Doing it Differently

As security professionals, sometimes the advice we get is to think about the security controls we deploy as some mix of “cloud access security brokerage” and “user and entity behavioral analytics” and “next generation endpoint protection.” We’re also supposed to “hunt”, “comply,” and ensure people have had their “awareness” raised. Or perhaps they mean “training,”…

Read More A New Way to Tie Security to Business

For the last few months, I’ve been working full time and talking with colleagues about a new way for security executives to measure the effectiveness of security programs. In very important ways, the ideas are new and non-obvious, and at the same time, they’re an evolution of the ideas that Andrew and I wrote about…

Read More Improving Security Effectiveness

There’s a recurring theme in data breach stories: The risks were clear to computer experts inside $organization: The organization, they warned for years, might be easy prey for hackers. But despite alarms as far back as 2008, $organization was slow to raise its defenses, according to former employees. The particular quote is from “Ex-Employees Say…

Read More Employees Say Company Left Data Vulnerable

All through the week of BSides/BlackHat/Defcon, people came up to me to tell me that they enjoyed my BSides Las Vegas talk. (Slides, video). It got some press coverage, including an article by Jon Evans of TechCrunch, “Notes From Crazytown, Day One: The Business Of Fear.” Mr. Evans raises an interesting point: “the computer security…

Read More BSides LV: Change Industry Or Change Professionals?

Stefan Larson talks about “What doctors can learn from each other:” Different hospitals produce different results on different procedures. Only, patients don’t know that data, making choosing a surgeon a high-stakes guessing game. Stefan Larsson looks at what happens when doctors measure and share their outcomes on hip replacement surgery, for example, to see which…

Read More What Security Folks Can Learn from Doctors

We’ve been hearing for several years that we should assume breach. Many people have taken this to heart (although today’s DBIR still says it’s still months to detect those breaches). I’d like to propose (predict?) that breach as a central concept will move through phases. Each of these phases will go through a hype cycle,…

Read More The Breach Trilogy: Assume, Confirm, Discuss