I thought I’d give you a brief update. I’ve been very quiet here lately as Jack Jones and I made the final push to complete the book. We submitted the completed manuscript on or about Tax Day in April (with so many late nights, it’s hard to remember exactly when we were done). The next steps include some editing and proofing as we finalize everything for publishing. The expectation is that we will have it published before the end of summer. I’ll keep you informed here as we gain more information.

Recently, our editors revealed the final version of the book cover and indicated that it’s okay to share with you. So here it is: the official cover of Measuring and Managing Information Risk: A FAIR Approach. As soon as we get a publication date we will be happy to share. Tentatively we are looking at late this summer or early fall.


In my January column for @ISACA I talk about the use of an improv technique called “yes, and…” that you can read about here.

The idea is to keep the improv scene going as long as possible by working with your partner versus opposing them. If they propose something, no matter how outlandish, you assume it’s valid and work with it. This gives you the opportunity to redirect the outcome. However, if you shut down the scene and attempt to wrestle control away from your partner, the scene gets awkward, and if you do it enough, they tend to not want to work with you anymore.

It’s a metaphor you see: work with the business on their initiatives and you get invited back to the table.

My @ISACA column for November was published recently. You can read it here.

This was a tough one to write, and not just due to the 200-word limit (which I still exceeded). Overall, lots of security professionals tend to (I believe) unknowingly speak ill of the management of the companies for which they work. It’s second nature to think that your judgement about security overrides whatever else management is doing. My point with this column was to help people see that risk management defines priority across the organization; in other words, I’m sure that marketing, accounting, sales, etc. think that whatever they are working on is far more important than what security is doing. Thinking about these priorities through a risk lens helps people level-set their work against the rest of the company’s work. I use an outraged “author’s voice” to wake people up to what they are saying and how they express it.

This was difficult to write primarily because I didn’t want to insult anybody, but also to help people understand that the words they use, even amongst other security professionals, are not productive in improving relationships within the rest of the company.