Archive for the “Doing it Differently” category

Science of Security, Science for Security

by adam on April 9, 2019

There’s an interesting article in Bentham’s Gaze, “Science ‘of’ or ‘for’ security?” It usefully teases apart some concepts, and, yes, it probably is consistent with the New School.

‘No need’ to tell the public(?!?)

by nsadmin on April 8, 2019

When Andrew and I wrote The New School, and talked about the need to learn from other professions, we didn’t mean for doctors to learn from ‘cybersecurity thought leaders’ about hiding their problems: …Only one organism grew back. C. auris. (…)

Unifying sites

by adam on April 17, 2017

When I started blogging a dozen years ago, the world was different. Over time, I ended up with at least two main blogs (Emergent Chaos and New School), and guest posting at Dark Reading, IANS, various Microsoft blogs, and other (…)

Introducing Cyber Portfolio Management

by adam on February 21, 2017

At RSA’17, I spoke on “Security Leadership Lessons from the Dark Side.” Leading a security program is hard. Fortunately, we can learn a great deal from Sith lords, including Darth Vader and how he managed security strategy for the Empire. (…)

2017 and Tidal Forces

by adam on January 13, 2017

There are two great blog posts at Securosis to kick off the new year: Tidal Forces: The Trends Tearing Apart Security As We Know It (Rich Mogull), and Network Security in the Cloud Age: Everything Changes (Mike Rothman). Both are deep (…)

Yahoo! Yippee? What to Do?

by adam on December 15, 2016

[Dec 20 update: The first draft of this post ended up with both consumer and enterprise advice, which made it complex. The enterprise half is now on the IANS blog: Never Waste a Good Crisis: Yahoo Edition.] Yesterday, Yahoo disclosed (…)

Learning from Our Experience, Part Z

by adam on November 7, 2016

One of the themes of The New School of Information Security is how other fields learn from their experiences, and how information security’s culture of hiding our incidents prevents us from learning. Today I found yet another field where they (…)

The Breach Response Market Is Broken (and what could be done)

by adam on October 12, 2016

Much of what Andrew and I wrote about in the New School has come to pass. Disclosing breaches is no longer as scary, nor as shocking, as it was. But one thing we expected to happen was the emergence of (…)

Why Don’t We Have an Incident Repository?

by adam on September 14, 2016

Steve Bellovin and I provided some “Input to the Commission on Enhancing National Cybersecurity.” It opens: We are writing after 25 years of calls for a “NTSB for Security” have failed to result in action. As early as 1991, a (…)

What Boards Want in Security Reporting

by adam on August 22, 2016

Recently, some of my friends were talking about a report by Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports.” In that report, we see things like: More than three in five board members say they are (…)