Alex Hutton

About

Hi. This is my personal weblog. I also write at:

http://www.newschoolsecurity.com
http://securityblog.verizonbusiness.com


    » Potpourri: Ponemon, Payment Professionals, Perimeters, & Pete Lindstrom

    Today’s blog post is a quick catch up post on several fronts.

    I LIKE PROFESSIONAL ASSOCIATIONS

    First, Chris Hayes, David Mortman and I had the honor of being bought dinner by Mike Dahn. …



    February 04, 2009, 3:20pm

    » A BRIEF ARGUMENT FOR PCI DSS (OR ALEX’S 5S’S FOR LEAN INFORMATION SECURITY MANAGEMENT)

    real quick:  It might be worth noting that I wrote this the weekend before Heartland was announced.

    So I was reading this excellent article on Taiichi Ohno and the Toyota Production System over…



    January 27, 2009, 10:04am

    » The Source of PCI DSS “Failure”

    This is somewhat of a follow up from my post on changing our attitude towards how we might best protect consumers that use credit cards.

    In FAIR, there are three types of contact that drive the…



    January 23, 2009, 12:47pm

    » Maturity & Measurement Redux

    My friend Mike Rothman had some fun things to say about this post I made last year in his recent insight. Love ya Mike, but I have to respond in kind.

    “I’ve used the saying, “when all you have…



    January 21, 2009, 11:44am

    » Using The Compliance Stick Actually Weakens You

    Anton is the “PCI Guy” (sorry, not sure of his real title) at Qualys.  If you haven’t seen them yet, he’s got some pretty ranty posts about PCI up.  Which are awesome.  In his most recent post he…



    January 15, 2009, 8:26am

    » A Couple of Links on Risk & Decision Making

    First, I wanted to point you over to Chris’ Risktical blog.  He’ll be doing a FAIR analysis over there that looks interesting.  It’s nice that Chris is dedicating his time to this, given the…



    January 13, 2009, 11:03am

    » Thoughts on ISO 27005

    First, many readers sent us the New York Times/Slashdot “Risk Management” link.  Thank you!

    The beginning of a reasoned response was written by Aleks  on Andrew Gelman’s blog (



    January 06, 2009, 1:31pm

    » Moving Towards A Mature Security Organization Using A Measured Approach to Risk Management

    Over the past couple years of blogging, I’ve found that about once or twice a month I’ll write a really long blog post on a subject, only to scrap it before publication.   It might be because my…



    December 22, 2008, 2:12pm

    » Fun From FAIR Training

    Sorry for the slow week. We had two sets of training that went (we thought) really, really well.

    One of the things we do is ask learners to bring in scenarios that they want to run through FAIR….



    December 12, 2008, 3:06pm

    » Penetration Testing Not Dead, Probably Just Pining for the Fjord

    Bill Brenner has an article in CSO magazine in which Fortify Co-Founder and Chief Scientist Brian Chess says:

    “2009 will mark the end of pen tests as we know them.”



    December 08, 2008, 10:34am