Category Archives: Being an InfoSec Professional
a roadmap for a people-centric approach to security In July of 2017, I published “What is at the Center” on the website Security Current. I made the argument that even though risk, networks, data and compliance can all be the center of a security program, it really should be people. At the time, I suggested …
People are hardly the weakest link in security
What started as a sales pitch turned into a slogan and is now axiomatic in some circles. “Your people are the weakest link.” More and more people are recognizing how wrong-headed that is but in the hopes of accelerating the demise of this phrase, let’s actually look at it. Consider the technical controls most organizations …
Forget your password
One of two posts to end the year regarding authentication. This one is about that link on on-line logon screens that is almost always labeled “Forgot Password” or “Forgot your password.” Go ahead, check every on-line relationship you have and see what the link is labeled. Well, what if I didn’t forget and I still …
The Engineers get busy: the Spectre/Meltdown patch roller coaster
The aspect of the latest Spectre/Meltdown vulnerability that interests me is not how widespread it might be. Not that it is down below the OS level. And while I am thankful I cannot find reports of it being exploited in the wild, not even that is what really interests me (though I am of course …
A recent REALLY BIG breach: reporting relationships and college degrees
We are somehow hearing about what the Equifax CISO studied in college and not about when the firm’s last pen test was. We are hearing about how heads rolled at Equifax but not if the reporting relationship between IT and Security has been revised. Since the interim CISO seems to be reporting to the interim …
Patch yours!
Security professionals feel no great joy in being right about patching. The past two months have been a period of “I told you so” moments for anyone who has ever had to have the conversation with a sys admin about the importance of patching (it’s been a long time for me but the memory lingers). …
Awareness training always has an attitude
A lot depends on why you think you’re training people. That motivation comes through in the attitude. And that attitude has a lot to do with how successful the training is. By my estimate, there are any number of nuanced attitudes but they more or less gravitate to one of three motives: We’re training you …
Depends what you mean by “guest” and other musings about WiFi
This is not primarily about the security of attaching to a wireless access point (WAP). But since communication is a two-way affair, let’s start with the endpoints and get them out of the way: You are more likely to have your purse snatched at a train station than in your living room. And the …
The CISO’s Oxymoron
Is there such a thing as a “hands off CISO”? No. There is no such thing. In the debate around what the CISO does and does not do, what they are and they aren’t, there is no room for a choice between “hands on” and “hands off.” This isn’t an issue of who punches …
The internet is not a highway, but security is like driving a car
I think it is safe to say that the internet is not an information superhighway anymore. Maybe it was once, but now the interstates are threatening to become toll roads, the blue highways have sponsors and so many things are on the internet that if you do make a wrong turn you could literally end …