I tend to operate in accordance with the four principles of Cigital‘s recent Agile Security Manifesto. [su_pullquote align=”right” class=””]NOTE: I cannot state whether I’ve employed Cigital professionally but I have had interaction with them in my career.[/su_pullquote] These principles align with security governance, education and scaling throughout an organization versus roles in security domains taking on… Continue reading Cigital’s Agile Security Manifesto
Category: Risk Management
SANS – Confusion in the Top How Many?
Enterprise Security or Secure Solution program? While discussing the SANS Top 20 Critical Controls a couple of weeks ago I ran into some confusion with an infosec partner about the number of controls we were talking about. He referred to the Top 25 but I know from my training and certification that there are 20… Continue reading SANS – Confusion in the Top How Many?
CSIP Looks Good
After reading through the CyberSecurity Strategy and Implementation Plan (CSIP) I was impressed with its scope and relatively clear terminology, acronyms notwithstanding, and how it outlined federal strategy. I expect the timelines to be challenging, though. Working in a multi-national, Fortune 500 company, I know that if you don’t already have some information collected and… Continue reading CSIP Looks Good
Delivery IS Business
Business [W]hether your business’ core competencies involve products, services or legally binding promises, delivery is a measuring stick that’s used to evaluate you. Do you deliver what customers want ahead of the industry? Do you deliver it better or cheaper. Do you deliver a different experience; are you a boutique for your industry? Regardless of… Continue reading Delivery IS Business
Legacy Risk Corollary
Risk management encompasses risks to privacy, network, process, brand, etc. I’m interested in a juncture of two threat vectors in this post. Legacy, in this context, refers to things that have been in-place for a long time. Often they are heavily depended upon so that they cannot easily be replaced without significant cost and concurrent risk.… Continue reading Legacy Risk Corollary