In my last article, I talked about using the 20 Critical Controls as a practical security strategy. I showed how the controls map to a wide variety of international and national standards. I also mentioned a great www site, www.auditscripts.com, where you can download 3 excellent spreadsheets to help you measure your progress in the…
DetailsI frequently talk to myself. I think that this is mostly OK, except when I have an argument. The other day, I asked myself, “Who am I?” and I was surprised with the answer. It turns out that this is not a simple question, especially if the one asking is a computer (of course, they…
DetailsWhy did the chicken cross the road? To add 200 more steps to his daily wearable device count! But did the chicken ever stop to think about the impact to his life if that data were to be breached? I have my doubts. In today’s world with the increasing number of devices that we use and…
DetailsThe recent Sony breach attributed to North Korea is only the latest in a series of Sony hacks that trace back to 2005. Most news stories point to the recent breach as an example of why corporations should take information security more seriously. Sony is being used as a cautionary tale of what awaits companies…
DetailsIt’s now commonplace to read that security means more than checking off boxes on a compliance checklist. A robust approach to security includes trying to fill the gaps between the boxes. I would argue that that argument has mostly been won. In No Book to Be By, I argued that we should extend that argument…
DetailsI’ve been around the computer business for a long time. Way back, before the Web and even before computers, if you wanted to send a secret message to someone, you used a simple substitution code. An example of this was the Caesar cipher. This was a simple rotation or shift of the alphabet. Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ…
DetailsNowadays, data breaches are a subject of conversation at dinner tables and in boardrooms. Cyber insurance premiums to cover these breaches are skyrocketing. Recent surveys and breach reports have highlighted the challenges with software security. The 2015 Annual Verizon Data Breach Investigations Report points out that applications are the number one attack vector leading to…
DetailsI went to the Educause Security Professionals Conference last week. I have been going to this conference for many years and always take home something useful. This year, James Bamford, best known as an expert on the NSA, gave the keynote address. His talk was about how America has lost control of this secret and…
DetailsThe world of the CISO is becoming an almost thankless job. No matter what you do, how well you present to the Board, how complete your program is, it seems your back is always against the wall. The business complains of the burden security places on operations, the delays it causes, the relationships it destroys,…
DetailsWhile I was unable to attend RSA this year, after reading Chenxi Wang’s LinkedIn post on ‘Booth Babes’, I have to say… It’s about damn time. To briefly recount a personal experience, several years ago, while walking this same Moscone floor, I was quite literally almost run over by a lycra-wearing ‘policewoman’ buzzing around the expo floor…
DetailsOne of the aphorisms used in security is, “We have to be right all of the time, and the bad guys only have to be right once.” While this may or may not be 100 percent accurate, it is a pretty good policy to go by when you’re building a security program. With over 325,000…
DetailsBayes’ Theorem essentially measures the degree of belief, or certainty in something. The Cybersecurity industry has been challenged with the idea of sensitivity and specificity for quite some time. In computer science this can be codified via binary classification (decision trees, Bayesian networks, support vector machines, neural networks). Many industry Cybersecurity solutions will be relegated…
Details