Andrew Jaquith Follow

I’m Andrew Jaquith, a Managing Director in financial services. I have worked for JP Morgan Chase and Goldman Sachs. Previously, I was CTO SilverSky, and former analyst with Forrester and Yankee Group. My interests include security and risk, anything data-related, app development, visualization, good writing and spirited discussion.

Andrew Jaquith

Posts by Andrew Jaquith

Why CISOs should Care About Cloud “Drift”

Why CISOs should Care About Cloud “Drift”

In security, DevOps, applications, metrics, Sep 25, 2019

SRE Metrics and Security Measurement

Why can’t IT and security get along better? Disciplined technology teams use data and metrics strategically. But security and risk teams think about metrics differently than the rest ...

In metrics, Jun 05, 2019

Five Things the Last Decade Taught Me About Security Metrics

This is the nominal text of my opening remarks for Metricon X, delivered on March 21, 2019. It has been lightly edited for clarity and a few identities have been slightly disguised. T...

In metricon, Mar 21, 2019

The Twenty-Year War on Cybercrime

This is the text of a speech I delivered at the Gartner Group Security and Risk Management Summit in June 2015. I originally wrote the speech for Sir Roger Carr, the Chairman of BAE S...

In security, risk, big data, Jun 06, 2015

The DevOps Security Handbook: Building Security In With Chef, Part III

IntroductionThis is the third in a series of occasional posts about security and DevOps. The ultimate goal of this series is to show how to build a reasonably secure Apache web server...

In security, DevOps, Oct 06, 2013

The DevOps Security Handbook: Building Security In With Chef, Part II

IntroductionThis is the second in a series of occasional posts about security and DevOps. The ultimate goal of this series is to show how to build a reasonably secure Apache web serve...

In security, DevOps, Oct 03, 2013

The DevOps Security Handbook: Building Security In With Chef, Part I

IntroductionThis is the first in a series of posts about Chef, an infrastructure automation platform. The goal of this series is to describe how to build a reasonably secure Apache we...

In security, DevOps, Oct 01, 2013

Building Security In Using Chef

Lately I have been spending a lot of time with a new best friend. This new friend is reliable; he does everything according to plan and always exactly the same way. The results are ex...

In security, DevOps, Sep 23, 2013

New Web Adventures with Heroku

Many ardent followers of this blog know that among other things, one of my professional hobbies is application development. I am a “weekend programmer.” I always have a side project o...

In applications, dev ops, Aug 26, 2013

Review of Stephen Few’s “Information Dashboard Design, Second Edition”

Twenty years ago, a polymath prophet named Edward Tufte self-published an incendiary book, The Visual Display of Quantitative Information. It forever changed how a certain species of ...

In visualization, Aug 13, 2013

Cybersecurity for Machine-to-Machine (M2M) Networks

This is the nominal text of panel remarks I delivered at the Telecommunications Industry Association’s M2M & Cybersecurity Workshop on June 4th, 2013. The objective of the panel w...

In security, Jun 04, 2013

“Everything was green. Mulally thought that was odd for a company losing billions.”

I have been a fan of the Ford Motor Company ever since I was a boy. There’s no rational reason for it, but then again, experts tell us that brand preferences are formed at very early ...

In strategy, leadership, Feb 21, 2013

Bully for BlackBerry. But Is It Too Late?

Last week Research In Motion announced three things:

In mobile, Feb 15, 2013

Four Things To Like About Obama’s Executive Order on Cyber-Security... and Four to Dislike

During his State of the Union Address on Tuesday night, President Obama announced an Executive Order on Cyber-Security. The full text is available in many places, including Wired. I’d...

In security, Feb 14, 2013

Moving to Octopress

Soon, I will be moving the website to a simpler, secure and more usable system – the same platform that powers Markerbench. It should be done in time for Mini-Metr...

In security, web websites, applications, Feb 04, 2013

All Andy’s Posts Now on Markerbench

As part of a continuing experiment with static blogging, I have moved all of my historical blog posts from to Everything is now here, including th...

In blog, applications, Jan 29, 2013

Paving Over the Proprietary Web: The Java Security Bigger Picture

Perhaps you’ve heard about the recently disclosed Java 7 zero-day exploit. The flaw allows a remote attacker to take complete control of a computer. It has been incorporated into many...

In Java, Flash, ActiveX, Oracle, web security, Jan 21, 2013

Review of Gene Kim’s novel, “The Phoenix Project”

Over the Christmas holidays, I read an advance copy of Gene Kim’s first novel, “The Phoenix Project.” Gene’s co-authors were Kevin Behr and George Spafford. It was a better read than ...

In books, DevOps, Jan 17, 2013

Outsource your web risks with a static website

A few weeks ago I put together my annual Predictions blog post for the coming year. In that post and accompanying webinar, I suggested five emerging risk areas that CISOs need to pay ...

In security, web websites, applications, Jan 08, 2013

“Every time you perform arithmetic operations on ordinal numbers, God kills a kitten”

I was reading Rich Beijtlich’s blog today, and came across that quote from a commenter known only as JimmyTheGeek. Wonderfully funny, and spot on.

In humor, metrics, security, Feb 19, 2008


Before the holidays I ran a quick, three-question, survey of the mailing list membership about the number of passwords people use. Here are the results, drawn from...

In security, metrics, passwords, Feb 05, 2008

Retired Comedians and Missed Opportunities

There’s this old joke about a comedians’ retirement home that goes something like this:

In security, Windows, humor, vendor-bashing, Jan 31, 2008

One Prediction for 2008: Site-Specific Browsers

I’ve noticed that sometimes it takes two or three “pings” for an idea to seep into my consciousness. I just got my second “ping” on a potentially Big Idea: site-specific browsers (SS...

In security, research, web security, Dec 31, 2007

Meta-Conclusions from the Chinese Honeynet Project

If you are involved in your firm’s desktop security strategies (Windows in particular), you should read this:

In security, bots, Dec 04, 2007

Run, Do Not Walk, To Your Browser and Read Dan Geer’s Analysis

Dan’s a friend of mine, and we are both data junkies. Right about the same time I put the capper on a research report on malware trends (coming soon to Yankee Group subscribers), Dan ...

In metrics, security, Nov 13, 2007

Web 2.0 Means “Security the Max Power Way”

Last week my Yankee Group research report “The Web 2.0 Security Train Wreck” went live on the Yankee website, and is available to our customers. Douglas Crockford, a very smart and in...

In research, security, humor, web security, Oct 17, 2007

Excuses Not To Use CVSS

I have always been a fan of the good work done by the CVSS folks. I have an obvious reason to like CVSS, of course: namely, to cheer on a former co-worker, Mike “Shifty” Schiffman, wh...

In security, metrics, Jul 25, 2007

The Futility of Geographic Security Metrics

While I would not call this a trend, I have noticed that lots of security companies like to put together impressive-looking charts, graphs and reports that purport to compare various ...

In security, metrics, vendor-bashing, Jul 19, 2007

What do Security-Conscious People Choose?

At security conferences and events, I have noticed that the distribution of operating systems seems to differ somewhat from what I read in the papers. As my last post showed, the Inte...

In security, Windows, Mac, metrics, May 22, 2007

Metrics from Internet Identity Workshop

This week, I am attending two security shows: the Internet Identity Workshop (IIW) in Mountain View, and the CardTech show in San Francisco. Both of these venues offer contrasting vie...

In security, metrics, May 15, 2007

Microsoft Security Intelligence Report 2H06

This is essentially a forward reference to a comment I made to another blog, but as it is related to the nature of reporting for vulnerabilities and quantitative progress against them...

In security, metrics, Windows, May 02, 2007

More Praise for “Security Metrics”

The bloggiste at Layer 8 just declared Security Metrics to be “That Good”. I have no idea who shrdlu actually is. But whomever she is, she deserves a hearty thank-you and an offer of ...

In security, metrics, books, Apr 15, 2007

Alex Hutton Likes “Security Metrics”

Alex Hutton was one of the editorial reviewers for several chapters of Security Metrics, and offered some excellent feedback during the writing stages. Now that the book has shipped, ...

In security, metrics, books, Apr 03, 2007

Introducing Security Metrics, the Cartoon

Mark Curphey’s cynical vehicle for ripping the security industry gains another blunt instrument: the Hamster Wheel of Pain, featured in Chapter One in Security Metrics: Replacing Fear...

In security, metrics, humor, Apr 01, 2007

Security Metrics Has Shipped

Greetings everybody! I am pleased to announce that my book, Security Metrics: Replacing Fear, Uncertainty and Doubt has shipped from the printers and is on its way to better bookstore...

In security, metrics, books, Mar 30, 2007

Ryan, Joe, Joanna, and the “Serious Hole” in Vista’s UAC

ZDNet’s Ryan Naraine blogs about Joanna Rutkowska’s blog post on Vista security. Joanna pointed out that Vista’s Mandatory Integrity Control feature has a few implementation flaws and...

In security, Windows, Mac, Feb 14, 2007

And So It Begins, With Small Saturated Spots

My publisher, Addison-Wesley, has recently updated the information on my book, Security Metrics: Replacing Fear, Uncertainty and Doubt on Amazon. Although I am particularly fond of th...

In security, metrics, books, visualization, Jan 10, 2007

SSL is a Concrete Sewer Pipe

My buddy Gunnar Peterson has recently been raging about the inadequacies of REST security, pointing out that RESTful folks who equate transport-level confidentiality (such as SSL prov...

In security, Jan 03, 2007

Coding in Anger

Last week’s shutoff of this website’s self-registration system was something I did with deep misgivings. I’ve always been a fan of keeping the Web as open as possible. I cannot stand ...

In security, web security, identity, Jan 01, 2007

Fortify’s Java Open Review Project: a Nascent Security Benchmarking Effort?

Today I stumbled upon Fortify’s Java Open Review Project, whose goal is to count security defects in popular Java projects.I’d like to tip my cap to Brian Chess and the folks at Forti...

In security, metrics, Dec 14, 2006

Metrics, Rothman and Gaming the System

As usual, the purposefully provocative, belligerently blogging Mike Rothman has gone and done it again — aimed his treacly firehose at security metrics, Most recently, he’s waded into...

In security, metrics, Nov 18, 2006

Good Metrics

Note from Andrew Jaquith: this essay is adapted from Chapter 2: Defining Security Metrics of my forthcoming book, Security Metrics: Replacing Fear, Uncertainty and Doubt from Addison-...

In security, metrics, books, Oct 15, 2006

SANS, Schadenfreude and the Mac

I’ve got to wonder about the what planet the SANS people live on these days. Apparently, in an effort to make their semi-annual Top 10 list of vulnerabilities appear “fair and balance...

In security, Windows, Mac, vendor-bashing, May 02, 2006

Open Letter to SC Magazine

Sent from my YG account 25 April 2006:

In security, Windows, Mac, Apr 24, 2006

Good Patch Management Metrics

Earlier today I stumbled across the NIST patch management pub; it was released in November 2005.

In security, metrics, Mar 03, 2006

Charging for Guaranteed Spam: Better Than It Sounds?

Much ink has been spilled over the recent AOL and Yahoo announcements that they will charge marketers five cents per e-mail to guarantee delivery of their mail, thus bypassing their s...

In security, spam, Feb 12, 2006

Blended Threats == Hemlock Smoothies

An open letter to all anti-virus software makers: February 2, 2006 Dear Antivirus Industry, Why are you so addicted to the term “blended threat”? It seems to mean something specia...

In security, humor, vendor-bashing, Feb 11, 2006

The Vulnerability Supply Chain

Yankee Group research may not be as well-subscribed as say, Gartner’s, but I like to think that it compares favorably with it. Earlier this year I wrote a research note titled Fear an...

In security, metrics, Dec 07, 2005

The Natives are Restless

Many readers know that my day job is as a security technology analyst for Yankee Group. Well, it’s about that time of year where we start to wind down our research calendar. One of th...

In security, Windows, research, Nov 29, 2005

The Devil’s Information Security Dictionary

Just saw the very funny Devil’s InfoSec Dictionary on the CSO site. Of course, I had to add a few definitions of my own: Blended threat: a hemlock smoothie Process, Security Is A: a...

In security, humor, Nov 14, 2005

Making the wrong development choices

I hate to be a curmudgeon about this, but this fellow needs a beat-down:Fixing AJAX: XmlHttpRequest Considered HarmfulI offer this as exhibit A (as in AJAX) about why application secu...

In applications, security, web security, Nov 09, 2005

Graphical Integrity, Part I

The folks at the NY Times have put together a nifty interactive graphic that diagrams the various data breach cases that have been disclosed since January. It breaks down when each in...

In security, visualization, Nov 07, 2005

The Cybertrust Zotob Study: Read Between the Lines

Rudolph Araujo, a contributor to the mailing list, forwarded on a link to a Red Herring article about a new Cybertrust study on the impact of the Zotob worm by Russ...

In security, Windows, research, Nov 01, 2005

Fun with Spam

Collecting Hamster Wheels of Pain is certainly a fun hobby. So is collecting the rather amusing e-mail addresses chosen by spammers to evade e-mail filters. Here are some good’uns fro...

In security, spam, metrics, Nov 01, 2005

Security Metrics: Scorecard Design

Author’s note: the chapter is not finished. It has some organizational and structural flaws that won’t be ironed out until later in the editing process. There are also some parts that...

In book, Oct 19, 2005


I’m not a violent man. But I want the person who invented this spam subject line to be killed. Preferably by some method that is at once gruesome and medieval. Drawing in quarters wou...

In security, spam, Oct 13, 2005

Hamster Wheels of Pain

A while ago I wrote a blog post called Escaping the Hamster Wheel of Pain decrying the lather-rinse-repeat cycle that the security industry seems to be fixated on. Here are some hamst...

In security, humor, hamsters, Oct 13, 2005

A Picture is Worth 1,000 Words

We’ve had some interesting chatter on the securitymetrics mailing list today about sparklines: tiny, intense, word-size graphics. This is one of Edward Tufte’s latest confections. His...

In security, metrics, books, visualization, Sep 30, 2005

Information Security OCD

Just saw the Scorsese/DiCaprio film The Aviator for the first time. The film is remarkable not just for its lush cinematography, crisp writing and convincing special effects, but also...

In security, humor, Sep 25, 2005

The Symantec Threat Report: Read Between the Lines

Like many other people, I’ve downloaded and read the semi-annual Symantec Threat Report. I’ve always been a fan of this publication, which provides a level of texture, richness and de...

In security, vendor-bashing, Sep 22, 2005

Odds and Ends

At the risk of turning this into a link blog, here are two nifty articles that drifted across my field of view today: Google: Putting Crowd Wisdom to Work. Interesting article about ...

In security, big data, Sep 22, 2005

IE7 Anti-Phishing is Land-Grab in Disguise?

Have you been following Microsoft’s plans for IE7? I have, and a blog post I read about their anti-phishing plans just about made me spit out my coffee. I’m going to do a research not...

In security, Windows, Sep 02, 2005

The 0wnership Society

Webroot has lately been producing a series of quarterly statistics on infection rates for four types of badness: Adware Trojan horses – botnet software falls into this category Sys...

In security, Windows, malware, Sep 01, 2005

Escaping the Hamster Wheel of Pain

Risk Management is Where the Confusion IsLately I’ve been accumulating a lot of slideware from security companies advertising their wares. In just about every deck the purveyor bandie...

In security, hamsters, books, May 04, 2005

Web Services Confusion

Scobleizer points out that the WS ReliableMessaging specification has been submitted to OASIS.With all due respect to the incredibly bright folks at the WS-I, I find the world of web ...

In security, humor, applications, Apr 21, 2005

Voting With Your Feet

Most people know that the dominant computing platform has a little problem with security. It’s a little problem with big consequences. Recently, research firm IDC released a report in...

In security, Windows, Mac, Dec 02, 2004