Security as a selling point for your business?

Most business leaders think about security as a cost. It is hard to demonstrate positive returns on security investments, which makes it a "cost" issue. Even people who work with securing information often struggle with answering the simple and very reasonable question: "where is the business benefit?". What if you turn it around, and view…

Extending the risk assessment mind map for information security

This post is based on the excellent mind map posted on taosecurity.blogspot.com detailing the different fields of cybersecurity. The author (Richard) said he was not really comfortable with the risk assessment portion. I have tried to change the presentation of that portion into the more standard thinking about risk stemming from ISO 31000 rather than security…

4 habits from consulting every security professional should steal

After being home on paternal leave 80% of the week and working 20% of the week, I will be switching percentages from tomorrow. That means more time to get hands-on with security. I've recently switched from risk management consulting to a pure security position within a fast-growing organization with a very IT-centric culture. Working one…

How do you tell your audience that somebody found a vulnerability on your site?

Disclosing vulnerabilities is part of handling your risk exposure. Many times, web vulnerabilities are found by security firms scanning large portions of the web, or they may be reported by independent security researchers who have taken an interest in your site. How companies deal with such reported vulnerabilities usually takes one of the following…

Security Awareness: A 5-step process to making your training program role based and relevant

Security awareness training is one of many strategies used by companies to reduce their security risks. It seems like an obvious thing to do, considering the fact that almost every attack contains some form of social engineering as the initial perimeter breach. In most cases it is a phishing e-mail. Security awareness training is often…

Cybercrime one of 5 top organized crime threats to Europe according to EUROPOL

Europol has recently released its 2017 report on organized crime (SOCTA) in the EU. In this report they identify 5 key threats to Europe from organized crime groups. In addition to cybercrime itself, the report pulls forward illicit drug crimes, migrant smuggling, organized property crime and labor market crime. Cybercriminal activities are often integral to…

Is complexity better than length when it comes to passwords?

Most organizations have password policies that require users to change their passwords every XX days, and that they use a minimum (or sometimes fixed!) length, and a combination of upper- and lower-case letters, numbers and special symbols. But what exactly makes a password "strong" or difficult to guess? https://www.youtube.com/watch?v=LAvndaB65PE&feature=youtu.be Entropy can be used to measure…