In With A Roar, Out With A Whimper

It's been nearly 2 years since I've written anything for my blog here, and I can't say that there's much of a good reason for it. Part of the reason has been prohibitions from past employers on doing anything public ... Read More
A Shortage in Common Sense: The Myth of the Talent Gap

I have a visceral reaction every time I encounter yet another article bemoaning the so-called "talent gap" or "labor gap" in cybersecurity. Having been in and out of the job market several times over the past decade (for better and, ... Read More
Business Must Change: InfoSec in 2019

I don't know about you, but I am happy to see 2018 ended. Personally, it was a very difficult year, capping a very difficult decade. Now, as we embark into 2019, it's time to sit up and realize that we've ... Read More

The Quest for Optimal Security

There's no shortage of guidance available today about how to structure, build, and run a security program. Most guidance comes from a standpoint of inherent bias, whether it be to promote a product class, specific framework/standard, or to best align ... Read More
Forget C-I-A, Availability Is King

In the traditional parlance of infosec, we've been taught repeatedly that the C-I-A triad (confidentiality, integrity, availability) must be balanced in accordance with the needs of the business. This concept is foundational to all of infosec, ensconced in standards and ... Read More
Measure Security Performance, Not Policy Compliance

I started my security (post-sysadmin) career heavily focused on security policy frameworks. It took me down many roads, but everything always came back to a few simple notions, such as that policies were a means of articulating security direction, that ... Read More

The Thankless Life of Analysts

There are shenanigans afoot, I tell ya; shenanigans! I was recently contacted by an intermediary asking if I'd be interested in writing a paid blog post slamming analysts, to be published on my own blog site, and then promoted by ... Read More

Design For Behavior, Not Awareness

October was National Cybersecurity Awareness Month. Since today is the last day, I figured now is as good a time as any to take a contrarian perspective on what undoubtedly many organizations just did over the past few weeks; namely, ... Read More

Incremental "Gains" Are Just Slower Losses

Anton Chuvakin and I were having a fun debate a couple weeks ago about whether incremental improvements are worthwhile in infosec, or if it's really necessary to "jump to the next curve" (phrase origin: Guy Kawasaki's "Art of Innovation," watch ... Read More

A Change In Context

Today marks the end of my first week in a new job. As of this past Monday, I am now a Manager, Security Engineering, with Pearson. I'll be handling a variety of responsibilities, initially mixed between security architecture and team ... Read More