RISK & CYBERSECURITY

One of the many pieces of accepted wisdom in information/cybersecurity is that complexity is the enemy of security. But is it? You...

This is my list of favorite books across the various professional disciplines I’m interested in. I have a set of favorite books that are...

There is a seminal paper in finance by Charles Ellis called the The Loser’s Game which, in simple terms, foretells the move from active...

The concept of return on investment (ROI) for security has bugged me for a long time. Not because it isn’t a laudable goal. Of course,...

This is the second part of the post from 2 weeks ago, which explored research challenges in Info/Cybersecurity related to systems:...

This is the first of a two part post on research challenges centered on systems, computer science and engineering research challenges....

Many years ago I wrote down a list of the drivers that create information / cyber-risk or that otherwise compel the need to mitigate this...

I can’t recall having seen an overview of a systematized privilege management program. There are lots of great articles on specific...

Security ratings services tend to be loved or loathed. Loved if you consume them and it makes your job easier, especially if you have no...

The success of a security program is largely determined by how well it is integrated into the fabric of the organization, in terms of...

Over the years I've noted the behaviors I’ve seen from consistently successful people. In this context I define success as a balance of...

Scenario planning is one of the most underutilized techniques in security. Which is surprising given how effective it is in [good]...

“For every metric, there should be another ‘paired’ metric that addresses adverse consequences of the first metric.” - Andy Grove We talk...

The uncanny value is a famous term in robotics.  It is used to describe how we accept robots that don’t attempt to look too human, but,...

There will be 6 major themes that differentiate great security programs, products, features and processes. These are different from...

I have built up a disdain for cybersecurity budgeting benchmarks. To be fair, there are some good attempts amid a sea of haphazard...

It still surprises me that much of the tone of vulnerability management is about patch/bug fix vs. detecting broader configuration and...

Truly excellent security programs deliver more than security risk mitigation. I know it is kind of ridiculous to say that when doing the...

There are lots of problem solving techniques across many fields. These are often represented as mental models or behavioral short-cuts....

Continuing with the theme of raising the baseline by reducing the cost of control we can see the next logical progression is that the...