All Posts


Talking to Executives About Cyber and Technology Risks

Senior managers talk about risks, not about threats or controls. To have better conversations with senior leaders, focus on where the risks are coming from, and why. This post offers a vocabulary for talking about cyber- and technology-related risks and their causes.


Who Killed the Perimeter? Some Clues.

Enterprise network perimeters have been disappearing: at first slowly, and then suddenly, all at once and at knifepoint. If this were a game of Clue, I’d accuse the Ransomware Actor, on the Edge Device, with the Zero-Day.


Microsoft to CIOs: Drop Dead

Microsoft’s new advice for securing Active Directory does customers a disservice by focusing on the wrong things. Tomorrow’s “Zero Trust” and Azure roadmaps won’t stop today’s ransomware epidemic. Enterprises need to protect the Active Directory they’ve already got.


Why CISOs Should Care About Cloud “Drift”

Drift metrics can help measure how well-managed an enterprise’s technology assets are. CISOs can mine data contained in mainstream cloud configuration tools to understand conformance or divergence from expected states.


SRE Metrics and Security Measurement

Google’s approach to measuring site reliability has much to recommend it. CISOs can steal a leaf from their book.


Five Lessons from a Decade of Security Metrics

The data revolution sweeping over IT has come to cybersecurity. CISOs can learn from their success disasters, instrument their controls, and write key risk indicators (KRIs) that resonate with their audiences.