Category Archives: Uncategorized

Shifting the Conversation (An SDLC Story)

I’d like to tell a story (a mostly real one) that can help you think through how to make your DevOps transition a little smoother, level set some over-exuberance, and ensure everyone feels they are getting a fair shake in … Continue reading

Posted in Uncategorized | Leave a comment

Random Favorite Quotes

The following are quotes or paraphrased notes taken from talks I have seen, podcasts, or general conversations with people I know.  If you feel you didn’t say these words, or wish to correct them, just contact me. ——— Microsoft gets … Continue reading

Posted in Uncategorized | Leave a comment

The Legacy of Controls (A DevOps Story)

I recently had a pair of encounters that have opened my eyes further to both the causes of our current messy state of IT affairs, and given me hope for a better future.  In both cases the issue that came … Continue reading

Posted in Uncategorized | Leave a comment

The Quantum Vulnerability Tunneling Effect

I know I had promised to talk about how to implement a risk management program in your small organization, but bear with me for a blog (or two).  Given that my brain has been wrapping itself carefully around risk management … Continue reading

Posted in CISO, CSO, Information Security, InfoSec, IT Risk Management, Uncategorized | Leave a comment

Do you have SOCD? (Security Obsessive Compulsive Disorder)

Are you SOCD? You have it if: You feel the constant need to force drastic security measures. You say: “This company really needs to revise all the (SOX) controls.  There’s absolutely no reason to have management involved in the process.” … Continue reading

Posted in CISO, CSO, Information Security, Information Security Governance, InfoSec, InfoSec Governance, IT Risk Management, Security Governance, Uncategorized | Leave a comment

Mentoring Outside the Echo Chamber

I have been incensed by certain “pundit” activities through a recent encounter that unfortunately mirrors the frustration I felt 20 years ago as a result of the actions of certain academics where I once taught.  The actions of which I … Continue reading

Posted in Uncategorized | Leave a comment

Sophisticated Analysis of Risk Management is Critical…don’t do Sophisticated Analysis Risk Management

There is a wonderful discussion occurring in SIRA (Society of Information Risk Analysts) these days. I missed the beginning of this group, and I regret it, because the messages coming out of the discussions are extremely insightful and critically important … Continue reading

Posted in Uncategorized | Leave a comment

Revolution or Evolution, Part II

The Security Officer I met recently told me in his “old age” he now knew that the key to security in an organization was Evolution.  Engage evolution. But what does evolution mean for us InfoSec professionals? Well, I’m going to … Continue reading

Posted in Uncategorized | Leave a comment

In the beginning…

…there was a goal of teaching people how to communicate, interact, and learn from each other.  When I wound up in InfoSec and IT Risk Management, my goal evolved into communicating to InfoSec professionals – IT Security Managers, CSO’s, Network … Continue reading

Posted in CISO, CSO, Information Security, Information Security Governance, InfoSec, InfoSec Governance, IT Governance, IT Risk Management, Security Governance, Uncategorized | Tagged | Leave a comment