Optimising Security

September 18, 2012 – 3:25 pm

Way back at university when I was studying Aeronautical Engineering, we covered one of the fundamental concepts in aircraft design: safety. It was summed up in an info-graphic which has stayed with me. In recent times, as I've moved over into IT security and up into solution architecture, I've been drawing on this educational background more and more. The analogy between aircraft safety and IT security is direct: safety maps to security.

I’ve put together a series of diagrams to illustrate how this aircraft design concept applies to IT security.

First, the base concept: a cost-versus-security graph. The total cost to an organization is the sum of two component costs. The first is the cost of the security measures implemented: technology, people, processes, loss of agility, reduced productivity. The second is the indirect cost of all the security measures that have not been implemented, i.e. the expected losses from the incidents they would have prevented. The lowest point on the total-cost curve is the optimum level of security to implement.

But of course, things are always changing. Technology improvements, smarter people and better processes all give you more security per dollar. At the same time, security incidents keep getting more expensive (too many reasons to list here). As a result the total-cost curve shifts and its minimum moves to the right: the level of security worth paying for goes up over time.

And things are not always as well understood as you'd like. The cost of the security measures you implement is easy to measure, but it is not always certain how much security you are actually getting for it. The indirect costs are even less well understood, often hardly at all. If you get the numbers wrong and end up above the break-even line (the total cost beyond which the organization is no longer viable), you are out of business or sacked. The safer choice is to err on the side of being too secure, trading off some efficiency or cost effectiveness.

The takeaway: you need good data, and you need to know both types of cost as well as possible. Qualitative data is nice for understanding the concepts, but it cannot place the curves; in practice you need numbers.

If you aren't moving towards your optimum security level, your competition most certainly is. That break-even line isn't fixed either; it will start coming down.

UPDATE: A common mistake I see is organizations underestimating their indirect costs (the red line in the diagram). They only factor in what they know, assuming zero contribution from the indirect costs they have not identified. Look for statistical data from other organizations to make an informed guess, preferably including companies that have both survived and failed catastrophic events. Make sure the companies are comparable: industry, size, market. Be wary of vendors as a source of this information, though; they are motivated to shift your security spend as far to the right as possible. That said, vendor data can be useful for the extreme or worst case.
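The cost model above, and the underestimation mistake in the update, can be made concrete with a small numerical example. This is an added illustration, not the diagrams or numbers from the original post: the two cost curves (a convex direct-cost curve and an exponentially decaying indirect-cost curve), their parameters, the "known" and "unknown" loss figures and the break-even value are all constructed assumptions chosen to make the shape of the argument visible, not data from any organization.

```python
"""
Toy cost-versus-security model (constructed example, not real data).

Security level runs from 0.0 to 10.0 on an arbitrary scale.  Both cost
curves and all parameters below are assumptions made for illustration.
"""
import math
from typing import Dict, List, Optional, Tuple

# Grid of candidate security levels, 0.0 .. 10.0 in steps of 0.1.
LEVELS: List[float] = [i / 10 for i in range(0, 101)]


def measure_cost(level: float, unit_cost: float = 10.0) -> float:
    """Direct cost of the controls you implement: technology, people,
    process, lost agility.  Modelled as convex (assumption): each extra
    unit of security costs more than the last."""
    return unit_cost * level ** 2


def indirect_cost(level: float, known_loss: float,
                  unknown_loss: float = 0.0, decay: float = 0.6) -> float:
    """Expected loss from the measures you did NOT implement.  known_loss is
    what the organization has quantified; unknown_loss is the part usually
    assumed to be zero.  Decays exponentially with level (assumption)."""
    return (known_loss + unknown_loss) * math.exp(-decay * level)


def total_cost(level: float, known_loss: float, unknown_loss: float = 0.0) -> float:
    """Total cost = cost of measures implemented + cost of measures not implemented."""
    return measure_cost(level) + indirect_cost(level, known_loss, unknown_loss)


def optimum(known_loss: float, unknown_loss: float = 0.0) -> Tuple[float, float]:
    """Security level that minimises total cost on the grid, and that cost."""
    cost, level = min((total_cost(l, known_loss, unknown_loss), l) for l in LEVELS)
    return level, cost


def viable_range(known_loss: float, unknown_loss: float,
                 break_even: float) -> Optional[Tuple[float, float]]:
    """Lowest and highest level at which the TRUE total cost stays under the
    break-even line.  None if no level is viable at all."""
    ok = [l for l in LEVELS if total_cost(l, known_loss, unknown_loss) < break_even]
    return (ok[0], ok[-1]) if ok else None


def estimation_penalty(known_loss: float, unknown_loss: float) -> Dict[str, float]:
    """Price the common mistake: choose the level using only the known
    indirect costs, then evaluate that choice against the true curve."""
    est_level, _ = optimum(known_loss, 0.0)                 # what gets chosen
    true_level, true_cost = optimum(known_loss, unknown_loss)  # what should be
    cost_at_est = total_cost(est_level, known_loss, unknown_loss)
    return {
        "estimated_level": est_level,
        "true_level": true_level,
        "true_cost_at_estimated_level": round(cost_at_est, 1),
        "true_optimum_cost": round(true_cost, 1),
        "penalty": round(cost_at_est - true_cost, 1),
    }


if __name__ == "__main__":
    # Constructed figures: 1000 of quantified loss, 1000 more nobody counted.
    print(estimation_penalty(1000.0, 1000.0))
    # Band of levels that keep you under a (constructed) break-even of 400.
    print(viable_range(1000.0, 1000.0, 400.0))
```

With these assumed curves the level chosen from known losses alone sits to the left of the true optimum, and every unit of unknown loss you leave out of the model pulls the chosen level further left. The viable band under the break-even line is also asymmetric around the optimum, which is the numerical form of the post's advice to err on the side of too much security rather than too little.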

alternative cloud magic quadrant

August 26, 2012 – 11:47 am

A Simon Wardley blog post

Do not covet your ideas

January 10, 2012 – 9:19 am

Cloud Security Alliance V3 Guidance and CCSK

December 9, 2011 – 2:15 pm

I’ll have to watch this closely. As soon as I hear about the V3 CCSK exam, I’ll need to jump right on it.

Update from Jim Reavis:

I am sure many of you are wondering if the new version 3 of the guidance means we will have a new version of the CCSK test and what that means to existing CCSKs or those currently studying to be CCSKs. The CSA certification board that created the initial test will be providing definitive information about the plan soon, but I wanted to let you know about some things we know for sure, so you can plan appropriately.

– We do not have an exact time frame for the new test, but likely will be the middle of next year.
– Existing CCSKs will be able to take the V3 test when available at no charge.
– Existing CCSK tokens will be valid for the V3 test.
– It is possible that we may consider having a special V3 test for existing CCSKs that covers the difference.
– You should still be studying V2.1 of the guidance to prepare for the existing test.

If you have read both V2.1 and V3, you should be aware that key principles have not changed in the new guidance, but we have greater depth. From that perspective, we want to provide interested professionals assurance that you will not be penalized in any way for obtaining your CCSK now, and the effort will help you in gaining certification on an updated test. If you have questions or input, please respond to this post so we can make sure we update the website FAQ.

out of hiatus

November 29, 2011 – 10:07 am

I’ve neglected this blog for quite a while now. Various events and machinations that affected my career used up all my headspace. Things are calming down and becoming more sensible. More headspace for interesting technical architectural topics. Fun!

I’ve started working on a product and service development program at eSecure. My interests and ambitions have found some nice synergies with eSecure’s business development goals.

All through my career I’ve dabbled in IT security. However, I’ve never really considered myself a “security guy”. But after landing in a security role almost accidentally, I’ve come to realise that it’s really my true calling.

It comes down to the fundamental security triad: Confidentiality, Integrity and Availability. In the past, in my telco jobs, it was predominantly about Availability, with Integrity a close second and Confidentiality not far behind. Now I’m dealing with all three in roughly even amounts.

Certificate of Cloud Security Knowledge (CCSK)

September 4, 2010 – 1:17 am

The issues and opportunities of cloud computing gained considerable notice in 2008 within the information security community. It was at a security practitioners’ conference, the ISSA CISO Forum in Las Vegas, November 20, 2008, where the concept of the Cloud Security Alliance was born. Following a presentation of emerging trends by Jim Reavis that included a call for action for securing cloud computing, Reavis and Nils Puhlmann outlined the initial mission and strategy of the Cloud Security Alliance. A series of organizational meetings in early December 2008 that included Reavis, Puhlmann and industry leaders such as Dave Cullinane, Philippe Courtot, Alan Boehme, Izak Mutlu, Jay Chaudhry, Christofer Hoff, Paul Kurtz and Jean Pawluk formalized the founding of the Cloud Security Alliance.

That’s the introduction on the CSA website. It says it better than if I tried to paraphrase it. I think I first heard about the CSA via posts on Chris Hoff’s blog, which I follow.

The first thing the CSA came out with was their “Security Guidance for Critical Areas of Focus in Cloud Computing” whitepaper. It takes a whole raft of well established IT security methodology and applies it to the emerging world of Cloud Computing. It’s very good reading, and excellent reference material.

The next big release was the Certificate of Cloud Security Knowledge exam. It was announced at the end of July, and the exam was made available on the 1st of September. With time zones in Australia ahead of those in the USA, it was late afternoon in Sydney when the exam went live. I had a free evening and thought, why not give the test a go. You get two tries for your exam fee.

Well, I passed, which was nice. But the surprise came later when I got an email from the CSA Executive Director, Jim Reavis. It turned out that I was the first in the world to pass and also the fastest to complete the exam during its first day. That gave the ol’ ego a boost. But the voice of reason in the back of my head started to speak up and bring me back to reality. There are a lot of good people out there. Better than me. There’s lots I still need to learn.

But I think I’ll enjoy this for a bit 🙂

Two transitions, career and sport/fitness

March 27, 2010 – 8:59 pm

Almost two months ago, I started a new job. I left Verizon Business at the end of last year. It was a good two years there; I learned a lot. Verizon do a lot of things right, but they have their faults too, mostly due to their massive size. In short, Australia is not important to Verizon. On the other hand, Australia IS important to Telstra. My new role is the first proper Unified/Network/Utility Computing and Security solution architect in Telstra Enterprise and Govt. The Hosting product portfolio was not important until now, and thus was allowed to languish. With all the recent hype around Cloud Computing and the trend back to consolidation in the datacenter, the product set is being revamped. Interesting times ahead. Lots to be fixed, but there’s a lot of effort going into it. I’m along for the ride, to see where this takes me.

The other big change is in my fitness and sport training. I’ve been with Vision Personal Training for a bit over a year now. Huge progress has been made, but in recent months it’s tapered off. I finally figured out the problem: I’ve outgrown them (plus they’ve changed to be more weight-loss oriented). I did a lot of research and spoke to friends who are triathletes. I settled on STG. I’ve got a qualified tri-coach now, and have started on a program with him. STG also provides a squad to train with, which is really good for motivation. Obsession with counting carbs, protein and fat is out, and so is the “go hard or go home” mentality. In with more logical and customized coaching. No more “don’t be lazy! just do it!”. Now it’s “ok, why are you tired/sore? what did you do/eat/etc?”

I’ve got some big events coming up this year and next. Kinda exciting and scary at the same time. A month ago I wouldn’t have thought I could reach those goals. Now, with the new training and coaching program, I reckon I’ll do it!

Note: not going to jinx myself by saying what I’m aiming for. I was planning to do the half marathon in May; the old personal trainer was pushing me hard. I was trying to keep to a training plan, but kept hitting injury obstacles. I wasn’t confident. The new coach: “forget that, you won’t be ready”. Dude is hardcore, but fair, and logical, and experienced….

I’m stoked. Life is good.

Christmas Dinner

January 3, 2010 – 9:46 pm

A while back we got lucky and managed to score four bottles of the ultra-rare and amazingly good Clonakilla 2007 Shiraz-Viognier. The first one got opened on Christmas day. We had it with my favorite pasta recipe from Sean Moran of Sean’s Panaroma; orecchiette pasta, pancetta, fresh peas, pecorino, basil, cream etc.


November 9, 2009 – 8:57 pm

I was in Japan recently for a holiday. This time it was longer than usual, 3 weeks. Chika went ahead of me and stayed an extra week too. We traveled around together: 2 weeks in Osaka and 1 week in Tokyo. This was my first proper trip to Tokyo. I love it!! I’d very happily live there. Hopefully my career will take me there in the future.

I dusted the camera gear off and took it with me. I mainly focused on photographing all the food we ate. For me Japan is food paradise.

I bought a new lens in Tokyo, the Canon EF-S 17–55 mm F2.8 IS. This is a sensational lens for pics indoors without flash. Perfect for food pics 🙂

This time I was introduced to properly good izakayas. Also, we visited the Tsukiji markets in Tokyo. Check out the pics in the gallery (also linked at the top of this page).

Here’s a sample



Dining at Quay

September 25, 2009 – 12:00 am

We are starting to form a bit of a tradition by going to Quay every year for a particular special occasion. Tonight was particularly good. Last time the wine we picked wasn’t ideal, but this time it was sensational. Highlights for me were the wine and the lamb main. “Oh-my-god!” awesome.


We had:

1er Cru Champs Canet

Poached Western Australian marron,
seaweed jelly, cucumber, fennel, lime crème fraiche

Mud crab congee, hand shelled mud crab, Chinese inspired split rice porridge

Both of us:
Gently poached partridge breast,
bitter chocolate black pudding and walnut crumbs,
truffle custard, fresh palm hearts, white borage buds

Bass Groper, parsley crust,
slow braise of baby abalone, periwinkles,  sea scallop, winter melon, hasuimo,
green tea and seaweed consomme

24 hour slow cooked milk fed Suffolk lamb,
sheep’s milk fromage, heirloom baby carrots, Arbequina olives, capers,
nasturtiums and rosemary flowers

Both of us:
Eight texture chocolate cake
featuring Amedei ‘Chuao’ Chocolate

Dessert Wine
2007 Jurançon Uroulat Charles Hours, South West France
Tesseron lot 53 XO Perfection Grande Champagne