Appetite and Exercise

In my last blog post, I posed the concept of Cyber Risk Appetite as something that all organizations need to consider today.  I used the analogy of a balanced diet of risk – taking some risks to keep the business growing while avoiding so much risk that the business becomes bloated.   The objective is to…

How Hungry is your Organization?

As someone that tries to watch my diet, I know how hard it is to deal with your own appetite. Several things that are my weakness – fresh bread, cold beer, pizza, the list goes on – are definitely not the best elements for a balanced diet.  Most of the time I am able to deal…

Know your Gaps; Take Action

Issues – we all have them.   I should clarify that statement.   I am not talking about you personally or referring to the ‘lie on the couch, tell me about your relationship with your mother’ types of issues.  I mean – all organizations have issues.   Some are big and some are little but all organizations find…

Introducing RSA Archer GRC 6 – Inspiring Risk Management

There is no question organizations today are in a rapidly changing risk environment and the pressure to improve risk management practices is being driven top down from boards and executives. Managing a cultural shift from the reactive checking the box of compliance to a more proactive risk management model requires change and participation across the…

Marty, the Maestro and the Crown Jewels

Security.  Vulnerability.  Threats. Defense.  For those of you in ‘the risk industry,’ these words roll off your tongue with the practiced agility and grace of a seasoned ballet principal.   We use these words as a carpenter operates a saw and hammer, like a musician manipulates an instrument, like a writer brandishes a pen and paper. …

A Pivotal Year

For the past several years, the information security industry has been saddled with labels annually. 2013: year of the breach; 2014: year of the BREACH (we really mean it); 2015: year of the MEGA breach (it's gotten worse!). And with those labels every year I hear the phrase ‘this is a pivotal year in the…

Plan Your Journey to Wally World

Earlier this month, I wrote a blog about Information Security Metrics and their place in driving program maturity.  Every organization today is striving to be more mature in its information security program.  Given the constant deluge of media reports on hacks and attacks, security maturity has become a business imperative.  Metrics is one tool in the…

Mind Your Metrics

Last week I participated in a joint event with KPMG hosted by the New York Stock Exchange Governance Services.  The roundtable topic was Information Security Metrics programs – every security manager’s favorite.  Why?  Because security is so squishy.  What metrics could effectively capture the state of something that changes on a regular basis, has no…

GRC Integration = Business Value

Governance, Risk and Compliance efforts at companies are nothing new. Organizations have implemented processes and technologies to identify, manage and report on risks and compliance for decades. Only in the last 10 years or so has the term GRC been invoked to capture the overall concept of an organized, methodical approach to this core business…

Designing for Scale

I love TED talks. I am not sure if there is a better source for 10-minute chunks of information and inspiration. As I do a fair share of presenting in my career – never on the scale of a TED talk (yet) – I appreciate the nuances of the speeches – the quick pace;…