Being an InfoSec Professional / Cybersecurity / Data Science / Risk Management

People are hardly the weakest link in security

What started as a sales pitch turned into a slogan and is now axiomatic in some circles.  “Your people are the weakest link.”  More and more people are recognizing how wrong-headed that is but in the hopes of accelerating the demise of this phrase, let’s actually look at it. Consider the technical controls most organizations … Continue reading

Being an InfoSec Professional / Cybersecurity

I’m certain that too much certainty is certain failure

I’ve extolled the virtues of false positives before.  Talking about the Boy Who Cried Wolf, I’ve pointed out that the villagers who chose to ignore his false alarms rather than correct his behavior or replace him were taking an unnecessary risk.  The story and a pack of wolves bear me out on this. I still … Continue reading

Being an InfoSec Professional / Cybersecurity

In Defense of Compliance

We read it everywhere: “compliance is not enough”.  “Security must be more than compliance.”  Granted.  When the phrase “checking the box” only means working from a compliance checklist and never looking at how your servers are configured, you are vulnerable. When security professionals point this out, they are responding to the well intentioned attitude of … Continue reading