Risk Appetite

In the early 2000s, I was seemingly always having discussions with peers, friends, and customers on the meaning of InfoSec (aka cybersecurity) risk. Speaking beyond the dozens of models, methods, and practices and looking to really understand the elements of risk in corporations. Later I would write extensively on the topic, eventually evolving into the Adaptive […]

The State of Security – Ten Years Later

A decade ago I wrote a four-part series about the state of security touching on the relationships between regulations, standards, and ultimately business expectations in the light of risk and liability. It’s an interesting read from a throw-back perspective. The State of Security (Part 1 of 4) Will state law set a new low for […]

A Mature Security Program: The value of CMM

I originally wrote this back in 2009. I was having a lot of discussions around maturity and the role of maturity in security programs. Interestingly, this is a topic that continues to resurface to this day. With that in mind, I figured I’d publish it again for prosperity. There are a lot of security […]

Flashback Monday

I’ve been in a number of workshop meetings walking through the development of security models and solutions. It’s been effective and informative. I’m the new guy and not a lot of folks know much about me other than I’ve been doing security for some years. The topic of maturity came up and the role of […]


A new edition of the HP INFORM – Enterprise Security eZine was published recently. There are very interesting articles, and one is an interview of me about coming to HP and my view on information security.