High Accumulation

I recently relocated to Charlotte from Ohio. It's South, but not so much so that it doesn't get cold and yes, sometimes there is even snow. As I become acclimated to things down here, I am always surprised at the response that folks from here have to snow. They dislike it immensely and are often …

It’s always about the money

I live in a fairly straightforward world, I guess. I'm often accused of being naive but I'd argue I feel enlightened. Put bluntly, I think risk is always about money. This has to do with my education from Douglas Hubbard. When I hear nebulous problems I know that I can use the methods of Enrico …

Substituting Risk Tolerances

I hate hand dryers in washrooms. I'm not alone: if Wikipedia is to be believed, 63% of people preferred paper towels over hand dryers in restrooms. I'd wager the other 37% chose what they thought was the right answer. Each time I use them, I always end up with cold, wet hands and if I'm …

Private Sector Cyberwar – part 2

I wrote about this last May, namely that so-called cyberwar events are not for the domain of the private sector to defend against. I made an argument that cyberwar perpetrators are in the upper percentiles of attackers (95%+) and that outside of building our organization's control strength up to that level, let's just leave …

How Security, Audit, and Risk should work together

My article on the role of audit and risk was published in the ISSA Journal this past October 2012. If you didn't catch it then, you can find it here. I began this article with a question: when did IT auditing become a profession? With that in mind, I went back to the original version of COBIT …

Security is an Empty Gun

There is a point where a security exception ceases to be an exception and becomes the rule. It's at times like these that the information security department can swagger in and lay down the law. Put simply, security makes the rest of the business comport to its will, and if push comes to shove security …

I’d like the medium please

I was thinking about risk heatmaps the other day and how organizations use different labels. Some stick with the tried and true: High, Medium, and Low. Oftentimes an interesting label is added: severe, important, serious, OMG, Armageddon, and then the highest, PCI. Intrinsically, these labels do little to communicate the relative risk. Research has indicated …

Knuckle Busters

Where I live, we have been experiencing a lot of severe weather and with it, power outages. It's always fascinating to students of risk to watch how organizations behave in these scenarios. Especially interesting are how retail establishments deal with payment issues. I entered an office supply store the other day to purchase some equipment …