Day: April 8, 2016

ISACA Now recently spoke with Mark Stevenson, the closing keynote address for EuroCACS in Dublin 30 May-June 1 2016. Stevenson is the founder of We Do Things Differently, and the author of An Optimist’s Tour of the Future and the upcoming We Do Things Differently. He is also an advisor to the Virgin Earth Challenge, Atlas of the Future, Comic Relief and Institution of Mechanical Engineers.

ISACA Now:  In Principle 7 of your 8 Principles for Thinking About the Future, you discuss how pragmatic optimists will experience significant rejection and ridicule when starting new endeavors. What practical advice do you have for getting through all that rejection without becoming defeated and cynical?
Stevenson:  By understanding that you will lose more often than you will win until half way through the game—and that’s OK. Persistence (driven by the optimism that a better future is possible) is the secret sauce of success. Cynicism by contrast is just a recipe for laziness dressed up as wisdom. Every great leader you can think of is an optimist. As the saying goes, “The road to success is littered with corpses, but they’re all suicides.” Also remember that that rejection is often a sign you’re on the right track. As the computer scientist Howard Aitken sagely remarked: “Don’t worry about people stealing your ideas. If your ideas are any good, you’ll have to ram them down people’s throats.”

ISACA Now:  For many, cynicism is deeply embedded. How is it possible for those long-term cynics to kick out their cynicism?
Stevenson:  By looking in the mirror and asking themselves if they want to continue being unhappy. Cynicism is obedience. As the author Richard Bach put it, “Shop for security over happiness and you buy it, at that price.” Cynics reinforce the status quo they complain about by refusing to imagine it can be different. But the antidote is doing something bigger than you for which the dividends emotionally (and often financially) are handsome. It’s a choice. Comfortable miserable cynicism, or uncomfortable happy optimism? It’s your life.

ISACA Now:  Your pragmatic optimist’s view of the future should come in handy for cybersecurity professionals as they work to address the avalanche of cybercrimes and criminals. What is your advice for those who may be growing weary of the world’s seeming inability to overcome cybercrime? What historic parallels can you draw from this?
Stevenson:  The question is what are we protecting? One has to ask what the roots of crime are, and they are based in scarcity and distrust. In a world of abundance and transparency, crime and war are far less likely (indeed history teaches us this time and time again). The cybersecurity profession has to ask itself whether it is on the side of people, or Mossack Fonseca (the Panamanian law firm that recently had 11.5 million confidential documents leaked) and its clients. Who are you paymasters and what are their morals? We overcome violence and addiction by being more connected, not less so. We will overcome cybercrime most effectively by working to reduce inequality. So, the question is, what are you doing about that and whose side are you on?

ISACA Now:  You will be speaking at the EuroCACS conference 30 May-1 June 2016 in Dublin. Give us a brief preview of what you’ll discuss and what attendees will take away.
Stevenson:  I’ll be explaining why all bets are off, how the next 30 years will be some of the most turbulent in history and how to navigate that in the service of making the world better for your children.

[ISACA Now Blog]

Many of you will know that (ISC)² is hosting a major event this month – in downtown Tampa, Florida – and I’m sure that you’ve also heard the phrases ISO and SC27. But what does this all mean?

ISO is the International Standards Organisation, set up in 1947, which oversees the creation, publication and maintenance of standards covering everything from acid-free paper to quality management systems, smart cities to information, and cybersecurity. ISO has committees of experts – drawn from around the world – who volunteer their time and share their knowledge to create and maintain standards. Each committee has a particular subject area or topic it specialises in and JTC1/SC27 (or SC27) is the committee that specialises in information security. Standards help set the bar for organisations by defining good practice and setting targets to be met.

Many cybersecurity professionals have used, or at least are familiar with, ISO standards produced by SC27 (for example, ISO/IEC 27001) and (ISC)²’s CBKs reference standards as part of the knowledge required by a security professional. But we don’t just passively write about ISO standards in our textbooks. (ISC)² is a ‘category A liaison organisation,’ which carries significant influence and allows us to propose new standards, provide comments, draft text for inclusion in standards and suggest changes to existing standards. (ISC)² staff regularly attend ISO meetings and we invite our members to the same meetings; as a result, we actively share knowledge and expertise to ensure these standards reflect good practices. Our contributions help form the basis of these standards; build processes and frameworks using real world experience; and assist with the writing of text to help individuals implement the standards. So our contributions – in person or in written submissions – help form the foundations on which information security can be built. Our work with ISO shows our commitment to a safe and secure cyber world.

The creation and maintenance of new standards follows a set pattern, in which face-to-face meetings are held twice a year. These meetings – such as the one (ISC)² is hosting– bring together experts from around the globe who collaborate, share insights and experience, codify good practices and draft the text that will become part of a new standard, or modify and enhance an existing one. In the time between the face-to-face meetings, experts are invited to comment on the outputs of the meeting and prepare for the next meeting. ISO experts are drawn from industry, academia and from other standards organisations (such as NIST or BSI). ISO experts can also be appointed as ‘editors’ for an international standard. This role is fundamental to the standards process and editors are ultimately responsible for project managing, writing, collaborating and delivering the international standard. Being an editor is a voluntary role and requires tact, diplomacy and the ability to synthesise agreement from varying opinions. An editor also has to be able to write using the, sometimes arcane, language of international standards.

So, what are the meetings like? They can be great fun, insightful, difficult and procedural in turn or at the same time. They are a great forum to learn, share and network as these meetings draw around 400 experts together for a week.

It’s worth remembering that much of the discussions this month will eventually find their way into information security practice, how we deploy information security in our own offices, our members’ work and (ISC)² educational materials. — Dr. Adrian Davis, CISSP, Managing Director, EMEA, (ISC)²

[(ISC)² Blog]