Where I'll Be: Spring/Summer 2014 Events
A quick post... I'll be traveling a bit this Spring and Summer to speak at a number of events. For non-Gartner events, we're actively looking for GTP sales opportunities, so if you've been thinking about getting a subscription to Gartner for Technical Professionals, this could be your chance to meet face-to-face to discuss! :) For Gartner events, I will be available for 1-on-1s, as well as sales support as needed.

Continue reading here...

GBN: Discussing RA Methods with CERT

Discussing RA Methods with CERT
In follow-up to our paper, "Comparing Methodologies for IT Risk Assessment and Analysis" (GTP subscription required), Erik Heidt and I were given the wonderful opportunity to be guests on the CERT Podcast to discuss the work.

Continue reading here...

Incomplete Thought: The Unbearable "Bear Escape" Analogy
"You don't have to run faster than the bear to get away. You just have to run faster than the guy next to you."
The problem with this analogy is that we're not running from a single bear. It's more like a drone army of bears, which are able to select multiple targets at once (pun intended). As such, there's really no way to escape "the bear" because there's no such thing. And don't get me started on trying to escape the pandas...

Continue reading here...

GBN: Join Us! SRMS has an opening!

Join Us! SRMS has an opening!
We're hiring for the Security & Risk Management Strategies (SRMS) team within Gartner for Technical Professionals. Full details here.

Continue reading here...

RSA 2014 Round-up: From Predictive Analytics to Denied Taco Service
One of the most challenging aspects of attending RSA each year is not just attending, but also recovering from, RSA each year. :) It occurs to me as I finally get this recap post drafted that it's been almost two weeks since I returned and am only now getting a chance to put virtual pen to virtual paper to share my thoughts from the event. So, here goes... :)

Continue reading here...

Fatal Exception Error: The Risk Register
I read this article a few weeks ago and set it aside to revisit. In it, the author states that "Risk management used to be someone else's job." and then later concludes that "...in a global business arena that is increasingly unforgiving when it comes to missteps, the message is clear: Everyone--including you--now has to be a vigilant risk manager." Yes, well, sort of, maybe, kind of... hmmm...

Continue reading here...

GBN: Patch Your Internet Router/Gateway!

Patch Your Internet Router/Gateway!
Just a friendly fyi... if you're running an Internet router/gateway from Asus or Linksys, please make sure that you've updated the firmware recently! In some ways, this strikes me as another example of attacks on the Internet of Things (IoT). If you've been following IoT attack trends, then you may have read about the possibility that a refridgerator may have be found sending out spam.

Continue reading here...

RSAC 2014: Buyouts and Boycotts and Allegations, Oh My!
Unless you've been living under a rock, you've undoubtedly heard about the various revelations from the Snowden files, with which he absconded from the NSA. In a [Reuters article] last year it was alleged that RSA - the namesake and official owner of the RSA Conference (RSAC) - had accepted a single payment from the NSA to prominently place a flawed algorithm into their BSAFE crypto library (read more here). RSA has denied those allegations.

Continue reading here...

GBN: Rebooting the GRC Space

Rebooting the GRC Space
He's been talking about it for almost a year now, and this week we are starting to see some of the progress from the effort. For those of you who have followed the GRC (governance, risk management, and compliance) space, you'll know that it's a bit of a nightmare. It's been sub-divided, historically, between "IT GRC" and "EGRC" ("E" being for "enterprise"). There are also a couple other potential categories, like "Legal GRC" and "Financial GRC," but those have been far less prominent.

Continue reading here...

New Research on IT Risk Assessment and Analysis Methods
I'm pleased to announce that our new paper, "Comparing Methodologies for IT Risk Assessment and Analysis," is now available to Gartner for Technical Professionals subscribers! This research represents a few months of work, including many interviews with method owners and method implementers. The research process was quite fascinating and led to some unique insights.

Continue reading here...

My Other Pages

Support Me

Support EFF


Bloggers' Rights at EFF

Recent Comments

  • Danniel: SANS Top 20 controls are not controls. Its like a read more
  • Ben: I hope that it's not so dire. I think there read more
  • Tunde: The question at the back of mind now is: How read more
  • Dan Raywood: I met you at the Barracuda party, introduced myself with read more
  • Ben: Hi Jack, Thanks for the comment. I've read the context read more
  • Jack Whitsitt: Ben - while you're correct in almost all of your read more
  • Ben: Hi Amith, This review is now near 4 years old. read more
  • Amith Sarma: Hi Ben, A very valuable feedback on the book. Thanks. read more
  • Ben: Hmmm, thanks for catching that, Rob! I was going off read more
  • Robert David Graham: Minor correction: Dell was founded in 1984, not 1994. read more

Archives

Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.7