Risk Management
Follow-up: Integrating Assessment Tools
My last post spawned some questions, which I responded to in turn. Here was my response: [Adapters] Adapters for assessment results can take a few forms, but let’s address three specific scenarios that fan-in to an assessment results/presentation step and a few that fan-out. [Fan in] Fan in typically comes from three sources: 1) static [...]
Three New Books
There are three new books (recently released) that are worth a look. One is an absolute necessity for any security practitioner. The others may be interesting for some readers of the blog. The book that you MUST READ RIGHT NOW is the second edition of Ross Anderson’s Security Engineering book. Ross did a complete pass [...]
Additional Thoughts on “The Risk of Too Much Risk Management”
My previous post sparked comments from Mike Rothman, Alex, Christofer Hoff, Arthur, and perhaps others I haven’t seen. I sincerely appreciate everyone’s considered feedback. In this case, the feedback was to tell me I’m off-base on terminology, and that’s all good. I’m happy to take lumps when I mess something up. I really meant it [...]
The Risk of Too Much Risk Management
IT controls. Corporate governance. Decision support. Right-sized spending (another phrase I thought I coined, but I see it gets three hits in Google). These are all part of the all-too-nebulous activity often referred to as data security risk management. Let’s put a stake in the ground on what risk management means. I’m not referring to [...]
One View of Why Risk Management Takes Too Long
As I get back into the risk management arena after a sojourn in knowledge management (mainly designing knowledge-driven offerings and monetizing the associated intellectual property), I find yet another example of “the more things change, the more they stay the same.” I think the executive view of information security risk management techniques as viable decision [...]