Good luck finding someone qualified… The SEC is apparently about to make it a requirement for public companies to report on “the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk”.1 Some details: Why would it be hard to find someone like this? But here’s the rub And there are some …
So you’re looking for a cyber security board member for your public company Read More »
People who don’t have to do it seem to not understand the nature of the cyber threat. This very short summary is intended for everyone who is responsible for it to hand to everyone else to help start a conversation and gain mutual understanding. The 6 questions people are commonly taught to ask are: who, …
Every once in a while I come across something interesting with substantial potential impacts but that differs from the common misconceptions. Many of them I point out with a fevered disdain of foolishness, while others I view more philosophically. This article is about some recent results that I think are worth attention, that are counter …
Some results in cybersecurity and why they may be interesting Read More »
People seem to me to be having problems dealing with enjoying their lives lived increasingly online. I live a life largely online, and with the pandemic pushing people increasingly away from the physical interaction world, I think we might be getting to the point where we do more and more that produces less and less …
The Capability Maturity Model notions that, starting from scratch, a program matures by goingthrough phases. Cyber Security as Sexy! Why don’t they invest the necessary resources? Getting to Managed is not that hard But I don’t want to! But that’s what computers are for! It takes time to mature Conclusions
A fair number of folks have been asking lately about what the best first steps in small company cyber security program development look like (a.k.a., We’re a small company… what should we do about it?). As I thought about it, the answer is pretty much the same as for a large enterprise, and the answer …
It looks like there is a coordinated effort in the US government to promote so-called “zero trust architecture”. I wrote my last article on the NIST ridiculousness in this arena, and since posting it, I have found that there are several other Federal attempts to promote the so-called architecture both within and outside of government. …
Don’t trust Zero Trust – The Whole of Government Approach Read More »
Until recently, the concept of zero trust architecture as a cybersecurity approach was a minor thorn in the side of those of us trying to achieve effective risk management in cyber systems. Similarly, the so-called “best practices” approach to cyber security that I have heard about for years has produced no such “best” anything. The …
Don’t trust Zero Trust or so-called Best Practices Read More »
