InfoSec Governance
Author Archives: Daniel Blander
BSides San Francisco Presentation
So I did a little talk at BSides San Francisco 2012. It's a prequel to my book “So You Want to Be the CSO…” The talk was recorded so you can view it at your leisure. Just pity the poor …
#SecBiz or The Better Answer to Martin’s Question
I had the good fortune of a long drive (12 hours to be exact) which allowed me time to catch up on four months of backlogged Martin McKeay’s Network Security Podcasts. My fortune improved when I listened to the June …
Do you have SOCD? (Security Obsessive Compulsive Disorder)
Are you SOCD? You have it if: You feel the constant need to force drastic security measures. You say: “This company really needs to revise all the (SOX) controls. There’s absolutely no reason to have management involved in the process.” …
Mentoring Outside the Echo Chamber
I have been incensed by certain “pundit” activities through a recent encounter that unfortunately mirrors the frustration I felt 20 years ago as a result of the actions of certain academics where I once taught. The actions of which I …
Posted in Uncategorized
My Take Away Moment from BSidesSF
I won’t attempt to rehash the conference, except to say, if you have a chance to attend a BSides event, do so in great haste. Despite being free, they are worth every penny you could invest in visiting one. What …
Posted in CISO, CSO, Information Security, InfoSec
Sophisticated Analysis of Risk Management is Critical…don’t do Sophisticated Analysis Risk Management
There is a wonderful discussion occurring in SIRA (Society of Information Risk Analysts) these days. I missed the beginning of this group, and I regret it, because the messages coming out of the discussions are extremely insightful and critically important …
Posted in Uncategorized
Handing Back Responsibility for Security
There is a great lesson that unfolded at one of my customer’s sites during an audit. It is a great story to tell, but more importantly, it lets me illustrate that as Security Professionals, we need to design security to …
Posted in CISO, CSO, Information Security, InfoSec, IT Risk Management
Data Facts vs. My Bias…how I am losing (and why it's good)
I have to admit as I listen to the sages on collecting data (Alex Hutton, Mike Dahn, Josh Corman…) I am getting more and more conscious of my own biases about security (guilty as charged!). Ever since Alex’s post a …
Posted in Information Security, InfoSec, IT Risk Management, PCI
Sustainable Security by Showing Tangible Benefits
I spent a large part of my involuntary layover in Atlanta last month thinking about PCI, Control Objectives and Maturity. Sometimes interruptions to our business lives like this are good, since stepping back and interrupting our non-stop business life for …
They Just Don’t Get It
“They just don’t get security!” As InfoSec professionals we often curse our management, our users or our customers (or all three) because they have done something “stupid” which either creates or nearly creates a security incident. We howl, we complain, …
Posted in Information Security, InfoSec