ultimately, whether it's Cloud Computing or IT Governance or Risk Management or Wireless Network Security, the basic issue is Perimeter-level security at both the Physical and Logical levels. For example, Nelson Gibbs on WiFi suggested we keep the Wireless Access Point (WAP) outside the Firewall.
