WEF – Principles of Board Governance for Cyber Risk

A new whitepaper was released this week from the World Economic Forum. I was very honored to be a part of the group that authored this (you can see my contributions in section 2.2 – Understand the economic drivers and impact of cyber risk). The paper is free to download here.

Welcome to 2020! Cyber Risk Prospectuses and a “Manifesto”

Welcome to 2020! I kept busy last month, even with the holidays. Here are some updates: I wrote a piece for ISACA about how much spending is being done in aggregate for cyber security and how we need to rationalize the controls we are spending on. The FAIR Institute called this my manifesto here :-)Continue reading “Welcome to 2020! Cyber Risk Prospectuses and a “Manifesto””

Risk Frameworks, Equifax, and Public Sector Risk

Time for another cyber risk roundup! I was interviewed for an article on Health Security and Risk Frameworks: Providers Must Go Beyond Frameworks for Strong Risk Management 800,000 Systems Still At Risk to BlueKeep RDP Vulnerability My hot take on the Equifax settlement For ISACA, I took aim here discussing the ways in which publicContinue reading “Risk Frameworks, Equifax, and Public Sector Risk”

Using Risk to Justify Security Strategy and Spending

I wrote a piece for RiskLens* recently that talks about how to utilize FAIR for building and justifying an information security budget and strategic initiatives. Its an interesting problem space as there is a need to have the appropriate level of abstraction (program level versus technology level) but its also a very solvable problem toContinue reading “Using Risk to Justify Security Strategy and Spending”

Using Economics to Diagnose Security Model Failure

Many information security practitioners labor daily to increase security for the organizations in which they work. The task itself seems beset with obstacles. On the one hand, there is the need to acquire security funding from executives that are distracted from security by the sturm und drang of the daily operation of the business, temperedContinue reading “Using Economics to Diagnose Security Model Failure”

Open Group Podcast on Risk – June 2013

I participated in my second risk management podcast for the Open Group that was published today. I like this one better than my previous one–I tried to talk slower in this one anyways  ;-) I was happy with the topics that we discussed, most notably that as regulators become more aware of the capabilities ofContinue reading “Open Group Podcast on Risk – June 2013”

Substituting Risk Tolerances

I hate hand dryers in washrooms. I’m not alone: if Wikipedia is to be believed, 63% of people preferred paper towels over hand dryers in restrooms. I’d wager the other 37% choose what they thought was the right answer. Each time I use them, I always end up with cold, wet hands and if I’mContinue reading “Substituting Risk Tolerances”