Thursday, September 27, 2018

...don't let your residual risk manage you!...



How is your Business managing "residual risk"? 

We've all dealt with "fast-tracked" projects: things are prioritized by the business (rightfully so), but the downside is that there is always residual risk to manage.

We use the OMB 02-01 to develop a "Plan of Action and Milestones" that allows us to time-box and ensure accountability, as well as give key executives a window into ongoing risk mitigations.

How does your team manage and mitigate residual risk? Residual risk is a fact of doing business; just don't let it fall through the cracks and come back to haunt you.
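As an added example (not code from the original post), here is a small Python POA&M tracker in the spirit of OMB 02-01: each weakness carries an accountable point of contact and time-boxed milestones, and the tracker flags delayed items for escalation and builds the executive-level summary the post talks about. The sample POA&M entries, owners, sources and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Milestone:
    description: str
    scheduled: date                    # the time-box: when this step is due
    completed: Optional[date] = None   # filled in when the step is done


@dataclass
class PoamItem:
    weakness: str                      # the residual risk being tracked
    point_of_contact: str              # accountable owner
    identified_in: str                 # where the weakness surfaced
    risk_level: str                    # "high", "medium" or "low"
    milestones: List[Milestone] = field(default_factory=list)

    def status(self, today: date) -> str:
        """Completed once every milestone is done, delayed if any open
        milestone is past its scheduled date, otherwise ongoing."""
        if all(m.completed is not None for m in self.milestones):
            return "completed"
        if any(m.completed is None and m.scheduled < today
               for m in self.milestones):
            return "delayed"
        return "ongoing"

    def days_overdue(self, today: date) -> int:
        """Largest slip among open milestones (0 when nothing is late)."""
        late = [(today - m.scheduled).days for m in self.milestones
                if m.completed is None and m.scheduled < today]
        return max(late, default=0)


def delayed_items(poam: List[PoamItem], today: date) -> List[PoamItem]:
    """Items that need escalation, worst slip first."""
    late = [item for item in poam if item.status(today) == "delayed"]
    return sorted(late, key=lambda item: item.days_overdue(today), reverse=True)


def executive_summary(poam: List[PoamItem], today: date) -> Dict[str, object]:
    """Counts per status plus the open high-risk weaknesses, the view a
    key executive wants for a quick look at residual risk."""
    counts = {"ongoing": 0, "delayed": 0, "completed": 0}
    for item in poam:
        counts[item.status(today)] += 1
    open_high = sorted(item.weakness for item in poam
                       if item.risk_level == "high"
                       and item.status(today) != "completed")
    return {"counts": counts, "open_high_risk": open_high}


# Constructed sample POA&M (hypothetical project, owners and dates).
TODAY = date(2018, 9, 27)
SAMPLE_POAM = [
    PoamItem("Customer portal shipped without WAF rule set", "app-sec lead",
             "fast-track go-live review", "high",
             [Milestone("Tune WAF rules in staging", date(2018, 9, 10), date(2018, 9, 9)),
              Milestone("Enable blocking mode in production", date(2018, 9, 20))]),
    PoamItem("Service account with non-expiring password on batch server",
             "infra lead", "quarterly access review", "medium",
             [Milestone("Move secret to the vault", date(2018, 10, 15))]),
    PoamItem("Legacy TLS 1.0 on partner API", "network lead", "external scan", "high",
             [Milestone("Notify partners", date(2018, 8, 1), date(2018, 8, 1)),
              Milestone("Disable TLS 1.0", date(2018, 9, 1), date(2018, 9, 3))]),
]

if __name__ == "__main__":
    for item in delayed_items(SAMPLE_POAM, TODAY):
        print(f"DELAYED {item.days_overdue(TODAY):>3}d  {item.weakness}"
              f"  (owner: {item.point_of_contact})")
    print(executive_summary(SAMPLE_POAM, TODAY))
```

Run as a script it lists the one delayed item (the WAF blocking-mode milestone, seven days late) and prints counts of one ongoing, one delayed and one completed item with the portal weakness as the only open high-risk entry. Status is derived from milestone dates rather than stored, so the tracker cannot drift out of step with the time-boxes the team committed to.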

Great article on residual risk

Monday, September 24, 2018

...making a more significant contribution to business success...



Work Smarter not Harder? Is this meaningless or meaningful? How can adopting this work ethic make a measurable, statistically significant contribution to the business of Security, Compliance, Risk and Audit?

When you learn to... "Do Less, Then Obsess!": going all in, with a fanatic attention to detail, dedicating every ounce of effort to the things that truly matter at the end of the day, always seeking perfection, you'll notice new heights of personal job satisfaction as well.

It's a fact that top performers can and will concentrate on fewer things, but obsess more about them.

The key to success is working with your leadership team to enable them to validate that the results are significantly more valuable than a sheer quantity of mediocre work product. Remember that "value metrics" that accurately measure benefit to the customer are infinitely more relevant than the internal metrics we create.

Dr. Morten Hansen shares his seven work-smarter practices to help us all excel.

Perform Better

Wednesday, September 19, 2018

...work the CIS top 20 like a BOSS!...



There is no Information Security "labor shortage"; there is a lack of understanding of the challenges and a level-headed, business-driven laser focus on success.

OWASP, OASIS, NIST, CIS, SANS, ITIL, COBIT... these are our role models, our mentors, our "Avengers", our "S.H.I.E.L.D.".

Vendors that drive the hype cycle are just that: salespeople; none of them know your challenges like you do. Identify your risks, and work the list relentlessly, each and every day. Share the list with your teams, get their input and insights, make it a shared concern, empower them.

For my labor dollars, I look to my IT Department for recruits; they understand Information Security and Risk, just not the lingo. My training/recruitment dollars are better spent on internal IT Department team members to bootstrap them into INFOSEC... to "solve" any perceived shortage.

It's a fact: sysadmins make great INFOSEC pros.

The next step is to truly KNOW the current state and the desired end state, and to do and measure what is truly important, not just the shiny penny of vendor-hype-driven security.

Stop playing INFOSEC Whack-a-Mole... Work the CIS Top 20 like a BOSS!

Center for Internet Security

Monday, September 17, 2018

...cultural entropy...don't let it blind side you...



Resistance to change: my concept of "ENTROPY IMPACT" relates to changing behaviors in ways that could serve the business better.

I would summarize this as the negative impact of affected technology teams injecting passive-aggressive slowdown behavior into positive change.

Almost everything on my "things to change" list is low cost but has a high ENTROPY IMPACT quotient.

An enigma, wrapped in a conundrum.

Entropy in the Workplace

Thursday, September 6, 2018

...if it was easy, anyone could do it...



For me, I think we've all known this since NIST stood up the Computer Security Resource Center in the early '90s.

My desktop "short list of things to fix" has thirty-two major topics on it: 50% people and process, 50% web services and plain old security ("POS").

The one thing they all have in common is the ROI and ENTROPY IMPACT profile: little or no cost, high risk because of internal change requirements, high ROI. If it was easy, anyone could do it.

We are all in this together.

DHS asks for YOUR help

Saturday, September 1, 2018

...ransomware or a denial of service attack...is there any difference, really?


"Ransomware", a rose by any other name... another form of the denial-of-service attack. Complicated but not complex. Does your "ransomware" planning encompass: reputational risk? SCADA system risks? Various service/daemon, human and non-human account compromises? ID badge systems? Telephone systems with an E-LAN/VoIP component? There are many other attack vectors; these are some of the ones I see overlooked most frequently.