Category Archives: Decision making

Risk Response Requires Critical Thinking

My @ISACA column was published today. Read it here.   Edited: I realized they edited the full submission I made (I could tell because it sounded a little off from what I recalled). Below is the full post:   Depending on your point of view, risk management is either a very easy or a terrifically difficultContinue reading “Risk Response Requires Critical Thinking”

I want what they’re having

When consulting on a security issue, one of the questions that makes me grind my teeth more than any other is some variation of, “What’re our competitors doing?” My initial reaction is always, “Who cares?” Its really just a useless way to think about security and risk. In my experience, no one asks this question because they areContinue reading “I want what they’re having”

Negligence and Compliance

Compliance is out of control. Its pervasive in our society now and there is no going back. Allow me to explain. My kid attends pre-school. They go outside daily to play, so we were asked to provide some sunblock. Makes sense, our family is pale so we are used to that routine. We brought itContinue reading “Negligence and Compliance”

How Security, Audit, and Risk should work together

My article on the role of audit and risk was published in the ISSA Journal this past October 2012. If you didn’t catch it then, you can find it here. I began this article with a question, when did IT auditing become a profession. With that in mind, I want back to the original version of COBITContinue reading “How Security, Audit, and Risk should work together”

Security is an Empty Gun

There is a point where a security exception ceases to be an exception and becomes the rule. Its at times like these that the information security department can swagger in and lay down the law. Put simply, security makes the rest of the business comport to its will, and if push comes to shove securityContinue reading “Security is an Empty Gun”

I’d like the medium please

I was thinking about risk heatmaps the other day and how organizations use different labels. Some stick with the tried and true: High, Medium, and Low. Oftentimes an interesting label is added: severe, important, serious, OMG, Armageddon, and then the highest, PCI. Intrinsically, these labels do little to communicate the relative risk. Research has indicatedContinue reading “I’d like the medium please”

Knuckle Busters

Where I live, we have been experiencing a lot of severe weather and with it, power outages. Its always fascinating to students of risk to watch how organizations behave in these scenarios. Especially interesting are how retail establishments deal with payment issues. I entered an office supply store the other day to purchase some equipmentContinue reading “Knuckle Busters”