 

Guest Blog Post

 

GUEST ESSAY: A call for rethinking incident response playbooks

By Liz Maida

We see it week after week. Insidious cyber threats that spread throughout enterprises like wildfire and proliferate around the globe, interfering with crucial work and holding data hostage. These attacks make the news cycle for a few days, security teams wring their hands over it, and then forget all about it – until the next attack. Lather, rinse, repeat.

When will the security community get smarter about our approach to identifying and thwarting cyber threats, instead of just responding to the one at hand?

Related video: Tempered Networks introduces identity-based networks

The known threat of today — whether it’s malware, social engineering or phishing — inevitably morphs into the zero-day threat of tomorrow. Which means that all the tactical work security teams …more

GUEST ESSAY: ‘Chess Master Project’ should restore resiliency to U.S. power grid

By Paul Myer

The evolving risk of a coordinated, catastrophic cyberattack on U.S. energy delivery systems (collectively known as “the power grid”) via vulnerable Industrial Control Systems (ICS), resulting in widespread, prolonged power outages, is not a new concern to energy industry executives or government policy makers.

Owners and operators of energy sector assets understand the possible impacts of coordinated physical and cyber-attacks which threaten the reliability and resilience of U.S. energy delivery systems. They experienced havoc and disruptive economic and social impacts from the prolonged power outages over widespread areas resulting from the 2003 Northeast Blackout and the 2011 Southwest Blackout events.

Related podcast: How Russia’s election tampering relates to Ukraine power grid attacks

However, with an industry-standing focus on grid reliability, a lack of qualified cyber security experts, and reliance on the fact that a hypothetical cyberattack event resulting in widespread outages has not yet occurred on the U.S. power grid, energy sector utilities have become complacent in their cyber protection strategies. …more

GUEST ESSAY: How safeguarding user credentials can lower cyber insurance premiums

By Dean Thompson

According to Lloyd’s of London, a massive global cyberattack could result in economic losses as high as $53 billion.

Given that, it’s no surprise that an increasing number of businesses are adding cybersecurity coverage to their liability insurance. But as businesses rush to insure, the cost and precise scope of coverage of these policies are coming under scrutiny. A key question is whether or not non-malicious human activity is covered.

On one hand, cybersecurity policies that do not cover human error – which would include falling victim to sophisticated phishing schemes, visiting Trojan-infected sites, or even deferring patches or updates – would be of far more limited value.

That’s because, according to a recent Verizon study, 81 percent of breaches …more

GUEST ESSAY: A call to reinvent security by following the ‘Three Ways of DevOps’

By Jeff Williams

How do you know that your bank’s software is secure? Your airline? Your government?

The average application has 26.7 serious vulnerabilities, 82% of breaches in financial organizations are due to applications, and the average breach costs $4 million. With roughly 20 million developers worldwide, we’re producing vulnerable code faster than ever before.

Other industries have wrestled with similar pervasive problems and made progress. Automobiles are safer, food is more nutritious and so on. DevOps has shown dramatic benefits for other aspects of software development: 5x lower change failure rate, 96x faster mean time to restore service, and 2x more likely to exceed business goals. Perhaps the secret to effective security can be found in DevOps too.

Related podcast: What is DevOps and …more

GUEST ESSAY: 5 deadly sins for which companies reap their just reward: data breaches

By Morey Haber

I love statistics. They are a valuable commodity in a discussion to formalize a point and validate your position. Many times, others will question the source, accuracy, or even meaning of a statistic to skew the results in their favor. In addition, a statistic taken out of context, or viewed on its own, can lead to very misleading results. The point is statistics drive everything from social initiatives to new product development. The methodologies to collect and develop them are a science.

So where is a good source for statistics? If you are a security professional like myself, you may turn to vendors, analysts, or the government for results. My company, BeyondTrust, is one of those vendors and produces statistics like the …more

GUEST ESSAY: Trump’s Cybersecurity Executive Order is Only a Start

By Bob Ackerman

President Trump last May signed a cybersecurity executive order (EO) outlining plans to improve data security for federal agencies and to better protect critical U.S. infrastructure. I view it as a call to action, more than past administrations have done. This alone makes it worthwhile.


But it’s just a start. Much more needs to be done, and whether this materializes is anybody’s guess. Take, for example, the goal of improved protection of U.S. infrastructure. The administration must respond decisively to the fact that our electric grid and other key components of national infrastructure were designed to be functional, not secure.

Related article: Obama uses bully pulpit to encourage public-private …more

GUEST ESSAY: Why Trump’s cybersecurity executive order is a step in the right direction

By Alberto Yépez

Last May, the White House issued a cybersecurity executive order (EO)—the Trump administration’s first major action on cyber policy. It has attracted naysayers. The fact is, however, that the president has finally plugged a huge hole by putting in place a guiding strategy for our nation’s cyber defense.

And his suggestions are solid.

Related article: Trump’s cybersecurity order calls for work force development

The order charges the government with reviewing its cyber posture and places responsibility for cyber risk on those officials who lead federal agencies, such as the Departments of Homeland Security and Defense. They must provide reports this month based on the National Institute of Standards and Technology framework, the de facto standard. And broader reports on issues impacting our nation’s critical …more