In my latest column I wanted to call out some of the dichotomy that exists in the cyber world today. There are so many exciting new technologies in the world, and so much more risk inherent in them. Working in risk means that you can’t avoid bad things entirely (any more than you can stopContinue reading “Interesting Times”
My latest @ISACA column was published today and in it, I talk about a concept called “pure risk.” It flies in the face of notions of “positive risk” that are in popular use. Understanding Pure Risk can help dispel any notion that Cyber Risk can be a good thing. You can read it here.
My latest @ISACA article was published today. In it, I focus on the notion of where our authority comes from in Information Security. Too often, in my opinion, we rely on regulation as a source of “why” when articulating control requirements. I think this is dangerous and counter to the very nature of what anContinue reading “Risk and Regulation”
My latest column for @ISACA was published today. In it I talk about the benefits of using verbal risk labels (things like high, medium, and low) and give some examples where this is helpful in the treatment of Type 1 Diabetes. This is an important concept for those like myself that are dedicated to quantitativeContinue reading “In Defense of Verbal Risk Labels”
Sometimes, the organization you work for will need to make budget cuts. And sometimes that means cuts to the security budget. How that should be handled is the subject of my latest @ISACA column.
My latest @ISACA article posted today. I was really pleased with this one as it uses an easily understandable metaphor to call out the often experienced desire of people to live life without risk (as evidenced by statements such as “We don’t accept any risk…”). Take a look and let me know what you think.Continue reading “The Dose Makes the Poison”
Risk management is all about making forward-looking statements about things that may or may not come to pass. This is also known as forecasting. Read more about this in my latest @ISACA column.
In this month’s @ISACA column, I tackle politics and the orientation that risk professionals should have when working in political environments. The ethical obligations of risk professionals are not as well known as they are for other professions, but they are no less important. We have an ethical obligation to tell inconvient truths about riskContinue reading “Risk and Politics”
In my latest @ISACA column, I tackle the problem of project triage. Its a pernicious problem that many security departments have to manage: we have to check everything currently in place, yet new stuff is being added all the time. I address this problem from a risk perspective: we need to allocate our scarce securityContinue reading “Security Project Triage is all about Resource Allocation”
In this edition of the @ISACA newsletter, I tackle the common problem of shared risk ownership. The behavioral economics of this scenario makes it a challenging one to solve. I’m interested in hearing any solutions you may have found to be useful.