- Leadership: Return on Investment (ROI) - A Touchy Security Topic
ROI in finance means income-generating return, but security prevents loss rather than creating wealth. Vendors misuse "ROI" to justify expenses as "investments." ROSI calculations rely on annualized...
- Leadership: 5 Bad Habits of Cybersecurity Professionals
Activity doesn't guarantee progress. Security teams keep falling into five habits that look productive, but leave our programs no stronger than before.
- Leadership: Breaking Down the Walls Between Application and Infrastructure Security
When separate teams run application security and infrastructure security, attackers exploit the gap between them and you spend on the wrong risks. The technology has already merged the two domains,...
- Leadership: The Worrisome State of the Cybersecurity Industry
What's most telling about the security community's long list of complaints is how little it has changed over the years. Tools that don't fit our needs, vendors that overpromise, spending divorced...
- Risk Management: Non-Financial "Currency" for Framing Security Discussions
Frame security discussions using internal "currency" beyond dollars—reputation, service availability, trade secrets. Also consider individual concerns: looking bad in front of managers, being fired...
- Risk Management: Which Information Security Controls Are Most Important?
Comparing Securosis, PwC, and SANS 20 Critical Controls projects, system hardening appears across all three lists. Other consistently important controls include centralized security event monitoring,...