Just like common sense isn’t always common, best practices aren’t always. The best. This matters when describing security controls. And since it seems to be a professional trade secret, I want to come clean about it. There are at least three qualitative ways to describe a security control: How much it complies with something How …
Tag Archives: David Sheidlower
Customer service, distilled
Even security folks serve customers. Perhaps they’re other people who work in the company, or they’re the company’s clients. But there is a simple reality to serving customers that is often lost on people because they focus too much on their role within the organization. This chart, part exaggeration and part parody, is …
That’s what I’m talking about
There it was in the Times this morning. A piece by Professor Peter Ludlow of Northwestern University. Dr. Ludlow is right there doing just what this blog tries to do. The professor is far more articulate than I of course. But he’s read Schneier and Hobbes (and no doubt many others) and sees how they …
Dedoméno
Socrates happens on his old friend, Dedoméno. He makes a new friend and has a conversation.
DEDOMÉNO: Socrates, it is a pleasure to see you on line.
SOCRATES: Dedoméno, it is a surprise to see you. I thought you were away.
DEDOMÉNO: Just so, Socrates. But I am visiting my friend Clapper.
SOCRATES: Clapper? The famous …
Don’t Blame the Boy Who Cried Wolf
Another story about false positives and what they really teach us. The traditional story is of a boy who is given the responsibility to guard the village herd of sheep. He is supposed to scream for help to notify the villagers when the sheep are threatened. He decides he wants company and screams “wolf” so …
A change is gonna come
This will start with the first law of thermodynamics and end up with change management. All the while, we will keep information security in focus. So, simply put, the first law of thermodynamics says that the amount of energy in a closed system cannot be increased or decreased. If we substitute “effectiveness of security controls” …
Where Chicken Little Went Wrong
This is about the fundamental formula for assessing risk. I saw a post on a LinkedIn Group the other day, a group where I and about 39,000 of my closest colleagues (more on them later) exchange ideas around IT Governance and related issues, and I made a comment which led to a discussion which brought …
When is a breach notification not a breach notification?
In Memoriam Barnaby Jack.(1) When it’s an indictment, a settlement or an ethical hack. It is interesting to note the difference between a breach notification press release (these are required by law, for example, for breaches of health care data affecting over 500 individuals) and the subsequent coverage and reports of indictments, settlements and ethical …
One hand washing the other
Can the HIPAA Security Rule learn something from the HIPAA Privacy Rule? When it comes to encryption at the application security level: yes. First, one of my particular soapboxes: in a world where medical records are increasingly found in digital form, the HIPAA Security Rule and the HIPAA Privacy Rule cannot be minded by two …
Why isn’t this blog more technical
I am getting a fair amount of questions (which is blogger speak for the more introspective “I keep asking myself”): why isn’t this blog more technical? Why aren’t I persistently advancing threads about advanced persistent threats? Am I intentionally filtering out packet filter discussions? (note to self: do not turn into cyber security’s answer to …