I recently attended the Open Security Summit. While there, I met Dave Snowden, who introduced me to his Cynefin Framework, which has sparked a bit of a journey for me ever since. Cynefin is an interesting Welsh word with no real English translation but has been described by “It describes…
Category: Security
Unmitigated Surprise and Why Robust Risk Identification Matters
I have been rediscovering my security risk management roots recently and developing the components of a quantitative approach to security risk management. I am picking up the risk books I put down in 2008 when Cyber became the new brand for information security. At that time I became much more…
Homebrew Monte Carlo Simulations for Security Risk Analysis
I cannot say enough good things about Doug Hubbard’s work. I’ve been obsessed with How to Measure Anything and The Failure of Risk Management so when he published How to Measure Anything in Cybersecurity Risk with Richard Seierson I could not have been happier. The whole book is worth reading…
CISO Priorities
I recently developed a set of playing cards for use by CISOs when talking to their own teams or with their peers about what their priorities are. I worked with Matt Ballantine of Stamp who has developed a number of similar cards in his CxO Priorities line for technology, markets…
Good security is a conversation, not an argument. Part Two.
In my previous post, I outlined why I feel the lack of good conversations between security practitioners and other people in their organisations leads to poor outcomes. A crucial part of the challenge is the need to truly develop a dialogue: both parties need to listen to the other. “This…