Prioritizing Detection Engineering (Published in Starting Up Security, Sep 10, 2024): Detection Engineering is a concept that has emerged in the detection space. It acknowledges the complexity of a detection stack and the…
Managing a quarterly security review (Published in Starting Up Security, Aug 14, 2024): I like an approach that combines my favorite quarterly review practices I’ve been exposed to. Here’s the general meeting structure:
Follow-Up: SolarWinds Response to SEC Lawsuit (Published in Starting Up Security, Nov 9, 2023): SolarWinds has responded on their blog regarding the SEC’s lawsuit against them following their breach. Here is some analysis:
Lessons from the SEC’s Lawsuit against SolarWinds and Tim Brown (Published in Starting Up Security, Nov 6, 2023): A few days ago, the SEC filed a lawsuit against SolarWinds and their CISO that shares some similarities with the blameless post-mortem of…
Vulnerability Management: You should know about EPSS (Published in Starting Up Security, Oct 9, 2023): The Exploit Prediction Scoring system (EPSS) is great. You might like it, too, if you deal with large amounts of vulnerabilities.
Beyond Controls: The Power of Risk Scenarios (Aug 24, 2023): Scenarios are an underappreciated way to model infosec risk. A scenario is simply a future, consequential event you write to express a risk…
Talking about risk with thresholds 🔥 (Published in Starting Up Security, Mar 20, 2023): Imagine you encounter a fire in the woods. You’d instinctively decide to do one of two things:
A blameless post-mortem of USA v. Joseph Sullivan (Published in Starting Up Security, Dec 8, 2022): Our industry deserves a complete retrospective into the incidents behind the criminal case against Uber’s former Chief Security Officer.
Endpoint Security: Intuition around the Mudge Disclosures (Published in Starting Up Security, Aug 24, 2022): The Mudge disclosures bring up specific pain points around how endpoint security is measured and communicated and what baselines are…
How to estimate legal costs from a data breach (Nov 15, 2021): We need budget and headcount to mitigate risks. Larger risks should encourage more resources towards mitigation efforts.
Troubles with quantified risk (May 31, 2021): Risk quantification can be confusing and derailing to groups and decision makers.
A risk decomposition walkthrough (Nov 20, 2020): This is a method I’ve used to help frame and model cybersecurity risks over the past few years. It helps organize a lot of complexity when…
Risk and Performance Management (May 5, 2020): Risk measurement quickly raises questions about management… but not about risk management. Rather, managing the performance of people who…
Hypothesis, Risk, and Science (Apr 6, 2020): My hope is that the cyber security community will develop as a risk science.
Subjectivity, Risk, and Science (Mar 18, 2020): A topic described as subjective is often considered non-scientific. Risk, being a subjective topic, must certainly be one that science has…
The value of risk organizations (Mar 16, 2020): How do we approximate the amount of resource we allocate for security? In this essay, we’ll cover some principles before the quant.
Malicious Insider Scenarios (Feb 26, 2020): Insider threats are often discussed as a broad category. This essay explores the malicious flavor of insider threat and ignores the “human…
Revisiting the Super Micro Story (Jan 2, 2020): Checking in on our forecasts from “The Big Hack”
Classifying types of “Security Work” (Published in Starting Up Security, Dec 9, 2019): Applying the types of work from The Phoenix Project to security
A risk based security project 📢 (Dec 2, 2019): Driving an awareness project with a risk measurement ethos.