Security Project Triage is all about Resource Allocation

In my latest @ISACA column, I tackle the problem of project triage. Its a pernicious problem that many security departments have to manage: we have to check everything currently in place, yet new stuff is being added all the time. I address this problem from a risk perspective: we need to allocate our scarce securityContinue reading “Security Project Triage is all about Resource Allocation”

Zanshin Risk Management

I really enjoyed Bruce Schneier’s recent post on Code Yellow. It inspired me to write about it in the context of personal self defense (and its parallels to the Japanese term zanshin). I disagree with Bruce’s opinion that being in Code Yellow generally is a bad thing (at least, that’s the impression I got from his piece).Continue reading “Zanshin Risk Management”

DeVry Charlotte 2014 Commencement Address

On 27 June 2014, I delivered the Commencement Address to the graduating class at DeVry University Charlotte. I was honored to be asked by Dr. Regina Campbell. I didn’t post the address here previously, but I talk about risk so I thought it might be interesting to my followers here. Enjoy!   Thank you to Dr.Continue reading “DeVry Charlotte 2014 Commencement Address”

Using Behavioral Interview Techniques to Assess Supplier Security Posture

Organizations are increasingly furthering their goals through reliance on suppliers conducting critical work. In support of this, information security departments routinely conduct security assessments of those suppliers in order help minimize risk in their supply chains. These assessments usually consist of some combination of questionnaires, onsite observations, testing, and interviews. Unfortunately, such assessment routines tendContinue reading “Using Behavioral Interview Techniques to Assess Supplier Security Posture”

Open Group Podcast on Risk – June 2013

I participated in my second risk management podcast for the Open Group that was published today. I like this one better than my previous one–I tried to talk slower in this one anyways  ;-) I was happy with the topics that we discussed, most notably that as regulators become more aware of the capabilities ofContinue reading “Open Group Podcast on Risk – June 2013”

Risk Response Requires Critical Thinking

My @ISACA column was published today. Read it here.   Edited: I realized they edited the full submission I made (I could tell because it sounded a little off from what I recalled). Below is the full post:   Depending on your point of view, risk management is either a very easy or a terrifically difficultContinue reading “Risk Response Requires Critical Thinking”

Negligence and Compliance

Compliance is out of control. Its pervasive in our society now and there is no going back. Allow me to explain. My kid attends pre-school. They go outside daily to play, so we were asked to provide some sunblock. Makes sense, our family is pale so we are used to that routine. We brought itContinue reading “Negligence and Compliance”

High Accumulation

I recently relocated to Charlotte from Ohio. Its South, but not so much so that it doesn’t get cold and yes, sometimes there is even snow. As I become acclimated to things down here, I am always surprised at the response that folks from here have to snow. They dislike it immensely and are oftenContinue reading “High Accumulation”

Substituting Risk Tolerances

I hate hand dryers in washrooms. I’m not alone: if Wikipedia is to be believed, 63% of people preferred paper towels over hand dryers in restrooms. I’d wager the other 37% choose what they thought was the right answer. Each time I use them, I always end up with cold, wet hands and if I’mContinue reading “Substituting Risk Tolerances”

How Security, Audit, and Risk should work together

My article on the role of audit and risk was published in the ISSA Journal this past October 2012. If you didn’t catch it then, you can find it here. I began this article with a question, when did IT auditing become a profession. With that in mind, I want back to the original version of COBITContinue reading “How Security, Audit, and Risk should work together”