Blog

My writing focuses on information security, with topics ranging from broad IT trends to detailed technical advice on malware. Scroll through the posts to see whether my interests overlap with yours. Follow this blog to keep up with my latest publications.

Withholding Single Sign-On from SaaS Customers is Bad for Business and Security

Despite years of public shaming by security professionals, some SaaS vendors only offer Single Sign-On (SSO) in high-end “enterprise” product tiers. By withholding this capability from smaller organizations, they put customers’ security at risk. Moreover, such vendors base a pricing strategy on a weak signal and miss an opportunity to lower their own security risk….

Read more

Three Ways CISOs Can Drive More Meaningful Collaboration

Today’s CISOs are more than technologists—we strive to make ourselves well-rounded business leaders. This involves aligning our efforts with business objectives and collaborating with colleagues who are not experts in IT or security. In fact, Gartner’s research found that top-performing CISOs regularly meet with three times as many non-IT stakeholders as they do with IT…

Read more

Let’s Address the Cybersecurity Careers Gap

Too many people are unsure how to enter or grow in the cybersecurity industry. It’s a relatively young field, and we haven’t done a good job of defining what it means to have a career in it. Hiring managers who are worried about finding candidates because of the much-discussed cybersecurity skills gap should consider the…

Read more

As a CISO, Are You a Builder, Fixer, or Scale Operator?

When contemplating the next step in your career as a cybersecurity leader, understand what you do best and what you enjoy doing. Figuring this out will help you identify organizations and projects that will benefit from your superpowers and accelerate your growth as a professional. As an added bonus, you’ll be more effective in communicating…

Read more

Untangling the Complexity of SaaS Ownership in the Enterprise

Before SaaS, employees had to rely on IT and other teams to procure software, which gave the organization a direct way of controlling such purchases and deployments. Now, employees can sign up for SaaS applications without involving anyone in the company. All it takes is a few clicks and (sometimes) a credit card for people to…

Read more

Shift Your Mindset from Conflict to Collaboration to Succeed in Security

In the two decades I’ve spent in cybersecurity, I’ve observed and experienced the fighting spirit of security professionals: When tasked with safeguarding information assets, we envision ourselves erecting defenses to keep threat actors at bay, or we emulate malicious actions to find flaws in the organization’s security measures before attackers exploit them. We fight. Let’s…

Read more

Cybersecurity: No Longer the “Department of No”

Cybersecurity leaders not only go against threat actors to defend the organization but also find themselves at odds with other business executives. How can we avoid fighting everyone? What does it take to ensure the security team doesn’t become the department of “no”? We’re often in the position of having to deny people’s requests. Our…

Read more

How to Ask Questions to Succeed with Security Projects

No matter the years of experience in cybersecurity, security professionals are often in situations where crucial details are missing. Yet, we often hesitate to ask questions because we don’t want to appear ignorant or don’t know what to ask. I captured my perspective on asking questions in a constructive way in a three-post series. Read…

Read more

How You Can Start Learning Malware Analysis

Malware analysis sits at the intersection of incident response, forensics, system and network administration, security monitoring, and software engineering. You can get into this field by building upon your existing skills in any of these disciplines. As someone who’s helped thousands of security professionals learn how to analyze malware at SANS Institute, I have a…

Read more

REMnux Tools List for Malware Analysis

REMnux® offers a curated collection of free tools for reverse-engineering or otherwise analyzing malicious software. How to find the right tool for the job, given how many useful utilities come as part of the distro? To guide you through the process of examining malware, REMnux documentation lists the installed tools by category. Each grouping, which…

Read more