Anyone else notice that the ISO/IEC 27000-series is exploding. First we had 27001 for managing security (ISMS), then 17799 was renamed to 27002 for consistency with 27001. Now, OMFG:

# ISO/IEC 27000 – an introduction and overview for the ISMS Family of Standards, plus a glossary of common terms
# ISO/IEC 27003 – an ISMS implementation guide
# ISO/IEC 27004 – a standard for information security management measurements
# ISO/IEC 27005 – a standard for information security risk management
# ISO/IEC 27007 – a guideline for ISMS auditing (focusing on the management system)
# ISO/IEC 27008 – a guideline for Information Security Management auditing (focusing on the security controls)
# ISO/IEC 27011 – an ISMS implementation guideline for the telecommunications industry (also known as X.1051)
# ISO/IEC 27031 – a specification for ICT readiness for business continuity
# ISO/IEC 27032 – a guideline for cybersecurity (essentially, ‘being a good neighbor’ on the Internet)
# ISO/IEC 27033 – IT network security, a multi-part standard currently known as ISO/IEC 18028:2006
# ISO/IEC 27034 – a guideline for application security
# ISO/IEC 27799 – an ISMS implementation guideline for the healthcare industry

What happened to 6? Perhaps I should be pleased with this laundry list of options, but in fact it makes life quite a bit more complicated right now. I just had to explain 27003 even though it is still in draft form, just because someone wanted to work on ISO compliance for 27002. If you live in a country, let alone a state, that has compliance governance of its own, will you deal with the ISO? Something tells me if you do business across national boundaries this may be your only path of communication, and that is what the ISO is banking upon. On the other hand, I have already met a few people who think international standards are somehow an insult to their sense of national pride and want nothing to do with them.

The BBC advises us to avoid being upbeat in our business speak. The last thing you want to say, apparently, is that you are going forward

…the really lethal thing about the whole language of business – is that it is so brainlessly upbeat. All the celebrating, the reaching out, the sharing, and the championing in fact grind one down. Several decades too late, it is as if business has caught up with the linguistic spirit of 1968. The hippies got over it, but businessmen are holding tight.

Funny stuff and very prescient.

It seems that the less one has to say, the more likely one is to reach for a going forward as a crutch. Politicians find it comforting for this reason. “We are going forward” poor Hillary Clinton said just before the last, fatal primary last month when it became indisputable that she was going nowhere of the kind.

I have met many executives in America who hate the term “failure”. They think it lowers spirits and becomes an obstacle to success. Unfortunately, it actually is the lack of communication about failures that let them linger.

Blue sky thinking, pushing the envelope – the problem with office-speak is that it cloaks the brutal modern workplace in such brainlessly upbeat language…

Presumably it is ok to upbeat, just not brainless about it.

Ok, preventable is one thing, but what about predictable?

That is the tougher argument to make in the board room, in my experience. The CxOs know that things can be prevented, but they are not phased unless the security team can accurately predict failures ahead.

In other words, you can tell someone they should prevent getting wet by carrying an umbrella but good luck expecting them to carry their umbrella unless you can convince them that there is more than a 70 percent chance of precipitation.

The Verizon Report and their PR release clearly try very hard to establish a benchmark in quantitative analysis:

Some of the findings may be contrary to widely held beliefs, such as that insiders are responsible for most breaches. Key findings include:

* Most data breaches investigated were caused by external sources. Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied.

* Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions.

* Of those breaches caused by hacking, 39 percent were aimed at the application or software layer. Attacks to the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.

* Nine of 10 breaches involved some type of “unknown” including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period.

* In the modern organization, data is everywhere and keeping track of it is an extremely complex challenge. The fundamental principle, however, is quite simple – if you don’t know where data is, you certainly can’t protect it.

I do not see any of these as a surprise. In fact, I think most security practitioners know these issues by heart. The opportunity is for those in the security space to now have third-party validation of their concerns. This is much cheaper than hiring a big-four audit firm for six figures and then trying to beat some sense into the inexperienced students they assign to your project so you can get a report similar to this one. Thank you Verizon!

American Banker uses this perspective

Here’s one the board of directors won’t want to hear: nine out of 10 corporate data breaches could have been prevented; this according to a report by Verizon Business that looked into 500 forensic investigations.

I disagree with this analysis, but I know why it happens. They employ a past-tense to the “prevention” as in “we could have prevented those losses”. That confuses the reality of security and risk management. If incidents have already happened, then (assuming impact is significant) a board of directors will want to hear why it happened and what will be done to prevent it again. However, and this is a big however, if these incidents have not happened yet then it is very likely the board will have absolutely zero interest in hearing about preventing them. The only caveat is if there is a high probability OR if there are regulations demanding that they take preventative action. If you can not speak to the predictability of risks, then the prevention of them becomes a moot topic at the executive level.