This site represents, in many ways, my desire to write about information security. I enjoy writing because it allows me to share a perspective and contribute to the industry, even if only in a small way. Throughout my career I've taken the opportunity to share my thoughts, perspectives, experience, and guidance through books, articles, and whitepapers, many of which have been referenced extensively and appeared in multiple languages. Here are some of my works with stories and descriptions, albeit only a portion of my writings on the topic of information security.


Editing this book with Rich was bittersweet. I had known Hal Tipton since 1999 when he first invited me to be one of the contributing authors for his Information Security Management Handbook. When he passed in March of 2012 it was a huge loss to the security industry. When it came time to produce the next handbook with Rich, it was a difficult decision, but I saw it as an opportunity to honor his memory and legacy.


This book was a big challenge to write because it forced me to explore many aspects of security and my own convictions. Security is critical, especially today, in all aspects of our life. However, this book is specifically directed at the business. The ability to adapt rapidly while ensuring a meaningful posture is essential to demonstrating value and ultimately enabling the company to achieve its goals and aspirations. There are a lot of books about security, of course, but the new twist to this one is how to connect all the things we do today in a compelling manner to get the most from our efforts for the business.

In 2011, I was provided the opportunity by Rich O'Hanley, my publisher and friend for more than a decade, to explore more deeply the business processes and unique perspectives of organizations having penetration tests performed. As a result, I published my fourth book in December of 2011, CISO's Guide to Penetration Testing. It takes into account the nuance of having tests performed, drawing from many years of managing such activities.
My second book, The Ethical Hack: A Framework for Business Value Penetration Testing, was the beginning of my departure from technology and venture into aligning security with the business. Having gone from being a penetration tester long ago to being the VP of a global EH group, I had many feelings and perspectives on testing, which IEEE seems to agree with in their review of the book. This book was a great opportunity to explain to the business the value and pitfalls of penetration testing. I've spoken to many organizations around the world that use this book as their vulnerability management framework.
My first book, A Technical Guide to IPSec Virtual Private Networks, took some time to write. At the time (1999), there were only two IPSec books on the market and both left a great deal to be desired at the technical level. I know this because I was working with a large company designing a global VPN and there was nothing but the standards (RFCs) to guide me. I became frustrated at the lack of meaningful information and decided to write a book to help others in the same situation.
I received a note from Hal one day asking if I would write one of the chapters for the Official (ISC)2 Guide to the CISSP CBK. There were several chapters that needed authors, but Access Control looked the most interesting to me. When I received the CBK I was supposed to write about, it was huge. As a result, the chapter is the largest in the book. I'm very proud to have been a part of this book and would do it again in a heartbeat.
This is a good story. While attending InfoSec Con in Orlando, FL (2010), I was hanging out with Rich O'Hanley near the book store when I saw this new edition of the CISSP CBK. He mentioned that there was some new content and that Stephen Fried, author of "Mobile Device Security", had edited the Access Control chapter. Funny, I had met Steve not ten minutes before and he was saying to me, "I think we've met before." Well, virtually I guess, when he updated my chapter. Steve promises he hardly touched it ;) Steve is a great guy and I highly recommend his book.
I wrote this whitepaper, "Maintaining Security During an Economic Fallout", when working for BT. BT launched three major security themes within the security strategy, one of them being Security Cost Containment. As I was writing this and other articles, such as the one for NetworkWorld, "Four steps to mastering security kung fu", it became obvious to me that what we do as an industry today will have huge implications in the future. Also, operating more efficiently and providing more visibility into security activities is the core of savings and of ensuring adaptability in the future. So, this paper really introduces a complex, far-reaching concept that has a home in today's environment.
I had written several papers before this one, but this was more of a release of knowledge and became the driver for writing my IPSec book. People were asking me about IPSec, how it worked, and how to use it. So, I sat down in front of my laptop and in about 3 hours wrote the whitepaper. It's interesting to note that to date I've stumbled across more than 40 other publications that reference this paper.
Shortly after I wrote my IPSec book, a colleague at INS, Victor Kasacavage, reached out and asked if I would contribute to the book he was producing, "Complete Book of Remote Access: Connectivity and Security". The book followed the same formula in the HISM and ISC2 CBK, bringing authors together. All in all, several of my papers on VPNs and portions of my IPSec book were used, modified, and intertwined with material from other contributing authors to create chapters 9, 10, and 11. Credit really goes to the authors listed first for those chapters for pulling it together and doing the heavy lifting.
Very early in my career I was convinced that security was about maturity and not simply the existence of people, process, and controls, but how well they functioned. I knew everything tied to this - capability, effectiveness, investment, etc. - and spoke about it regularly. At about this time (2005) INS established a strategic partnership with SITA and I was in Switzerland quite often. I was asked by someone from SITA to write a paper for publication on the topic. I sat down and wrote “Measuring the Maturity of Your Security Program” shortly thereafter. Interestingly, this too was referenced a great deal and the instigator for my third book.
With all the writing I was doing and my involvement in the industry, I was offered the position of Managing Editor of the Information Systems Security Journal, which I jumped at. At this point I had written several articles in the Journal, such as (In)Security of VPNs, Taming the New Wild West, and numerous editorials. It wasn't until I had collected six authors to write a special edition (shown in the picture), and after asking many times, that I was given the position of editor by Rich O'Hanley. I was the editor for over two years and enjoyed every minute.
I was very vocal about the effects of network diversity and the impacts to security. Eventually, I was contacted (via INS) by Cisco to write a paper about the "Security Virtues of a Common Infrastructure" highlighting my philosophies on this topic. This paper has been in many forms and I've seen it referenced in materials all over the world from individuals, companies, and governments. I still get naysayers at times, saying I'm crazy for my comments and convictions, but I stand by the advantages of a common infrastructure.
In 2002 I was doing some work with a utilities company and was introduced to a new regulation concerning security. Having some experience in the industry, I became deeply involved. I attended several FERC/NERC governance workshops and even collaborated with the FBI on the topic. As a result, I wanted to share and wrote "Security Regulations Affecting the Power Industry". I gave several speeches and webinars and built a huge collection of standards, tools, templates, and training materials. Then, of course, the regulation took a turn, became less significant, and the whole thing sort of went away. Now (2009) the FERC/NERC Cyber Security standard has taken on new life. Maybe some of the stuff I built years ago is still applicable.
From 2000 to 2006 I wrote at least one, mostly two or more, articles in every edition of the Information Security Management Handbook, the very foundation of the CISSP program, edited by Micki and Hal. Through these years I wrote articles such as Identity Theft, Outsourcing Security, Network Monitors and Sniffers, Message Authentication, Reporting Incidents, Smart Cards, IPSec Key Management, and several others.
This was my first (if I recall correctly) and I wrote on IPSec (surprise). Actually, at this point I had found some flaws in the very concept of VPNs and endpoint security, so I wrote a chapter discussing these concerns and methods to avoid them.
This was my second time around writing for the series. I took a leap and wrote about message authentication, which was difficult because, of course, it has to be perfect. I ran that article past so many people just to be sure.
By now, I had established a good working relationship and had written several articles for the Journal and other publications. Some of these appear in this edition.
I started to get into authentication mechanisms, specifically smartcards and other technologies. I wrote about authentication and other topics in this edition.
For this edition I wrote several articles and updated some others that were popular topics I had received comments on.