July 2, 2016 Nobody wants to pay for security, including security companies https://www.linkedin.com/pulse/nobody-wants-pay-security-including-companies-beno%C3%AEt-h-dicaire In theory, consumers and businesses could punish Symantec for these oversights by contracting with other security vendors. In practice, there’s no guarantee that…
April 21, 2014 Data on a Train http://www.informationsecuritybuzz.com/daily-commute-mean-data/ The latest intelligence on Al-Qaeda, a high profile Child Protection report and plans for policing the London 2012 Olympics; three very different documents…
August 31, 2013 On ‘paranoia’ – revisiting “Paid to be paranoid” My fellow CISSP and author Walter Jon Williams observed that Paranoia is not a part of any mindset. It is an illness. Ah, Walter…
May 14, 2013 Does ISO 27001 compliance need a data leakage prevention policy? On one of the ISO-27000 lists I subscribe to I commented that one should have a policy to determine the need for and the…
March 26, 2013 What is the goal behind calculating assets in ISO-27000? My friend and colleague Gary Hinson said about asset valuation in ISO-27000 So, for instance, it’s hard to say exactly how much the HR…
March 15, 2013 “Paid to be paranoid” Read the first four paragraphs of this: http://hollylisle.com/shoes-and-handbags/ Forget the rest, forget that it’s about ‘creative writing’, just answer that question. Bruce Schneier among…
October 2, 2012 How much Risk Assessment is needed? In many of the InfoSec forums I subscribe to, people regularly ask the “How long is a piece of string” question: How extensive a…
October 2, 2012 An “11th Domain” book. http://www.infosectoday.com/Articles/Persuasive_Security_Awareness_Program.htm Gary Hinson makes the point here that Rebecca Herold makes elsewhere: Awareness training is important. I go slightly further and think that a…
August 9, 2012 How to build an asset inventory for 27001 How do you know WHAT assets are to be included in the ISO-27K Asset Inventory? This question and variants of the “What are assets…
May 25, 2012 Why Info Sec Positions Go Unfilled http://www.infosecleaders.com/2012/05/career-advice-tuesday-why-info-sec-position-go-unfilled/ There are many holes in this, but I think they miss some important points. First is setting IT HR to look for Infosec….
March 23, 2012 Social Engineering and sufficiency of awareness training Someone asked: If you have good information security awareness amongst the employees then it should not be a problem what kind of attempts are…
November 13, 2011 Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA … What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level? I’m asking about a…
August 4, 2011 Mistaken Thinking – Risk not threats Via a LinkedIn posting in the Infosecurity magazine forum titled “Internet Threats Posed By Mobile Devices: How Can We Prevent Them?” I came to…
December 3, 2010 All Threats? All Vulnerabilities? All Assets? On one list I subscribe to I saw this outrageous statement: ISO 27001 requires that you take account of all the relevant threats (and vulnerabilities) to…
September 15, 2010 Career Insights from Stephen Northcutt, CEO of SANS http://www.bankinfosecurity.com/articles.php?art_id=2914 Fascinating. I get a lot of enquiries from wannabes who, as they put it, want to “break into security“. I presume they see…
March 26, 2010 A Security Policy needs to be abstract not specific There’s much I don’t like about many of the published security policies and the ones I see in use at many…
December 27, 2009 Throwing in the towel I was saddened to hear of an InfoSec colleague who met with overwhelming frustration at work: After two years of dealing with such nonsense,…
October 6, 2009 About creating Corporate IT Security Policies As I’ve said before, you should not ask yourself what policies to write but what you need to control. If you begin with a…
August 18, 2009 8 Dirty Secrets of the IT Security Industry – CSO.com Bill Brenner wrote an article that covers some security consulting in general and PCI DSS in particular. Do make note of points 1,3, and…
June 19, 2009 Does the Certified Ethical Hacker add value to a CISSP A young colleague asked about the value of the CEH certification. Would it “Add Value” to his existing CISSP? The syllabus looked interesting to…