I regularly get asked by new CISOs for information – benchmarks – on how much organizations like theirs should spend on security. That’s a deceptively simple question, and while there’s plenty of surveys that you can reference, none of them provide more than a rough starting point – there’s just too many variables.
I had an interesting conversation about data integrity attacks recently. Those involve altering records, rather than stealing them. The initial reaction was that they’d just restore from backup (like a disaster recovery plan). When I pointed out that most advanced attacks are in the environment for months before discovery, the light bulb went off: You […]
I’ve written before about the hype around AI, where there’s lots of potential, a ton of smoke and mirrors, and a few real things. Blockchain is right there contending for the king of the mountain. So what’s real, what’s hype, what’s plain dumb, and what isn’t anyone really talking about?
There’s a lot of talk about aligning security programs and business or functional goals, but in practice, that’s much easier “powerpointed” than done. Business consequences of security decisions, and security consequences of business decisions in the broader context are all too often missed or ignored, sometimes even deliberately. As Obi-Wan said to Luke, “What I […]
Over the past few weeks, I’ve been facilitating sessions at Evanta CISO events. If you’re not aware, these are discussions for CISO’s by CISO’s, held around the country and well worth the time. The topic for my sessions was AI & orchestration in cybersecurity, with more than 60 CISOs participating in five cities. While each […]
