February 22nd, 2013 by John

Will you be attending RSA Conference 2013?

I will be on a mobility panel, discussing BYOD with experts in the field. You don’t want to miss it! MBS-T19 – “BYOD: Here Today, Here to Stay?”

Posted in Blog

February 22nd, 2013 by John

I will be on a panel for the National Academy of Sciences, discussing the topic of professionalizing the cybersecurity industry. We will be speaking at the Prescott Hotel, 545 Post Street at 2PM on Monday (2/25/13). Click here for more info!


February 22nd, 2013 by John

I just recorded a podcast for the RSA Conference on a panel I will moderate next week. I hope I did justice to the topic of our RSA panel next Wednesday! It will be MUCH better when Alex Hutton, David Mortman, Jack Jones and Caroline Wong are on stage explaining why risk management matters and how we can apply metrics to understand and reduce enterprise risk.

Please join us at 10:40 Wednesday in Moscone 133. Click here for more info.


February 12th, 2013 by John

I admit I have sinned. I haven’t blogged much in the past year. Most of my social media interaction has been on Facebook and Twitter and even LinkedIn. Mea Culpa, mea culpa, mea maxima culpa!

I do have an excuse though! I’ve been doing penance in the form of writing five cybersecurity courses for Laureate/Walden University and Excelsior College. I am excited about the new cybersecurity program I’ve helped develop for Excelsior College. They reached out to me in 2011, after I met the associate dean at a conference in Washington, DC. Check out their course offerings, here.

The thing about Excelsior College is, when you write a course for them, they make you teach it! So, while I have pushed myself to write meaningful courses, I’ve also been teaching them. Despite the pain and agony of long nights and short deadlines, it’s worth it in the end. I feel it’s helped me improve my own security skills. If you have an opportunity to write courses, books, speak or teach, do it! It will be a lot of extra work, when you probably already have a full schedule, but in the end you will find it beneficial. I’m a proponent of lifelong learning and personal/professional development, so as a recovering physicist, I really love the privilege of being allowed to teach physics and astronomy. It’s been ten years since I started teaching astronomy (and ethics) at a local university, and I now teach intro astronomy every semester at local colleges. It’s motivating and rewarding to be allowed to teach others about something you love. This last year, my company asked me to represent them in the capacity of “industry representative”, developing the Next Generation Science Standards. This is an organized effort by 48 leading states to develop K-12 science standards. This is another very rewarding opportunity, and it allows me to meet educators from across the country and learn about the issues they face as they teach our children. So, don’t hate me Internet. I haven’t ignored you, I’ve just been busy. I promise to write more often in the future. Please don’t give up on me. Be my Valentine! 😉


March 8th, 2012 by John


We had a great turnout on Thursday for the Trainer Communications event: Security Never Sleeps… at Lulu Restaurant for lunch, across from the RSA Conference 2012. Thanks to everyone who attended!


February 24th, 2012 by John


This weekend the 2012 RSA Conference begins! I am looking forward to a busy week. Every day is essentially booked from 7am to midnight. I hope to see many of my friends at what has become an annual pilgrimage to San Francisco each spring to catch up on information security trends and technology.

For me, the focus will be on security metrics and risk management, because I’ve got a talk (Monday morning) and a panel (Wednesday morning), and a half-day seminar (Thursday afternoon) on these topics. It seems the big security issues for 2012 are: Cloud, Mobile, Social Media and Big Data.


February 24th, 2012 by John

I recently gave a presentation at the Next Generation Security Summit in Atlanta, GA, on the topic of endpoint protection. I took the approach that endpoints are more than just desktop PCs these days. There is probably some debate on just what defines an endpoint. Traditionally, the endpoint was the user workstation. Remember back in the early 1990s, when we started giving end users their own computers on their desks, to replace dumb terminals? I think the term “endpoint protection” actually evolved from the model of protecting computers with antivirus, delivered and updated by floppy disks.

We started to see threats increase ten years ago, when more employees started taking laptops home and connecting them to the Internet, and when we switched from dial-up modems to high-bandwidth VPN connections to our wide-open internal corporate networks. Today, the risk is even greater, and the endpoints are more varied. I don’t think we can just think of Endpoint Security as a desktop security suite. We need to look at all resources that are used for data processing and storage, and we need to move our concern from one use case to a broader definition that addresses security more holistically.

It is certainly good to be concerned about hardening desktops, but we operate in a more diverse environment, with an enterprise that extends into the cloud, with many different business access needs to address. Therefore, risk is coming at us from all directions and we need to look more holistically at risk management by better protecting the endpoints where our data resides, and one threat to mitigate is going to be the way the data is accessed. We need to do more than just put AV on our computers and call that endpoint protection. We need to focus our resources on the things that are most precious to the business. We do that first by understanding business need. Endpoint protection is a means to an end. We ultimately want to protect intellectual property, sensitive data and PII, and protect the brand.

I tried to get across the point that endpoint protection needs to be a combination of things, emphasizing the efficacy of layers and security in depth that is more targeted and focused on what is important to protect. This is a work in progress, but I hope you find my slide deck interesting and perhaps even useful in thinking about the problem.


August 19th, 2011 by John

Our nature is to resist change and fear the unknown.

Security isn’t about eliminating risk. It isn’t about saying no. Security is about knowledge: understanding risk and putting security risk in the right context, so business leaders can make informed decisions. When security is done right, it enables the business to embrace new and potentially transformative technologies and use them wisely to innovate and grow and produce business value. In today’s global marketplace, leveraging new technologies to create a competitive advantage can mean the difference between businesses that succeed and those that fall by the wayside.
