Weighing in on a debate with no one right answer
A few thoughts on “the debate” that is still going on, and has been for decades: should the Security function report to IT? I’ve been a firm “no” for as long as I’ve been a practitioner. I started reporting into a profit center/revenue unit …
Tag Archives: Cybersecurity
Saying the quiet part out loud
The CISO has always been one of the organization’s debunkers of myths, often those that IT tells. Here’s a classic most if not all CISOs have heard: “Sure it hasn’t been patched in 2 years, but it’s behind the firewall so there’s no risk.” The role is increasingly called on to add some reality to …
The empathetic CISO
A roadmap for a people-centric approach to security
In July of 2017, I published “What is at the Center” on the website Security Current. I made the argument that even though risk, networks, data and compliance can all be the center of a security program, it really should be people. At the time, I suggested …
The Supply Chain shouldn’t be zero-trust
I get it for network architecture. I get it for strong authentication. I get it for making sure I am not a robot (not, by the way). But I have to trust my partners. So when it comes to third party risk management, I refuse to accept that my relationships begin with the assumption that …
Your breach notification will arrive in 525,600 minutes (UBER)
About a year after 57 million records were breached at Uber, the company issued a breach notification press release. The CEO made no excuses for the lateness of the notice and, to be fair, he was not involved in the handling of the whole thing since he was hired after the event. The notification also …
Patch yours!
Security professionals feel no great joy in being right about patching. The past two months have been a period of “I told you so” moments for anyone who has ever had to have the conversation with a sys admin about the importance of patching (it’s been a long time for me, but the memory lingers). …
Awareness training always has an attitude
A lot depends on why you think you’re training people. That motivation comes through in the attitude. And that attitude has a lot to do with how successful the training is. By my estimate, there are any number of nuanced attitudes, but they more or less gravitate to one of three motives: We’re training you …
Depends what you mean by “guest” and other musings about WiFi
This is not primarily about the security of attaching to a wireless access point (WAP). But since communication is a two-way affair, let’s start with the endpoints and get them out of the way: You are more likely to have your purse snatched at a train station than in your living room. And the …
Misuse of the word “firewall”
Political reporters/analysts have taken to using the word “firewall”. To which we as cybersec geeks can only respond “huh?” To be bipartisan about it, I provide two examples. Writing about the South Carolina Democratic Party primary, CNN says “At the heart of Clinton’s strategy to sew up the Democratic nomination is the notion that minority …
The “Big” Risk Transfer
There is time between those risk management milestones. During that time, risk is in limbo. During that limbo, it’s the CISO that owns the risk. Orchestrating the transfer of risk to the appropriate risk owner is one of the most underappreciated things that a CISO does. Here’s a hypothetical example: let’s say that there …