There can be no question that Security and Privacy are strongly related. It would be easier if they were the same thing. But they’re not, of course; there are differences. This blog has never shied away from stating the obvious. This post tries to enumerate the significant differences between privacy and security: I. They come … Continue reading
Tag Archives: Information Security
In Defense of Compliance
We read it everywhere: “compliance is not enough”. “Security must be more than compliance.” Granted. When the phrase “checking the box” only means working from a compliance checklist and never looking at how your servers are configured, you are vulnerable. When security professionals point this out, they are responding to the well intentioned attitude of … Continue reading
A new role in data privacy: the searcher
The EU’s efforts to define a right to be forgotten and the recent U.S. Supreme Court decision about how privacy is protected on cell phones go hand in hand. They remind us that the medium is still the message and that there is a new role in discussing data access and control. Why connect these … Continue reading
Customer service, distilled
Even security folks serve customers. Perhaps they’re other people that work in the company or they’re the company’s clients. But there is a simple reality to serving customers that is often lost on people because they focus too much on their role within the organization. This chart, a bit exaggeration and a bit parody, is … Continue reading
Let’s stop measuring risk
Ok, I don’t quite mean that. What I mean is let’s stop using residual risk as the final product of the risk measurement calculation. Let’s consider a more pragmatic formula. This is going to seem sacrilegious to NIST and the VERIS guys will probably just think I am being quaint, but I am serious. I … Continue reading
Where Chicken Little Went Wrong
This is about the fundamental formula for assessing risk. I saw a post on a LinkedIn Group the other day, a group where myself and about 39,000 of my closest colleagues (more on them later) exchange ideas around IT Governance and related issues, and I made a comment which led to a discussion which brought … Continue reading
One hand washing the other
Can the HIPAA Security Rule learn something from the HIPAA Privacy Rule? When it comes to encryption at the application security level: yes. First, one of my particular soapboxes: in a world where medical records are increasingly found in digital form, the HIPAA Security Rule and the HIPAA Privacy rule cannot be minded by two … Continue reading
Why isn’t this blog more technical
I am getting a fair amount of questions (which is blogger speak for the more introspective “I keep asking myself”): why isn’t this blog more technical? Why aren’t I persistently advancing threads about advanced persistent threats? Am I intentionally filtering out packet filter discussions? (note to self: do not turn into cyber security’s answer to … Continue reading
The Winter of our discontent
Can information security professionals be satisfied? Ever? Yes. But should they be? Ever wonder if Advanced Persistent Threats came into the world in part because the information security profession became more and more predictable? Or worse: commoditized, as I will discuss below. Lately, as corporate web sites from multiple industries in virtually every continent are … Continue reading
Tellers of tales and Debunkers of myths
An organization needs both. You need someone who can “weave a yarn”, “tell a tale”, “paint a picture with words”, etc. But you also need someone who “lets” facts get in the way of those myths. Marketing and sales folks need to be tellers of tales. And this does not mean they need to be … Continue reading
{Cyber Security} 