weighing in on a debate with no one right answer
A few thoughts on “the debate” that is still going on. And has been for decades. Should the Security function report in to IT? I’ve been a firm “no” for as long as I’ve been a practitioner. I started reporting into a profit center/revenue unit …
Category Archives: Cybersecurity
Saying the quiet part out loud
The CISO has always been one of the organization’s debunkers of myths, often those that IT tells. Here’s a classic most if not all CISOs have heard: “Sure it hasn’t been patched in 2 years but it’s behind the firewall so there’s no risk.” The role is increasingly called on to add some reality to …
The empathetic CISO
a roadmap for a people-centric approach to security
In July of 2017, I published “What is at the Center” on the website Security Current. I made the argument that even though risk, networks, data and compliance can all be the center of a security program, it really should be people. At the time, I suggested …
People are hardly the weakest link in security
What started as a sales pitch turned into a slogan and is now axiomatic in some circles. “Your people are the weakest link.” More and more people are recognizing how wrong-headed that is, but in the hopes of accelerating the demise of this phrase, let’s actually look at it. Consider the technical controls most organizations …
The Supply Chain shouldn’t be zero-trust
I get it for network architecture. I get it for strong authentication. I get it for making sure I am not a robot (not, by the way). But I have to trust my partners. So when it comes to third party risk management, I refuse to accept that my relationships begin with the assumption that …
SSO what? Maybe single sign *on* isn’t always appropriate
Part two of my end of year posts regarding authentication. Sometimes it feels like technologists want to build a mansion for their users. Once you’re in the mansion, all doors are open. And for a unified suite of tools that one might use in, let’s just say, an office, that’s a rational approach. But security …
Forget your password
One of two posts to end the year regarding authentication. This one is about that link on on-line logon screens that is almost always labeled “Forgot Password” or “Forgot your password.” Go ahead, check every on-line relationship you have and see what the link is labeled. Well, what if I didn’t forget and I still …
The Engineers get busy: the Spectre/Meltdown patch roller coaster
The aspect of the latest Spectre/Meltdown vulnerability that interests me is not how widespread it might be. Not that it is down below the OS level. And while I am thankful I cannot find reports of it being exploited in the wild, not even that is what really interests me (though I am of course …
Your breach notification will arrive in 525,600 minutes (UBER)
About a year after 57 million records were breached at Uber, the company issued a breach notification press release. The CEO made no excuses for the lateness of the notice and, to be fair, he was not involved in the handling of the whole thing since he was hired after the event. The notification also …
How about just being nuts?
If you do get that phone call from “John at Technical Services” (who you are certain is a scammer) telling you they have detected a virus on your computer and need to work with you to get rid of it, don’t hang up. Just calmly say “The virus told me you would call. It said …