Andrew Jaquith
I’m Andrew Jaquith, a Managing Director in financial services. I have worked for JP Morgan Chase and Goldman Sachs. Previously, I was CTO of SilverSky, and a former analyst with Forrester and Yankee Group. My interests include security and risk, anything data-related, app development, visualization, good writing and spirited discussion.

Posts by Andrew Jaquith
Why CISOs should Care About Cloud “Drift”
In security, DevOps, applications, metrics, Sep 25, 2019

SRE Metrics and Security Measurement
Why can’t IT and security get along better? Disciplined technology teams use data and metrics strategically. But security and risk teams think about metrics differently than the rest ...
In metrics, Jun 05, 2019

Five Things the Last Decade Taught Me About Security Metrics
This is the nominal text of my opening remarks for Metricon X, delivered on March 21, 2019. It has been lightly edited for clarity and a few identities have been slightly disguised. T...
In metricon, Mar 21, 2019

The Twenty-Year War on Cybercrime
This is the text of a speech I delivered at the Gartner Group Security and Risk Management Summit in June 2015. I originally wrote the speech for Sir Roger Carr, the Chairman of BAE S...
In security, risk, big data, Jun 06, 2015

The DevOps Security Handbook: Building Security In With Chef, Part III
Introduction: This is the third in a series of occasional posts about security and DevOps. The ultimate goal of this series is to show how to build a reasonably secure Apache web server...
In security, DevOps, Oct 06, 2013

The DevOps Security Handbook: Building Security In With Chef, Part II
Introduction: This is the second in a series of occasional posts about security and DevOps. The ultimate goal of this series is to show how to build a reasonably secure Apache web serve...
In security, DevOps, Oct 03, 2013

The DevOps Security Handbook: Building Security In With Chef, Part I
Introduction: This is the first in a series of posts about Chef, an infrastructure automation platform. The goal of this series is to describe how to build a reasonably secure Apache we...
In security, DevOps, Oct 01, 2013

Building Security In Using Chef
Lately I have been spending a lot of time with a new best friend. This new friend is reliable; he does everything according to plan and always exactly the same way. The results are ex...
In security, DevOps, Sep 23, 2013

New Web Adventures with Heroku
Many ardent followers of this blog know that among other things, one of my professional hobbies is application development. I am a “weekend programmer.” I always have a side project o...
In applications, dev ops, Aug 26, 2013

Review of Stephen Few’s “Information Dashboard Design, Second Edition”
Twenty years ago, a polymath prophet named Edward Tufte self-published an incendiary book, The Visual Display of Quantitative Information. It forever changed how a certain species of ...
In visualization, Aug 13, 2013

Cybersecurity for Machine-to-Machine (M2M) Networks
This is the nominal text of panel remarks I delivered at the Telecommunications Industry Association’s M2M & Cybersecurity Workshop on June 4th, 2013. The objective of the panel w...
In security, Jun 04, 2013

“Everything was green. Mulally thought that was odd for a company losing billions.”
I have been a fan of the Ford Motor Company ever since I was a boy. There’s no rational reason for it, but then again, experts tell us that brand preferences are formed at very early ...
In strategy, leadership, Feb 21, 2013

Bully for BlackBerry. But Is It Too Late?
Last week Research In Motion announced three things:
In mobile, Feb 15, 2013

Four Things To Like About Obama’s Executive Order on Cyber-Security... and Four to Dislike
During his State of the Union Address on Tuesday night, President Obama announced an Executive Order on Cyber-Security. The full text is available in many places, including Wired. I’d...
In security, Feb 14, 2013

Moving securitymetrics.org to Octopress
Soon, I will be moving the securitymetrics.org website to a simpler, secure and more usable system – the same platform that powers Markerbench. It should be done in time for Mini-Metr...
In security, web websites, applications, Feb 04, 2013

All Andy’s Posts Now on Markerbench
As part of a continuing experiment with static blogging, I have moved all of my historical blog posts from securitymetrics.org to Markerbench.com. Everything is now here, including th...
In blog, applications, Jan 29, 2013

Paving Over the Proprietary Web: The Java Security Bigger Picture
Perhaps you’ve heard about the recently disclosed Java 7 zero-day exploit. The flaw allows a remote attacker to take complete control of a computer. It has been incorporated into many...
In Java, Flash, ActiveX, Oracle, web security, Jan 21, 2013

Review of Gene Kim’s novel, “The Phoenix Project”
Over the Christmas holidays, I read an advance copy of Gene Kim’s first novel, “The Phoenix Project.” Gene’s co-authors were Kevin Behr and George Spafford. It was a better read than ...
In books, DevOps, Jan 17, 2013

Outsource your web risks with a static website
A few weeks ago I put together my annual Predictions blog post for the coming year. In that post and accompanying webinar, I suggested five emerging risk areas that CISOs need to pay ...
In security, web websites, applications, Jan 08, 2013

“Every time you perform arithmetic operations on ordinal numbers, God kills a kitten”
I was reading Rich Beijtlich’s blog today, and came across that quote from a commenter known only as JimmyTheGeek. Wonderfully funny, and spot on.
In humor, metrics, security, Feb 19, 2008

Passwords-O-Plenty
Before the holidays I ran a quick, three-question survey of the securitymetrics.org mailing list membership about the number of passwords people use. Here are the results, drawn from...
In security, metrics, passwords, Feb 05, 2008

Retired Comedians and Missed Opportunities
There’s this old joke about a comedians’ retirement home that goes something like this:
In security, Windows, humor, vendor-bashing, Jan 31, 2008

One Prediction for 2008: Site-Specific Browsers
I’ve noticed that sometimes it takes two or three “pings” for an idea to seep into my consciousness. I just got my second “ping” on a potentially Big Idea: site-specific browsers (SS...
In security, research, web security, Dec 31, 2007

Meta-Conclusions from the Chinese Honeynet Project
If you are involved in your firm’s desktop security strategies (Windows in particular), you should read this:
In security, bots, Dec 04, 2007

Run, Do Not Walk, To Your Browser and Read Dan Geer’s Analysis
Dan’s a friend of mine, and we are both data junkies. Right about the same time I put the capper on a research report on malware trends (coming soon to Yankee Group subscribers), Dan ...
In metrics, security, Nov 13, 2007

Web 2.0 Means “Security the Max Power Way”
Last week my Yankee Group research report “The Web 2.0 Security Train Wreck” went live on the Yankee website, and is available to our customers. Douglas Crockford, a very smart and in...
In research, security, humor, web security, Oct 17, 2007

Excuses Not To Use CVSS
I have always been a fan of the good work done by the CVSS folks. I have an obvious reason to like CVSS, of course: namely, to cheer on a former co-worker, Mike “Shifty” Schiffman, wh...
In security, metrics, Jul 25, 2007

The Futility of Geographic Security Metrics
While I would not call this a trend, I have noticed that lots of security companies like to put together impressive-looking charts, graphs and reports that purport to compare various ...
In security, metrics, vendor-bashing, Jul 19, 2007

What do Security-Conscious People Choose?
At security conferences and events, I have noticed that the distribution of operating systems seems to differ somewhat from what I read in the papers. As my last post showed, the Inte...
In security, Windows, Mac, metrics, May 22, 2007

Metrics from Internet Identity Workshop
This week, I am attending two security shows: the Internet Identity Workshop (IIW) in Mountain View, and the CardTech show in San Francisco. Both of these venues offer contrasting vie...
In security, metrics, May 15, 2007

Microsoft Security Intelligence Report 2H06
This is essentially a forward reference to a comment I made to another blog, but as it is related to the nature of reporting for vulnerabilities and quantitative progress against them...
In security, metrics, Windows, May 02, 2007

More Praise for “Security Metrics”
The bloggiste at Layer 8 just declared Security Metrics to be “That Good”. I have no idea who shrdlu actually is. But whoever she is, she deserves a hearty thank-you and an offer of ...
In security, metrics, books, Apr 15, 2007

Alex Hutton Likes “Security Metrics”
Alex Hutton was one of the editorial reviewers for several chapters of Security Metrics, and offered some excellent feedback during the writing stages. Now that the book has shipped, ...
In security, metrics, books, Apr 03, 2007

Introducing Security Metrics, the Cartoon
Mark Curphey’s cynical vehicle for ripping the security industry gains another blunt instrument: the Hamster Wheel of Pain, featured in Chapter One in Security Metrics: Replacing Fear...
In security, metrics, humor, Apr 01, 2007

Security Metrics Has Shipped
Greetings everybody! I am pleased to announce that my book, Security Metrics: Replacing Fear, Uncertainty and Doubt has shipped from the printers and is on its way to better bookstore...
In security, metrics, books, Mar 30, 2007

Ryan, Joe, Joanna, and the “Serious Hole” in Vista’s UAC
ZDNet’s Ryan Naraine blogs about Joanna Rutkowska’s blog post on Vista security. Joanna pointed out that Vista’s Mandatory Integrity Control feature has a few implementation flaws and...
In security, Windows, Mac, Feb 14, 2007

And So It Begins, With Small Saturated Spots
My publisher, Addison-Wesley, has recently updated the information on my book, Security Metrics: Replacing Fear, Uncertainty and Doubt on Amazon. Although I am particularly fond of th...
In security, metrics, books, visualization, Jan 10, 2007

SSL is a Concrete Sewer Pipe
My buddy Gunnar Peterson has recently been raging about the inadequacies of REST security, pointing out that RESTful folks who equate transport-level confidentiality (such as SSL prov...
In security, Jan 03, 2007

Coding in Anger
Last week’s shutoff of this website’s self-registration system was something I did with deep misgivings. I’ve always been a fan of keeping the Web as open as possible. I cannot stand ...
In security, web security, identity, Jan 01, 2007

Fortify’s Java Open Review Project: a Nascent Security Benchmarking Effort?
Today I stumbled upon Fortify’s Java Open Review Project, whose goal is to count security defects in popular Java projects. I’d like to tip my cap to Brian Chess and the folks at Forti...
In security, metrics, Dec 14, 2006

Metrics, Rothman and Gaming the System
As usual, the purposefully provocative, belligerently blogging Mike Rothman has gone and done it again — aimed his treacly firehose at security metrics. Most recently, he’s waded into...
In security, metrics, Nov 18, 2006

Good Metrics
Note from Andrew Jaquith: this essay is adapted from Chapter 2: Defining Security Metrics of my forthcoming book, Security Metrics: Replacing Fear, Uncertainty and Doubt from Addison-...
In security, metrics, books, Oct 15, 2006

SANS, Schadenfreude and the Mac
I’ve got to wonder about what planet the SANS people live on these days. Apparently, in an effort to make their semi-annual Top 10 list of vulnerabilities appear “fair and balance...
In security, Windows, Mac, vendor-bashing, May 02, 2006

Open Letter to SC Magazine
Sent from my YG account 25 April 2006:
In security, Windows, Mac, Apr 24, 2006

Good Patch Management Metrics
Earlier today I stumbled across the NIST patch management pub; it was released in November 2005.
In security, metrics, Mar 03, 2006

Charging for Guaranteed Spam: Better Than It Sounds?
Much ink has been spilled over the recent AOL and Yahoo announcements that they will charge marketers five cents per e-mail to guarantee delivery of their mail, thus bypassing their s...
In security, spam, Feb 12, 2006

Blended Threats == Hemlock Smoothies
An open letter to all anti-virus software makers: February 2, 2006 Dear Antivirus Industry, Why are you so addicted to the term “blended threat”? It seems to mean something specia...
In security, humor, vendor-bashing, Feb 11, 2006

The Vulnerability Supply Chain
Yankee Group research may not be as well-subscribed as, say, Gartner’s, but I like to think that it compares favorably with it. Earlier this year I wrote a research note titled Fear an...
In security, metrics, Dec 07, 2005

The Natives are Restless
Many readers know that my day job is as a security technology analyst for Yankee Group. Well, it’s about that time of year where we start to wind down our research calendar. One of th...
In security, Windows, research, Nov 29, 2005

The Devil’s Information Security Dictionary
Just saw the very funny Devil’s InfoSec Dictionary on the CSO site. Of course, I had to add a few definitions of my own: Blended threat: a hemlock smoothie. Process, Security Is A: a...
In security, humor, Nov 14, 2005

Making the wrong development choices
I hate to be a curmudgeon about this, but this fellow needs a beat-down: Fixing AJAX: XmlHttpRequest Considered Harmful. I offer this as exhibit A (as in AJAX) about why application secu...
In applications, security, web security, Nov 09, 2005

Graphical Integrity, Part I
The folks at the NY Times have put together a nifty interactive graphic that diagrams the various data breach cases that have been disclosed since January. It breaks down when each in...
In security, visualization, Nov 07, 2005

The Cybertrust Zotob Study: Read Between the Lines
Rudolph Araujo, a contributor to the securitymetric.org mailing list, forwarded on a link to a Red Herring article about a new Cybertrust study on the impact of the Zotob worm by Russ...
In security, Windows, research, Nov 01, 2005

Fun with Spam
Collecting Hamster Wheels of Pain is certainly a fun hobby. So is collecting the rather amusing e-mail addresses chosen by spammers to evade e-mail filters. Here are some good’uns fro...
In security, spam, metrics, Nov 01, 2005

Security Metrics: Scorecard Design
Author’s note: the chapter is not finished. It has some organizational and structural flaws that won’t be ironed out until later in the editing process. There are also some parts that...
In book, Oct 19, 2005

WARNING MESSAGE: YOUR SERVICES NEAR TO BE CLOSED.
I’m not a violent man. But I want the person who invented this spam subject line to be killed. Preferably by some method that is at once gruesome and medieval. Drawing in quarters wou...
In security, spam, Oct 13, 2005

Hamster Wheels of Pain
A while ago I wrote a blog post called Escaping the Hamster Wheel of Pain decrying the lather-rinse-repeat cycle that the security industry seems to be fixated on. Here are some hamst...
In security, humor, hamsters, Oct 13, 2005

A Picture is Worth 1,000 Words
We’ve had some interesting chatter on the securitymetrics mailing list today about sparklines: tiny, intense, word-size graphics. This is one of Edward Tufte’s latest confections. His...
In security, metrics, books, visualization, Sep 30, 2005

Information Security OCD
Just saw the Scorsese/DiCaprio film The Aviator for the first time. The film is remarkable not just for its lush cinematography, crisp writing and convincing special effects, but also...
In security, humor, Sep 25, 2005

The Symantec Threat Report: Read Between the Lines
Like many other people, I’ve downloaded and read the semi-annual Symantec Threat Report. I’ve always been a fan of this publication, which provides a level of texture, richness and de...
In security, vendor-bashing, Sep 22, 2005

Odds and Ends
At the risk of turning this into a link blog, here are two nifty articles that drifted across my field of view today: Google: Putting Crowd Wisdom to Work. Interesting article about ...
In security, big data, Sep 22, 2005

IE7 Anti-Phishing is Land-Grab in Disguise?
Have you been following Microsoft’s plans for IE7? I have, and a blog post I read about their anti-phishing plans just about made me spit out my coffee. I’m going to do a research not...
In security, Windows, Sep 02, 2005

The 0wnership Society
Webroot has lately been producing a series of quarterly statistics on infection rates for four types of badness: Adware; Trojan horses – botnet software falls into this category; Sys...
In security, Windows, malware, Sep 01, 2005

Escaping the Hamster Wheel of Pain
Risk Management is Where the Confusion Is: Lately I’ve been accumulating a lot of slideware from security companies advertising their wares. In just about every deck the purveyor bandie...
In security, hamsters, books, May 04, 2005

Web Services Confusion
Scobleizer points out that the WS ReliableMessaging specification has been submitted to OASIS. With all due respect to the incredibly bright folks at the WS-I, I find the world of web ...
In security, humor, applications, Apr 21, 2005

Voting With Your Feet
Most people know that the dominant computing platform has a little problem with security. It’s a little problem with big consequences. Recently, research firm IDC released a report in...
In security, Windows, Mac, Dec 02, 2004