-
Recent Posts
Look at Categories
Archives
- March 2024
- November 2022
- October 2021
- August 2021
- June 2021
- August 2020
- December 2019
- November 2019
- October 2019
- December 2018
- September 2017
- October 2016
- March 2015
- February 2015
- January 2013
- September 2012
- August 2012
- March 2012
- October 2011
- June 2011
- May 2011
- February 2011
- December 2010
- November 2010
- September 2010
- August 2010
Search the Blog
InfoSec Governance
Author Archives: Daniel Blander
Security Maturity vs Risk Based Security
I have spent much of my career exploring various security frameworks, compliance regimens and standards. I have dabbled in most of them, primarily because I am curious to see what value can be derived, what benefit they bring, and why … Continue reading
Posted in Uncategorized
Leave a comment
Mandatory versus Guidelines: A story of FUD
I recently received a message in my inbox from a vendor (note the use of the word “mandatory”): Is it really mandatory? Too often people confuse the guidance that standards provide with what is mandatory. Too often vendors use a … Continue reading
Posted in Uncategorized
Leave a comment
A Little Tech – Reset Troubles with MFA
Recently I encountered a bug in one of my second factor authentication apps that caused me to lose all the registered tokens for multiple sites. As you can imagine, losing (or having destroyed) the second factor for important sites can … Continue reading
Posted in Uncategorized
Leave a comment
The Fear Mongers
“APT is your biggest risk.” “Public cloud cannot be secure, just look at CapitalOne.” “Insiders are your biggest threat.” “You must have a SIEM if you are going to pass your SOX audits!” Bah, humbug. Fear, Uncertainty, and Doubt (or … Continue reading
Posted in Uncategorized
Leave a comment
Better Late than Never: My First Foray into Real Metrics
Author’s Note, this blog was written back in 2013, but never made it this far. Forgive the delay and references to old presentations that may not be accessible. It’s been a while since my last post, and I’ll blame it … Continue reading
Posted in Uncategorized
Leave a comment
Three Key Patterns for Information Security Programs
After too many years witnessing the sham that are “security standards” and regulations, I feel like I have to be a bit of a grumpy old man. I’m not usually this way…well, I am old, but usually not terribly grumpy. … Continue reading
Posted in Uncategorized
Leave a comment
The Fallacy of Permanence
I’m sure Daniel Kahneman has defined this fallacy in better terms, but it is a good story to show one of the potential reasons why the concept of DevOps and Lean are so valuable. And also why certain types of … Continue reading
Posted in Uncategorized
Leave a comment
DevOps is dead, long live Dev!
Yes, it’s hyperbole. But the headline is important. In 2020 I still encounter companies who are moving into cloud, yet are immovable mired in their traditional way of doing IT. They are somehow convinced that a group of infrastructure folks … Continue reading
Posted in DevOps, DevSecOps, Uncategorized
Leave a comment
I Love the Subject of Change Control
I love it not because it is wrapped in complexity, but for quite the opposite reason; it is (and should be) a perfect case of simplicity. Let me explain why with a quick story of bad change control. I watched … Continue reading
Posted in Uncategorized
Leave a comment
Unicorns (and how the Gene Kim challenges us yet again…)
I had the opportunity to read Gene’s new book The Unicorn Project last month. Like the Phoenix Project, I was riveted – nearly missing my tube stops on the way to work. My distractions came from usually as a result … Continue reading
Posted in Uncategorized
Leave a comment