The ISACA Disgrace

Why I believe ISACA board and leadership team must resign.

By Ehden Biber

Forward:

My mother, who was born in a Gulag in Russia, never warned me about anything in her whole life. Last week she did. “Don’t talk. It’s dangerous. It would be really hard to find a job if you speak out”. I understand my mother, but I remember what another survivor of one of the Russian gulags have written:

In keeping silent about evil, in burying it so deep within us that no sign of it appears on the surface, we are implanting it, and it will rise up a thousand fold in the future. When we neither punish nor reproach evildoers, we are not simply protecting their trivial old age, we are thereby ripping the foundations of justice from beneath new generations.” (Aleksandr I. Solzhenitsyn, The Gulag Archipelago 1918–1956)

I owe my mother, my maternal grandparents, and everyone who ever lived under a regime based on lies the commitment of speaking out when I feel truth is not being told.

Here is my truth.

Disgrace: embarrassment and the loss of other people’s respect, or behaviour that causes this” (Cambridge dictionary)

I have been a member of ISACA for a long, long time. My first certification was CISA, which followed by CISM and CRISC. I have been a director in the London chapter of ISACA, I have many friends who are ISACA members, and therefore I am aware that it will make many of those whom I worked with and love very uncomfortable, but I feel there is no other option: I believe ISACA board and/or leadership team must resign, as they have betrayed the Code of Professional Ethics of the organisation.

Continue reading

Un-SANSible Orgasms…

What is the REAL issue with the SANS data breach…

By Ehden Biber

SANS has been breached and everyone seems to be missing the real issue. The real issue with the data breach is not that it occurred but it’s the way SANS acted afterwards, which makes one wonder… where is the awareness?

So OK, SANS has been hacked, and there was a data breach that included Personal Identifiable Information, impacting various data subjects, perhaps also Europeans.

Pretend you’re shocked. I mean, what’s new in the kingdom of cyberspace?

What really worried me was the way the incident has been communicated so far. SANS train its employees, I am sure, but how does it measure them? How many other attacks that failed took place in the last quarter or the last year? How many of them failed due to measurable improvement in the performance of the individual who stop it? What were the individual cybersecurity awareness metrics of the person that has been hacked, and were they providing any indication? If not, why? And what about the security of the system themselves – why did the people who designed the solution which was used (office365) did not prevent it from happening? Could that incident be prevented based on the current score of the Software Assurance Maturity Model that SANS (I hope) following? Was that a deviant of normal security performance of the individual? Was the vulnerability a result of a failed project, and if so, what is the TRUE root cause of the failure? Was there any privacy impact assessment relating to the service that was being used? If it failed to identify the risk, why? What was the quality of the assessment? Did the risk registrars of both the privacy and the security teams identified it? if so, was the risk measured correctly? was it communicated? at what forum? I can really go on and on and on here…

What the incident so far has demonstrated is that even organisations which provide professional services in the domain of cybersecurity awareness are failing to demonstrate that their own models provides a “good fit for understanding, predicting or changing cyber-security behaviour” (Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity”, ENISA, 2018).

Here is a quote that summarises how I feel about the current approaches:

“Here’s the funny part. Imagine a conference where the world’s top experts on human sexuality are convened. One after another these doctors, and specialists in human behavior, and research psychologists, go to the podium to deliver scholarly lectures on the subject of orgasm. As the conference goes on, it might become obvious that none of these experts have actually experienced orgasm themselves: it’s all intellectual. ‘After long years of arduous research and many austerities I can now tell you that I have finally achieved full orgasm. And I can confirm what all the ancient texts have said: that the very essence of orgasm consists of getting red in the face and screaming, after which you become a perfect person and everybody thinks you’re wonderful.’

Huh? But wait: nobody in the audience has experienced orgasm either, so how would they know that the speakers are all hot air? After all, these specialists are presented as the ‘experts,’ and another ‘expert’ has certified their expertness, and they certainly sound impressive, so… they must be right! So everybody asks questions and takes notes. And later they all sign up for the advanced seminar, in which it is promised that they too (for a few hundred dollars) can learn the disciplines necessary to get red in the face and scream; at which time they will enter the ranks of those who have been certified as having attained full orgasm and become perfect wonderful people.

Of the thousands in attendance at the conference, there are just two people in the back of the hall, with absolutely no scholarly qualifications at all, but with a different kind of knowing; who look at each other, laugh, and walk out.”

From “Perfect Brilliant Stillness”, David Carse, 2006

Or, as I’ve written in 2015:

“What most of us are doing is measuring the surface of awareness, the signals, rather than investigating the real nature of awareness. Our measuring attempts are similar to the way Franz Joseph Gall, who invented phrenology did in the 19th century while trying to solve the mystery of the mind. First named “cranioscopy” by Gall, and later changed to “phrenology” by his followers, this method was supposed to allow the scientist who used it a way of understanding the state of mind by measuring the scalp. Driven from Greek words phrēn (“mind”) and logos (“knowledge”), Phrenology claimed that certain brain areas have localized, specific functions or modules and thus by measuring the scalp one can have an understanding of the performance of the brain and the mind…What we do isn’t measuring awareness at all.”

The good news (at least for me) is that it opens up a space for new ways of approaching this problem. More on that in … my upcoming dissertation. Stay tuned… 😊

Till the next now,

Ehden Biber

© All rights reserved 2020

The Secret to Cybersecurity Awareness

How a 5½ weeks experiment helped me discover the secret of awareness. Cyber Autism, Redux.

 

By Ehden Biber

 

I have been investigating the nature of awareness ever since Rephael autism took his ability to communicate with us, when he was about 18th months old. This beautiful boy, the youngest of our 3 siblings was disappearing in front of my eyes and I didn’t know what to do. The impact of his autism on my understanding of how much I cannot perceive what another human being is perceiving came a few years later, when he was still a young boy. One day, when he and his two siblings were at my place, Rephael came to me crying his heart out, but I had no idea why he is crying. That realization, this experience of disconnection between my personal experience and the perception of reality someone else is having was one of the most profound moments of my life. Before that, I was busy trying to fix Rephael. After that, I was busy trying to fix myself. My moment came when I realized there wasn’t anything in my son that prevented him from communicating with met, but it was something in my own perception of reality which prevented me from communicating with my son. I was the root of my own suffering.

Fast forward to summer 2019.

Continue reading

Becoming Stephen Hawking

Truth is the only thing that stands between us and a cyber nightmare. Dedicated to the 2019 October Cybersecurity Awareness Month.

By Eh’den Biber

 

Virtual Insanity

Futures made of virtual insanity, now
Always seem to be governed by this love we have
For useless, twisting, all that new technology
Oh, now there is no sound, for we all live underground

(Jamiroquai, “Virtual Insanity”, from the album “Travelling Without Moving”)

 


There is a reason why people in the west can’t grasp how the disappearance of privacy and the total exposure of our most intimate states is a part of a dystopian nightmare, and it has to do with who we are.

Continue reading