I’m thrilled with many of the provisions in the President’s recent Executive Order on Improving the Nation’s Cybersecurity. The tiered software security ratings system, the IoT consumer labeling, the cybersecurity review board, and the emphasis on sharing information on breaches and other cyber incidents are all bold initiatives.
State legislatures in Nevada, Ohio, Utah and Connecticut have passed or are in the process of passing “safe harbor” protection against negligence lawsuits for companies hit with a data breach – if the companies implement controls from a recognized cybersecurity framework.
One of the questions I like to ask CISOs is, “What is the most cost-effective control in your arsenal?” The responses are varied and interesting, but their answers are pretty consistently based on bias.
If you’ve been in the cybersecurity profession for any length of time, you’ll have heard (or said) the old chestnut about two hikers who run into a bear on the trail. One hiker immediately takes off his hiking boots and puts on his running shoes.
Yesterday, while speaking to a university cybersecurity class, I was accused of being pedantic when I pointed out a problem with the phrase “The risk of that impact…”
FAIR model creator Jack Jones recently answered a FAIR Institute member's question about terminology that's one of those easily confused yet critical distinctions in cyber risk management: What's the difference between a security exception (or policy exception) and risk acceptance?
Star Trek movie fans will likely recognize “Kobayashi Maru” as a reference to the training exercise used by Star Fleet to evaluate how cadets respond to a no-win scenario.
You will hear some in the profession refer to “upside risk” and “downside risk,” or “positive risk” and “negative risk.” This can be confusing for the vast majority of people who think of risk solely in terms of loss from adverse events.