Time for another cyber risk roundup! I was interviewed for an article on Health Security and Risk Frameworks: Providers Must Go Beyond Frameworks for Strong Risk Management 800,000 Systems Still At Risk to BlueKeep RDP Vulnerability My hot take on the Equifax settlement For ISACA, I took aim here discussing the ways in which publicContinue reading “Risk Frameworks, Equifax, and Public Sector Risk”
Time for another roundup! Below are some works I’ve recently done on Apex Threat Agents, HITRUST, my time at the Gartner Summit, and some thoughts on Iranian attacks. How to Model Risk in an Apex Predator Cyber-World Enhancing HITRUST Risk Assessments with Cyber Risk Quantification (CRQ) Gartner 2019 Debate: Quantitative vs. Qualitative Cyber Risk AnalysisContinue reading “Apex Threat Agents, More HITRUST, Quant/Qual Showdown, and Iran”
As a part of my new role with RiskLens, I’ve been publishing several articles. Included here is a recap of my work over the past month: The ZombieLoad speculative execution bug raised the specter of a possible 40% hit in performance. I gave a plan to evaluate this new bug in the context of riskContinue reading “ZombieLoad, Business Acumen, HITRUST, and DHS Directive”
Security leadership is risk leadership
With RSA completed over two weeks ago, and an ensuing sickness, I realized I haven’t posted about my presentation with Joel Amick. I thoroughly enjoying sharing this work with the RSA audience and had some great conversations afterwards. I think agent-based modeling (ABM) has some interesting use cases in cybersecurity and risk management. I think that inContinue reading “RSAC 2019 Virtual Pen Testing Slides Available”
For this months @ISACA Tips column, I wrote about the conundrum of defining and assessing emerging risk. Its an interesting space to assess; technologies and trends so cutting edge that they sorta defy precision assessments, yet also so important as to require them. You can check it out here.
I was recently interviewed by the FAIR Institute as a part of their Meet a Member series. I talk a little bit about my origins measuring cyber risk using FAIR. You can listen to the interview here.
RSA Conference is next week and I’m excited to share that I will be presenting on some work a a colleague and I have done on building an Agent-Based Model (ABM) using FAIR risk data. This should be an interesting discussion, so please join me next Wednesday at 2:50PM Pacific in Moscone West 2011. IContinue reading “Presenting on Agent Based Risk Modeling at RSA Conference Next Week”
“There is a certain uselessness in saying an organization does not want to accept high risk.” My latest @ISACA article was published and as I was re-reading this line it resonated with me even more. You have to have more fidelity in how you define risk appetite for it to be useful. More tips onContinue reading “Applied Risk Appetite”
On November 7th I was honored by my alma mater, Nova Southeastern University, as the 2018 Distinguished Alumni from the College of Engineering and Computing. It was an amazing event and the alumni association treated us all very well. I was humbled by the caliber of people alongside which I was named. They recited allContinue reading “Named NSU Distinguished Alumni”