“You’re always telling me what to do!” “You never tell me what to do!” “You’re too lazy to actually lead!” A subordinate in a stressful situation can make a lot of allegations, but the root of the problem may…
Category: Information Assurance and Security
Draft Rosetta Stone (Incident Response)

CISO metrics: Right sizing and right costing an information security program
In the continuing attempt to prove to the wider world that I’m a desirable hire as a CISO for a Fortune 100 company, I offer the following and hope that even if you don’t hire me you get something of use…
CISO Hunting Tags: What threat hunting should mean to you
If you don’t have a successful information security program, don’t waste your dollars or time on threat hunting until you can secure what you own first. There has been much ink spilled on threat hunting in the network. Even the…
New CISO? Get your first 90 days action items here
So you’re a new CISO and you just arrived at the organization. What should your personal interaction project plan look like? I tell CISOs that they should plan on a few days to simply spin up their technology, get their…
You’re not in our industry WTF do you know about infosec?
This is more from my noisy search for my next windmill to tilt at in what will be the great success of helping an organization become more resilient, capable, and respected for the information security posture they exhibit. I like…
Hiring military leaders off the street
Lots of snark talk from the military types out there. I understand it, but don’t have to agree with it. Over the weekend Military Times put out an article that above the fold states: Defense Secretary Ash Carter wants to…
Am I looking for a job?
I’m a senior executive, a subject matter expert, and an influential strategic leader in cyber security. Why would I always be looking for a job, why would I always be keeping my ear to the ground, and why would I…
NDU Presentation to the faculty
I’ve been asked to talk about a variety of topics. This particular topic was a strategic look at three policy changes that might degrade, deter, or disrupt adversary capability in cyberspace. NDU IRMC 2016 Presentation (PPT)
Some ICS Reading Resources
Quick hit on some things for reading up on control system security. One of my favorites is Krutz, R. (2006), “Securing SCADA Systems.” This particular book is older, but it has a great section on comparing ICS security protocols. Meant…
Metrics of Precision for Leaders of Security Programs
Slides for my talk at National Defense University Information Resources Management College (IRMC) Metrics_of_Precision_For_Leaders_Of_Security_Programs
Don’t be that guy: Try promoting professionalism and empathy
I’ve hired a lot of people. Between academia, government, and industry I’ve been on hundreds of hiring boards. I’ve been junior enough to be a primary assessor and senior enough to rate other people’s skill at hiring. I like building…
Curmudgeon Information Security Officer
After reading the first third of “Disrupted: My Misadventure in the Startup Bubble” by Dan Lyons, I realized that I had been marketing myself all wrong. Hiring managers, like the little emperors of China, want happy, go-lucky, youthful, soft individuals to…
Humans, networks, and visualizing risk to the network
Risk is made of disparate components that technologists inherently understand. Decision makers and corporate staff who are not necessarily savvy in technology are often left flummoxed by the technobabble. As technologists and information security practitioners, it is important to think…
Infosec reality: When you don’t have the goose that laid the golden egg
You are a CIO or CISO looking at your next budget cycle. You know that there are way more threats operating on innumerable vulnerabilities than you can afford to mitigate. How best to spend the often shrinking budget you have…