-
I was quite intrigued, recently, by a question posed by the author of Securosis.com and his answer:
“So how do you build the mindset?
You immerse yourself in security, and I don’t mean the job. Don’t read books on cryptography, go read some quality spy novels and security tales with ultra-paranoid protagonists that consistently improvise creative solutions [...]
- Posted in Data Protection
-
Bruce Schneier is noting that in looking through a bunch of phished passwords taken from MySpace, he’s impressed that passwords have improved. Traditionally, the story was that people used passwords that were way too easy to crack — often just a word that could be found in the dictionary or someone’s name. However, it seems [...]
- Posted in Uncategorized
-
Following a Q&A session where someone asks about security malpractice insurance, Dan Morrill examines whether or not such an idea makes sense. He points out that in order to have malpractice, there first needs to be standards of practice and some system to build out an actuarial table to define the risk. That assumes that [...]
- Posted in Uncategorized
-
It’s great to be discussing security risk management, because it’s important to be thinking strategically about security. However, thinking and doing may be two different things, and many are noticing that as much as they think they’re getting into the security business to do strategic things, the daily grind is often more about fighting fires. [...]
- Posted in Uncategorized
-
InfoWorld has a story about IT becoming a revenue center, rather than a cost center, for some companies. While a little more narrowly focused, could the same be true for IT security as well? For companies that have done a good job implementing security for their own systems, why not sell some of that know-how [...]
- Posted in Uncategorized
-
Responding to a post on the Layer 8 IT security blog about how those setting IT security policies should be within the IT organization, Riskanalys.is has a post saying that IT risk management people belong outside of an IT group. The thinking is that IT isn’t well enough respected, to some degree. It’s not seen [...]
- Posted in CSO / Risk Management
-
Among those who work with data for a living (or a passion), there’s quite a bit of excitement over a brand new online service called Swivel, which acts as a hub for storing and sharing data sets. The idea is that, in true “web 2.0” fashion, anyone out there can simply upload whatever data they [...]
- Posted in Uncategorized
-
One of the “risks” that companies often look at in doing risk management is the risk of their reputation being soiled by a security breach. However, some are suggesting that risk is overstated. The claim is, more or less, that data breaches have become so common that they’re just not newsworthy any more — and [...]
- Posted in CSO / Risk Management
-
So, you want to be an IT security professional? Apparently, it’s not all fun and games — at least according to the latest Dark Reading IT security professionals’ survey. Many are upset at the amount of administrative work they need to do, which they often feel takes away from actually doing their jobs. They also [...]
- Posted in Risk Compliance
-
As plenty of people probably realize, last week the new rules concerning “e-discovery” went into effect, leading to plenty of new worries for companies to comply with the law concerning how they store, keep track of and (in the event of lawsuits) retrieve certain electronic data sent on their networks. The rules are already scaring [...]
- Posted in Risk Compliance