Archive for the “best practice” category

How to mess up your breach disclosure

by adam on March 30, 2012

Congratulations to Visa and Mastercard, the latest companies to not notify consumers in a prompt and clear manner, thus inspiring a shrug and a sigh from consumers. No, wait, there isn’t a clear statement, but there is rampant speculation and (…)

Kudos to Ponemon

by adam on January 23, 2012

In the past, we have had some decidedly critical words for the Ponemon Institute reports, such as “A critique of Ponemon Institute methodology for “churn”” or “Another critique of Ponemon’s method for estimating ‘cost of data breach’”. And to be (…)

New School Approaches to Passwords

by adam on January 10, 2012

Adam Montville left a comment on my post, “Paper: The Security of Password Expiration”, and I wanted to expand on his question: Passwords suck when they’re not properly cared for. We know this. Any other known form of authentication we (…)

Discussing Norm Marks’ GRC Wishlist for 2012

by alex on December 21, 2011

Norm Marks of the famous Marks On Governance blog has posted his 2012 wishlist.  His blog limits the characters you can leave in a reply, so I thought I’d post mine here. 1.  Norm Wishes for “A globally-accepted organizational governance (…)

The New School of Security Predictions

by adam on December 21, 2011

Bill Brenner started it with “Stop them before they predict again!:” My inbox has been getting hammered with 2012 vendor security predictions since Halloween. They all pretty much state the obvious: Mobile malware is gonna be a big deal Social (…)

Are Lulz our best practice?

by adam on June 10, 2011

Over at, Patrick Grey has an entertaining and thought-provoking article, “Why we secretly love LulzSec:” LulzSec is running around pummelling some of the world’s most powerful organisations into the ground… for laughs! For lulz! For shits and giggles! Surely (…)

Gunnar’s Flat Tax: An Alternative to Prescriptive Compliance?

by alex on January 14, 2011

Hey everybody! I was just reading Gunnar Peterson’s fun little back of the napkin security spending exercise, in which he references his post on a security budget “flat tax” (Three Steps To A Rational Security Budget).  This got me to (…)

CRISC – The Bottom Line (oh yeah, Happy New Year!)

by alex on January 2, 2011

No doubt my “Why I Don’t Like CRISC” blog post has created a ton of traffic and comments.  Unfortunately, I’m not a very good writer because the majority of readers miss the point.  Let me try again more succinctly: Just (…)

The Only Trust Models You’ll Ever Need

by alex on December 23, 2010

Lately there has been quite a bit of noise about the concept of “trust” in information security.  This has always confused me, because I tend towards @bobblakley when he says: “trust is for suckers.” But security is keen on having (…)

Best Practices for Defeating the term “Best Practices”

by adam on February 12, 2010

I don’t like the term “Best Practices.” Andrew and I railed against it in the book (pages 36-38). I’ve made comments like “torture is a best practice,” “New best practice: think” and Alex has asked “Are Security “Best Practices” Unethical?” (…)