What do you think this is?

Auditing AI systems

• 1 minute to read
• Thursday, 21st of November 2024
• • artificial intelligence
  • education
  • leadership
  • machine learning
  • management

My journey with Machine Learning and AI started back in 2017; my first article about AI in this blog was in 2019. And I believe that Governance is of utmost importance in many things, AI being one of them.

9th Information Security Conference - Greece

• 3 minutes to read
• Tuesday, 29th of March 2022
• • conferences
  • presentations
  • management
  • business
  • budget

Three years after my last appearance in a conference due to COVID-19 lockdowns, I was invited to present to the 9th Information Security Conference in Greece. The conference theme was Enabling a Secure Future: Managing Risks in a Constantly Changing World. The conference was virtual / online and was held on the 17th of February, 2022.

A leader uses DNS to educate

• 2 minutes to read
• Monday, 30th of August 2021
• • security
  • management
  • leadership

Once upon a time I spent a total of 4 hours (over three days) in meetings, stating that I will definitely not approve a security exception. At least, not until someone demonstrates that the exception requested, removes the root cause or is a valid workaround.

Vulnerability and Patch management

• 5 minutes to read
• Sunday, 14th of February 2021
• • security
  • management
  • risk management

During the last 3 months I got more times than expected in discussions about patch and vulnerability management. I need to say, there is much misunderstanding going around about these two processes; so much that I could argue that several organizations are exposing themselves significantly, just because the touch points and (lack of) dependencies in these two processes are not clear.

How to budget for security?

• 6 minutes to read
• Friday, 8th of November 2019
• • business
  • security
  • budget
  • management

I often get into discussions about budgets and how much a company should invest in its security program. There is no easy answer because the problem we are trying to solve has many unknowns.

There are many ways one may address this question, the main one being a rule of thumb.

What to do with the center of security?

• 7 minutes to read
• Monday, 17th of June 2019
• • awareness
  • management
  • leadership
  • social engineering
  • security

Some years ago, during a (quite extended) phishing avalanche in the company I was at the time, the (then) CIO said: Let's fire every user that falls for a phishing mail! That will solve the problem for good. I considered it a joke, and I replied pretty much with a rhyme: Let's train them before we blame them and I didn't give it a second throught. We went on to deploy some training modules, but never really implemented the technical controls on the mail server; an activity that if had been implemented, several of those phishing mails would never have entered the company. I think that this is not strictly a user failure and I'm inclined to blame the IT deparment more than the user.