Introducing RSA Archer GRC 6 – Inspiring Risk Management

There is no question organizations today are in a rapidly changing risk environment and the pressure to improve risk management practices is being driven top down from boards and executives. Managing a cultural shift from the reactive checking the box of compliance to a more proactive risk management model requires change and participation across the…


Marty, the Maestro and the Crown Jewels

Security.  Vulnerability.  Threats. Defense.  For those of you in ‘the risk industry,’ these words roll off your tongue with the practiced agility and grace of a seasoned ballet principal.   We use these words as a carpenter operates a saw and hammer, like a musician manipulates an instrument, like a writer brandishes a pen and paper. …


A Pivotal Year

For the past several years, the information security industry has been saddled with labels annually. 2013: year of the breach; 2014: year of the BREACH (we really mean it); 2015: year of the MEGA breach (it's gotten worse!). And with those labels every year I hear the phrase ‘this is a pivotal year in the…


Plan Your Journey to Wally World

Earlier this month, I wrote a blog about Information Security Metrics and their place in driving program maturity.  Every organization today is striving to be more mature in its information security program.  Given the constant deluge of media reports on hacks and attacks, security maturity has become a business imperative.  Metrics are one tool in the…


Mind Your Metrics

Last week I participated in a joint event with KPMG hosted by the New York Stock Exchange Governance Services.  The roundtable topic was Information Security Metrics programs – every security manager’s favorite.  Why?  Because security is so squishy.  What metrics could effectively capture the state of something that changes on a regular basis, has no…


GRC Integration = Business Value

Governance, Risk and Compliance efforts at companies are nothing new. Organizations have implemented processes and technologies to identify, manage and report on risks and compliance for decades. Only in the last 10 years or so has the term GRC been invoked to capture the overall concept of an organized, methodical approach to this core business…


Designing for Scale

I love TED talks. I am not sure if there is a better source for 10 minute chunks of information and inspiration. As I do a fair share of presenting in my career – never on the scale of a TED talk (yet) – I appreciate the nuances of the speeches – the quick pace;…


How do you define Security?

When I chose information security as my profession, it was a conscious decision.  I felt compelled towards the technology and the fascinating challenge of securing a shifting, metamorphic ecosystem.  When we think of the term “security,” in our technology context today, immediately we conjure up images of putting up walls, defenses and traps to keep…


The Twelve Days of GRC

Greetings and Happy Holidays.   As this year draws to a close, we can all take a deep breath as this has been a big year in the world of GRC.  Collectively as an industry, we have seen the advent of new laws and industry regulations; we have embraced new technologies; we have weathered financial storms…


C+I+A+Value – A CISO Imperative

Confidentiality, Integrity, Availability – the holy trinity of the information security profession.  Chapter One of (almost) every information security document has these three words highlighted, underlined, bolded, mantra-sized…Deified.  And for good reason.  These three guiding lights of the security vocation are the stars upon which our paths are navigated.  They provide the X, Y and…
