Security Blog
-
CISOs are still chiefs in name only
If you’re not in the meeting where decisions are made, then you’re not part of the C-Suite—whatever your title may be. Look around the CISO community, and you’ll find signs of burnout everywhere. Where CISOs aren’t just quitting, you’ll find increasing tension between them and their executives, sometimes resulting in surprising departures. Ply a friendly CISO with…
-
Drop the SBOM
Software bills of material are having a moment, but the costs of an externally visible SBOM are likely to outweigh the benefits, says Andy Ellis. There’s a big movement afoot to move to an SBOM-oriented world. If you’re new to this acronym, an SBOM is a “Software Bill of Materials.” The idea is that any…
-
Vulnerabilities don’t count
No one outside the IT department cares about your vulnerability metrics (or they shouldn’t, anyway). They care about efficacy. And traditional stats don’t show that. I had a lovely chat with one of my favorite CISOs the other day, helping them think through the security metrics that they report upwards. Front and center, as I…
-
Three Hidden Security Costs Behind Many Failed Projects
As a long-time CISO, I’ve been on the receiving end of … a lot of vendor sales pitches. So much so that I created a quick template to respond to all of those unsolicited messages. For the most part, vendors would either quietly disappear, or reply with good grace (for many sales development representatives, even being acknowledged…
-
The Fourth Dimension of Risk Management
When security professionals talk about risk, especially with business executives, we often use metaphors rooted in the physical world. We might talk about coverage, and compare it to the length of a wall that surrounds a group of assets. Perhaps we talk about the height of the wall, to consider how comprehensive our defenses are.…
-
Four considerations for improving cloud security hygiene
We think we understand what hygiene is, but what about cloud security hygiene? It’s not like our computers have teeth to brush. Although, if you have a child, you might be familiar with the challenges involved in even basic hygiene. Some of us might even have had conversations like this: “Did you brush your teeth?”“Yes!”You smell in…
-
Risk at the Margin
Humans are, generally, pretty awesome at risk management. Why, then, do we seem to be so bad at it – and in so many different ways – when it comes to assessing risk in the CoViD era? Risk Models First, let’s talk about how humans make most risk decisions. Risk comes in a lot of different flavors…
-
Understanding Risk
Operating or overseeing a business – whether it’s as a director, executive, or manager – requires an understanding of risk, and especially how it impacts your strategy. But risk is a nebulous concept. It means something different to everyone, so it helps to levelset not just on a working definition of risk, but on approaches…
-
Football. CoViD-19, and distributed systems hazards
Looking at the latest trickle of Covid-19 cases in the NFL – specifically in the Patriots locker room – it strikes me that some of the challenges of public health safety are strikingly similar to the issues of distributed system safety in computer systems, and each can help highlight important lessons in the other. Caveats: …
-
One company’s successful approach to gender balance
In an industry where 10-15% of staff are women, the InfoSec team at Akamai—a cybersecurity, content-delivery network and cloud-service provider—is now 40% women. Driving that change—from 28% two years ago—took only a few, simple practices that might work in many other organizations. We drove those changes in partnership between the talent-acquisition team and the hiring managers;…
Leadership Newsletter
-
Learning More from Accidents
When accidents happen, there’s a seductive call to look for a root cause – that is, a chain of events without which, the accident would not have happened. In hindsight, root causes are apparently easy to identify; one works backwards from the accident, identifying causal threads until reaching the “root cause.” It’s simple, and it’s generally wrong.In… Read this …
-
Making it safe to speak up
This week in DuhaOne: SVB’s miss, keeping onboarding fresh, make safety to spot danger, and tackling inclusion. Leadership Moment: Silicon Valley Bank The postmortems have already begun for the SVB failure, the second-largest in US history. This line inside CNN’s summary leapt out at me: Several experts who spoke to CNN said it’s likely that… Read this …
-
Food as Inclusion
Every Friday night, Jews around the world welcome Shabbat around the dinner table. Saying blessings for each, we light candles, we drink wine, and we salt and eat bread. Fire. Wine. Bread. Salt. These aren’t just Jewish traditions; I just happen to think of them that way because that is the culture in which I experience… Read this …
Fiction
-
Skeleton
A necromancer and an Olympic event [Read the story]
-
Albus Dumbledore and the Rituals of Immortality
The words that didn’t make the Harry Potter septology that fill in the blanks for what’s really going on. [Read the story]