Archive for the “careers” category

What CSOs can Learn from Pete Carroll

by adam on February 6, 2015

If you listen to the security echo chamber, after an embarrassing failure like a data breach, you lose your job, right? Let’s look at Seahawks Coach Pete Carroll, who made what the home town paper called the “Worst Play Call (…)

Academic job opening at Cambridge

by adam on July 18, 2013

At Light Blue Touchpaper, Ross Anderson says “We have a vacancy for a postdoc to work on the psychology of cybercrime and deception for two years from October.” I think this role has all sorts of fascinating potential, and wanted (…)

Your career is over after a breach? Another Myth, Busted!

by adam on August 6, 2012

I’m a big fan of learning from our experiences around breaches. Claims like “your stock will fall”, or “your customers will flee” are shown to be false by statistical analysis, and I expect we’d see the same if we looked (…)

Top 5 Security Influencers of 2011

by adam on December 12, 2011

I really like Gunnar Peterson’s post on “Top 5 Security Influencers:” It’s December and so it’s the season for lists. Here is my list of Top 5 Security Influencers, this is the list with the people who have the biggest (…)

The Diginotar Tautology Club

by adam on September 23, 2011

I often say that breaches don’t drive companies out of business. Some people are asking me to eat crow because Vasco is closing its subsidiary Diginotar after the subsidiary was severely breached, failed to notify its reliant parties, misled people (…)

15 Years of Software Security: Looking Back and Looking Forward

by adam on August 18, 2011

Fifteen years ago, I posted a copy of “Source Code Review Guidelines” to the web. I’d created them for a large bank, because at the time, there was no single document on writing or reviewing for security that was broadly (…)

Communicating with Executives for more than Lulz

by adam on June 15, 2011

On Friday, I ranted a bit about “Are Lulz our best practice?” The biggest pushback I heard was that management doesn’t listen, or doesn’t make decisions in the best interests of the company. I think there’s a lot going on (…)

Would a CISO benefit from an MBA education?

by Russell on February 9, 2011

If a CISO is expected to be an executive officer (especially for a large, complex technology- or information-centered organization), then he/she will need MBA-level knowledge and skill. An MBA is one path to getting those skills, at least if you are thoughtful and selective about the school you choose. Other paths are available, so it’s not just about an MBA credential.

Otherwise, if a CISO is essentially the Most Senior Information Security Manager, then MBA education wouldn’t be of much value.

A Letter from Sid CRISC – ious

by alex on October 25, 2010

In the comments to “Why I Don’t Like CRISC” where I challenge ISACA to show us in valid scale and in publicly available models, the risk reduction of COBIT adoption, reader Sid starts to get it, but then kinda devolves (…)

Don’t fight the zeitgeist, CRISC Edition

by Chandler on September 14, 2010

Some guy recently posted a strangely self-defeating link/troll/flame in an attempt to (I think) argue with Alex and/or me regarding the relevance or lack thereof of ISACA’s CRISC certification. Now given that I think he might have been doing it (…)
