-
In my latest column for the @ISACA newsletter, I delve into the complex interplay between common sense and cyber security.
-
In the realm of cyber risk quantification, it’s a common belief that emotions should be kept out of the risk assessment and decision-making processes. Certainly, there are valid concerns associated with the influence of emotions, which cannot be overlooked. However, it’s important to recognize that emotions do have a rightful place in risk management. In…
-
Here is a mega-update of things I meant to post since Sept(!) In the September 2023 ISSA Journal, I worked with my colleague Natalie Jorion to publish this piece about SEC cyber materiality. You can access the article here. I did a webinar with ISS Corporate about the SEC materiality rule. You can watch the…
-
In this @ISACA newsletter column, I talk about some real-world perspectives I encountered where one organization was told they shouldn’t quantify cyber risk.
-
I recently coauthored an article for the ISACA Journal with a coworker about imputing the cost of a data breach from record count. We also recorded a podcast based on the article. You can read the article here and listen or watch the podcast. I also authored a piece for the @ISACA newsletter on the…
-
I recently wrote this piece for ISACA on business process maps. Clearly, this is tongue in cheek – there are a lot of benefits to building a map of business processes and for a security professional, these maps can become the basis of lots of security and risk reporting. You can read my thoughts on…
-
I had a great time talking with Ben Ben-Aderet on the CISO Insiders Podcast. He asked really interesting questions, not only about information security, but ones that also caused me to reflect on myself and what I learned during my time in the industry. You can check it out here (he bookmarked different topics so you can…
-
I wrote this piece after I read one person’s take on the relationship between near misses and audit findings. I wanted to reflect my thinking on the matter in a way that gave risk organizations a useful function to pursue after an incident. You can read about the role that your near misses (and others’)…
-
I wrote this piece as an analysis of what Marsh is experiencing in the marketplace. I wanted to have a cyber risk analyst’s take on the same data and to see where we could learn from their analysis and apply that in our practice. One edit, it looks like I made a typo. The line…