Category Archives: CSO

Loving the John In All of Us

I found myself in one of my least favorite moments a few weeks ago.  I was having a discussion about the build out of a new environment.  Someone brought up the subject of how people should access the environment and … Continue reading

Posted in CISO, CSO, Information Security, InfoSec | Leave a comment

The Quantum Vulnerability Tunneling Effect

I know I had promised to talk about how to implement a risk management program in your small organization, but bear with me for a blog (or two).  Given that my brain has been wrapping itself carefully around risk management … Continue reading

Posted in CISO, CSO, Information Security, InfoSec, IT Risk Management, Uncategorized | Leave a comment

BSides San Francisco Presentation

So I did a little talk at BSides San Francisco 2012.  Its a pre-quel to my book “So You Want to Be the CSO…”  The talk was recorded so you can view it at your leisure.  Just pity the poor … Continue reading

Posted in CISO, CSO, Information Security Governance, IT Risk Management, Security Governance | Leave a comment

#SecBiz or The Better Answer to Martin’s Question

I had the good fortune of a long drive (12 hours to be exact) which allowed me time to catch up on four months of backlogged Martin McKeay’s Network Security Podcasts.  My fortune improved when I listened to the June … Continue reading

Posted in CISO, CSO, Information Security Governance, InfoSec Governance, IT Risk Management, Security Governance | 1 Comment

Do you have SOCD? (Security Obsessive Compulsive Disorder)

Are you SOCD? You have it if: You feel the constant need to force drastic security measures. You say: “This company really needs to revise all the (SOX) controls.  There’s absolutely no reason to have management involved in the process.” … Continue reading

Posted in CISO, CSO, Information Security, Information Security Governance, InfoSec, InfoSec Governance, IT Risk Management, Security Governance, Uncategorized | Leave a comment

My Take Away Moment from BSidesSF

I won’t attempt to rehash the conference, except to say, if you have a chance to attend a BSides event, do so in great haste. Despite being free, they are worth every penny you could invest in visiting one.  What … Continue reading

Posted in CISO, CSO, Information Security, InfoSec | Leave a comment

Handing Back Responsibility for Security

There is a great lesson that unfolded at one of my customer’s sites during an audit.  It is a great story to tell, but more importantly, it lets me illustrate that as Security Professionals, we need to design security to … Continue reading

Posted in CISO, CSO, Information Security, InfoSec, IT Risk Management | Leave a comment

Model for Building PCI Control Objectives

Maybe it’s the excitement of getting re-Tweeted today, or maybe it’s just the outpouring of love and emotion I felt when I watched the video of the Mike+Josh hug, but I thought I’d provide a bit more thought around how … Continue reading

Posted in CISO, CSO, Information Security, IT Risk Management, PCI | Leave a comment

The One-Hundred-Zero-Fifty Rule

I had a employee in a security department that I was running come to me and say “We have a problem, and we need to take care of it right away!”  Now we were in the midst of several major … Continue reading

Posted in CISO, CSO, Information Security Governance, InfoSec Governance, IT Risk Management, Security Governance | Leave a comment

Revolution or Evolution

I recently had a meeting with a well placed Security Officer.  He made a comment that I thought really summed up the view that I hold as well regarding transformation of Information Security at a company…. “When I started working … Continue reading

Posted in CISO, CSO, Information Security, Information Security Governance, InfoSec, InfoSec Governance, IT Risk Management, Security Governance | Leave a comment