SMART SecureIT: Using the NIST NICE Framework to Build a Cybersecurity Workforce

September 2, 2021
A few years ago I wrote a blog post offering advice on hiring information security professionals. At the time, I was speaking with a small group of other cybersecurity professionals who were all sharing frustrations with the hiring hoops that they were being required to jump through – especially the common problems of unclear

SecureIT Observations: SANS Report on Managing Human Cyber Risk

April 24, 2021
For the past few years, SANS has been producing an annual report on security awareness that helps shed a light on what’s happening in the industry through data-driven analysis. There are a few interesting findings in this year’s report that feel like they deserve additional attention and inquiry. First and foremost is a finding very

SecureIT Observations: Why Most Awareness and Training Programs Fail

May 18, 2015
I recently came across an article that pronounced security awareness efforts to be a complete and total waste of time. The author insisted that awareness efforts have no real value and that the true path to information protection lies in the advancement of technical security controls. Needless to say, I vehemently disagree with this perspective.

SMART SecureIT: Advice on Hiring Information Security Professionals

September 9, 2014
Many organizations struggle with the challenges of information security on a pretty constant basis. Size, complexity, and market segment have little to do with most of these challenges, though certainly, some sectors are bigger targets than others (government, banking, healthcare, etc). The greatest of these challenges isn’t about risk management or strategy, or any other

SMART SecureIT: Making the Case for Managed Security Monitoring

March 9, 2014
In my daily security strategy conversations with clients, I’m often asked “what’s the one thing I should really focus on?” Now that may seem like a pretty big question to ask, but when you consider how thinly spread most security functions are within many organizations (if they exist at all) it’s not a surprising one.

SecureIT Observations: Four Flavors of Risk Assessment

April 9, 2013
Risk is always an interesting topic of discussion within the infosec world. We have our own industry definitions for risk, and dozens of models to draw from when measuring or managing risk. One of the most intriguing aspects of risk-oriented work within this field is indeed how we measure risk – and how we use

SecureIT Observations: Information Security and the Hero’s Inner Journey

January 9, 2013
Of late I’ve been doing a lot of study regarding visualization, imagery, and story as tools for communicating more effectively with key stakeholders, general user constituencies, and the like. You see, I consider myself a writer. I love to write. I’m pretty good at writing. And I can write quickly (all in all it only

SMART SecureIT: Laptop Lockdown for the Roaming Professional

October 27, 2012
Over the past couple of years, laptop computers have continued to lose ground to tablets and a broad range of other mobile devices, but they still play an important role in maximizing the productivity of many. While I rely heavily on my own mobile devices for certain activities, my laptop remains the centerpiece of my

Looking Forward: The Necessity of Contextual Relevance

September 9, 2012
The nature of the security game hasn’t changed much over the past 10 to 20 years. Sure, the tools and technologies, and the types of offensive and defensive strategies that are employed have changed, but we’re still challenged in many of the same ways that we’ve always been. We’re still engaging in a losing battle

A Call to Action: Security and Organizational Culture

June 22, 2012
Within an organizational environment, the cultural norms are what drive attitudes and behaviors. It matters little what corporate policies or employee handbooks have to say if the day-to-day ‘tone’ of the organization is inconsistent with its printed materials. In many organizations, a complex set of “security policies” is used as a record – for the