Tag: CISO

The constructs of a business model canvas are rooted in scientific modeling, business modeling, and system information modeling, all driven by logic. The business model canvas is modeled using the following: Inputs (This is what we want to do) What are our goals and objectives? (Value Proposition) Who and where do we need to engage…

What better way to diagnose a failed security program than to point at an inferior assessment of risk? If an organization omits or misjudges a critical risk, then the decisions that flow from that finding will be incorrect. A problem with standardizing risk assessment is that the measurement of relevant risk is going to…

Security issues are so prominent in most customers’ minds that CISOs are being pulled into the sales cycle more and more often. In the face of increasing cyber attacks, customers are understandably questioning the resilience of products and services. Even businesses outside of the tech industry are facing scrutiny from customers and major suppliers since…

All too often, I hear colleagues wax poetic on the disdain their directors and managers have towards the mission of cyber security. I’m always eager to provide some sage couples counseling wisdom toward these difficult relationships between CISOs and their colleagues. 1. Designate FUD as your Friend rather than Adversary Someone once said that Fear,…

Ah, CISOs. Such magnificent and noble creatures. There’s such a wide variety in the wild that you might have a hard time believing they are all part of the same species. Let’s take a short field expedition to familiarize ourselves with a few common varieties. And wipe all that sunscreen off your face, you won’t…

For the past 15 years, American organizations have lived in the shadow of breach disclosure. It all began in California under SB-1386 in 2002, which mandated written notification of victims of privacy breaches of unencrypted personal data. The law covers organizations located in or doing business in California. Because California is the most populous state…

There’s an expression in geekdom called “yak shaving” that refers to doing busywork that appears important but is actually useless. The essence is that yak shaving is easier to do than dealing with the actual problem at hand (which is often complex and hard). Too Much Security Awareness Training: There’s only so much security training…

In Part I of this blog series, we introduced information modeling as a method to reduce compliance gaps. In this blog, we create a master model of protection based on the business model of a fictitious company called Eclipse Cloud Services (ECS). The master protection model forms the basis of contextualizing access to the infrastructure,…

Over the past 11 years, I’ve done hundreds of audits for organizations of all sizes around the world. I specialize in audits for SSAE 16/18 (SOC1 and SOC2), Sarbanes-Oxley, and PCI DSS. I’ve seen a lot of audit failures, and there are some common themes to them from which other companies can learn. My work…

According to a 2015 study by the Georgia Tech Information Security Center, 40 percent of CISOs reported to the CIO or CTO rather than directly to upper leadership. A forthcoming F5 Ponemon CISO research report will show that the trend is shifting away from CISOs reporting into the IT organization. From a legacy point of view,…