August 6, 2011 The Decline of the Physical Desktop http://www.eweek.com/c/a/IT-Management/As-Foretold-by-Desktop-Managment-Tools-588370/ What’s interesting here is that this isn’t preaching “The Cloud” and only mentions VDI in one paragraph (2 in the one-line expanded version)….
June 21, 2011 In praise of OSSTMM In case you’re not aware, ISECOM (Institute for Security and Open Methodologies) has OSSTMM3 – The Open Source Security Testing Methodology Manual – http://www.isecom.org/osstmm/…
February 24, 2011 Are *YOU* ready to give up yet? Apparently (ISC)2 did this survey … which means they asked the likes of us …. http://www.darkreading.com/security-monitoring/167901086/security/security-management/229219084/under-growing-pressure-security-pros-may-be-ready-to-crack-study-says.html Faced with an attack surface that seems to…
December 3, 2010 All Threats? All Vulnerabilities? All Assets? On one list I subscribe to, I saw this outrageous statement: ISO 27001 requires that you take account of all the relevant threats (and vulnerabilities) to…
November 11, 2010 BCP or BIA A business might possibly choose not to have a BCP but they might be interested in doing a BIA. After all,…
October 1, 2010 On the abuse of the term “Architecture” in IT A friend and colleague who is also a security guru and much better qualified than me and who admits that he is not a…
September 23, 2010 Third-party code putting companies at risk http://www.infoworld.com/d/developer-world/third-party-code-putting-companies-risk-302 This opens: The use of third-party code in applications represents a big security risk for companies, according to a study…
August 20, 2010 Open source and commercial support In a discussion of Open Source vs Closed Source/Commercial … Voice 1: Maybe because they’re not customers? (in the paying for a service sense)…
July 14, 2010 IAM – Basics – Policy If there’s one thing that upsets me when I see articles and postings to forums about policy, it’s mention of a “Password Policy”. I…
June 29, 2010 You don’t need a Firewall Security Policy A member of a discussion list I subscribe to asked for a Firewall Policy template. As usual, I was alarmed enough by this to want…
June 4, 2010 Google Phasing out Windows http://www.h-online.com/security/news/item/Report-Google-phasing-out-internal-use-of-Microsoft-Windows-1012679.html “According to a report in the Financial Times, Google are phasing out the use of Microsoft’s Windows within the company because of security…
May 19, 2010 The Classical Risk Equation What we had drilled into us when I worked in Internal Audit and when I was preparing for the CISA exam was the following…
March 26, 2010 A Security Policy needs to be abstract not specific There’s much I don’t like about many of the published security policies and the ones I see in use at many…
February 28, 2010 The FBI risk equation It seems that to make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation: risk = threat x vulnerability x…
February 5, 2010 The checklist revolution works http://www.smartplanet.com/technology/blog/rethinking-healthcare/the-checklist-revolution-works/838/ I can see the reasoning behind why doctors would object to check-lists, but it makes me wonder why so many corporate IT departments,…
January 25, 2010 About Social Networking policy Policy development is one of my areas of practice, so when a colleague on a mailing list asked about how to phrase policy to…
November 13, 2009 The Cost of patching I saw this assertion go by and it stood out: The bigger cost would be the cost of not patching. Such items as downtime…
October 6, 2009 About creating Corporate IT Security Policies As I’ve said before, you should not ask yourself what policies to write but what you need to control. If you begin with a…
September 16, 2009 The Glass Half Full Optimist: The glass is half full Pessimist: The glass is half empty Cost Accountant: The vessel is too…