January 31, 2010

The Balanced Scorecard is second on the list of 7 must have CISO tools. Someday I'll get past any guilt of referring to Balanced Scorecards for information security teams. Fitting the traditional categories into a cost center is a bit challenging. However I don't want...

January 29, 2010

The information security team strategy tops the list of the must-have CISO tools. Developing a strategy is a discretionary activity and often overlooked. However if anyone wonders what you do, the value you provide, or asks where you're going, investing in a strategy p...

January 25, 2010

Of course, after I blog about 7 great things my RSS reader sends me 7 sinful things. Check out The Opposite of Luck blog. One reason I like it is because it's a general IT blog - no security wonks. For some reason it makes me happy to see general IT struggle with the sa...

January 24, 2010

Working for and with many CISOs I've had the benefit of learning many approaches to manage teams and programs. In 2009 I started to formalize the most effective practices. A question I continue to struggle with is why doesn't everyone manage their program proactively?...

January 14, 2010

I think George Kurtz summed it up, "wow." This isn't the blog to follow late breaking developments of the Google et al. hacks (one of my favorites is the Register). This is the blog to discuss how best to use this data as evidence in your risk and mitigation prioritiza...

January 11, 2010

I had a good time reading a Securosis thread on how to measure risk framework effectiveness. Check it out. Securosis is often informative and entertaining. This was just a blog conversation, but some themes are worth expanding beyond the comment box. One was the pessimism...

January 8, 2010

Through securitymetrics.org I saw Matthew Rosenquist's great post and whitepaper for their Threat Agent Risk Assessment. Worth a look!

While there are many approaches to conduct an assessment, e.g. NIST, OCTAVE, etc., my favorite step is how to best communicate the result...

January 7, 2010

In 1999 I really enjoyed the movie The Matrix; it was also around the time I first left Microsoft. I'm sure it was just a coincidence. The loose translation of "know thyself" stuck with me in a lot of ways. Within IT security risk management, the phrase applied to: kno...

January 5, 2010

Recently a customer asked me how to document risk assessments. Below is a summary of our discussion.

On the risk assessment documentation front, it depends. I like to define 3 categories of assessments:

1. Summary: for position papers and quick turn-around requests

2. Det...

January 4, 2010

The New Year brings a new blog and a lot of excitement for living my professional passion. It's taken 15 years, 2 security startups, 2 tours at Microsoft, and a helluva experience at Washington Mutual to get here. Now it's time to focus on building the tools and appli...