I think it is safe to say that the internet is not an information superhighway anymore. Maybe it was once, but now the interstates are threatening to become toll roads, the blue highways have sponsors and so many things are on the internet that if you do make a wrong turn you could literally end … Continue reading
Tag Archives: Chief Information Security Officer
EVERYONE’S WHITEPAPER…ever. A how-to.
Sample (analysis follows): The cyber security threat landscape is awash in an ever changing fabric of “slings and arrows”. It’s not just a matter of “if” script kiddies will attack the enterprise but “when” nation states. And big, big breaches. Before the 20th century, there are only two recorded Denial of Service attacks: the burning … Continue reading
Bookish Security
My latest article in Security Current, No Book to Be By, mentions that when it comes to security, there’s no such thing as “by the book”. But I don’t go into it in that article. There I am writing about how a task-based CISO (i.e., a PM promoted to the role) might be the worst … Continue reading
In Defense of Compliance
We read it everywhere: “compliance is not enough”. “Security must be more than compliance.” Granted. When the phrase “checking the box” only means working from a compliance checklist and never looking at how your servers are configured, you are vulnerable. When security professionals point this out, they are responding to the well intentioned attitude of … Continue reading
Best…Practices…Ever
Just like common sense isn’t always common, best practices aren’t always. The best. This matters when describing security controls. And since it seems to be a professional trade secret, I want to come clean about it. There are at least three qualitative ways to describe a security control: How much it complies with something How … Continue reading
The other shoe drops: NIST issues version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity
It’s ironic that the new publication from NIST does not have an 800 series numeric designation. Not that it needs to, but here we all are using those numbers as shorthand (e.g., “I took an 800-30 July 2002 approach because revision 1 from 2012 just seemed too complex for the environment”, “We are looking to … Continue reading
Let’s stop measuring risk
Ok, I don’t quite mean that. What I mean is let’s stop using residual risk as the final product of the risk measurement calculation. Let’s consider a more pragmatic formula. This is going to seem sacrilegious to NIST and the VERIS guys will probably just think I am being quaint, but I am serious. I … Continue reading
Don’t Blame the Boy Who Cried Wolf
Another story about false positives and what they really teach us. The traditional story is of a boy who is given the responsibility to guard the village herd of sheep. He is supposed to scream for help to notify the villagers when the sheep are threatened. He decides he wants company and screams “wolf” so … Continue reading
Where Chicken Little Went Wrong
This is about the fundamental formula for assessing risk. I saw a post on a LinkedIn Group the other day, a group where myself and about 39,000 of my closest colleagues (more on them later) exchange ideas around IT Governance and related issues, and I made a comment which led to a discussion which brought … Continue reading
{Cyber Security} 