85.7% COVID-19 Free March Update!

RSA Roundup Updates on the Monday all-day FAIR session I did with Jack Jones, Chad Weinman, and Rachel Slabotsky, as well as my Thursday session on maturing your risk management practice. RSAC 2020 Report – Big Turnout for 2 FAIR Seminars, Breakfast Advice on Starting a FAIR Program from Jack Jones and Fannie Mae, Ascena…

Accepted at RSA 2019 – Virtual Pen Testing

I’m very pleased to announce that I’ve been accepted to speak again at next year’s RSA Conference. I’m going to be presenting on an Agent Based Model concept using FAIR risk results jointly with my colleague Joel Amick. Joel’s team and my team worked to develop a POC of this work and we can’t wait…

The “Yes, and…” Approach to IT Risk Mgmt

In my January column for @ISACA I talk about the use of an improv technique called “yes, and…” that you can read about here. The idea is to keep the improv scene going as long as possible by working with your partner versus opposing them. If they propose something, no matter how outlandish, you assume…

Using Risk to Take the High Road

My @ISACA column for November was published recently. You can read it here. This was a tough one to write, and not just due to the 200-word max limitation (which I still exceeded). Overall, lots of security professionals tend to (I believe) unknowingly speak ill of the management of the companies for which they…

High Accumulation

I recently relocated to Charlotte from Ohio. It’s South, but not so much so that it doesn’t get cold, and yes, sometimes there is even snow. As I become acclimated to things down here, I am always surprised at the response that folks from here have to snow. They dislike it immensely and are often…

Security is an Empty Gun

There is a point where a security exception ceases to be an exception and becomes the rule. It’s at times like these that the information security department can swagger in and lay down the law. Put simply, security makes the rest of the business comport to its will, and if push comes to shove security…