Political reporters/analysts have taken to using the word “firewall”. To which we as cybersec geeks can only respond “huh”? To be bi-partisan about it, I provide two examples. Writing about the South Carolina Democratic Party primary, CNN says “At the heart of Clinton’s strategy to sew up the Democratic nomination is the notion that minority … Continue reading
Category Archives: Being an InfoSec Professional
The “Big” Risk Transfer
There is time between those risk management milestones. During that time, risk is in limbo. During that limbo, it’s the CISO that owns the risk. Orchestrating the transfer of risk to the appropriate risk owner is one of the most under appreciated things that a CISO does. Here’s a hypothetical example: let’s say that there … Continue reading
Bookish Security
My latest article in Security Current, No Book to Be By, mentions that when it comes to security, there’s no such thing as “by the book”. But I don’t go into it in that article. There I am writing about how a task-based CISO (i.e., a PM promoted to the role) might be the worst … Continue reading
I’m certain that too much certainty is certain failure
I’ve extolled the virtues of false positives before. Talking about the Boy Who Cried Wolf, I’ve pointed out that the villagers who chose to ignore his false alarms rather than correct his behavior or replace him were taking an unnecessary risk. The story and a pack of wolves bear me out on this. I still … Continue reading
Security and Privacy walk into a bar…
There can be no question that Security and Privacy are strongly related. It would be easier if they were the same thing. But they’re not, of course; there are differences. This blog has never shied away from stating the obvious. This post tries to enumerate the significant differences between privacy and security: I. They come … Continue reading
In Defense of Compliance
We read it everywhere: “compliance is not enough”. “Security must be more than compliance.” Granted. When the phrase “checking the box” only means working from a compliance checklist and never looking at how your servers are configured, you are vulnerable. When security professionals point this out, they are responding to the well intentioned attitude of … Continue reading
How to lie with risk analyses
How to lie with statistics was written by Yale Professor Darrel Huff in 1954. Now, 60 years later, many things he described as misuse of statistics are common place. He considered it ridiculous, for example, to take the combined years of work experience of the people at a company and add them together and say that the … Continue reading
Best…Practices…Ever
Just like common sense isn’t always common, best practices aren’t always. The best. This matters when describing security controls. And since it seems to be a professional trade secret, I want to come clean about it. There are at least three qualitative ways to describe a security control: How much it complies with something How … Continue reading
The other shoe drops: NIST issues version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity
It’s ironic that the new publication from NIST does not have an 800 series numeric designation. Not that it needs to, but here we all are using those numbers as shorthand (e.g., “I took an 800-30 July 2002 approach because revision 1 from 2012 just seemed too complex for the environment”, “We are looking to … Continue reading
Customer service, distilled
Even security folks serve customers. Perhaps they’re other people that work in the company or they’re the company’s clients. But there is a simple reality to serving customers that is often lost on people because they focus too much on their role within the organization. This chart, a bit exaggeration and a bit parody, is … Continue reading
{Cyber Security} 