What started as a sales pitch turned into a slogan and is now axiomatic in some circles: “Your people are the weakest link.” More and more people are recognizing how wrong-headed that is, but in the hopes of accelerating the demise of this phrase, let’s actually look at it. Consider the technical controls most organizations …
Tag Archives: information security best practices
I’m certain that too much certainty is certain failure
I’ve extolled the virtues of false positives before. Talking about the Boy Who Cried Wolf, I’ve pointed out that the villagers who chose to ignore his false alarms rather than correct his behavior or replace him were taking an unnecessary risk. The story and a pack of wolves bear me out on this. I still …
In Defense of Compliance
We read it everywhere: “compliance is not enough”; “security must be more than compliance.” Granted. When the phrase “checking the box” only means working from a compliance checklist and never looking at how your servers are configured, you are vulnerable. When security professionals point this out, they are responding to the well-intentioned attitude of …
How to lie with risk analyses
How to Lie with Statistics was written by Yale Professor Darrell Huff in 1954. Now, 60 years later, many things he described as misuse of statistics are commonplace. He considered it ridiculous, for example, to take the combined years of work experience of the people at a company, add them together, and say that the …
A new role in data privacy: the searcher
The EU’s efforts to define a right to be forgotten and the recent U.S. Supreme Court decision about how privacy is protected on cell phones go hand in hand. They remind us that the medium is still the message and that there is a new role in discussing data access and control. Why connect these …
Best…Practices…Ever
Just like common sense isn’t always common, best practices aren’t always. The best. This matters when describing security controls. And since it seems to be a professional trade secret, I want to come clean about it. There are at least three qualitative ways to describe a security control: how much it complies with something; how …