Doing it Differently

At RSA’17, I spoke on “Security Leadership Lessons from the Dark Side.” Leading a security program is hard. Fortunately, we can learn a great deal from Sith lords, including Darth Vader and how he managed security strategy for the Empire. Managing a distributed portfolio is hard when rebel scum and Jedi knights interfere with your…

Read More Introducing Cyber Portfolio Management

There are two great blog posts at Securosis to kick off the new year: Tidal Forces: The Trends Tearing Apart Security As We Know It (Rich Mogull) Network Security in the Cloud Age: Everything Changes (Mike Rothman) Both are deep and important and worth pondering. I want to riff on something that Rich said: On…

Read More 2017 and Tidal Forces

[Dec 20 update: The first draft of this post ended up with both consumer and enterprise advice, which made it complex. The enterprise half is now on the IANS blog: Never Waste a Good Crisis: Yahoo Edition.] Yesterday, Yahoo disclosed that attackers broke into Yahoo in 2013 and stole details on a billion accounts. Brian…

Read More Yahoo! Yippee? What to Do?

One of the themes of The New School of Information Security is how other fields learn from their experiences, and how information security’s culture of hiding our incidents prevents us from learning. Today I found yet another field where they are looking to learn from previous incidents and mistakes: zombies. From “The Zombie Survival Guide:…

Read More Learning from Our Experience, Part Z

Recently, some of my friends were talking about a report by Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports.” In that report, we see things like: More than three in five board members say they are both significantly or very “satisfied” (64%) and “inspired”(65%) after the typical presentation by IT and…

Read More What Boards Want in Security Reporting

Back in October, 2014, I discussed a pattern of “Employees Say Company Left Data Vulnerable,” and its a pattern that we’ve seen often since. Today, I want to discuss the consultant’s variation on the story. This is less common, because generally smart consultants don’t comment on the security of their consultees. In this case, it…

Read More Consultants Say Their Cyber Warnings Were Ignored