In all this talk about security risk management, sometimes it’s good to take a step back to see the forest for the trees. Bruce Schneier points us to an essay that highlights the difference between perceived risk and real risk. It’s got nothing to do with computer security directly (rather, it’s about the “security theater” [...]
- Posted in CSO / Risk Management
Clearly, there’s not much point to a security system if nobody uses it. But are there some measures we can expect people to take on their own behalf? Can’t they at least come up with good passwords and not post them to their monitor with post-it notes? Recently, Richard Steinnon attended a security event where [...]
- Posted in Uncategorized
When people talk about “evolution” of the security market, they tend to mean the way in which the bad guys, the malicious hackers, scammers and tricksters, continue to evolve and change and look for new vulnerabilities and loopholes. However, it’s just as important to recognize evolution in other areas of the security business as well — [...]
- Posted in Uncategorized
In discussing a term like “risk management” many people like to look at it simply from a numerical, statistical standpoint. But it’s important to remember that numbers don’t always tell the whole story. While the article linked here focuses on risk management just in the financial realm, it applies to security risk management as well. [...]
- Posted in CSO / Risk Management
Best practices can be wrong. Best practices are about relying on what’s been done in the past. Following the past, especially in an industry where things change rapidly, can make anyone miss the reality of the situation. “Best practices” certainly sounds positive. But “this is the way we’ve always done things” is a statement [...]
- Posted in CSO / Risk Management
There’s a lot of talk these days (especially at McAfee) over just what “security risk management” really means. It’s an important part of McAfee’s approach to security, and it’s important that it be something real, and not just a buzzword that sounds good. It’s easy, when you hear phrases like security risk management, to glaze [...]
- Posted in CSO / Risk Management
In the last year or so, there have been many, many reports of stolen data from companies. This isn’t because companies were suddenly more careless with their data, but because of new laws (kicked off by a California state law) that required companies to alert customers if their data may have been stolen. Thus, many [...]
- Posted in Risk Compliance
It’s getting easier and easier to launch a phishing attack. According to the Anti-Phishing Working Group, a complete, soup-to-nuts phishing kit can now be bought for $30. Hacking kits have been available for some time allowing people with very little technical knowledge to launch an attack, but they’re becoming increasingly sophisticated. Those selling the kits [...]
- Posted in Uncategorized
It’s hard enough to get people to employ basic security procedures, like protecting their WiFi or using passwords with both numbers and letters. So as the complexity of a system grows, it’s inevitable that home and corporate users will simply fail to follow good procedures. Yet the debate about security and usability [...]
- Posted in Uncategorized
Recently I have met with several national and international companies that are considering or are implementing an outsourcing arrangement. Outsourcing is something that we have done for decades (see: ADP, Paychex, AccountTemps). I truly understand the business rationale around this as a means to help stay competitive and allow technical teams to focus on their [...]
- Posted in CSO / Risk Management