
Saturday, 05 Sep , 2020

Diana Initiative 2020 – Making space for security and data protection governance



I was lucky enough to get to talk at the Diana Initiative 2020 conference: one particularly bright side to complement all the compromises we have been making this year. I have wanted to speak there since friends of mine took the original diversity-friendly offshoot of the Las Vegas mega cons and evolved it into the fabulous institution it’s become today.

Here I am communicating my very personal perspective on what I think governance, risk, and compliance takes to work in a big organisation. It focuses on my own way of weaving accountability through every part of ISO27001, NIST, COBIT or any other more general governance framework. It focuses hard on effectively scoping and scaling the work, on usability, and on sharing the burden with all security and data protection stakeholders in an organisation. In the process, it also dramatically uplifts awareness of what the cybersecurity and data protection day job entails and the nature of the risks under management.

WARNING: Very slightly NSFW, but only during questions at the end


Note to self and apologies to those who view: That bump, bump, bump sound is me unconsciously tapping the desk to emphasise points (what can I say, I talk with my hands!), which is more or less distracting depending on how much bass you have on your audio – I usually have the mic on a boom arm. Lesson learned for next time.

Also, no prizes for spotting where I said “Percentage probability and dollar likelihood”. I think it was just the once. No matter how many creative and downright nonsensical ways I say it, we usually can’t estimate it.


Here, for all those trying and failing to squint at the more detailed slides, is a better view of the ones presented on the day.

Slides (PDF): https://infospectives.co.uk/wp-content/uploads/2020/09/Testing-all-the-things-v4-Med.pdf


Other content and resources mentioned in the talk

That tweet about the Horizon IT scandal


Some of the standards talked about that cover end-to-end risk management ground. As mentioned, my talk focuses on specific parts where I’ve found opportunities to make processes more sustainable and user friendly, but all of the biggest programmes will contain related hooks as part of the bigger whole. The main part I excluded was the specifics of control assessment. I have some strong thoughts on the relative value of monster questionnaires that I can talk about another day.

  • The CSA STAR Program – To improve transparency about cloud vendor security, the CSA launched their STAR (Security Trust & Assurance Registry) program in 2011. Suppliers voluntarily publicise information about their security controls and practices, so more and less risk-averse firms can locate a provider matching their regulatory and local control requirements.
  • FedRAMP – FedRAMP is the US government-run security assessment and accreditation program for cloud vendors, based on NIST security benchmarks.
  • NIST Special Publication 800-37 (the Risk Management Framework) – The RMF is familiar to most US cybersecurity pros. It is a risk management wrapper to complement the control sets and various standards for cybersecurity assessment and governance gathered together under the government FISMA implementation project.
  • ISO27001/22301 Certification – Certification against ISO standards is a good indicator that people have a mature approach to security risk management. However, it’s no guarantee that security controls are working. They may diligently and cyclically assess controls, find many are broken, but get all the right security management documents and processes in place to make the certification grade. By the same token, their ISMS scope might just cover a showcase site, or only include physical security controls. Always ask for evidence of control effectiveness and check that the services you plan to use and the controls you want to rely on are in scope. If not, it can come as a nasty post-audit surprise.


A couple of the blog posts that cover similar ground to the presentation:


  • Opinion: Paying to play with our personal data – is it ok?
  • In AI we will blindly trust…
  • Data Protection, Security, and the GDPR: Myths and misconceptions #2
  • Where and to whom does the GDPR apply?
  • GDPR – You’ve analysed the gaps, but can you close them?
  • GDPR – The Compliance Conundrum
  • Opinion: The role of automated data discovery in a GDPR programme
  • When Business Culture Eats Cybersecurity For Breakfast – Part One
  • Cyber Insurers Dictating Cybersecurity Standards?
  • There Is No Such Thing As Information Security Risk