David Sheidlower


Turner Construction

David Sheidlower, CISSP, CISM is the Chief Information Security Officer for Turner Construction, one of the largest construction management companies in the United States. Previously he was CISO at BBDO, the world's most awarded advertising agency. Before that he was CISO for Health Quest, the Mid-Hudson Valley's largest healthcare system. David also serves as a member of the State of New York Health Information Network Policy Committee. Prior to Health Quest, he was the Division Information Security Officer within the small business lending division of Wells Fargo Bank—the largest small business lender in the country. David writes and blogs on security with a focus on the intersection of cyber security and humanism, something he is uniquely qualified to write on. His past activities include presenting at the MIS Institute’s Big Data Security Conference, working with the World Health Organization on Functional Health Status Measures and teaching letterpress printing at the Naropa Institute’s Jack Kerouac School for Disembodied Poetics in Boulder, Colorado. David also blogs at www.cybersecrighthere.com. He holds a Bachelor’s degree from the University of California, Berkeley and a Master’s degree in Health Service Administration from St. Mary’s College of California.

At the Privacy & Security Forum: What I Said

Posted on: 16 Nov 2015

Focus is over-rated when you’re starting out. The original idea for my presentation at The Privacy & Security Forum in Washington, D.C. was to talk exclusively on how security controls relate to the frameworks that sweep them up and organize them. It was to be “how controls become a framework” in the spirit of the…

At the Privacy & Security Forum: What I Saw

Posted on: 28 Oct 2015

Privacy folks and security folks were finally intermingling by design and not by accident or through one or the other being adventurous.  I’m a huge proponent of the two being intermingled (my post Security and Privacy walk into a bar is an example). So I was glad to attend the inaugural Privacy & Security Forum…

Afterthoughts: Big Data and Us Little People

Posted on: 07 Jul 2015

The original series was written in a frenzy. Aggregating is the inverse of broadcasting. Aggregation is biased towards anonymity. Being the subject of a data point is a matter of immediate experience. Cohorts choose people more than people choose cohorts. And so on. Frenzies have a welcome feature: the simultaneity of both focus and chaos. …

Compliance Beyond Black and White

Posted on: 28 May 2015

It’s now commonplace to read that security means more than checking off boxes on a compliance checklist.  A robust approach to security includes trying to fill the gaps between the boxes.  I would argue that that argument has mostly been won. In No Book to Be By, I argued that we should extend that argument…

Falsely Negative About False Positives

Posted on: 22 Apr 2015

Distributed Denial of Service (DDoS) attacks are very inefficient but very effective.  Auditors are careful to be sure their findings are accurate so that they are not accused of being unfair to their subjects and so they maintain their reputation for impartiality.  Spammers expect a small number of hits for the millions of messages they…

No Book to Be By

Posted on: 17 Mar 2015

In some cases, hiring a project manager is the most sensible thing you can do. A seemingly can’t-miss action that preserves the status quo while getting the organization where it needs to be. But it is a huge mistake. This rant is written with all due respect to project managers everywhere, but read on…

Risk Averse. Rule Averse.

Posted on: 17 Feb 2015

It’s 2 in the morning.  You are stopped at a well-lit, completely empty intersection looking up at a red light.  If you’re like me, you will wait till that light turns green before taking your foot off the brake, but there is a nagging little part of you that bristles at the thought that the…

Risk Based vs. Rule Based

Posted on: 27 Jan 2015

I have always found that information security professionals tend to fall into three categories: SWAT Teams, Power Rangers or Nerds with an edge (see a blog post of that name I wrote earlier by clicking here). We all play all three roles, of course, when the need arises. But we all have our tendencies. When…

The Question of the Questions

Posted on: 13 Jan 2015

Incessant questioning can reduce the best thinking to no more than a background chorus of “Are we there yet?”  But there are still some things that have to be asked. I have spent the past four articles observing how aggregation is emerging as more than just an automated process.  I’ve tried to show the following:…

GRC Debunker

Posted on: 11 Dec 2014

(UPDATED) CISO’s and their teams are not just producers of risk analyses and assessments.  We are also consumers of them.  They come from many sources.  The main four are: Responses from third parties whose goods and services we are evaluating as part of our due diligence Assessments provided by entities that are targets of mergers, acquisitions,…