Back to the Future: A 2023 Report on Effective Cyber Risk Management

I talk to a lot of companies about cyber risk management vs. cyber security. I seem to get one of two possible responses – the first being a blank stare, the second being whole-hearted agreement but with the caveat that they are just starting on their journey to true cyber risk management. So even though […]

Groundhog Vulnerabilities

Groundhog Day is celebrated each year in the United States and Canada on February 2. It comes from a superstition that if a groundhog emerging from its burrow on this day sees its shadow due to clear weather, it will retreat to its den and winter will persist for six more weeks; but if it does not see its […]

Will Solarwinds be the Crisis Cybersecurity Needs?

All of us in the cybersecurity business like to believe that cybersecurity is a boardroom issue and has been for the last few years. On the other hand we all know that most executives view cyber security as a technical issue to be handled by technologists, antithetical to corporate culture and a burden on doing […]

3 Clear and Present Cyber Dangers in 2021

According to the recently released World Economic Forum (WEF) Global Risks Report 2021, cyber risks continue ranking among the top ten clear and “present dangers” (high probability risks over the next 2 years).   This present danger translates into three key cybersecurity challenges for 2021:   Increasing cybersecurity complexity – This is driven both by increased […]

Threat Intelligence + Threat Scenarios = Predictive Cyber Security

Cyber Threat Intelligence (CTI) involves analyzing information about threats and producing guidance on how to respond. An interesting 2020 survey by the SANS institute on CTI (requires registration) found more organizations then ever adopting CTI programs and focusing on tactics, techniques and procedures (TTPs). The primary goals of these CTI programs are: threat detection (89%), […]

Capitol Breach and Cyber Threats

Last week pro-Trump rioters occupied portions of the U.S. Capitol building. This is a real issue for cyber defense since once there is known or presumed loss of physical security for systems you can no longer assume the same level of trust for those devices.  This scenario is similar to supply chain attack scenarios (like […]

Surprise: CISOs are Human

The CISO role is generally considered one the highest stress, least appreciated executive\managerial jobs. Even before the COVID crisis, nearly 9 out of 10 executives holding the title of chief information security officer (CISO) or chief security officer (CSO) reported “moderate or tremendous” job-related stress. Many say the heightened stress levels has led to mental […]

Supply Chain Risk Management

NIST Special Publication 800-161 on “Supply Chain Risk Management Practices for Federal Information Systems and Organizations” was issued about 5 years ago (it is currently going through a revision). It is a long document (based off the NIST 800-53r4 document on controls) and covers just about everything you could think of that is needed for […]

CISOs, Purple Teams and Cynefin

Cynefin is sense making framework created in 1999 by Dave Snowden. Cynefin offers five decision-making contexts or “domains”: obvious, complicated, complex, chaotic, and a center of disorder. Figure by Snowded  (Own work, CC BY-SA 3.0)   I believe that the main proactive aspect of a CISO’s job is to lower complexity by moving many events as possible to […]

Microsoft, SUNBURST and Supply Chain Attacks

Continuing my tracking of the Solarwinds trojan (SUNBURST), I came on an article about Microsoft’s response – “Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach”. Seemed a bit over the top to me until I looked up Death Star and found this: DEATH STAR OG – “Death Star OG indica dominant […]