These are ideas I’d like to write about (sometimes the idea morphs but it starts here):

  1. Twitter breach and internal support tools Part 1 and Part 2
  2. externalities in risk models link
  3. A Canadian perspective on breach class action lawsuits
  4. Boards vs management - responsibilities for information security risk management
  5. Acceptable risk link
  6. Third party risk management
  7. The one risk to bind them all link
  8. Doing a SOC2 wrong
  9. Drieu vs Zoom
  10. The evolving threat landscape
  11. Target state and BHAGs
  12. Three Lines of Defense and management accountability
  13. Don’t take your vulnerability report to the Board
  14. Operational Risk isn’t solved; so cyber risk isn’t either
  15. Privacy vs Security - why privacy is easier
  16. Privacy: an engineering perspective
  17. Small Business security
  18. Strategy and roadmaps
  19. Outsourcing - what can you outsource?
  20. Risk decisioning - who is senior enough?
  21. externalities in threat models link
  22. Who owns security?
  23. Security awareness is the least you can do
  24. Breaches will happen, what can a consumer do?
  25. Innovation at the Edge vs the Enterprise Vendor Assessment
  26. Closed Source / Proprietary security governance
  27. Why GRC sucks and lessons learned from SAP
  28. Disclosures
  29. Five year old lessons from a CVSSv2 10.0 vulnerability link
  30. Governance structure OR why I’m okay with committees
  31. FAIR… lessons learned
  32. Privileged Account Management is really about culture change
  33. The CXO that didn’t patch
  34. A story about not lying to customers
  35. Ethics and risk
  36. Designing risk appetites [DRAFT]
  37. Kill the endpoint [DRAFT]
  38. Do the right thing even if it will hurt
  39. Most fun app pen test
  40. Crypto keys and how to mishandle them
  41. Did the red team tell you anything you didn’t know? AKA who is the audience of a red team report?
  42. Continuous verification
  43. The impact of getting security wrong
  44. Breaches and CISO longevity
  45. AI goal alignment
  46. AI in security - surprise, it’s not AI and it’s not observable
  47. How well do we understand risk?
  48. Policy exceptions and other things hackers don’t care about
  49. The role that analysts play in our decisions
  50. Falling to the level of training
  51. Compensation
  52. The need for policy writers with technical experience
  53. Federated business models and risk aggregation
  54. The ethics of bad code and platforms
  55. It’s easy to be kind
  56. Proprietary methods, for pay standards and unavailable research
  57. Security poverty line vs benchmarking vs acceptable risk (or why comparing yourself to others is dangerous)
  58. Your business doesn’t care about maturity scales AKA talk actual risk
  59. Band-aiding legacy technologies and behaviours AKA making it security’s problem
  60. Trust doesn’t scale link
  61. Wristwatches and Time servers - a story about manual processes you wouldn’t think exist link
  62. The non-impossibility of getting someone to do something they shouldn’t
    • why “user action” is a false comfort in scoring
    • consider Windows DNS vuln, social engineering
    • The internet is a big place… the chance that any one person does something is slim, but it’s almost a certainty that someone will do that thing
  63. Big orgs, slow change
  64. Leadership isn’t about you
  65. The likelihood of a breach
  66. Policy management is change management
  67. Vendor assessments are an unreliable governance tool
  68. Survivor bias and the possibility of non-visible hackers (reflection on Project Freta)
  69. On NYSFed vs First Title Insurance
  70. Risk Budgets