InfoSec Governance
Category Archives: Uncategorized
Where should the CSO Report?
I was recently asked the question, “Where does Security belong in an organization?” It is an intriguing question, and one that I think about quite often. Currently, most CSOs report to the CIO or CTO. In a few rare cases, …
Glass Houses…and Music Majors
First, a disclaimer…this post is *not* about bashing or ranting about Equifax’s security practices. Why? Because I do not have first-hand knowledge of what they did or did not do, or what specific exploits and vulnerabilities were leveraged throughout …
Shifting the Conversation (An SDLC Story)
I’d like to tell a story (a mostly real one) that can help you think through how to make your DevOps transition a little smoother, level set some over-exuberance, and ensure everyone feels they are getting a fair shake in …
Random Favorite Quotes
The following are quotes or paraphrased notes taken from talks I have seen, podcasts, or general conversations with people I know. If you feel you didn’t say these words, or wish to correct them, just contact me. ——— Microsoft gets …
The Legacy of Controls (A DevOps Story)
I recently had a pair of encounters that have opened my eyes further to both the causes of our current messy state of IT affairs, and given me hope for a better future. In both cases the issue that came …
The Quantum Vulnerability Tunneling Effect
I know I had promised to talk about how to implement a risk management program in your small organization, but bear with me for a blog (or two). Given that my brain has been wrapping itself carefully around risk management …
Posted in CISO, CSO, Information Security, InfoSec, IT Risk Management, Uncategorized
Do you have SOCD? (Security Obsessive Compulsive Disorder)
Are you SOCD? You have it if: You feel the constant need to force drastic security measures. You say: “This company really needs to revise all the (SOX) controls. There’s absolutely no reason to have management involved in the process.” …
Mentoring Outside the Echo Chamber
I have been incensed by certain “pundit” activities through a recent encounter that unfortunately mirrors the frustration I felt 20 years ago as a result of the actions of certain academics where I once taught. The actions of which I …
Sophisticated Analysis of Risk Management is Critical…don’t do Sophisticated Analysis Risk Management
There is a wonderful discussion occurring in SIRA (Society of Information Risk Analysts) these days. I missed the beginning of this group, and I regret it, because the messages coming out of the discussions are extremely insightful and critically important …
Revolution or Evolution, Part II
The Security Officer I met recently told me in his “old age” he now knew that the key to security in an organization was Evolution. Engage evolution. But what does evolution mean for us InfoSec professionals? Well, I’m going to …