I wrote a piece for ISACA about how the rise of the Chief Trust Officer role is changing the landscape for cyber security and cyber risk leadership. Borrowing from the CISO, CSO, CPO, CIO, and digital transformation roles, the Chief Trust Officer can become the go-to role to govern technology and ensure customers’ trust… Continue reading “Rise of the Chief Trust Officer”
A new whitepaper was released this week from the World Economic Forum. I was very honored to be a part of the group that authored this (you can see my contributions in section 2.2 – Understand the economic drivers and impact of cyber risk). The paper is free to download here.
NIST webinar, app rationalization for Federal Cloud Smart policy, Risk Mgmt Maturity report, and Davos
Welcome to 2020! I kept busy last month, even with the holidays. Here are some updates: I wrote a piece for ISACA about how much spending is being done in aggregate for cyber security and how we need to rationalize the controls we are spending on. The FAIR Institute called this my manifesto here :-) … Continue reading “Welcome to 2020! Cyber Risk Prospectuses and a “Manifesto””
Time for another cyber risk roundup! I was interviewed for an article on Health Security and Risk Frameworks:
Providers Must Go Beyond Frameworks for Strong Risk Management
800,000 Systems Still At Risk to BlueKeep RDP Vulnerability
My hot take on the Equifax settlement
For ISACA, I took aim here discussing the ways in which public… Continue reading “Risk Frameworks, Equifax, and Public Sector Risk”
I wrote a piece for RiskLens* recently that talks about how to utilize FAIR for building and justifying an information security budget and strategic initiatives. It’s an interesting problem space, as there is a need to have the appropriate level of abstraction (program level versus technology level), but it’s also a very solvable problem to… Continue reading “Using Risk to Justify Security Strategy and Spending”
I was reading up on cyber deterrence today and ran across this little gem in relation to nuclear deterrence: Because of the value that comes from the ambiguity of what the US may do to an adversary if the acts we seek to deter are carried out, it hurts to portray ourselves as too fully… Continue reading “Cyber Deterrence”
Many information security practitioners labor daily to increase security for the organizations in which they work. The task itself seems beset with obstacles. On the one hand, there is the need to acquire security funding from executives that are distracted from security by the Sturm und Drang of the daily operation of the business, tempered… Continue reading “Using Economics to Diagnose Security Model Failure”
Jack Jones wrote a blog post for our publisher’s site about why it’s important to justify security spend, and how the industry is at a turning point about that. Also, another quick note: it seems that the book is available on Google Play in eBook format (scanned pages; not reflowable like you’d get on Kindle).
I participated in my second risk management podcast for the Open Group that was published today. I like this one better than my previous one – I tried to talk slower in this one anyways ;-) I was happy with the topics that we discussed, most notably that as regulators become more aware of the capabilities of… Continue reading “Open Group Podcast on Risk – June 2013”