Make Policy Your Friend and Learn to Love Governance and Compliance

I was a GRC (Governance, Risk, and Compliance) person first and now I am a CISO (Chief Information Security Officer). It was 20 years ago, thereabouts, and I knew I wanted a change. I’d abandoned my goal of a career that I’d attended college for, technical theatre, and was working retail for a large, national …

Rebranding “InfoSec” as “Business Security”

“No one really gets what it is we do.” I read and hear that phrase, or something similar, a lot when consuming InfoSec (information security) content. There are references and allusions to it on Social Media, write-ups in industry periodicals, and references to it on podcasts. The arguments tend to be the same. “It’s not …

Security is the Force of the Business Galaxy

Quick acknowledgment here; this is written from the perspective that security is at the center and core of all business. That is simply a conceit to allow for the perspective. The core element of any business is to make money and increase profits and profitability over time, I get that. Many businesses struggle with figuring …

Phishing is not an Awareness Program

Security Awareness Training is a big topic, and it consists mostly of people saying that you need to run phishing campaigns. People are your weakest link, but that’s their nature. It’s more than knowing social engineering and identifying phishing scams in all their forms. You need to train your HR people on listings and job postings. Train …

Importance of the Boring Stuff: Policies

A lot of people think of InfoSec and immediately think of “hackers.” Writing and running code, discovering vulnerabilities and writing exploits, discovering bugs by reviewing code and looking for failings, and all other activities that look cool when presented on TV and film, where energy drinks cover the desk, and the only light on the …