Concerns.
1. Lack of enterprise security architecture framework or Security Program Strategy. This is a methodology for addressing security concerns at every and each architecture domain. The existing enterprise architecture and security architecture frameworks are not quite there yet or non-existent.
The legislative arms of the government fall here too. If the architecture exist, then its is viewed as a panacea, no actioning is needed, e.g the password policy. It is general knowledge on how it should be done but implementation is shelf-based.

2. Lack of alignment with both business, IT, operations and regulatory,therefore,a need to transform the security organization, i.e placing the security capabilities as a subset of the business reference model to give understanding of how they fit within the strategy,organizational units, business functions and processes.

3. Legal regulatory and internal compliance(stakeholder business objectives and investment) conflicts . The increasing number and scope of regulatory requirements often can override business objectives or internal compliance and affects core business capabilities. Security is the viewed as hindrance.

4. A need for business-outcome-focused and risk-driven security reference architectures. In our enterprise security architecture framework, risk and business objectives are the key drivers for the selection of security controls. As this is a top-down approach, it ensures that all policies and controls are identified and owned.

5. Emerging trends and technologies, such as IoT,cloud, BYOD and mobility affect data privacy. The challenge is gaining knowledge around the relation to data privacy requirements, threat and vulnerability vectors and business objectives.

Having a proper security program/architecture sanctioned by the stakeholders and mostly importantly, the executive management and the government legislation(of course without the evident greed governments)   will trickle down to every unit and person. Verizon reports (http://www.verizonenterprise.com/DBIR/2015/) that 96 percent of attacks are not sophisticated and 97 percent are easily avoidable. Blowing your mind of is that, it is due to simple stupidity(my meaning), lax access policies and internal employees.

On Tue, Jul 21, 2015 at 12:00 PM, <skunkworks-request@lists.my.co.ke> wrote:
Send skunkworks mailing list submissions to
        skunkworks@lists.my.co.ke

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
or, via email, send a message with subject or body 'help' to
        skunkworks-request@lists.my.co.ke

You can reach the person managing the list at
        skunkworks-owner@lists.my.co.ke

When replying, please edit your Subject line so it is more specific
than "Re: Contents of skunkworks digest..."


Today's Topics:
------------------------------

Message: 3
Date: Tue, 21 Jul 2015 11:53:06 +0300
From: Mwendwa Kivuva <Kivuva@transworldafrica.com>
To: Jared Koyier <jaredkoyier@gmail.com>,  "Security Forum All
        information security discussions in Africa are done here (Hacking,
        Decryptions, Security management, physical security, Disastor
        Recovery, Security Assessments etc etc)" <security@lists.my.co.ke>
Cc: Skunkworks forum <skunkworks@lists.my.co.ke>, ISOC Kenya Chapter
        <isoc@lists.my.co.ke>, KICTAnet ICT Policy Discussions
        <kictanet@lists.kictanet.or.ke>
Subject: Re: [Skunkworks] [Security Forum] #KeIGF15 Online Discussions
        Day Two: Cyber Security and Trust
Message-ID:
        <CAEhPqwpvYfoLXV_siQ1tzndWW_Rrq=E9rSReTOoH7Ou=tdsTHw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

On 21 July 2015 at 11:00, Jared Koyier via Security <security@lists.my.co.ke
> wrote:

> The biggest  question is whether people responsible for CyberSecurity in
> government have the resources and technical capacity. Good example is the
> recent embarrassing hackingteam exposure in which one of the officers in
> the NSIS is captured seeking international help in defacing a simple blog.
>

Just for the record, here is the email transcript where Kenyan State House
operatives were allegedly seeking EXTENAL help to hack Kenya websites
https://www.wikileaks.org/hackingteam/emails/?q=kensi.org&mfrom=&mto=&title=&notitle=&date=&nofrom=&noto=&count=50&sort=0#searchresult
  a

and this his how Nation reported the story:
http://mobile.nation.co.ke/news/NIS-WikiLeaks-Hacking-Team-Surveillance/-/1950946/2784358/-/format/xhtml/-/yu87m6z/-/index.html

Of Interest is sometimes back, a Kenyan government agency was giving orders
that all websites should be hosted locally. From the Hacking Team fiasco,
we can clearly see why the government wants websites to be hosted locally.
So that they can just physically seize the computer box instead of having
to employ Hackers from Russia to do the dirty job for them.

I am surprised Civil Society actors have not come out very strongly to
question this move of internal hacking by government. After Snowden, we saw
how Civil Society in US came out very strongly to protest the violation of
basic rights by the State. The US government had to apologize for the
embarrassing revelations, and try to cover it's back. Of course the
argument I hear this days is there is no government that does not do cyber
espionage. Only that some governments are more adept in their skills than
others.

Regards
______________________
Mwendwa Kivuva, Nairobi, Kenya

"There are some men who lift the age they inhabit, till all men walk on
higher ground in that lifetime." - Maxwell Anderson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.my.co.ke/cgi-bin/mailman/private/skunkworks/attachments/20150721/340a0b71/attachment-0001.html>

------------------------------




--
Kind regards
Hosea Kandie
Mobile:0726798903
in: https://ke.linkedin.com/in/zeddarn
twitter: https://twitter.com/zeddarn