Category Archives: Uncategorized

The Fear Mongers

“APT is your biggest risk.” “Public cloud cannot be secure, just look at CapitalOne.” “Insiders are your biggest threat.” “You must have a SIEM if you are going to pass your SOX audits!” Bah, humbug. Fear, Uncertainty, and Doubt (or …

Posted in Uncategorized

Better Late than Never: My First Foray into Real Metrics

Author’s Note: this blog was written back in 2013, but never made it this far. Forgive the delay and references to old presentations that may not be accessible. It’s been a while since my last post, and I’ll blame it …

Posted in Uncategorized

Three Key Patterns for Information Security Programs

After too many years witnessing the sham that is “security standards” and regulations, I feel like I have to be a bit of a grumpy old man. I’m not usually this way…well, I am old, but usually not terribly grumpy. …

Posted in Uncategorized

The Fallacy of Permanence

I’m sure Daniel Kahneman has defined this fallacy in better terms, but it is a good story to show one of the potential reasons why the concepts of DevOps and Lean are so valuable. And also why certain types of …

Posted in Uncategorized

DevOps is dead, long live Dev!

Yes, it’s hyperbole. But the headline is important. In 2020 I still encounter companies who are moving into cloud, yet are immovably mired in their traditional way of doing IT. They are somehow convinced that a group of infrastructure folks …

Posted in DevOps, DevSecOps, Uncategorized

I Love the Subject of Change Control

I love it not because it is wrapped in complexity, but for quite the opposite reason; it is (and should be) a perfect case of simplicity. Let me explain why with a quick story of bad change control. I watched …

Posted in Uncategorized

Unicorns (and how the Gene Kim challenges us yet again…)

I had the opportunity to read Gene’s new book The Unicorn Project last month. Like the Phoenix Project, I was riveted – nearly missing my tube stops on the way to work. My distractions came from usually as a result …

Posted in Uncategorized

Where should the CSO Report?

I was recently asked the question, “Where does Security belong in an organization?” It is an intriguing question, and one that I think about quite often. Currently most CSOs report to the CIO or CTO. In a few, rare cases, …

Posted in Uncategorized

Glass Houses…and Music Majors

First, a disclaimer…this post is *not* about bashing or ranting about Equifax’s security practices. Why? Because I do not have first-hand knowledge of what they did or did not do, or what specific exploits and vulnerabilities were leveraged throughout …

Posted in Uncategorized

Shifting the Conversation (An SDLC Story)

I’d like to tell a story (a mostly real one) that can help you think through how to make your DevOps transition a little smoother, level set some over-exuberance, and ensure everyone feels they are getting a fair shake in …

Posted in Uncategorized