September 2009
My 5 Things
Ed Bellis tagged me. Jerk :-)
So here goes:
1.) I spent years 1 through 12 of my life outside of Charlottesville, Virginia. Coming out here to Purcellville, I realize that I like the country.
2.) I’m a political independent. This tends to surprise people who align with me on one or two issues and then find that I don’t toe their party line. Why am I independent? What are the chances...
August 2009
“Backpack, you need to know everything we’re going to need for the...
– Chandler Howell on Dora The Explorer as Project Manager.
June 2009
Exploration in (New) Media Center Building
So we’ll be moving to a rural area of Virginia in a couple of weeks, and as part of trying to figure out which utilities to move and when, I decided to revisit how we, as a family, will entertain ourselves. Our family of five includes my wife, myself, my two sons (ages 7 and 11), and my 17-month-old daughter.
Currently, we have basic cable from Time Warner, with Road Runner basic...
May 2009
Facebook Tumblr Link
So with me not blogging at RiskAnalys.is anymore, I thought I’d try to figure out what I should do about this website. So far, I’ve linked Tumblr (this site) to my Facebook account.
They *seem* to be serving a similar purpose. Honestly, I think I’d like an OS X app to blog more here about stuff that is more than twitter, and not risk management related.
April 2009
It’s a FAIR Pandemic… →
RMI welcomes Jack Freund to the RiskAnalys.is blog…
Once again the 24-hour news cycle is buffeting us with “information” about the new risk that will surely end us all. I’ve received several…
Pair of Jacks →
Please join me in welcoming Jack Freund as a contributor to this blog. Jack is a certified FAIR analyst and has a boatload of experience in the information security profession. Welcome Jack!
Aggregate analysis (or measuring the surface area... →
One of the questions I commonly encounter is “How do you take something like FAIR and apply it to a big problem, like measuring the aggregate risk within an entire organization?” In order to keep…
March 2009
Load of Tosh? →
Long time no post… My sincere apologies, and I hope someone out there is still interested. I guess I needed a little prodding, which Stuart King so kindly provided. I’ve provided a response on…
February 2009
Alex →
Those of you who are familiar with this blog probably recognize Alex Hutton as THE voice of RMI and FAIR, and for good reason. For over two years now, Alex has earned a reputation as a spirited and…
Sweet Giveaway: Personal Honey Point License →
I have Five licenses for MicroSolved’s Personal Honeypoint Honeypot product to give away. I’m using the OSX version right now at a coffee shop. From what Brent Huston tells me, you can even…
Potpourri: Ponemon, Payment Professionals,... →
Today’s blog post is a quick catch up post on several fronts.
I LIKE PROFESSIONAL ASSOCIATIONS
First, Chris Hayes, David Mortman and I had the honor of being bought dinner by Mike Dahn. …
January 2009
A BRIEF ARGUMENT FOR PCI DSS (OR ALEX’S 5S’S FOR... →
Real quick: it might be worth noting that I wrote this the weekend before Heartland was announced.
So I was reading this excellent article on Taiichi Ohno and the Toyota Production System over…
The Source of PCI DSS “Failure” →
This is somewhat of a follow up from my post on changing our attitude towards how we might best protect consumers that use credit cards.
In FAIR, there are three types of contact that drive the…
Maturity & Measurement Redux →
My friend Mike Rothman had some fun things to say about this post I made last year in his recent insight. Love ya Mike, but I have to respond in kind.
“I’ve used the saying, “when all you have…
Using The Compliance Stick Actually Weakens You →
Anton is the “PCI Guy” (sorry, not sure of his real title) at Qualys. If you haven’t seen them yet, he’s got some pretty ranty posts about PCI up. Which are awesome. In his most recent post he…
A Couple of Links on Risk & Decision Making →
First, I wanted to point you over to Chris’ Risktical blog. He’ll be doing a FAIR analysis over there that looks interesting. It’s nice that Chris is dedicating his time on this, given the…
Thoughts on ISO 27005 →
First, many readers sent us the New York Times/Slashdot “Risk Management” link. Thank you!
The beginning of a reasoned response was written by Aleks on Andrew Gelman’s blog (…
December 2008
Moving Towards A Mature Security Organization... →
Over the past couple years of blogging, I’ve found that about once or twice a month I’ll write a really long blog post on a subject, only to scrap it before publication. It might be because my…
Fun From FAIR Training →
Sorry for the slow week. We had two sets of training that went (we thought) really, really well.
One of the things we do is ask learners to bring in scenarios that they want to run through FAIR….
Penetration Testing Not Dead, Probably Just Pining... →
Bill Brenner has an article in CSO magazine in which Fortify Co-Founder and Chief Scientist Brian Chess says:
“2009 will mark the end of pen tests as we know them.”
…
A Friday Afternoon Conversation About PCI DSS →
So I should be doing a million other things besides this, but….
I was thinking while I was driving today about PCI (yeah, that might be an indicator that I think about Risk Management too much). …
What is a Wise Risk Decision Worth? or ISO 27001... →
So yesterday I asked readers to comment on thoughts I had that came from a question asked on the ISO 27001 Google Group:
“How I can communicate the value of an ISO implementation to non-security…
KPIs for ISO 27001? Do Such Things Exist? →
On Gary Hinson’s excellent ISO 27001 Google Group, the following question was just posed:
Dear Implementers:
What could be the KPIs by which I, being Management Representative,
can show…
November 2008
Stuff You Might Like →
Usually I beg off of doing posts that link to other posts (Liquidmatrix does a great job of this on a regular basis), but I was afraid that James & Dave’s usually excellent intern might miss some…
Rational Risk Management, ‘Angry Italians’, and... →
Hope you all had a great weekend. I had meant to point you earlier to a FAIR analysis that Chris Hayes did over at his Blog. But I’ve been a little busy, and before I could mention it, Stuart…
On Security & Risk Management Innovation →
Pre-Script - It should be noted that the outcome of this discussion - in the last paragraph - is one smart way you can approach the “We need to reduce your budget” discussion (if that discussion…
Check It Out! FAIR Public Training December 10-12 →
There’s been quite a few people talking about what sorts of strategies make sense for security and security departments in a downturn. And they’re all very good - but there’s one thing that I’d…
October 2008
On Being Informative, or Seeing Through The Fog →
Carrying on from yesterday’s post a bit, I’m happy to admit that Chris’ poem is right: we don’t have nearly the information we need now when we’re supposed to have “control” over our assets, putting…
Beat Poet - Chris “Doby Gillis” Hoff →
Crazy, Man.
CLOUD COMPUTING - STORMY WEATHER? →
Lots being written about the Cloud, most of it quite dark and gloomy. In fact I’m surprised, that Hoff hasn’t got a preso spooled up called “The Toxic Cloud” or something…
A Cryptographer and a Data Communications Guy Talk... →
Sounds like the beginning of a joke, right? So these two guys walk into a bar…
“The” Bruce Schneier and Marcus Ranum have an article up on TechTarget/Information Security Magazine called,…
Gartner’s worst case for 2009 IT budgets isn’t so... →
AESRM - Projects and Publications →
Our Blog Got High Ratings! →
Tooting our own horn on Monday morning, the excellent Thinking Problem Management blog gave us their coveted “5 pineapple” rating!
In your face, RISKS Digest!
Why Risk Management Doesn’t Work (?!) →
Several folks (Hi Daniel, Brent, David!) sent email & twitters asking us our opinion on a Dark Reading article called “Why Risk Management Doesn’t Work” which if you click on the link should…
September 2008
Around The Web For Friday →
We’re frequently asked what we’re reading and what we like in blog posts, so here are some interesting things that hit our RSS readers that you may have missed:
COBIT rivals ITIL from The IT…
One Man’s Frustrations With “Risk Management” →
Chris, who is a male in Government C&A, has a blog with a wonderful title: How is that Assurance Evidence?
I’d love to have another blog even more specific - “Ok, that Assurance is Evidence Of…
So Logically, If She Weighs The Same As A... →
I usually try to stay far away from politics and current events, but my friend Rich has put up a blog post blaming the credit crisis on quantitative analysis, and then positing that because the…
Hansei and the CISO →
Continuing our series on Hansei-Kaizen, you’ll recall that my thoughts are about applying the concept of relentless reflection (Hansei) and continuous improvement (Kaizen) to security management. …
Best, Good, Standard Practices →
It’s like Scott knew it was my birthday and wrote a special comic just for me!
Risk and CVSS →
Chris Hayes is taking me to town in terms of risk content with his last two posts on Risk & CVSS. I told you his blog was going to be a good one.
August 2008
Gemba & The Journey →
Couple of things first before we get to the next post in the Hansei series. First, Jon Robinson was thinking about reputation damage and stock price and wrote a very lucid and smart post on the…
Relentless Reflection - What it Means in Risk... →
Picking up from yesterday, today I’d like to talk about:
HANSEI - WHAT IS “RELENTLESS REFLECTION?” - And why we’re talking about it in the context of Risk Analysis.
Recall from yesterday’s post…
Hansei-Kaizen & Risk Management Practices →
You might consider this a follow on to the Deming in Risk Management series I did this spring.
Recently, Thinking Problem Management wrote on the concept of Hansei-Kaizen. That started…
Reputation Damage & Measurement →
Reputation damage can be one of the most difficult concepts to build measurements around. In fact, it can be difficult to develop the actual metrics for the measurements, as well. Damage to things…
Server Upgrade →
So our server was upgraded by our hosting provider. Unfortunately, in the upgrade, a comment from Christian was lost amidst the shuffle. Sorry Christian!
Please take a second and verify your RSS…
Is Your Firewall a “High Risk Entity” →
Not trying to be overly snarky here, but I was reviewing some GRC product literature recently. And there was a screenshot of an application window showing how the software helps identify “high risk…
UPDATES GALORE! or, THE PRONOUN “WE” MEANS YOU... →
So much traveling, so little blogging. Sorry everyone. I’ve gotta say first that I really enjoyed meeting readers and friends of the blog this past two weeks.
Today, allow me to update you on…
New Weblog - It’s Gonna Be Good: Risktical.Com →
From Chris Hayes at http://risktical.com/.
I have the utmost respect for Chris as a risk analyst. He’s big in (started?) the Columbus OWASP chapter (and I have to admit to not getting to a…
July 2008
Mathematicians, The French, & Risk Analysts
Goethe: “Mathematicians are like Frenchmen: whatever you say to them they translate into their own language and forthwith it is something entirely different.”