What is Meant by “Integrity” in the CIA Triad?

This is the third part of a four-part blog series covering the CIA Triad. The first part discussed the CIA triad as a whole (Part I). Part II covered Confidentiality. Part IV will cover Availability. Integrity. Many people hear or see that word and their first thought is of an individual's trustworthiness. Do they have …

Understanding “Confidentiality” Within the CIA Triad

This is the second part of a four-part blog series covering the CIA Triad. The first part discussed the CIA triad as a whole (Part I). Part II will cover Confidentiality with parts III and IV covering Integrity and Availability. Three can keep a secret, if two of them are dead. Benjamin Franklin, Poor Richards …

Introduction to the CIA Triad for Security Professionals

This is part 1 of a four-part series. We'll introduce the CIA concept overall here in the first of the series. Then cover each component more in-depth in subsequent posts One of the most critical concepts for security professionals is the CIA (confidentiality, integrity, availability) triad. It is at the core of everything we do, …

Make Policy Your Friend and Learn to Love Governance and Compliance

I was a GRC (Governance, Risk, and Compliance) person first and now I am a CISO (Chief Information Security Officer). It was 20 years ago, thereabouts, and I knew I wanted a change. I'd abandoned my goal of a career that I'd attended college for, technical theatre, and was working retail for a large, national …

Rebranding “InfoSec” as “Business Security”

"No one really gets what it is we do." I read and hear that phrase, or something similar, a lot when consuming InfoSec (information security) content. There are references and allusions to it on Social Media, write-ups in industry periodicals, and references to it on podcasts. The arguments tend to be the same. "It's not …

Security is the Force of the Business Galaxy

Quick acknowledgment here; this is written from the perspective that security is at the center and core of all business. That is simply a conceit to allow for the perspective. The core element of any business is to make money and increase profits and profitability over time, I get that. Many businesses struggle with figuring …

Phishing is not an Awareness Program

Security Awareness Training is big topic and it consists mostly of people saying that you need to run phishing campaigns. People are your weakest link, but that’s their nature. It’s more than knowing social engineering, identifying phishing scams in all its forms. You need to train your HR people on listings and job postings. Train …

Importance of the Boring Stuff: Policies

A lot of people think of InfoSec and immediately think of “hackers.” Writing and running code, discovering vulnerabilities and writing exploits, discovering bugs by reviewing code and looking for failings, and all other activities that look cool when presented on TV and film, where energy drinks cover the desk, and the only light on the …

Just get involved

So you’re starting out in InfoSec and don’t know where to start. I don’t mean the trainings, or the fields of study, the webinars, or the cons. We aren’t talking about doing your research to publish, or diving in on bug bounty research, or how to conquer your first CTF (capture the flag). Nor are …

Imposter Syndrome from a Real Imposter

That title is tongue-in-cheek. It is possibly the one universal truth that I've learned in my time working and communicating with members of InfoSec; everyone has bouts of imposter syndrome. The number of people that I revere and have the fortune to talk with, all admit to having their moments. And not just their moments …