Security as a selling point for your business?

Most business leaders think about security as a cost. It is hard to demonstrate positive returns on security investments, which makes it a "cost" issue. Even people who work with securing information often struggle with answering the simple and very reasonable question: "where is the business benefit?". What if you turn it around, and view…

Extending the risk assessment mind map for information security

This post is based on the excellent mind map posted on taosecurity.blogspot.com detailing the different fields of cybersecurity. The author (Richard) said he was not really comfortable with the risk assessment portion. I have tried to change the presentation of that portion into the more standard thinking about risk stemming from ISO 31000 rather than security…

4 habits from consulting every security professional should steal

After being home on paternal leave 80% of the week and working 20% of the week, I will be switching percentages from tomorrow. That means more time to get hands-on with security. I've recently switched from risk management consulting to a pure security position within a fast-growing organization with a very IT-centric culture. Working one…

How do you tell your audience that somebody found a vulnerability on your site?

Disclosing vulnerabilities is a part of handling your risk exposure. Many times, web vulnerabilities are found by security firms scanning large portions of the web, or they may come from independent security researchers who have taken an interest in your site. How companies deal with such reported vulnerabilities will usually take one of the following…

Can cybersecurity culture be measured, and how can it drive national policy?

Background: NorSIS has studied what they term cybersecurity culture in Norway. The purpose of their study has been to help design effective cybersecurity practices and to understand what security regulations Norwegians will typically accept. The study wants to measure culture, a concept that does not easily lend itself to quantification or simple KPIs. The attempt…

Security Awareness: A 5-step process to making your training program role based and relevant

Security awareness training is one of many strategies used by companies to reduce their security risks. It seems like an obvious thing to do, considering the fact that almost every attack contains some form of social engineering as the initial perimeter breach. In most cases it is a phishing e-mail. Security awareness training is often…

Avoid keeping sensitive info in a code repo – how to remove files from git version history

One of the vulnerabilities that is really easy to exploit is when people leave super-sensitive information in source code, and you get your hands on this source code. In early prototyping a lot of people will hardcode passwords and certificate keys in their code, and remove them later when moving to production code. Sometimes…