Interviewed for the Cyber Canon

Back in April, when Jack Jones and I were inducted into the Cyber Security Canon we had the pleasure of being interviewed by Rick Howard, CSO of Palo Alto Networks. You can view the video here or watch it below. (They published the interview video back in September and I forgot to post it here.)

It was hot in the studio, so my glasses kept sliding off my face. So please excuse the weird faces I kept making :-)

OpRisk Book Chapter on Cyber Published

I’m pleased to announce that a new book has been published that includes a chapter that I wrote on Cybersecurity and Technology Risk. I was approached by the good folks at Risk Books about contributing some original Cyber content to their new publication on Operational Risk. I chose to address the general risks in the domain and paid special attention to how to define risks (risk syntax) to avoid the problem of defining control deficiencies as risks.

The other chapters in the book are really great too! There are discussions of blockchain, Big Data, Privacy, OpRisk modeling and quantification, and emerging risk.

You can pick up your copy of Operational Risk Perspectives: Cyber, Big Data, and Emerging Risks at the Risk Books website (including eBook).

Inducted into the Cybersecurity Canon

I’m very pleased to announce that the book I coauthored with Jack Jones (Measuring and Managing Information Risk: A FAIR Approach) has been inducted today into the Cybersecurity Canon at the Palo Alto Networks 2016 Ignite Conference.

The Canon includes books both fiction and nonfiction that accurately depict the history, milestones, and culture of the modern cybersecurity industry.

This is a profound honor and I’m very grateful to Palo Alto Networks CSO Rick Howard, Ben Rothke for his nomination, and of course my coauthor Jack Jones.

You can read the full press release here.

Book Submitted

Hello everyone!

I thought I’d give you a brief update. I’ve been very quiet here lately as Jack Jones and I made the final push to complete the book. We submitted the completed manuscript on or about Tax Day in April (with so many late nights, it’s hard to remember exactly when we were done). The next steps include some editing and proofing as we finalize everything for publishing. The expectation is that we will have it published before the end of summer. I’ll keep you informed here as we gain more information.

BTW, in case you didn’t know, Jack Jones has been blogging on the CXOWARE website:

There is some good content there :-)

I’m Writing A Book

Earlier this year my good friend Jack Jones and I entered into a contract with Elsevier imprint Butterworth-Heinemann to write a book on the risk assessment methodology FAIR. We will deliver the final manuscript in the first quarter of 2014 and it should be in print next summer/fall. The book is tentatively titled Measuring and Managing Information Risk: A FAIR Approach.

It is a real honor to be able to write about a topic I love with the industry visionary that taught me how to do it.

From the beginning, when Jack and I first began talking about this book (over dinner in the early summer of 2012) we wanted to write a conversational book to teach risk practitioners how to do FAIR. We didn’t want to write a risk textbook, and to be sure this is not a math book. It is very much intended to be an accessible book to help people understand how to take the work they are currently doing in risk management and improve the results quickly using applied methods and techniques. And don’t worry: our trademark senses of humor will be firmly intact throughout (my tongue always seems to be firmly ensconced in my cheek).

This book has been a long time coming. FAIR has evolved significantly since Jack Jones first published the FAIR whitepaper in 2005. Jack and I have conducted numerous FAIR training sessions and classes that detail the evolution of this now industry standard, but one thing is still a challenge for many people: how to apply FAIR to the daily security scenarios with which they are faced. This book will describe various scenarios to help lift the fog and give people “Ah-Ha” moments as they will quickly find examples that emulate current scenarios they are facing, or application techniques they can use to help better model the risk they are currently modeling in FAIR. We are even taking it further by showing you how to present risk scenarios to management and how to integrate FAIR into many popular risk assessment standards (NIST, ISO, etc.).

When you are done reading this book, you will know how to apply FAIR anywhere to model the risk associated with virtually anything. And it will also be a great reference for those looking to earn the Open Group’s upcoming FAIR Risk Analyst certification.

Naturally, writing a book takes a lot of work, which is why my writing here has been sketchy these past couple of months. But in the meantime, you can get a preview of the book in a blog post that Jack wrote to better understand the concepts around what risk management is and how to practice it.