Recent Posts

Risk understanding and coronavirus

Risk understanding and coronavirus

Due to the Coronavirus outbreak there are lots of voices saying that we shouldn't care so much - especially if we haven't vaccinated for the flu which shows a lack of diligence on our side.

That could not be more wrong! People who say that understand ZERO about risk management, and since my social bubble is mostly security and risk management people, I find that very alarming.

Let me explain:

How to budget for security?

How to budget for security?

I often get into discussions about budgets and how much a company should invest in its security program. There is no easy answer because the problem we are trying to solve has many unknowns.

There are many ways one may address this question, the main one being a rule of thumb.

Long time no write

  • 1 minute to read
  • Friday, 27th of September 2019

Indeed I know I haven't posted for long. It's not that I don't have anything to say, but I'm trying to find a balance between posting something about things I know, and making sure the readers do not necessarily assume that this is how we do things in SUSE.

Getting there...

What to do with the center of security?

What to do with the center of security?

Some years ago, during a (quite extended) phishing avalanche in the company I was at the time, the (then) CIO said: Let's fire every user that falls for a phishing mail! That will solve the problem for good. I considered it a joke, and I replied pretty much with a rhyme: Let's train them before we blame them and I didn't give it a second throught. We went on to deploy some training modules, but never really implemented the technical controls on the mail server; an activity that if had been implemented, several of those phishing mails would never have entered the company. I think that this is not strictly a user failure and I'm inclined to blame the IT deparment more than the user.