Archive for the “Doing it Differently” category

A New Way to Tie Security to Business

by adam on June 20, 2016

As security professionals, sometimes the advice we get is to think about the security controls we deploy as some mix of “cloud access security brokerage” and “user and entity behavioral analytics” and “next generation endpoint protection.” We’re also supposed to (…)

Sneak peeks at my new startup at RSA

by adam on February 18, 2016

Many executives have been trying to solve the problem of connecting security to the business, and we’re excited about what we’re building to serve this important and unmet need. If you present security with an image like the one above, (…)

Improving Security Effectiveness

by adam on July 16, 2015

For the last few months, I’ve been working full time and talking with colleagues about a new way for security executives to measure the effectiveness of security programs. In very important ways, the ideas are new and non-obvious, and at (…)

The New Cyber Agency Will Likely Cyber Fail

by adam on February 10, 2015

The Washington Post reports that there will be a “New agency to sniff out threats in cyberspace.” This is my first analysis of what’s been made public. Details are not fully released, but there are some obvious problems, which include: (…)

Security 101: Show Your List!

by adam on January 5, 2015

Lately I’ve noted a lot of people quoted in the media after breaches saying “X was Security 101. I can’t believe they didn’t do X!” For example, “I can’t believe that LinkedIn wasn’t salting passwords! That’s security 101!” Now, I’m (…)

Employees Say Company Left Data Vulnerable

by adam on October 7, 2014

There’s a recurring theme in data breach stories: The risks were clear to computer experts inside $organization: The organization, they warned for years, might be easy prey for hackers. But despite alarms as far back as 2008, $organization was slow (…)

BSides LV: Change Industry Or Change Professionals?

by adam on August 27, 2014

All through the week of BSides/BlackHat/Defcon, people came up to me to tell me that they enjoyed my BSides Las Vegas talk. (Slides, video). It got some press coverage, including an article by Jon Evans of TechCrunch, “Notes From Crazytown, (…)

What Security Folks Can Learn from Doctors

by adam on June 11, 2014

Stefan Larsson talks about “What doctors can learn from each other:” Different hospitals produce different results on different procedures. Only, patients don’t know that data, making choosing a surgeon a high-stakes guessing game. Stefan Larsson looks at what happens when (…)

There’s more than one way to threat model

by adam on April 23, 2014

Today, most presentations on threat modeling talk about each phase of the process. They talk about how to model what you’re building, what can go wrong, and what to do about it. Those tightly coupled processes can be great if (…)

The Breach Trilogy: Assume, Confirm, Discuss

by adam on April 22, 2013

We’ve been hearing for several years that we should assume breach. Many people have taken this to heart (although today’s DBIR still says it takes months to detect those breaches). I’d like to propose (predict?) that breach as a central (…)