New Journal Article on Supplier Security Assessments

Today an article I worked on with help from Kevin Chalk was published in the ISSA Journal. When I am able, I will post the text here for review. It should be in your inbox if you prefer to read e-versions of articles. Not sure when they get mailed out. It’s a great piece on how

A Cooperative Model for Security, Audit, and Risk: A collaborative approach to risk-based audits

Information technology audit is a relatively recent addition to the professional world of auditing. A review of the history of IT audit leads one back to the Electronic Data Processing Auditors Association (EDPAA), which is the forerunner of what would eventually become the Information Systems Audit and Control Association (ISACA)[1]. Although EDPAA published control objectives

Open Group Podcast on Risk – June 2013

I participated in my second risk management podcast for the Open Group, which was published today. I like this one better than my previous one–I tried to talk slower in this one anyway ;-) I was happy with the topics that we discussed, most notably that as regulators become more aware of the capabilities of

Risk Response Requires Critical Thinking

My @ISACA column was published today. Edited: I realized they edited the full submission I made (I could tell because it sounded a little off from what I recalled). Below is the full post: Depending on your point of view, risk management is either a very easy or a terrifically difficult

I want what they’re having

When consulting on a security issue, one of the questions that makes me grind my teeth more than any other is some variation of, “What’re our competitors doing?” My initial reaction is always, “Who cares?” It’s really just a useless way to think about security and risk. In my experience, no one asks this question because they are

Negligence and Compliance

Compliance is out of control. It’s pervasive in our society now and there is no going back. Allow me to explain. My kid attends pre-school. They go outside daily to play, so we were asked to provide some sunblock. Makes sense; our family is pale, so we are used to that routine. We brought it