9 hours ago5 minThe Most Important Mental Models for CISOs - Simple Steps for Outsize EffectsThere are lots of problem solving techniques across many fields. These are often represented as mental models or behavioral short-cuts. H...
Sep 203 minThe Rising Tide and the Case for Security OptimismContinuing with the theme of raising the baseline by reducing the cost of control we can see the next logical progression is that the fas...
Sep 134 minRaise the Baseline by Reducing the Cost of ControlOne of the most successful techniques for enterprise security in many organizations is to create a universal baseline of controls that ap...
Sep 63 minTaking Inventories to the Next Level - Reconciliation and TriangulationWe know it is important to have good inventories across all of the assets we care about in an enterprise. For security purposes this is, ...
Aug 223 minCybersecurity Workforce Development - UpdatedIt is still somewhat frustrating that most of the dialog about the skills shortage in cybersecurity focuses, perhaps inevitably, on the a...
Aug 83 minInsider Threat - Blast Radius Perspective - UpdatedOf the vast canon of insightful commentary that has come from Dan Geer over many years, one that especially stuck with me was his descrip...
Aug 110 minCybersecurity and the Board : A Fresh Perspective?How to represent cybersecurity (or technology / information risks more generally) to the Board is an ongoing subject of discussion in mos...
Jul 254 minCompliance vs. SecurityIt is sad that many security discussions are so binary: that is, if you’re not wildly for something then you must be wildly against it. O...
Jul 183 minThreat Intelligence - UpdatedThis is an update from a thread that became a post last year. Threat intelligence seems, at least to me, to get maligned too much. For ma...
Jul 123 minSecurity Leadership: A-grades vs. Pass/FailThe underlying secret of most great security leaders and teams is one thing: the ability to know what needs to be done really well vs. wh...
Jun 74 minAre Security Incidents Really Increasing?I see regular waves of articles and commentary that assert : “We are spending more and more on security but security incidents / breaches...
May 173 minCrypto isn’t the Only Cyber Issue in a Post Quantum WorldLet’s assume general purpose quantum computers that can operate usefully at scale are coming. I think a reasonable timeframe is 15 years....
May 92 minThink Twice Before Switching Off Controls : Chesterton's FenceChesterton's Fence is a cautionary tale to make sure that before you change things you actually understand their purpose. This is particu...
May 35 minCyber Risk QuantificationRisk quantification, in any field, is not an end in itself. It exists to compel some action. That action might be to drive decisions or s...
Apr 265 minAre You Managing Your Risk Register Effectively?Not all risks are possible to fully mitigate in every context, so you need to record and manage those residual risks. These are often put...
Apr 194 minIntelligence Failures - “The Distortion of Retrospect”The codebreaking and overall intelligence success of Bletchley Park in World War II is legendary. Ultra, along with broader Allied signal...
Apr 53 minPrioritizing Security Improvements - A Deceptively Simple WayIn most organizations you are constantly upgrading your security controls. This is for many reasons, including: New threats induce higher...
Mar 222 minSelling into a Crisis (Rights and Wrongs) It can be irritating to receive e-mails from vendors during a time of crisis, like now, with the spin that their products can help. It is...
Mar 13 minCybersecurity Macro Themes for the 2020'sIn this coming decade there will be 5 major themes that differentiate great security programs, products, features and processes. These ar...
Feb 25 minDealing with the Deluge of VendorsEveryone is deluged with approaches from product and service vendors, small and large. Even vendors struggle to keep track of who their c...