Security – A Misleading Concept?

Currently I am creating a presentation on cyber security as a competitive advantage. It looked like a simple task, but ….

When building a presentation I feel that the content should be meaningful. Thinking about a good starting point and the fundamentals I need/want to convey, I thought it would be a good idea to start with a definition of cyber security.

Defining both words, cyber and security, I found a definition which is a little bit strange, but it was taken from William Gibson’s novel 1984:

“Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts… A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding.”

Source for the artwork: http://hqwide.com/wallpapers/l/1920×1080/61/artwork_neuromancer_william_gibson_1920x1080_60671.jpg

Another one, which I found good and better suited for business purposes, was given by the University of Maryland:

The interdependent network of information technology infrastructures, that includes the Internet, telecommunications networks, computer systems and embedded processors and controllers.

Source: http://www.umuc.edu/cybersecurity/about/cybersecurity-basics.cfm

I believe this one has a better fit for purpose. Nevertheless it gives a limited view on security issues. Cyberspace is meant to be digital. But what does that mean for the intellectual property that people have? Information written or printed on paper, proofs of concept coming from a machine and so on. Short story: What is the representation of non-digital information? From what I found, non-digital information is not covered by the term “cyber”!

What is the better term to provide a holistic view on security?

To be honest: I didn’t find one. Information is written on paper, stored in brains, computers. Sometimes it is tangible, sometimes not. Sometimes it is related to buildings and other forms that might represent information or a value. The next question deriving from these thoughts:

Is there anything of value that is not related to information?

If you find something please tell me!

Security in general is meant to be a concept that implies protection from harm to any asset.

That is also the reason why we find numerous security functions in enterprises:

  • Corporate security
  • Facility security
  • Information security
  • IT security
  • Cyber Security
  • Data protection

When talking to clients about their security functions I very often hear that there is a wish to add new skills to the organization to cover new threats! When doing this, organizations tend to look for reasonable compromises which are more likely to be trade-offs. Usually existing structures are maintained (e.g. the IT Security Officer) and new functions like a Cyber Security Department are added to the organization with newly defined responsibilities and different reporting lines.

Looking at the cyber definition again, the conflict is obvious! IT security deals with infrastructures. The information protection officer deals with information stored anywhere, and the Cyber Security Defense Service feels extremely hip because it is something new and really important, has an excellent budget and sits on the territory of the CISO, IT SecOfficer and others.

I started to write down where security applies and found a number of issues and security functions. Most of them overlap, which I feel is OK.

Detection is the new Prevention

In another article I already presented my view on Detection versus Prevention. I believe Detection is key! A huge misunderstanding is that, looking at the concept of security, the spotlight is on prevention. This might be true, but detection is the new prevention. In order to avoid harm to your organization you need to know your enemy and be prepared against almost everything that can happen. You will have to accept that hackers will jump into your networks and you will need to be prepared to detect them and fix the damage asap.

What happens here: It is RESILIENCE!

Organizations need to be better prepared to fix security incidents no matter if they are related to buildings, employees, VIPs, IT infrastructure, paper-based information etc.

When I came to this conclusion I felt that any security function in an organization is an important feature. It is a preventive feature. It helps to detect issues. But recovery from incidents will be more important than we have ever believed.

I feel that a Business Resilience Function in any organization is the key to eliminate conflicts between different security functions and helps to align them to a powerful organization helping with prevention, detection and recovery!

What do you think? I do not know if I am right or wrong! I am really interested to read your views on this! Please share your thoughts with me and the rest of the community!

The Link Between a Company’s Supervisory Board and its Security Strategy

Companies Need New Security Strategies

With regard to cloud computing, Bring Your Own Device (BYOD) or social networks, companies have to think about their security strategy. Whereas the principle of prevention was effective for a long time, it is not effective any more. With a huge number of mobile devices in place, various storage systems in use within the enterprise or outside, and the demand for flexible and fast collaboration with clients, partners and suppliers, nobody is able to predict where a certain piece of data is right now, how often it has been copied or where it will be tomorrow.

It is just a fact that business-critical information does not reside within the perimeters of the enterprise any more.

Given this fact, a company can protect its perimeters with huge efforts and be almost safe, yet a weak system outside the enterprise, like a social network or a public cloud system, destroys all efforts of protecting the assets by preventing intrusion into its own infrastructure. Enterprises are simply not in control of the prevention systems any more.

Another challenge is the complexity of attacks against enterprise infrastructures. Nowadays zero-day exploits and strongly customized malicious code are used more often, applying advanced persistent threat techniques, which leads to the situation that most of the highly sophisticated attacks are not recognized by any prevention system like antivirus, intrusion detection / prevention systems or firewalls.

These attacks are simply below the radar screen of the traditional security systems.

What are the new Security Strategies to be applied better today than tomorrow?

The prevention of the future is detection! What does that mean? This means that enterprises have to improve their ability to register anomalies in the data flows leading to a more reliable and faster detection of security incidents. There are two main areas of improvement:

  1. Time to detect a security incident caused by APTs or other highly sophisticated techniques
  2. Time to fix the issue

The time to detect in particular requires companies to have intense monitoring capabilities in place to ensure reliable detection. When building these capabilities, not only are the requirements of companies in scope, but the personal rights of employees are also affected. A company going this way will need to have trust within its works council, and from my perspective it is even better to integrate the employees to build trust that these facilities are not only a requirement to secure the enterprise but also the individual.

Any requirement for the supervisory board?

With respect to the supervisory board’s requirement to monitor and give advice to C-levels, a few questions have to be clarified:

  1. Does the internal control system of the enterprise reduce the risk of exposure of employees and management against threats from the outside (e.g. use of e-mail, websites, unknown documents)?
  2. Is a reporting system in place to indicate potential threats and suspicious activities?
  3. Does the enterprise have a stable detection system in place to uncover security incidents?
  4. Did the company test the effectiveness of detection techniques and include the results in a continuous improvement process?
  5. Are security incidents adequately reflected in the board of management’s report on the business situation of the company?

Conclusion

In the end this means that companies have numerous options in place to improve security, deal with liabilities of board members and the supervisory board and drive efficient security measures.

I would suggest to keep an eye on two work streams:

  1. Switch off non-effective security measures that simply address prevention – Just talk to me and I will assist you to go this way based on a success fee.
  2. Establish a process to ensure that materiality and severity of security incidents become transparent to board members and their supervisory boards to ensure conformity to financial reporting standards.

Just in case you do not believe that security is to be reflected in the financial reporting, you should read the Corporate Finance Disclosure Guidance No. 2: Cybersecurity issued by the SEC. You might also want to use Google to find out who was already addressed by the regulators of the US for not having properly addressed this issue!

What is the bigger threat? Employees or hackers?

Years ago I read an FBI survey on security incidents and a root cause analysis. I didn’t find it again (if you have it – please send it to me) but I can still remember that it said something like almost 70% of security incidents have been caused by employees.

The last survey I found from the United States Secret Service named “2013 US State of Cybercrime Survey” says that only 21% of cybersecurity incidents have been caused by current and former employees (there is a summary available from PwC in the US that helps you to avoid reading all this stuff).

Nevertheless I found it really difficult to qualify this information and have a more solid foundation of sources that helps me to better understand and to better argue with my peers.

But as time went by and big data is not just a buzzword but real applications are available I found a website I desperately want to share with you. They analyzed hacks and other security incidents and built categories to classify these hacks.

The result is a really meaningful and beautiful visualization of security breaches and their sources. What strikes me is the possibility to slice and dice industries, sources and size of the incident and get a visual presentation.

I believe that this is one of the most advanced ways to present these figures without leaving room for arguing if the numbers are correct or not. They are simply based on press releases!

My suggestion: Read it and play with it! Click on the graphics and you are forwarded to the website. Enjoy it!

Btw: They also disclose the source of information that leads to this fantastic visualization: Click me!

World’s Biggest Data Breaches & Hacks – Information Is Beautiful

See on Scoop.it: Graphics from my #factsandfiguresday

Data visualization of the world biggest data breaches, leaks and hacks. Constantly updated. Powered by VizSweet.

Joerg Asma’s insight:

I like the way information is presented. I am personally a very analog guy which is perfectly addressed here.

The title “Information is Beautiful” says it all! What’s your opinion? Tell me!

See on www.informationisbeautiful.net

Paradigm Shift in Information Protection: Moving from Prevention to Detection

Key Elements of Security

All of us (at least of the security specialists) believe that security consists of three key elements:

  1. Prevention
  2. Protection
  3. Response

Security Incidents: Externally vs. Internally Caused Incidents

Furthermore we all believed that most of the security incidents, around 70% says an older FBI survey, have been caused by employees and at least people from the inside of an organisation, without mentioning if these have been fraudulent activities or if these incidents had been caused by accident.

Now things have changed. I do not have an exact number from a survey but now a lot of people believe that the ratio is now 30% from inside and 70% from the outside.

What is the conclusion? Looking at this, a lot of people believe that the reduction in the inside-caused incidents is a result of better prevention and awareness campaigns.

Looking at the information available on the internet, we need to come to the conclusion that the absolute amount of security incidents from the inside is still the same while the number of externally caused security incidents increased dramatically.

Advanced Persistent Threats

The acronym APT was not used till 2005 but was then created by the US government. I do not want to describe the nature of an APT in detail – that has been done often enough – but I would like to point out that it becomes more and more difficult to prevent your infrastructure from being penetrated. Due to the fact that APTs result in slow and low intrusions, it is also really difficult to detect them.

When it comes to an intrusion there are two key elements you can deal with:

  1. Time to Detection
  2. Mean Time to fix

The ultimate goal is to reduce both times to a minimum which means reducing your information leakage.

Conclusion

Let’s gather some facts I described in my posting:

  1. Threats from the outside (cyber threats) are increasing dramatically
  2. Intrusion Techniques evolve – APT is reality
  3. Prevention is not effective
  4. Detection is the only solution against APT

The only conclusion I can come to is that organizations that want to achieve a reasonable “amount” of security need to focus on detection and shift their capabilities.

You might want to walk through the Prezi attached

Happy New Year

It is now approximately 10 months ago that I announced to relaunch my blog and restart writing about security. What I didn’t know at that time is that this year became my personal nightmare.

I lost my grandma and my brother-in-law. My grandma died at the age of 96 and my brother-in-law at the age of 46. This is something you can’t prepare yourself for! This knocks you out!

Driven by my brother-in-law’s sudden death I decided to change the way I live. Pay more attention to my family, get rid of the weight I gained in more than 11 years at KPMG. I started running again and already lost 14 kilos of my weight. Another 14 are to go now!

Another thing I will change is the place where I live. Something that came pretty quickly was changing my working life. I am no longer part of the KPMG partnership and will start something new in the area of information protection during this year, which I am preparing myself for, and I may tell you that it will be great!

These changes have been massive but it is a really good starting point for my “new” life. I got rid of all the add on roles that consumed a lot of power and time and I can now focus on people that matter to me and my profession again.

One of those things that helped me after these massive changes was that a big part of my physical and virtual social network supported me very intensively. That was great and gives me a lot of power and inspiration to go for my future projects:

Building my new house started last year and will hopefully be finalized in 2014. I will think about certain aspects in security and take some time to write about them. Maybe I will start to write a book of my own (I already have something in my mind). I will continue working on the 4th edition of the cloud computing book together with Tobias and some others I have now known for many years. Doing my first half marathon this year and hopefully my first marathon next year. Last but not least I will really relaunch my social media activities on Facebook, Scoop.it and Twitter.

One event that made me so positive is a speech that I heard given by Jim Lawless – Tame your Tiger (http://www.tamingtigers.com/, on FB: https://www.facebook.com/tamingtigers). I heard it 3 or 4 years ago and it was a very important impulse in my private and business life. At that time I was not successful in changing my life. My tiger was too big! Jim gave us postcards and asked us to write down which is the tiger each of us wants to tame. My tiger was changing my working life! Now others “helped” me to tame this tiger and helped to make things come true I was not prepared for.

I hope that you now have a better understanding of the situation I was in for the last 10 months. But now it is time to look forward again, going for a fantastic year 2014 with a lot of new experiences, new people and environment.

The “traditional” Software Industry is losing their key to the Internet

Those of you who already read one of my articles might have already realized that I am looking at the pain points of our environments with a focus on security. One thing that is driving me crazy is what is happening in the internet with regard to its usability and convenience having an impact on our social structures, society and industry in terms of authentication.

In my articles “Next Generation Security” and “Theorie about securing passwords” I have written about social networks being the authentication provider of the future. I still believe in this statement and I am even more convinced that there is a remarkable development when considering the impact on the software industry.

I believe that authentication is the key for the use of the internet. Everybody is talking about personalized content, user generated content, tagging and much more. All these mechanisms need to rely on a good and strong user authentication. Facebook, Twitter, LinkedIn and all the other usual suspects are there to offer their services.

I don’t exactly know the numbers of managed user accounts by traditional IAM (Identity and Access Management) suites but when it comes to the use of the public authentication providers I believe there are more users on the internet managed by Facebook & Co. than in private environments.

It is absolutely surprising that all the big names in the IAM market have failed to develop services delivering a strong and reliable authentication to internet users. They failed to realize that consumerization of IT increases the demand to also deliver authentication services to end users. If you want you may name it Infrastructure or Software as a Service. Very quickly we realize that we are talking about cloud computing services. Almost every big (and traditional) IAM provider also has a cloud service offering which could have been a key to those customers that now need to rely on Facebook & Co.

If you follow my line of argumentation you will agree that the key to internet applications is already in the hand of the big social networks.

Let’s try to anticipate what happens if nation states succeed to establish authentication services for the Internet Protocol stack. This means building global authentication systems for each and every device with access to the internet.

What would this mean to private in-house authentication systems? Right now I can’t imagine who might be able to deliver these services which I would name “Key to the Internet“. Right now the traditional software industry has not even tried to get this key into their fingers.

But stop – that’s not correct. Microsoft tried to establish an authentication service – and failed due to the lack of value added services.