There are many skilled and intelligent people who aspire to become a Chief Information Security Officer (CISO). I have some career advice for them: Don’t aspire to be a CISO. Instead, seek to be the best professional at each step in your career. Those of us who do become CISOs do so because we have a…
Details
I have gone back and forth for a long time. Should security be risk-centric or data-centric. Outside of security professionals, you sometimes meet people who believe security should be compliance-centric and others who believe security should be audit-centric (which is a type of compliance-centrism). Certainly there used to be network-centric views of security but they…
Details
CISO Security professionals feel no great joy in being right about patching. The past two months have been a period of “I told you so” moments for anyone who has ever had to have the conversation with a sys admin about the importance of patching. It’s been a long time for me but the memory…
Details
“We drive into the future looking into our rear view mirrors” Marshall McLuhan (The views expressed in this article are entirely my own do not reflect the position of my employer the Federal Reserve Bank of Richmond, the Federal Reserve Board of Governors, or the Federal Reserve System as a whole.) Notably absent from the dearth…
Details
CISOs are often in a situation where the CEO or a Board member asks them, “Just how secure are we?” Or “Are we secure enough?” These questions sound simple, but are quite difficult to answer accurately. The quick answer to the question would be, “We are more secure today than we were before and are…
Details
To Michael Mangold, the CISO of rural lifestyle retailer Tractor Supply Company, located outside Nashville, Tennessee, the most important skills for a CISO are not only technical. While his background includes technical qualifications and certifications, and the ability to evaluate new and emerging technologies and risks, Mangold also relies on his background and training in…
DetailsRecently, I posted a picture of a mind-map that I created just called “The Map of Cybersecurity Domains (v1.0).” The map was put together as a way to clear my head by fully immersing myself in the world of cybersecurity day-in and day-out for the past few years, and constant reminder that just how complex and…
DetailsThe first week of March in 2017 will be remembered as the time that AWS (Amazon Web Services) failed. The actual failure was in the Amazon Simple Storage Service (S3), but to the world in general, if your stuff was running in the Amazon cloud, it was not working. Amazon provided a very complete write up…
Details
Each year brings more large-scale security and privacy breaches, leaving the general public questioning to what extent companies could be trusted with their sensitive information. Retail, health care, banking, entertainment, governments – no industry is left untouched. Security and privacy must remain top of mind within every organization as both are essential in safeguarding data, protecting…
DetailsIn this series I take a close look at the Framework for Improving Critical Infrastructure Cybersecurity which NIST first published in February of 2014. Read Part One ‘All Infrastructure and the NIST Framework’ and Part Two ‘Hackers Are Not Afraid of Frameworks.’ There I was preparing part 3 of my close reading of the 2014 Framework for…
DetailsThere is an extraordinary amount of money and time spent on detection and response relative to cybersecurity, and much of this conversation is technology focused. In this series of articles, DocuSign CISO Vanessa Pegueros explores a different aspect of incident response — the human being. She asserts that people ultimately orchestrate incident response and the…
Details
Today the cybersecurity sector is fraught with the challenge of a diminished talent pool. Cisco’s report, “Mitigating the Cybersecurity Skills Shortage,” highlights the worldwide shortage of one million information security professionals. It sends out a disturbing warning to the cybersecurity industry to bridge this gap immediately or face consequences with significant costs. There is no…
Details