NIST webinar, app rationalization for Federal Cloud Smart policy, Risk Mgmt Maturity report, and Davos
I’m very excited to announce that I will be speaking at the Cyber Future Dialogue in two weeks in Davos, Switzerland during the World Economic Forum. This is going to be an amazing opportunity to converse with distinguished leadership from around the world on the necessity of and practical means to operationalize cyber risk quantificationContinue reading “Speaking at the Cyber Future Dialogue in Davos during the World Economic Forum (WEF)”
Welcome to 2020! I kept busy last month, even with the holidays. Here are some updates: I wrote a piece for ISACA about how much spending is being done in aggregate for cyber security and how we need to rationalize the controls we are spending on. The FAIR Institute called this my manifesto here :-)Continue reading “Welcome to 2020! Cyber Risk Prospectuses and a “Manifesto””
First off, I’m very pleased to announce that I will be presenting again next year at the RSA Conference. My session is called “Maturing Cyber-Risk Management Practices: Framework and Next Steps” (EZCL-R01). This will be done as a Collaborative Learning Session (a new RSAC format). I’ll lead a discussion then turn it over to theContinue reading “RSA 2020, NIST CSF, and Dark Reading”
Time for another roundup! Below are some works I’ve recently done on Apex Threat Agents, HITRUST, my time at the Gartner Summit, and some thoughts on Iranian attacks. How to Model Risk in an Apex Predator Cyber-World Enhancing HITRUST Risk Assessments with Cyber Risk Quantification (CRQ) Gartner 2019 Debate: Quantitative vs. Qualitative Cyber Risk AnalysisContinue reading “Apex Threat Agents, More HITRUST, Quant/Qual Showdown, and Iran”
As a part of my new role with RiskLens, I’ve been publishing several articles. Included here is a recap of my work over the past month: The ZombieLoad speculative execution bug raised the specter of a possible 40% hit in performance. I gave a plan to evaluate this new bug in the context of riskContinue reading “ZombieLoad, Business Acumen, HITRUST, and DHS Directive”
I was recently interviewed by the FAIR Institute as a part of their Meet a Member series. I talk a little bit about my origins measuring cyber risk using FAIR. You can listen to the interview here.
I was humbled this week when I was awarded the FAIR Champion award from the FAIR Institute at their annual conference last week at Carnegie Mellon in Pittsburgh, PA. Jack Jones has created this extraordinary thing in FAIR and it is and will continue to do nothing less than revolutionize our industry. That he decidedContinue reading “FAIR Institute Champion Award”
I’m looking forward to participating on this panel discussion at the upcoming FAIR Conference. This is a topic that really speaks to me and I’m looking forward to sharing what I’ve experienced and hearing from the co-panelists about how they’ve accomplished the same. Here’s the full agenda and if you haven’t registered yet you canContinue reading “FAIR Conference ’18 Panel – Getting Buy-In for a Quantitative Risk Management Program”
I was inspired to write this article by a change in the speed limit that happened on a local Interstate. It was a good jumping off point to illustrate the parallels between speed limits and risk appetite and what it takes to change each. You can read the article on the FAIR Institute website here.