Apparently what Mike Tyson actually said in a 1987 interview was, "Everybody has plans until they get hit for the first time". In any case this is still a variant of the common theme of “No plan survives first contact with the enemy”, ascribed variously to von Moltke or von Clausewitz. What bugs me about the Tyson quote is less the quote itself, which is undeniably correct in the spirit of the idea it is meant to convey, but rather that there is a tendency for people to misuse the quote as ...| Risk and Cyber
In most organizations you are constantly upgrading your security controls. This is for many reasons, including:
• New threats induce higher risk exposure and require new forms of mitigation
• New assets or business processes change the risk profile requiring better controls
• Old controls, or wider mitigation frameworks, may have newly discovered flaws
• Current controls might be harming organization agility or efficiency in the context of business goals
• New legal, regulatory or c...
Many well-known security incidents appear to have a common pattern. They are not the result of some awesome attacker capability to exploit some hitherto unknown vulnerability or to realize a risk from some combination of controls weakness not contemplated. Rather, a remarkably common pattern is that the control or controls that would have stopped the attack (or otherwise detected/contained it) were thought to be present and operational but for some reason were actually not - just when they were
I re-stumbled across this well-worn meme of the 7 deadly sins and social media so, as many of you come back from Las Vegas, I thought it would be fun to take a light-hearted view of this from the angle of security products.
1. Gluttony: The All-You-Can-Eat Security Buffet
The insatiable urge to consume more, even when you're already bursting at the seams. The team that simply cannot say no to the next shiny new product, appliance, platform, or service. Their security stack resembles a digital hoarder
Risk & Cybersecurity
As security specialists, we regularly see claims about the escalating scale of cybercrime, often hearing staggering claims that it’s a "multi-trillion dollar problem." I’ve never seen any comprehensive take down or, for that matter, coherent substantiation of such claims. But, intuitively, I find them suspicious especially when the projections would have such crime overtake the GDP of the planet before long. I suspect the actual issue here is a categorization problem - although deliberat...
As an industry we spend a lot of time talking about workforce development and skills shortages. We tend not to talk about how to organize the people we have for maximum effect. In addition to the need for automation we also need to consider team balance - the interplay of different skill sets. Looking at many organizations, I have found that such balance is at least as important as the talent of individuals. I'd argue there is a necessary "rule of thirds" (not the photography one) for organ...
I see regular waves of articles and commentary that assert: “We are spending more and more on security but security incidents / breaches are still increasing!”
Is this actually true? Or is it the case that security incidents are in reality decreasing as a proportion of the potential incidents that could occur. Let's think about this.
First, I need to set a low expectation that I’m not going to prove anything here because I don’t have the data - that’s actually part of the problem and...
One of the more common patterns of security program success vs. failure is how much leadership is prepared to stick with the work over...
I thought I’d try something different and share some thoughts on the Cyentia Institute’s latest report, the Information Risk Insights Study. It’s increasingly clear in cyber that we need to ask better questions rather than simply keep leaping to what we think the answers might be. This study delivers on that: “Are cyber events occurring at greater frequency? Is an organization more likely to have a breach now than 15 years ago? Which types of incidents have become more common over time...
There is a lot of conventional security that is based on established ceremonies and an unquestioning faith that if we keep doing these things then all shall be well. If the ceremonies don’t produce the required results then we are deemed to have not performed them well enough - as opposed to it just being the wrong approach. The non-believers who point this out can even be subject to an inquisition for their heresy (it might even be unexpected). Much has been written about security theater ...
This is an update to a post from 2001 which I’m revisiting in part because some things have changed, but also because (surprisingly) much hasn’t. I first came across the notion of doctrine vs. structure in this depiction about the relative positioning of tanks from a tweet I can’t now place. It has stuck with me for a while, not just because I’m interested in tanks, but rather because I really like this notion of thinking of doctrine (the intent of use, or overall philosophy of appro...
When starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained outsize effects - as well as diving into the immediate and very specific things that need improving. Here are 5 of those I’ve found useful or have seen over the years in various companies (large and small) and various contexts (public and private). This is not an exhaustive list.
1. Increase Risk Transparency & Accountability. Fundamental, but not easy - something that is a ...
There is a plethora of sample job descriptions for security leaders that are often strictly correct but can also be uninspiring or too detailed to capture the actual essence of the role. I developed this role description a while ago to try and address that. It's mainly designed for growing companies rather than more established organizations but the more I look at it the more I think it's applicable to all. It's not meant to be a long list of attributes or specific tasks but, rather, somethi...
I recently joined Clint Gibler (tl;dr sec) at RSA for a great discussion. In it we cover a wide array of topics from the challenge of...
I’ve had a number of requests to write a post about how to start and grow a new security program - or a substantial reassessment and rebuild of an existing program. This is a difficult one to write because, as you all know, there is no one size fits all approach. Starting from scratch in a 10 person startup is very different from (re-)building a security program in a more established organization. What I’ve tried to do here, instead, is to develop a framework and step by step guide to ap...
I first wrote this post back in 2021 so I thought it’s time for a revisit with an addition of a few more roles. We talk about attackers being the enemy. Sometimes we talk about insider threats. But one of our biggest enemies is pernicious dependencies that limit our ability to keep environments up to date and configured to what we expect or need. One common trait of the best security programs is they have a massively deep and current understanding of what is in their environment and acros...
Not all risks are possible to fully mitigate in every context, so you need to record and manage those residual risks. These are often put into a risk register along with the universe of risks that are mitigated. A better term to describe your log of residual risks might be Risk Inventory. Most organizations do not manage these risk inventories as well as they could. Before examining that, let’s look at what I think is a good, and simple, model of how to think about the overall risk process...
For many years I’ve observed the same pattern of failure in projects, programs, issue mitigation and indeed anything that requires more...
Many security leaders, at all levels, correctly focus on having a good strategy and executing against that. However, many teams confuse planning, or “strategic planning” with actual strategy. In other words, a plan is not a strategy. This short video explains this very clearly. A Plan Is Not a Strategy
So, a strategy specifies a competitive outcome you wish to achieve, based on a coherent theory of winning. In the case of security the notion of a competitive outcome has multiple dimension...
I have a regular set of go to books both for myself and what I recommend to others at all stages in their career. Here they all are with what I think, at least for me, is the key take away. Of course, there are not many classic security books here. Most of the challenges of a security leader’s role is, well, leadership along with a healthy dose of program management, culture development, technical attention to detail, risk management and more. In fact, the accumulation of security knowledge...
Jim Collins wrote a great little book called Turning the Flywheel to further develop an idea introduced in his book Good to Great to describe how various parts of a business model can be mutually reinforcing. Most businesses from start-ups to major corporations have built or attempted to kick start their own flywheels. These flywheels operate for their business overall or individual products, to propel growth, cross-sell or otherwise amplify the economies of scale of their operations. Let...
Quantum computing is advancing rapidly. Innovations from Google, Microsoft, IBM and others are pushing the boundaries of not just the numbers of qubits but also their quality. We are well on our way to quantum computing being practical for real world problems. This also means we are on the path to the existence of cryptanalytically relevant quantum computers (CRQCs) that can break a number of the algorithms much of modern security depends on. Opinions vary on the timeline of when a CRQC...
Operational resilience is a concept that has gained even further traction. It first came to prominence from financial regulators, in particular the Bank of England and then others. “Operational Resilience is the ability of firms and the financial system as a whole to absorb and adapt to shocks, rather than contribute to them”. This concept, very much applicable to all sectors, met with some eye-rolling with some people saying: “we already do this – it’s called business continuity...
There are organizations that seem to have disproportionately created a large number of leaders who have gone on to be CISOs or other...
I’ve given variants of this talk at a few events in 2024 and received a lot of requests for the slides and a blog post. So here we go. There are many factors to being successful in most fields at various stages of your career. These can be long lists, and you will all have your own variants of these, but for me it all comes down to this top 6:
Before we unpack each of these it’s worth showing some humility here. I’ve had a long career with plenty of ups and downs across various industri...
I managed to keep up the pace of 1 post every 2 weeks throughout 2024. Just when I think I might be running out of ideas, and the backlog of topics is running low, then something always manages to come up. I’m grateful I continue to be in a position at the nexus of various fields (technology, a range of customer sectors, government, academia and investing), of various disciplines (risk, resilience, security, privacy, compliance and trust), all while being somewhat in a front row seat for th...
Just over a year ago I put out this blog post on the 10 fundamental (but really hard) security metrics. Since then I’ve discussed this with a lot of people and have been thinking more about this in the context of how Boards can oversee risk. For Boards, in particular, it’s clear that they need to drive behaviors by tracking leading indicators as opposed to reacting negatively when current lagging indicators don’t meet their expectations. Despite 10 metrics not seeming a lot I’m becomi...
One of the most profound, yet simple, acts of leadership I personally experienced was in the days after 9/11/2001. After the terrorist attacks many on Wall St. had lost friends, colleagues and in many cases family members. All had worked tirelessly to recover their companies and get the financial markets up and running again by the following week. I’d worked on and off in a command center, about half a mile away from Ground Zero, for several days with little in the way of sleep. Many other...
If you work for a large organization, especially public or otherwise regulated companies, then you may well have faced the prospect of developing a risk appetite statement. You might have been enthusiastic about this or possibly compelled by a Board member, a regulator or auditor to do it. This can end up being a "check the box” exercise to develop some abstract statement that no one really uses or values. But it doesn’t have to be this way. Risk appetite, or more specifically, definitio...
This is the second of two posts about interviews (the first post is here). In this one I’ll focus on interviewing candidates and the main attributes to look for when selecting potential security leaders - at any level. Both posts are general tips rather than very specific points about interviewing for particular skills or roles. For the tips for deep technical interviews, coding skills tests and other types of assessments then take a look at the myriad of great articles already out there. ...
This is the first of two posts about interviews. In this one I’ll focus on interviewing for a role. In the next one we’ll look at how to conduct better interviews. I’m going to make both of these posts more about general tips rather than specific points about particular skills or roles for which there are plenty of great resources already.
I suspect many of you reading this might be well practiced but many more of you might be starting out in your career and hopefully will pick up some u...
I wrote the original version of this post over 4 years ago. In revisiting this it is interesting to note that not much has actually advanced in the field. Yes, there have been more products and tools developed to apply FAIR or FAIR-like quantitative methods - some successful and some less so, usually indexed on the degree of effort it takes to set up the tooling to get more value out than you put in. As with other areas of risk there’s a Heisenberg-like quality to much of the approaches. Th...
Security training is often considered a bit of a waste of time. Maybe this is unfair, but unsurprising in the face of the worst forms of training like flicking through the computer based training equivalent of a slide show or even the ritualized gotcha of the phishing test. But, training our employees, vendors and customers on important topics to help them protect themselves is important. Even the correct strategy of creating ambient controls so that people are intrinsically protected by the...
Chesterton's Fence is a cautionary tale to make sure that before you change things you actually understand their purpose. This is particularly important for controls or other risk mitigation. When new leaders come into an organization they sometimes look at the array of controls and want to streamline them. So they start whittling away at things that apparently don't make sense or have no obvious purpose and then a few months later (maybe less maybe more) you start seeing issues, incidents or o
One of the many paradoxes of security is that when you have invested appropriately (sometimes at significant expense) and you have fewer and fewer incidents, then some time later, someone somewhere might ask: “Why are we spending so much on security when we don’t have any issues?” If this becomes an accepted view then cuts happen, upgrades and maintenance don’t get incrementally funded, or investments to mitigate new risks are not made. You know what comes next, slowly but surely crack...
We’re getting it wrong on the messaging for incentives to do security - and people are pretending it’s landing when it isn’t. There are 5 main categories of security incentives:
1. Loss avoidance. The problem is many losses don’t outweigh the potential accumulated actual or opportunity costs of the mitigations that would have been needed to avoid the loss.
2. Reputational risk / brand protection. The problem is most people forget these issues, and are acclimated to it (e.g. identity ...
A major success marker of great security leaders and their teams is one simple prioritization technique: the ability to know what needs to be done really well vs. what needs to be simply ok. In other words knowing when to go for an "A-grade" vs. when to simply "Pass", and making sure that the A-grade goals are dominated by what gives you the most leverage not just the things that are evidently critical. It has been over 4 years since I wrote the first version of this post. Since then, these...
Every major technological change is heralded with claims of significant, even apocalyptic, risks. These almost never turn out to be immediately correct. What often turns out to be riskier are the 2nd order effects that are a result of what is done with the new technology. No matter what, we do have to care about AI risks. Many past technological warnings of disaster have been avoided precisely because we did care. But the bigger risks come with what comes after what comes next. This is inhe...
There are many well known, so called, laws of technology. Moore’s law being particularly emblematic. Let’s look at some of them and see what the security implications have been for each and what might further develop as a result. [Definitions of the laws are from Wikipedia or other linked sources.]
1. Moore’s Law
Moore's law is the observation that the number of transistors in an integrated circuit (IC) doubles about every two years. Moore's law is an observation and projection of a hist...
A few weeks ago The White House published our PCAST report on cyber-physical resilience. Thank you for all the positive reactions to this. There is already much work going on behind the scenes in public/private sector organizations to implement various of the recommendations. One of the things we were going to put in the report was a “Letter from the Future”. I like such things, despite them being a contrivance, as it paints a more vivid picture of what might be. However, we had a lot of...
We still have plenty of open problems in information and cybersecurity (InfoSec). Many of these problems are what could easily be classed as “hard” problems by any measure. Despite progress, more research is needed here. While there is much academic, government and private sector sponsored research underway I wonder if some alignment between all these efforts to focus on a smaller set of foundational problems would be more fruitful. The challenge is to agree on what these are. There was ...
Unless you’re doing continuous or quarterly budgeting, which some organizations do, then you’ll no doubt be getting ready for the long haul of the annual budget process to seek the resources you need for your 2024 goals and, perhaps more importantly, to ensure that all the teams around your organization have the planned resources (people and budget) to do all what they need to do. This is one of the core disciplines of security leaders at all levels from sub-team to the whole organization...
Maturing a security program in any type of organization is not just to increase specific control effectiveness but also to increase its scale, predictability and reliability - otherwise that effectiveness cannot be sustained. A key factor in doing this is to move from “artisanal” ways of working to become more “industrial” - that is to move beyond individual team member craftsmanship toward relentlessly consistent organization-wide outcomes. Let's examine the difference between artisa...