Writing

Security Blog

  • CISO TALK: Navigating Boardroom Realities and Liability
    CISO TALK: Navigating Boardroom Realities and Liability

    I appeared with Mitch Ashley and JJ Minella on Techstrong TV to discuss the realities of a CISO’s journey into the boardroom, liability, and the SEC’s new disclosure rules.

  • 6 Steps to Landing a Job in Cybersecurity
    6 Steps to Landing a Job in Cybersecurity

    Looking to move into a cybersecurity career? Start with these six steps to evaluate and prepare yourself.

  • Why assessing third parties for security risk is still an unsolved problem
    Why assessing third parties for security risk is still an unsolved problem

    A recent ranking of the most cyber-secure companies reveals weaknesses in current third-party risk management practices. A Forbes article is making the rounds right now about America’s most cyber-secure companies, and I can already see the cybersecurity outrage machine up in arms. Full confession: I haven’t yet read the article, but I’m about to. I’m writing this…

  • Learning More from Accidents
    Learning More from Accidents

    When accidents happen, there’s a seductive call to look for a root cause – that is, a chain of events without which, the accident would not have happened.  In hindsight, root causes are apparently easy to identify; one works backwards from the accident, identifying causal threads until reaching the “root cause.”  It’s simple, and it’s generally wrong.…

  • Software liability reform is liable to push us off a cliff
    Software liability reform is liable to push us off a cliff

    Regulatory mandates for software security like those in the Biden Administration’s National Cybersecurity Strategy could cause more problems than they solve. Like “SBOMs will solve everything,” there is a regular cry to reform software liability, specifically in the case of products with insecurities and vulnerabilities. US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly’s comments this…

  • What the Uber verdict means to CISOs: You’re (probably) not going to jail
    What the Uber verdict means to CISOs: You’re (probably) not going to jail

    CISOs and potential CISOs worried about criminal risk won’t go to jail if they follow four simple steps. There seem to be two reactions to the verdict in the Sullivan case. One reaction, often from CISOs already stressed by being outside the room where it happens, is to decide that being a CISO isn’t worth the risk…

  • TikTok resets the clock on security leadership
    TikTok resets the clock on security leadership

    Roland Cloutier is stepping down as global CSO to become a strategic advisor to TikTok’s CEO. The clock is ticking on the CSO succession plan. The best time to do succession planning was last year.   But the next best time is right now. The news this morning that Roland Cloutier is stepping away from the TikTok…

  • We don’t need another infosec hero
    We don’t need another infosec hero

    By setting yourself up as the defender, the solver of problems, you cast your business colleagues as hapless victims or, worse, threats. This is not a useful construct for engagement. There’s this belief among a lot of security professionals that we are special, in that we are the defenders of our companies.  We like to…

  • The cloud security emperor has no pants
    The cloud security emperor has no pants

    “Shared responsibility” usually means that no one is responsible for minding the gap. Don’t fall in. As anyone who has worked on a cross-functional team with no clear owner knows, “shared” or “joint” responsibility often means that everyone assumes that someone else is taking care of the problem. Without clear effort to make sure that…

  • The security user experience (SUX)
    The security user experience (SUX)

    Security processes that treat the very users we protect as unwanted burdens and alienate them in the process are a path to failure. The next time you receive a phishing email, forward it to wherever your organization tells you to report phishing attempts.  What response would you appreciate? Maybe a brief thank you or follow-up…

Leadership Newsletter

  • The Future of Work

    Here we are.  Three to six months into CoviDistancing – call it lockdowns, social distancing, isolation, shutdowns – and, really, there’s no end in sight.Let that sink in for a few minutes.  It’s possible that there’s an effective vaccine just around the corner – which generally means a year of human trials so we know it’s reasonably safe.  It’s possible that… Read this …

  • Moving to Distributed Work

    So, you’re working from home … For a while. You’ve probably worked remotely before, and you’re thinking, “I’ve got this!” Odds are, you’re mistaken. You don’t have this. That’s OK; this is an opportunity to learn new skills. You can think of working from home much like someone moving into an entirely new environment. Your… Read this …

  • One company’s successful approach to gender balance

    In an industry where 10-15% of staff are women, the InfoSec team at Akamai—a cybersecurity, content-delivery network and cloud-service provider—is now 40% women. Driving that change—from 28% two years ago—took only a few, simple practices that might work in many other organizations. We drove those changes in partnership between the talent-acquisition team and the hiring managers;… Read this …

Fiction