Being an InfoSec Professional / Cybersecurity

The “Big” Risk Transfer

There is time between those risk management milestones.   During that time, risk is in limbo.   During that limbo, it’s the CISO that owns the risk.  Orchestrating the transfer of risk to the appropriate risk owner is one of the most under appreciated things that a CISO does. Here’s a hypothetical example: let’s say that there … Continue reading

Being an InfoSec Professional / Cybersecurity

I’m certain that too much certainty is certain failure

I’ve extolled the virtues of false positives before.  Talking about the Boy Who Cried Wolf, I’ve pointed out that the villagers who chose to ignore his false alarms rather than correct his behavior or replace him were taking an unnecessary risk.  The story and a pack of wolves bear me out on this. I still … Continue reading

Being an InfoSec Professional / Cybersecurity / Privacy

Security and Privacy walk into a bar…

There can be no question that Security and Privacy are strongly related.  It would be easier if they were the same thing.  But they’re not, of course; there are differences.   This blog has never shied away from stating the obvious. This post tries to enumerate the significant differences between privacy and security: I.                    They come … Continue reading

Being an InfoSec Professional / Cybersecurity

In Defense of Compliance

We read it everywhere: “compliance is not enough”.  “Security must be more than compliance.”  Granted.  When the phrase “checking the box” only means working from a compliance checklist and never looking at how your servers are configured, you are vulnerable. When security professionals point this out, they are responding to the well intentioned attitude of … Continue reading

Being an InfoSec Professional / Cybersecurity

The other shoe drops: NIST issues version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity

It’s ironic that the new publication from NIST does not have an 800 series numeric designation.   Not that it needs to, but here we all are using those numbers as shorthand (e.g., “I took an 800-30 July 2002 approach because revision 1 from 2012 just seemed too complex for the environment”, “We are looking to … Continue reading