• In my January column for @ISACA I talk about the use of an improv technique called “yes, and…” that you can read about here. The idea is to keep the improv scene going as long as possible by working with your partner versus opposing them. If they propose something, no matter how outlandish, you assume…

• My @ISACA column for November was published recently. You can read it here. This was a tough one to write, and not just due to the 200-word maximum limit (which I still exceeded). Overall, lots of security professionals tend to (I believe) unknowingly speak ill of the management of the companies for which they…

• Today an article I worked on with help from Kevin Chalk was published in the ISSA Journal. When I am able, I will post the text here for review. It should be in your inbox if you prefer to read e-versions of articles. Not sure when they get mailed out. It’s a great piece on how…

• Information technology audit is a relatively recent addition to the professional world of auditing. A review of the history of IT audit leads one back to the Electronic Data Processing Auditors Association (EDPAA), which is the forerunner of what would eventually become the Information Systems Audit and Control Association (ISACA)1. Although EDPAA published control objectives…

• Earlier this year my good friend Jack Jones and I entered into a contract with Elsevier imprint Butterworth-Heinemann to write a book on the risk assessment methodology FAIR. We will deliver the final manuscript in the first quarter of 2014 and it should be in print next summer/fall. The title of the book is tentatively…

• My @ISACA column was published today. You can read it here.

• I participated in my second risk management podcast for the Open Group that was published today. I like this one better than my previous one; I tried to talk slower in this one anyway ;-) I was happy with the topics that we discussed, most notably that as regulators become more aware of the capabilities of…

• A recent article in Insurance and Technology made me think about the nature of identity as it relates to information risk management. If we take a look at the list of companies from which data is being collected, I can’t help but wonder if there is enough similarity between these companies to make some basic…


• My @ISACA column was published today. Read it here. Edited: I realized they edited the full submission I made (I could tell because it sounded a little off from what I recalled). Below is the full post: Depending on your point of view, risk management is either a very easy or a terrifically difficult…

• I recently had the privilege to have some discussions with fellow members of a privacy-oriented group. They were mostly lawyers, and after a series of discussions we waded into the current disapprovals over Nordstrom’s practice of tracking people by Wi-Fi (see here for more on this). Basically it’s the implied consent that seems to be getting people up in arms. That and this…
