How to Report Cyber Risk to the Board

I’m giving a webinar tomorrow based on the whitepaper I authored for ISACA: Reporting Cybersecurity Risk to the Board of Directors. It’s a free download. I cover Board reporting from the technologists perspective, covering the role of the Board and how to communicate to them in a way they understand. You can register for theContinue reading “How to Report Cyber Risk to the Board”

Pandemic Lessons and Record Count

I was asked to write a piece for ISACA about cyber risk in the Pandemic. I used some popular memes as a bouncing off point to talk about how to manage risk in these crazy times. You can read this here. I also had my article about why using record counts as your risk appetiteContinue reading “Pandemic Lessons and Record Count”

Welcome to 2020! Cyber Risk Prospectuses and a “Manifesto”

Welcome to 2020! I kept busy last month, even with the holidays. Here are some updates: I wrote a piece for ISACA about how much spending is being done in aggregate for cyber security and how we need to rationalize the controls we are spending on. The FAIR Institute called this my manifesto here :-)Continue reading “Welcome to 2020! Cyber Risk Prospectuses and a “Manifesto””

ICYMI: Digital Transformation

I wrote an article to help ISACA introduce its Digital Transformation research in the Financial Services industry. There are some interesting findings in here about AI, IOT, Cryptocurrency, and Blockchain.   My article in Bankingexchange.com is here ISACA’s Digital Transformation Barometer research is here

ICYMI: Risk Management and the Paradox of Common Sense

I really enjoy reading Duncan Watts work and I was blown away by how he assailed the concept of common sense that we all rely upon so readily: What we don’t realize, however, is that common sense often works just like mythology. By providing ready explanations for whatever particular circumstances the world throws at us,Continue reading “ICYMI: Risk Management and the Paradox of Common Sense”

Lowest Common Risk Denominator

I tackle the notion of risk appetite in this month’s column using some metaphors with which you might be familiar. You don’t get to pick your auto insurance coverage by expressing the number of accidents you are willing to accept, yet that’s how a lot of organizations think about cyber risk. Fortunately, the cyber insuranceContinue reading “Lowest Common Risk Denominator”

Risk and Regulation

My latest @ISACA article was published today. In it, I focus on the notion of where our authority comes from in Information Security. Too often, in my opinion, we rely on regulation as a source of “why” when articulating control requirements. I think this is dangerous and counter to the very nature of what anContinue reading “Risk and Regulation”