Recently in risk-management Category

The Policy Trap

It's that time of year again: time to update the policies! This annual exercise is always a source of great enjoyment for me (no, not really). After all, there's nothing like having the non-technical flailing about as they try to force-feed technical requirements down the throats of IT without explaining, justifying, or providing any factual basis for asking. If there's something most techies love, it's an over-the-top policy recommended by external auditors.

Quite frankly, policies are the precursor to, and embodiment of, the checkbox-compliance mindset. We all know how well that's worked out for us thus far. I mean, looking at all the data breaches we're not having thanks to compliance and policies, right? Hahaha... oh.

From January 2015...

As you've undoubtedly heard by now, President Obama renewed calls for increased cybersecurity legislation, all apparently because Sony Pictures Entertain (SPE) got hacked? If you've not heard, check out the mainstream press coverage here...

Continue reading here...

From January 2015...

Now that we can soundly close the book on 2014, it's perhaps a good time to take a quick think back as we consider our best path forward. 2014 was indeed the year of infosec insanity, based on the sheer number of large breaches, number of breaches, number of "major, earth-shattering" vulnerability disclosures, etcetera etcetera etcetera (if you didn't read that last bit in the voice of the King of Siam, then check it out here).

Continue reading here...

Things That Aren't Risk Assessments
In my ongoing battle against the misuse of the term "risk," I wanted to spend a little time here pontificating on various activities that ARE NOT "risk assessments." We all too often hear just about every scan or questionnaire described as a "risk assessment," and yet when you get down to it, they're not.

Continue reading here...

GBN: Discussing RA Methods with CERT

Discussing RA Methods with CERT
In follow-up to our paper, "Comparing Methodologies for IT Risk Assessment and Analysis" (GTP subscription required), Erik Heidt and I were given the wonderful opportunity to be guests on the CERT Podcast to discuss the work.

Continue reading here...

Incomplete Thought: The Unbearable "Bear Escape" Analogy
"You don't have to run faster than the bear to get away. You just have to run faster than the guy next to you."
The problem with this analogy is that we're not running from a single bear. It's more like a drone army of bears, which are able to select multiple targets at once (pun intended). As such, there's really no way to escape "the bear" because there's no such thing. And don't get me started on trying to escape the pandas...

Continue reading here...

Fatal Exception Error: The Risk Register
I read this article a few weeks ago and set it aside to revisit. In it, the author states that "Risk management used to be someone else's job." and then later concludes that "...in a global business arena that is increasingly unforgiving when it comes to missteps, the message is clear: Everyone--including you--now has to be a vigilant risk manager." Yes, well, sort of, maybe, kind of... hmmm...

Continue reading here...

New Research on IT Risk Assessment and Analysis Methods
I'm pleased to announce that our new paper, "Comparing Methodologies for IT Risk Assessment and Analysis," is now available to Gartner for Technical Professionals subscribers! This research represents a few months of work, including many interviews with method owners and method implementers. The research process was quite fascinating and led to some unique insights.

Continue reading here...

My latest post...

3 Things I Think I Know About "Cyber" Risk

First, a note: when I say "cyber risk" here, I'm doing so knowing it's a somewhat equivocal term. I'm using it generically to be inclusive of IT risk, information risk, technical risk, and anything else along these lines that would roll-up under operational risk. More could be said, but I'll save it for another time...

Continue reading here...

And now for something a little different...

Q4 Challenge: Drop "Risk," Be More Precise
I've decided to try something a little different. Near the beginning of each quarter I'm going to issue a challenge to everyone (colleagues, clients, vendors, etc.) in order to see if we can't tackle a common obstacle to business and security. We'll see how it goes, and I hope you'll both participate and keep me honest throughout the designated timeframe!

Continue reading here...

My Other Pages

Support Me

Support EFF


Bloggers' Rights at EFF

Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10