Pandemic Lessons and Record Count

I was asked to write a piece for ISACA about cyber risk in the Pandemic. I used some popular memes as a bouncing off point to talk about how to manage risk in these crazy times. You can read this here. I also had my article about why using record counts as your risk appetiteContinue reading “Pandemic Lessons and Record Count”

Positive Risk, ISACA Journal, and more NIST

ISACA asked me to write a short piece on my Journal article about risk communication. They published that here. I also wrote a blog post for the @ISACA newsletter about the trouble with positive risk. Lastly, NIST released an update to their ERM-Cyber integration standard and my friends at the FAIR Institute asked me toContinue reading “Positive Risk, ISACA Journal, and more NIST”

Welcome to 2020! Cyber Risk Prospectuses and a “Manifesto”

Welcome to 2020! I kept busy last month, even with the holidays. Here are some updates: I wrote a piece for ISACA about how much spending is being done in aggregate for cyber security and how we need to rationalize the controls we are spending on. The FAIR Institute called this my manifesto here :-)Continue reading “Welcome to 2020! Cyber Risk Prospectuses and a “Manifesto””

Risk Frameworks, Equifax, and Public Sector Risk

Time for another cyber risk roundup! I was interviewed for an article on Health Security and Risk Frameworks: Providers Must Go Beyond Frameworks for Strong Risk Management 800,000 Systems Still At Risk to BlueKeep RDP Vulnerability My hot take on the Equifax settlement For ISACA, I took aim here discussing the ways in which publicContinue reading “Risk Frameworks, Equifax, and Public Sector Risk”

ZombieLoad, Business Acumen, HITRUST, and DHS Directive

As a part of my new role with RiskLens, I’ve been publishing several articles. Included here is a recap of my work over the past month: The ZombieLoad speculative execution bug raised the specter of a possible 40% hit in performance. I gave a plan to evaluate this new bug in the context of riskContinue reading “ZombieLoad, Business Acumen, HITRUST, and DHS Directive”

Applied Risk Appetite

“There is a certain uselessness in saying an organization does not want to accept high risk.” My latest @ISACA article was published and as I was re-reading this line it resonated with me even more. You have to have more fidelity in how you define risk appetite for it to be useful. More tips onContinue reading “Applied Risk Appetite”

ICYMI: Risk Management and the Paradox of Common Sense

I really enjoy reading Duncan Watts work and I was blown away by how he assailed the concept of common sense that we all rely upon so readily: What we don’t realize, however, is that common sense often works just like mythology. By providing ready explanations for whatever particular circumstances the world throws at us,Continue reading “ICYMI: Risk Management and the Paradox of Common Sense”

Security Awareness and the Bystander Effect

My latest @ISACA column was posted recently. This time I tackled a hard issue in the human factors space: awareness training. Specifically, I explored the notion that having a good security team may actually impede the effectiveness of a security awareness program. I did this through the application of some concepts from the bystander effect.Continue reading “Security Awareness and the Bystander Effect”

Cyber Risk Cassandras

I wrote this latest bit for the @ISACA column after reading Richard Clarke’s book and trying to rationalize how it applies to cyber risk. It’s overly easy to predict failures and impending doom at a macro level, its much harder to do it at the micro level, which is infinitely more interesting and useful. YouContinue reading “Cyber Risk Cassandras”