Recent Posts

Board Governance

Board Governance

As a security executive, I often find myself troubled about the lack of cyber risk understanding in companys' executive management. I may be wrong, but apparently not very much. Lately, the voices for the need of proper cyber security risk governance at the board level are getting louder, and are coming from multiple sources; including the US Security and Exchanges Committee.

How to budget for security?

How to budget for security?

I often get into discussions about budgets and how much a company should invest in its security program. There is no easy answer because the problem we are trying to solve has many unknowns.

There are many ways one may address this question, the main one being a rule of thumb.

To cyber-insure or not?

To cyber-insure or not?

Professional liability insurance has been around for long. It is not a surprise that Cyber Insurance is becoming a trend lately, considering the constantly raising number of security breaches. The post in one sentence: Cyber insurance is a good thing but be careful what you wish for.

Steps in no-man's land

Steps in no-man's land

Some major breaches have seen the light of day lately, and everybody agrees that they will keep coming. I don't believe you will find any security professional respecting himself to tell you that this will stop. The reasons are many, but the most important one is the (lack of) security design. Systems, processes and services have been moving to production without security design for years. And unfortunately in many cases they still do.

In our (security) profession it is becoming common to jump on each other's throat; and the result is the public blaming of the CISO involved - like leaving them alone to take some hard steps in the middle of no man's land.