Feb 26 | 4 min read | Controls - Updated
I wrote the first version of this post nearly 3 years ago. It is interesting that since then much of it remains true. Oddly, it also...

Sep 12, 2021 | 8 min read | If Accounting were like Cybersecurity
It has always struck me how well the field of finance and more specifically accounting has done to standardize on its terms. This...

May 22, 2021 | 2 min read | Segmentation Technologies / Zero Trust
I first came across the notion of doctrine vs. structure in this depiction about the relative positioning of tanks from some blog or...

Apr 24, 2021 | 1 min read | Leadership, Business, Security and Risk Reading List
This is my list of favorite books across the various professional disciplines I’m interested in. I have a set of favorite books that are...

Feb 27, 2021 | 3 min read | "Hell Yes, or No" vs. "Soft Yes, and Fast Quit"
I am a big fan of the concept of saying, “Hell Yes, or No” to decide whether to do something or not. Derek Sivers has written well about...

Jan 30, 2021 | 5 min read | Research Challenges in Info/Cybersecurity - Part 1: “Silicon”
This is the first of a two part post on research challenges centered on systems, computer science and engineering research challenges....

Dec 19, 2020 | 5 min read | Privilege Management Program - Governance
I can’t recall having seen an overview of a systematized privilege management program. There are lots of great articles on specific...

Nov 22, 2020 | 5 min read | Scenario Planning - The Best Technique You Might Not Be Using
Scenario planning is one of the most underutilized techniques in security. Which is surprising given how effective it is in [good]...

Oct 13, 2020 | 2 min read | Vulnerability Management - Updated
It still surprises me that much of the tone of vulnerability management is about patch/bug fix vs. detecting broader configuration and...

Sep 20, 2020 | 3 min read | The Rising Tide and the Case for Security Optimism
Continuing with the theme of raising the baseline by reducing the cost of control we can see the next logical progression is that the...

Sep 6, 2020 | 3 min read | Taking Inventories to the Next Level - Reconciliation and Triangulation
We know it is important to have good inventories across all of the assets we care about in an enterprise. For security purposes this is,...

May 17, 2020 | 3 min read | Crypto isn’t the Only Cyber Issue in a Post Quantum World
Let’s assume general purpose quantum computers that can operate usefully at scale are coming. I think a reasonable timeframe is 15 years....

May 9, 2020 | 2 min read | Think Twice Before Switching Off Controls : Chesterton's Fence
Chesterton's Fence is a cautionary tale to make sure that before you change things you actually understand their purpose. This is...

Feb 2, 2020 | 5 min read | Dealing with the Deluge of Vendors
Everyone is deluged with approaches from product and service vendors, small and large. Even vendors struggle to keep track of who their...

Jan 20, 2020 | 4 min read | Operational Resilience
The Bank of England has recently released a sequence of consultation papers, after an earlier discussion paper, laying out a framework...

Jan 1, 2020 | 3 min read | Predictions and Calls to Action
It’s that time of year for all the predictions of what to expect for the next year, and now - the next decade. I’m generally not a fan of...

Nov 10, 2019 | 1 min read | Shrines of Failure
I was at an event recently where one participant talked passionately about a disaster they had that they have since preserved artifacts...

Sep 1, 2019 | 2 min read | Vulnerability Management
I don’t see much written on vulnerability management in more holistic terms vs. patch/bug fixing. This might be ok given a lot of...

May 24, 2019 | 1 min read | Coding Skills and Security
I've increasingly found, with respect to coding, security has come full circle. Those of us who started in the 80's/90's had to code (or...

Feb 12, 2019 | 2 min read | Technology - Retrospective
In the late 1980’s I was a developer using virtualized systems and containers, software defined networks, thin-client end points that...