Archive for the “Doing it Differently” category

2017 and Tidal Forces

by adam on January 13, 2017

There are two great blog posts at Securosis to kick off the new year: Tidal Forces: The Trends Tearing Apart Security As We Know It (Rich Mogull) Network Security in the Cloud Age: Everything Changes (Mike Rothman) Both are deep (…)

Read the rest of this entry »

Yahoo! Yippee? What to Do?

by adam on December 15, 2016

[Dec 20 update: The first draft of this post ended up with both consumer and enterprise advice, which made it complex. The enterprise half is now on the IANS blog: Never Waste a Good Crisis: Yahoo Edition.] Yesterday, Yahoo disclosed (…)

Read the rest of this entry »

Learning from Our Experience, Part Z

by adam on November 7, 2016

One of the themes of The New School of Information Security is how other fields learn from their experiences, and how information security’s culture of hiding our incidents prevents us from learning. Today I found yet another field where they (…)

Read the rest of this entry »

The Breach Response Market Is Broken (and what could be done)

by adam on October 12, 2016

Much of what Andrew and I wrote about in the New School has come to pass. Disclosing breaches is no longer as scary, nor as shocking, as it was. But one thing we expected to happen was the emergence of (…)

Read the rest of this entry »

Why Don’t We Have an Incident Repository?

by adam on September 14, 2016

Steve Bellovin and I provided some “Input to the Commission on Enhancing National Cybersecurity.” It opens: We are writing after 25 years of calls for a “NTSB for Security” have failed to result in action. As early as 1991, a (…)

Read the rest of this entry »

What Boards Want in Security Reporting

by adam on August 22, 2016

Recently, some of my friends were talking about a report by Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports.” In that report, we see things like: More than three in five board members say they are (…)

Read the rest of this entry »

FBI says their warnings were ignored

by adam on August 17, 2016

There’s two major parts to the DNC/FBI/Russia story. The first part is the really fascinating evolution of public disclosures over the DNC hack. We know the DNC was hacked, that someone gave a set of emails to Wikileaks. There are (…)

Read the rest of this entry »

Consultants Say Their Cyber Warnings Were Ignored

by adam on August 3, 2016

Back in October, 2014, I discussed a pattern of “Employees Say Company Left Data Vulnerable,” and its a pattern that we’ve seen often since. Today, I want to discuss the consultant’s variation on the story. This is less common, because (…)

Read the rest of this entry »

A New Way to Tie Security to Business

by adam on June 20, 2016

As security professionals, sometimes the advice we get is to think about the security controls we deploy as some mix of “cloud access security brokerage” and “user and entity behavioral analytics” and “next generation endpoint protection.” We’re also supposed to (…)

Read the rest of this entry »

Sneak peeks at my new startup at RSA

by adam on February 18, 2016

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, (…)

Read the rest of this entry »