Most recent blogs, netcasts, papers, etc.

Manage Vulnerabilities According to Associated Risk (May 19, 2018)

In this article, I summarize my preliminary research findings regarding how to manage vulnerabilities. It isn't as simple as throwing patches or another control at every weakness we find.

Role of User Training in Information Security (Mar 19, 2018)

This video shows how user training, although important, is a control of last resort. We should rely on it only to fill gaps left by other controls that do not rely on user behavior.

New Business Continuity Guide (Feb 7, 2018)

This is a vendor-neutral white paper that details the steps necessary to implement and manage business continuity in your organization.

Your apps are never safe enough (June 23, 2014)

You can't rely only on your developers and software vendors to deliver secure applications.

Enable the business with strategy-focused security management (June 10, 2014)

To shift to a risk management posture, security managers and analysts who work closely with project management teams must possess a specific skill set.

Adventures in Security Episode 5 - How NOT to manage incident response (June 8, 2014)

Using the FBI, the risk associated with using Chinese hardware, and what Target did wrong

Respond to actual risk, not the threat alone (June 3, 2014)

The emergence of a new threat does not necessarily constitute an emergency for your organization. Respond to actual risk, not the threat alone.

Adventures in Security Netcast Episode 4 (June 1, 2014)

Eight security gaps most organizations admit to having and managing the likelihood of security incidents

Security Crossword 3 (May 31, 2014)

Theme: Security Current Events

Many organizations still don't get infosec basics (May 31, 2014)

Building a security framework often starts with low or no cost solutions that many organizations still ignore.

Don't Force Business to Bypass Security (May 28, 2014)

Sometimes, we as security pros are the problem when business managers introduce elevated costs and risks.

Incident Response: Save Root Analysis for AFTER process recovery (May 26, 2014)

Deep analysis of the who, what, and why of a security incident should never happen before process recovery.

Simple Root Cause Analysis (April 20, 2014)

Root cause analysis doesn't have to be complicated.