RISK & CYBERSECURITY

This is the second part of the post from 2 weeks ago, which explored research challenges in Info/Cybersecurity related to systems:...

This is the first of a two part post on research challenges centered on systems, computer science and engineering research challenges....

Many years ago I wrote down a list of the drivers that create information / cyber-risk or that otherwise compel the need to mitigate this...

I can’t recall having seen an overview of a systematized privilege management program. There are lots of great articles on specific...

Security ratings services tend to be loved or loathed. Loved if you consume them and it makes your job easier, especially if you have no...

The success of a security program is largely determined by how well it is integrated into the fabric of the organization, in terms of...

Over the years I've noted the behaviors I’ve seen from consistently successful people. In this context I define success as a balance of...

Scenario planning is one of the most underutilized techniques in security. Which is surprising given how effective it is in [good]...

“For every metric, there should be another ‘paired’ metric that addresses adverse consequences of the first metric.” - Andy Grove We talk...

The uncanny value is a famous term in robotics.  It is used to describe how we accept robots that don’t attempt to look too human, but,...

There will be 6 major themes that differentiate great security programs, products, features and processes. These are different from...

I have built up a disdain for cybersecurity budgeting benchmarks. To be fair, there are some good attempts amid a sea of haphazard...

It still surprises me that much of the tone of vulnerability management is about patch/bug fix vs. detecting broader configuration and...

Truly excellent security programs deliver more than security risk mitigation. I know it is kind of ridiculous to say that when doing the...

There are lots of problem solving techniques across many fields. These are often represented as mental models or behavioral short-cuts....

Continuing with the theme of raising the baseline by reducing the cost of control we can see the next logical progression is that the...

One of the most successful techniques for enterprise security in many organizations is to create a universal baseline of controls that...

We know it is important to have good inventories across all of the assets we care about in an enterprise. For security purposes this is,...

It is still somewhat frustrating that most of the dialog about the skills shortage in cybersecurity focuses, perhaps inevitably, on the...

Of the vast canon of insightful commentary that has come from Dan Geer over many years, one that especially stuck with me was his...