Ryan McGeehan in Starting Up Security
Follow-Up: SolarWinds Response to SEC Lawsuit
SolarWinds has responded on their blog regarding the SEC’s lawsuit against them following their breach. Here is some analysis:
Nov 9, 2023

Ryan McGeehan in Starting Up Security
Lessons from the SEC’s Lawsuit against SolarWinds and Tim Brown
A few days ago, the SEC filed a lawsuit against SolarWinds and their CISO that shares some similarities with the blameless post-mortem of…
Nov 6, 2023

Ryan McGeehan in Starting Up Security
Vulnerability Management: You should know about EPSS
The Exploit Prediction Scoring System (EPSS) is great. You might like it, too, if you deal with large amounts of vulnerabilities.
Oct 9, 2023

Ryan McGeehan
Beyond Controls: The Power of Risk Scenarios
Scenarios are an underappreciated way to model infosec risk. A scenario is simply a future, consequential event you write to express a risk…
Aug 24, 2023

Ryan McGeehan in Starting Up Security
Talking about risk with thresholds 🔥
Imagine you encounter a fire in the woods. You’d instinctively decide to do one of two things:
Mar 20, 2023

Ryan McGeehan in Starting Up Security
A blameless post-mortem of USA v. Joseph Sullivan
Our industry deserves a complete retrospective into the incidents behind the criminal case against Uber’s former Chief Security Officer.
Dec 8, 2022

Ryan McGeehan in Starting Up Security
Endpoint Security: Intuition around the Mudge Disclosures
The Mudge disclosures bring up specific pain points around how endpoint security is measured and communicated and what baselines are…
Aug 24, 2022

Ryan McGeehan
How to estimate legal costs from a data breach.
We need budget and headcount to mitigate risks. Larger risks should encourage more resources towards mitigation efforts.
Nov 15, 2021

Ryan McGeehan
Troubles with quantified risk
Risk quantification can be confusing and derailing to groups and decision makers.
May 31, 2021

Ryan McGeehan
A risk decomposition walkthrough
This is a method I’ve used to help frame and model cybersecurity risks over the past few years. It helps organize a lot of complexity when…
Nov 20, 2020