Enterprise Cyber Risk Management
Cybersecurity Thrives in An Organizational Context
It is common knowledge that you cannot define the security of anything without understanding its context. It is also true that to improve your organization’s security posture you need to understand that organization. Over 50% of CISOs still report to the CIO function. This blog post outlines, in Mind Map format, the activities of the…
The First National Cybersecurity Summit
On July 31, 2018, I attended the first National Cybersecurity Summit at the US Customs House in lower Manhattan. The building itself was constructed around 1902-1907 in order to collect tariffs. Teddy Roosevelt was President and tariffs were a subject of divisive national debate. Global issues were still in evidence at the Cybersecurity Summit, with…
New Privacy Laws Require Security Professionals Up Their Game
Two recent privacy laws—GDPR and the California Consumer Privacy Act (AB-375) –focus more attention on protecting the digital privacy of individuals. Both laws will require that security professionals up their game. In this post, I will cover some of the security implications of AB 375. Gone are the days when privacy requirements could be handed…
Cybersecurity Workforce Development: Real or Imagined Problem?
Yesterday DHS and the Commerce Department released their most recent workforce report “Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce”. The report was commissioned by the Trump administration in May 2017. Having studied this issue from roles in academia, private industry and government, I thought I would share my thoughts on the report.…
Antidote for Fake Everything
In this digital era, anything can be faked; followers, news, experts, emails, and so on. The possibilities are limited only by the imagination of the faker. It turns out that these issues were addressed back in 1996, by Carl Sagan, the world-famous astronomer. His context was UFOs, but his formula for separating facts from fiction…
Information Security Risks, Gray Rhinos and Black Swans
Information security over the past few years has been obsessed with zero-day vulnerabilities, hacking exploits, and headline-making mega breaches. Every security risk manager is looking for the “unknown unknowns” that could result in untimely unemployment. But is that the right approach? One presentation and one book made me think otherwise. The presentation was Alex Stamos’s…
Managing Information Security On a Limited Budget
The recent government shutdown got me thinking about budgets and information security. Having just submitted a proposal to a small business myself, I am asking the question: What is best practice for small or mid-sized business (SMB) information security? Every SMB is going to have a limited budget. This budget has to cover control implementation and maintenance. There’s no…
Building a Security Start-Up
If only building a security start-up were as predictable as the transition from caterpillar to butterfly! But it’s not. Unfortunately, it usually requires many turns and corresponding changes. Consider companies like Blackberry, once a ubiquitous handset provider, now an enterprise security provider. Or Radware, once a load balancing product company, now known for its DDoS…
Cybersecurity Risk Management for Directors
There are many posts on corporate directors’ responsibilities toward the organizations where they are board members. In fact, corporate directors themselves may be targets for hacktivists or cybercriminals and need to make sure they have adequate protection. This protection should include both home and professional office. Directors obviously will have access to sensitive insider information…
How IT Leaders Can Keep a Seat at the Table
In this era of digital disruption, business leaders are turning to technology to keep up. But, will they continue to turn to traditional IT leaders to map out the future? This is the question addressed by Mark Schwartz’s new book A Seat at the Table. Mr. Schwartz engagingly analyzes the present and provides guidance for IT leaders…