Cigital’s Agile Security Manifesto

I tend to operate in accordance with the four principles of Cigital's recent Agile Security Manifesto. NOTE: I cannot state whether I've employed Cigital professionally but I have had interaction with them in my career. These principles align with security governance, education and scaling throughout an organization versus roles in security domains taking on… Continue reading Cigital's Agile Security Manifesto

SANS – Confusion in the Top How Many?

Enterprise Security or Secure Solution program? While discussing the SANS Top 20 Critical Controls a couple of weeks ago I ran into some confusion with an infosec partner about the number of controls we were talking about.  He referred to the Top 25 but I know from my training and certification that there are 20… Continue reading SANS – Confusion in the Top How Many?

CSIP Looks Good

After reading through the CyberSecurity Strategy and Implementation Plan (CSIP) I was impressed with its scope and relatively clear terminology, acronyms notwithstanding, and how it outlined federal strategy. I expect the timelines to be challenging, though. Working in a multi-national, Fortune 500 company, I know that if you don't already have some information collected and… Continue reading CSIP Looks Good

Delivery IS Business

Whether your business' core competencies involve products, services or legally binding promises, delivery is a measuring stick that's used to evaluate you. Do you deliver what customers want ahead of the industry? Do you deliver it better or cheaper? Do you deliver a different experience; are you a boutique for your industry? Regardless of… Continue reading Delivery IS Business

Legacy Risk Corollary

Risk management encompasses risks to privacy, network, process, brand, etc.  I’m interested in a juncture of two threat vectors in this post. Legacy, in this context, refers to things that have been in-place for a long time.  Often they are heavily depended upon so that they cannot easily be replaced without significant cost and concurrent risk.… Continue reading Legacy Risk Corollary