by John

If you don’t have a reliable and authoritative repository of the devices connected to your network, their posture and the use of privileged accounts, it is difficult to believe that you really have any hope of managing them well to protect your organization’s sensitive information. If you are not managing IT security risk well, it will have an effect on all aspects of enterprise risk. This is why situational awareness needs to be a top enterprise focus.

The first category in the NIST Cybersecurity Framework is “Identify”. The first 5 CIS controls relate to the discovery, inventory and posture of endpoints, software and privileges.

Posted in Blog, Cybersecurity & Infosec, Risk Management, Vulnerabilities

by John

Should we be surprised at all that Facebook, Google and others base their business plan on marketing our personal information, and that, on the doorstep of GDPR, everyone from customers to Senators is astonished they haven’t noticed or cared until now? A heavy-handed regulatory response could have us rethinking the current model of social media and marketing. Does the pendulum swing back to closed communities like AOL of the 1990s? This issue requires informed discussion (frankly, many Senators are out of touch on this topic) if we are to avoid throwing the baby out with the bathwater.

Posted in Data Breaches, Law and Regulations, Privacy

by John

The NIST Cybersecurity Framework has five categories for enterprise security: Identify, Protect, Detect, Respond, Recover. There is a lot of focus on Detect and Respond as the new shiny. Let’s be honest, every company should be doing their due diligence in all five of these categories. While traditional protection controls are less effective, we still need to be doing what we can to identify and protect (let’s face it, we used to rely on static antivirus, and today it is laughable to suggest static AV is anywhere near adequate protection for endpoints).

I’ve heard people say that we don’t need defense in depth, we need detection in depth. I’m not sure what that means. I agree we need to do a better job of detecting faster and responding better, but we only have two options here, DEFENSE and OFFENSE. I really don’t hear enterprise CISOs suggesting we attack back. Not sure the general counsel would agree on that either.

Posted in Blog, Cybersecurity & Infosec

by John

One of the most frequently maligned and misused terms used by information security vendors is: Artificial Intelligence (AI). AI and machine learning (ML) are, however, not a passing fad. Let me define these terms in more detail.

Artificial intelligence has been the subject of sci-fi novels for several decades now: computer systems with “brains” to rival or surpass those of humans. The idea that AI systems are “thinking machines” that in any way rival the human brain is fiction, at least in the near future.

Posted in AI & Machine Learning, Blog

by John

We have many concerns today regarding security and privacy, but our concerns will only be magnified in the future. In this presentation I look forward 10, 20 and 30 years into the future at trends, issues and possible solutions. (My notes for the #CERIAS20 futurist panel.) https://is.gd/CERIASfuture18

Posted in Blog, Presentations & Webinars