Risk Appetite

In the early 2000s, I was seemingly always having discussions with peers, friends, and customers on the meaning of InfoSec (aka cybersecurity) risk, speaking beyond the dozens of models, methods, and practices and looking to really understand the elements of risk in corporations. Later I would write extensively on the topic, eventually evolving into the Adaptive […]

The State of Security – Ten Years Later

A decade ago I wrote a four-part series about the state of security touching on the relationships between regulations, standards, and ultimately business expectations in the light of risk and liability. It’s an interesting read from a throw-back perspective. The State of Security (Part 1 of 4) Will state law set a new low for […]

A Mature Security Program: The value of CMM

I originally wrote this back in 2009. I was having a lot of discussions around maturity and the role of maturity in security programs. Interestingly, this is a topic that continues to resurface to this day. With that in mind, I figured I’d publish it again for posterity. There are a lot of security […]