Lowest Common Risk Denominator

I tackle the notion of risk appetite in this month’s column using some metaphors with which you might be familiar. You don’t get to pick your auto insurance coverage by expressing the number of accidents you are willing to accept, yet that’s how a lot of organizations think about cyber risk. Fortunately, the cyber insuranceContinue reading “Lowest Common Risk Denominator”

Smart Contracts

I was interviewed for, and quoted in, this ISACA publication around Smart Contracts. Upon reflection, what we are really seeing is just a continuation of the concept of Code = Law as pointed out by Lawrence Lessig in his 1999 book, Code and Other Law of Cyberspace. The Smart Contracts doc is a free downloadContinue reading “Smart Contracts”

Interviewed on the Juicebox Podcast

I was recently interviewed on the JuiceBox Podcast, a production of the Arden’s Day Blog. This is a Diabetes-heavy conversation which I sometimes talk about on my Blog. About halfway through we do have a little discussion¬†about risk when we talk about how I viewed the having a child that has T1D the same asContinue reading “Interviewed on the Juicebox Podcast”

Risk and Regulation

My latest @ISACA article was published today. In it, I focus on the notion of where our authority comes from in Information Security. Too often, in my opinion, we rely on regulation as a source of “why” when articulating control requirements. I think this is dangerous and counter to the very nature of what anContinue reading “Risk and Regulation”

Article on Cyber Risk Taxonomy on Risk.Net

I wrote a piece for risk.net that discusses techniques for integrating a cyber risk taxonomy with an operational risk taxonomy. It’s behind a paywall, so apologies for that up front, but they do have a free trial. Its a great article for those that are struggling with aligning the need for cyber risk granularity withContinue reading “Article on Cyber Risk Taxonomy on Risk.Net”