Book Submitted

Hello everyone!

I thought I’d give you a brief update. I’ve been very quiet here lately as Jack Jones and I made the final push to complete the book. We submitted the completed manuscript on or about Tax Day in April (with so many late nights, it’s hard to remember exactly when we were done). The next steps include some editing and proofing as we finalize everything for publishing. The expectation is that we will have it published before the end of summer. I’ll keep you informed here as we gain more information.

BTW, in case you didn’t know, Jack Jones has been blogging on the CXOWARE website:

There is some good content there :-)



Book Cover Revealed

Recently, our editors revealed the final version of the book cover and indicated that it’s okay to share with you. So here it is: the official cover of Measuring and Managing Information Risk: A FAIR Approach. As soon as we get a publication date we will be happy to share. Tentatively we are looking at late this summer or early fall.


(Note: I’m not sure, but the actual cover may vary from this as we go through the production process.)

The “Yes, and…” Approach to IT Risk Mgmt

In my January column for @ISACA I talk about the use of an improv technique called “yes, and…” that you can read about here.

The idea is to keep the improv scene going as long as possible by working with your partner rather than opposing them. If they propose something, no matter how outlandish, you assume it’s valid and work with it. This gives you the opportunity to redirect the outcome. However, if you shut down the scene and attempt to wrestle control away from your partner, the scene gets awkward, and if you do it enough, they tend not to want to work with you anymore.

It’s a metaphor, you see: work with the business on their initiatives and you get invited back to the table.

Using Risk to Take the High Road

My @ISACA column for November was published recently. You can read it here.

This was a tough one to write, and not just due to the 200-word maximum (which I still exceeded). Overall, lots of security professionals tend to (I believe) unknowingly speak ill of the management of the companies for which they work. It’s second nature to think that your judgement about security overrides whatever else management is doing. My point with this column was to help people see that risk management defines priority across the organization; in other words, I’m sure that marketing, accounting, sales, etc. think that whatever they are working on is far more important than what security is doing. Thinking about these priorities through a risk lens helps people level-set their work against the rest of the company’s work. I use an outraged “author’s voice” to wake people up to what they are saying and how they express it.

This was difficult to write primarily because I didn’t want to insult anybody, but also to help people understand that the words they use, even amongst other security professionals, are not productive in improving relationships with the rest of the company.

New Journal Article on Supplier Security Assessments

Today an article I wrote with help from Kevin Chalk was published in the ISSA Journal. When I am able, I will post the text here for review. It should be in your inbox if you prefer to read e-versions of articles. Not sure when they get mailed out.

It’s a great piece on how to apply some soft skills (and some decidedly not so soft skills) in the furtherance of conducting a supplier review. You will never know as much about the supplier as they know about themselves, so this is a good approach to trying to uncover where there may be a lack of truthfulness in certain responses.

We wrote about using the Reid Technique, which is a standard in law enforcement interviewing and interrogation. It’s worth exploring to see if it fits into your own security and risk program.

A Cooperative Model for Security, Audit, and Risk: A collaborative approach to risk-based audits

Information technology audit is a relatively recent addition to the professional world of auditing. A review of the history of IT audit leads one back to the Electronic Data Processing Auditors Association (EDPAA), which is the forerunner of what would eventually become the Information Systems Audit and Control Association (ISACA) [1]. Although EDPAA published control objectives in the 1970s, what would eventually become ISACA’s flagship publication (Control Objectives for IT; COBIT) was published in 1996 [2]. In large part, this publication defines controls for IT systems, but it is grounded in the definitions of controls codified by the Committee of Sponsoring Organizations of the Treadway Commission in its Internal Control-Integrated Framework (COSO) [3]. Clearly, IT auditing was happening before these organizations codified the practice, as reliance upon IT systems was identified as critical to organizational success. Indeed, the authors of the original COBIT document identify their impetus for creation thusly:

“In recent years, it has become increasingly evident to regulators, lawmakers, users, and service providers that there is a need for a reference framework for security and control in information technology (IT).” [2]


I’m Writing A Book

Earlier this year my good friend Jack Jones and I entered into a contract with the Elsevier imprint Butterworth-Heinemann to write a book on the risk assessment methodology FAIR. We will deliver the final manuscript in the first quarter of 2014 and it should be in print next summer/fall. The book is tentatively titled Measuring and Managing Information Risk: A FAIR Approach.

It is a real honor to be able to write about a topic I love with the industry visionary that taught me how to do it.

From the beginning, when Jack and I first began talking about this book (over dinner in the early summer of 2012) we wanted to write a conversational book to teach risk practitioners how to do FAIR. We didn’t want to write a risk textbook, and to be sure this is not a math book. It is very much intended to be an accessible book to help people understand how to take the work they are currently doing in risk management and improve the results quickly using applied methods and techniques. And don’t worry: our trademark senses of humor will be firmly intact throughout (my tongue always seems to be firmly ensconced in my cheek).

This book has been a long time coming. FAIR has evolved significantly since Jack Jones first published the FAIR whitepaper in 2005. Jack and I have conducted numerous FAIR training sessions and classes that detail the evolution of this now industry-standard method, but one thing is still a challenge for many people: how to apply FAIR to the daily security scenarios with which they are faced. This book will describe various scenarios to help lift the fog and give people “Ah-Ha” moments, as they will quickly find examples that emulate current scenarios they are facing, or application techniques they can use to better model the risk they are currently modeling in FAIR. We are even taking it further by showing you how to present risk scenarios to management and how to integrate FAIR into many popular risk assessment standards (NIST, ISO, etc.).

When you are done reading this book, you will know how to apply FAIR anywhere to model the risk associated with virtually anything. And it will also be a great reference for those looking to earn the Open Group’s upcoming FAIR Risk Analyst certification.

Naturally, writing a book takes a lot of work, which is why my writing here has been sparse these past couple of months. But in the meantime, you can get a preview of the book in a blog post that Jack wrote to better understand the concepts around what risk management is and how to practice it.