Poorly defined security KRI or Key Risk Indicators can give your senior management team a false sense of security but is a fear of presenting a potentially negative picture akin to the Hans Christian Anderson tale, ‘The Emporer’s New Clothes’? In this fairytale two tailors promise their emperor a new suit and tell him that…
Read more
Once an organisation understands the technical debt borrowed by its project managers the more likely projects will deliver the expected outcomes.
if the CISO isn’t providing their Board with a security ROI figure, then it’s quite probable the organisation is spending too much on the wrong things.
In the last (maybe…) of my three-part CISO rant series (See Part One and Part Two if you want to catch up) I am going to wrap up with a rant about the 33% CISOs not giving their organisations of a full CISO role. These are the CISOs who think their role is solely about…
Read more
A CISO is a strategic role, not an operational role – if you still want to run a Security Operations Centre (SOC) then (attitudinally at least) you’re not ready to be a CISO…here’s why…
The CISO reporting line is to 1 of 2 roles. The CRO if the CRO sits on the senior management team. If no CRO, then CISO should report to CEO directly.
Should organisations do more to help their users protect themselves against cybercrime at home? Should an internal awareness programme include some key things users could do at home which would reduce the chances of their employees succumbing to a fraudster? Do awareness programmes raise awareness of the cybercrime problem but ultimately neglect to educate users…
Read more
The whole point of penetration testing (pen testing) is to identify how vulnerable an organisation’s technology infrastructure is to attack. I suspect, however, anecdotally, that a lot of organisations have lost sight of this goal and are now opting for a; vendor-led, paint-by-numbers pen test consisting of maybe one of two high-profile Internet-facing applications. I’m not saying this is a systemic issue but from my observation over the last few years, it seems this approach to pen testing is pretty widespread and I think we desperately need a return to pen testing’s ethical hacking roots…
