Even security folks serve customers. Perhaps they’re other people that work in the company or they’re the company’s clients. But there is a simple reality to serving customers that is often lost on people because they focus too much on their role within the organization. This chart, a bit of exaggeration and a bit of parody, is …
Category Archives: Being an InfoSec Professional
Let’s stop measuring risk
Ok, I don’t quite mean that. What I mean is let’s stop using residual risk as the final product of the risk measurement calculation. Let’s consider a more pragmatic formula. This is going to seem sacrilegious to NIST and the VERIS guys will probably just think I am being quaint, but I am serious. I …
Don’t Blame the Boy Who Cried Wolf
Another story about false positives and what they really teach us. The traditional story is of a boy who is given the responsibility to guard the village herd of sheep. He is supposed to scream for help to notify the villagers when the sheep are threatened. He decides he wants company and screams “wolf” so …
A change is gonna come
This will start with the first law of thermodynamics and end up with change management. All the while, we will keep information security in focus. So, simply put, the first law of thermodynamics says that the amount of energy in a closed system cannot be increased or decreased. If we substitute “effectiveness of security controls” …
Where Chicken Little Went Wrong
This is about the fundamental formula for assessing risk. I saw a post on a LinkedIn Group the other day, a group where I and about 39,000 of my closest colleagues (more on them later) exchange ideas around IT Governance and related issues, and I made a comment which led to a discussion which brought …
Why isn’t this blog more technical
I am getting a fair amount of questions (which is blogger speak for the more introspective “I keep asking myself”): why isn’t this blog more technical? Why aren’t I persistently advancing threads about advanced persistent threats? Am I intentionally filtering out packet filter discussions? (note to self: do not turn into cyber security’s answer to …
The Winter of our discontent
Can information security professionals be satisfied? Ever? Yes. But should they be? Ever wonder if Advanced Persistent Threats came into the world in part because the information security profession became more and more predictable? Or worse: commoditized, as I will discuss below. Lately, as corporate web sites from multiple industries in virtually every continent are …
Cyber Security professionals need to help stop cyberbullying
Protecting data confidentiality, integrity and availability is not enough. We also must promote the ethical use of cyber space. And that starts by making sure it is not a place where anyone, especially children, can be harmed and exploited. An organization in Ireland does a great job of promoting this important effort: http://www.stopcyberbullies.ie/
CISO as consumer
There is no question that a large part of being an Information Security professional is using your judgement to keep your organization secure. And, as with any profession, that means using and evaluating products (once they’re installed, they’re “tools”). Sometimes, you get asked about such things. See the link. http://healthitsecurity.com/2013/02/11/how-a-healthcare-ciso-uses-his-iam-product/
Patient privacy monitoring: where health care IT and Compliance collaborate
Or at least, an area where they really should. Here’s a webinar I presented where I discuss how Health Care Compliance and IT Departments can work towards becoming full-fledged partners. https://fairwarningevents.webex.com/ec0606l/eventcenter/recording/recordAction.do?theAction=poprecord&AT=pb&renewticket=0&isurlact=true&recordID=6114642&apiname=lsr.php&rKey=d8f463f82c5a8c80&format=short&needFilter=false&&SP=EC&rID=6114642&siteurl=fairwarningevents&actappname=ec0606l&actname=%2Feventcenter%2Fframe%2Fg.do&rnd=4743042061&entappname=url0108l&entactname=%2FnbrRecordingURL.do