Protecting Your Kids Online

The More You Know . . . Picture it—Texas, 1985: A scrawny, neurotic eight-year-old asks her dad for help with her homework. The assignment? Design a Fire Safety Plan for your home and family. My dad is former military. He was, to put it mildly, rigorous about rules and safety, so my plan was the […]

The Five Best TED Talks on Cybersecurity

Teddy Bear looking cute

It’s been a long year since the pandemic began, and one of the things that I’ve missed most has been the opportunity to be able to attend our local TED talks or to hear my cyber peers share their important perspectives on cyber with the TED audiences. With that in mind, I thought I’d share […]

Make Cybersecurity Easy With Tiny Habits

Have you ever been told to never write your password down? Or never use social media? Don’t click on links? Never use Wi-Fi at a coffee shop? Cybersecurity should be easy, but sometimes advice like this makes it seem hard. We think making cybersecurity can be easy, you just need to build habits. There are […]

The Inside Story of How The Girl Scouts Created Their Cybersecurity Merit Badges

Empty classroom

In June 2017, I was in Vancouver, British Columbia, attending Palo Alto Networks’ annual cybersecurity conference, Ignite. Typically, the focus is on in-depth technical challenges and on how customers are solving those problems using Palo Alto’s technology, but something different happened in 2017. During the opening keynote, Mark McLaughlin, who was the CEO of Palo […]

Cybersecurity Mythbusters – Biggest Phisher Edition

You should always expect to get a phishing message. Or at least that’s what we tell people. That is the solution to all our phishing problems, right? Actually, I think this has turned out to be another one of those myths that we tell ourselves in the cybersecurity world. And to protect our communities effectively, […]

Cybersecurity’s Pepsi Challenge

I’ve been thinking a lot lately about one of the most famous marketing campaigns of all time, the Pepsi Challenge. But this isn’t an article about soft drinks, or marketing agencies.  This article is about cybersecurity awareness and how we need something better. If you’ve never taken the Pepsi Challenge, let me describe it for […]

Phishing Fair Can Build Trust

I was talking with some colleagues on LinkedIn recently about simulated phishing. A company last week used a particularly tone deaf simulated phishing message at a company struggling during the COVID-19 pandemic. Employees had been furloughed, salaries were cut, so when a simulated phishing message claiming to offer bonuses was sent, the employees were furious. […]

Bullet Resistant Cybersecurity Advice

image of a woman looking through a broken car window

In the beginning of Andrew Carnegie’s famous book, How to Win Friends and Influence People, he tells the story of safety inspector George Johnston. Johnston’s job was to get people to wear hard hats at construction sites. He would tell them, with the force of his authority, that they should wear their hats — even […]

The Top 10 Best Cybersecurity Strategies

After reading the great list of the Top 10 Worst Cybersecurity Strategies from Matthew Rosenquist I started thinking about what a similar list might look like for best cybersecurity strategies. We often focus on what not to do in cyber…and this makes sense, it’s more efficient to avoid problems. Where is the advice on what […]

The 60 Questions To Ask Before You MSSP Your SOC

Next week, I’ll be giving a talk “To MSSP or Not to MSSP: Some SOC Questions” at Educause Security Professionals. I’ve never met anyone who has said they love their MSSP. My team and I have been through several POCs with MSSPs, and have used several SOCs with various results. I don’t think there is […]

Culture Eats Cybersecurity For Breakfast

EGG LOCKS

Eggo Waffles weren’t always called Eggo Waffles. In the 1950s, in the boom that followed World War II, Americans began a love affair with frozen foods. Frank Dorsa and his three brothers in San Jose California had been running a highly popular mayonnaise business and had expanded into powdered waffle mix, but demand for their […]

Unsolicited Advice For Solicitors: Part Deux – An Unexpected Calendar Entry

I got a calendar invite from a vendor this week. Several of my colleagues were included, but not ones that I would normally meet with. I had never met this vendor before. I had never exchanged emails with this salesperson. I checked with my colleagues and none of them had ever had a conversation with this individual either. As I […]

What Toys R Us Taught Me About Growing Up

When I was in high school, I got a job working at Toys R Us. It was one of the best jobs I ever had, and to this day I still think about all of the lessons I learned about service to others, responsibility, and integrity. My secret ambition was to be able to wear […]

The Funny Thing About Blind Spots

When I was in college, I got a job one summer at a comedy club. It wasn’t as glamorous as it sounds. I didn’t get to meet any comedians. My job was essentially a telemarketer. I would call people who had attended previous shows and tell them they had won free tickets to see the […]

The Best Job I Ever Had

“Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing.” -Hellen Keller In honor of Labor Day, I’ve been reflecting on my career […]

Cybersecurity New Years Resolution

I don’t normally make New Year’s resolutions. But when I do, I start them in March. As you may have noticed, I decided to start blogging again. I published a book last year on cybersecurity for the layperson (managers, salespeople, executives) and I knew I wanted to begin writing a sequel. I didn’t have a theme […]

An OSI Model for Security Awareness

There are two parts of every great performance: the outer game and the inner game. Most books on coaching focus on the outer game. The outer game is what happens on the field. What sport are you playing? What plays are happening? What techniques are you using to hold or hit the ball? How do […]

It’s Always Sunny In Cybersecurity

In ancient times when there was a total eclipse, many people believed that evil was taking over the world. In those days, before telescopes or astronomy, people believed that the sun was some sort of god: the Greeks called this god Helios and the Egyptians called him Amun-Ra. The idea that a god could be […]

Cybersecurity Secret Santa

One year, I asked for a video game for Christmas. This was back when video games still had cartridges and came in a very distinctive package. So when I saw this familiar shape with some Santa Claus wrapping paper around it, I knew I had gotten what I wanted. I usually had two hours after […]

Abundant Cybersecurity

I was talking with a fellow CISO at a conference recently and she said something that resonated with me. She had just acknowledged that she wasn’t fully staffed and that her budget was down slightly. “But we’re doing better than we ever have,” she explained. It took a few weeks for me to process this, […]

The Nine Habits of Highly Effective Cybersecurity People

I was interviewing a manager recently about his department’s cybersecurity practices when I asked him whether they lock their paper records up at night. He said yes, they keep their files locked at all times, not just at night. I pointed to the filing cabinet in his office, where they key was still sticking out […]

Cybersecurity Role Models

Every time I interview a candidate, I ask, “Who is your role model in cybersecurity?” Some candidates name famous hackers, like Kevin Mitnick. Others choose well-known journalists like Brian Krebs or a prolific writers like Bruce Schnier. One candidate said their role model was Neo from the Matrix movies. There isn’t any right answer to this […]

You’re Fired – Cybersecurity Apprentice

You’re fired. No, this isn’t about a politician’s catchphrase. It’s actually something I overheard at a conference last year. I was listening to two people sitting near me talk about a security incident that had happened at the woman’s company. “He should be fired,” was the other person’s immediate response. This makes me wonder if […]

Security Awareness Training, Now With Personality!

I had the opportunity a couple of months ago to meet Kevin Finke at a conference. Kevin isn’t a security guy, he’s a self described design nerd. But Kevin has changed the way I look at my security awareness program. We talk a lot about how we need to “revolutionize” our security awareness programs, but […]

The Next Generation of Security Professionals

Yes…that’s me and my wife, hanging out with Jeordi LaForge (LeVar Burton), Dr. Beverly Crusher (Gates McFadden), and Mr. Data (Brent Spiner).  Trek yourself before you wreck yourself. In The War of Art, Steven Pressfield says that the difference between an amateur and a professional is that the professional has a plan. According to CSO […]

Unsolicited Advice For Solicitors

“These are the new leads. These are the Glengarry leads. And to you they’re gold, and you don’t get them. Why? Because to give them to you is just throwing them away. They’re for closers.” –Glengarry Glen Ross This past week I got around 70 cold calls or emails from vendors I’ve never worked with […]

Pick Up Lines Vs. Social Engineering

One of my favorite pickup lines goes like this…have a girl feel the cuff of your jacket or shirt. Ask her, “do you know what kind of material this is”? And when she says no, tell her “boyfriend” material. Here’s a thought exercise. (Disclaimer, I could be totally wrong. Also, I’ve never used a pick […]

Herd Immunity & Information Sharing In Cybersecurity

As I raise my child, I’m continually amazed at how fragile we are as a species. What’s more, how do animals survive in the wild? Not only do herds of giraffe’s or antelope have to face illnesses, they have to fight off large predators. We’re in a similar situation with cybersecurity. Hackers act in a […]

Show Me the Money: Incentivizing Cybersecurity

What I’m about to tell you, it’s a very personal, a very important thing. Hell, it’s a family motto. Are you ready? Here it is: Show me the money. SHOW! ME! THE! MONEY! A core principle of nearly every business in the world is that they incentivize great performance. This might be a monetary bonus […]

Cybersecurity’s Happy Gilmore Problem

People, processes, and technology are the three parts of every security program. Sometimes, people make the mistake of believing that technology is the biggest or most important part. It isn’t. It might be the easiest part, since you can make quick changes to technology and buy new things to instantly improve it. But the biggest […]

Between The Keyboard And The Chair

I have a lot of respect for people who work at a help desk. When I was right out of college, I got a job at a call center. I had to take an average of one call every 4 minutes. That means I talked to 120 people every day on average, and a lot […]

The Strongest Element

In Cybersecurity we refer to employees as the Human Element. We generally call the Human Element the weakest link in Cybersecurity. It’s easy to see the logic in this, but unfortunately for many of us, this is wrong. Humans are the Strongest Element in Cybersecurity. Sure, humans are the ones that make the mistakes. They […]

Privacy, Customs, and You

If you are travelling to Mexico and you are a technophile, good news!  The 9th Circuit now says that Customs agents no longer have carte blanche to search your devices. See more from the Wired article: http://www.wired.com/threatlevel/2013/03/gadget-border-searches/ The 9th Circuit decision has an impact on border crossings into California and Arizona.  That doesn’t mean that […]

Crimesourcing

Imagine a world where criminals used sophisticated networks of middlemen. Transactions between pawns were untraceable. All using the power of something called, the Internet. And people wonder why I say that the law is having a hard time keeping up with technology. The article gives a great overview of the developments in cybercrime over the […]

What Would Jesus Hack

Interesting article in the Economist about the connection between Christian values and the values of the Hacker/Open Source Community: http://www.economist.com/node/21527031

What has Al Franken done for me lately, Part 1

In February of this year, the Senate Judiciary Committee voted to form a new sub-committee on Privacy, Technology, and the Law. They chose my favorite Senator, Al Franken to chair the new group. After I heard about this new committee’s formation back in February (feb 14), they kinda went radio silent for a few months, […]

2011 US Information Security Related Measures

So far, in the first 6 months of 2011, there have been 9 different Information Security related proposals put forward by different Senators that would create new laws or reform existing ones. February 20 2011 – Rep. Rush (D-Ill) reintroduces BEST PRACTICES Act April 7 – SEC Regulation S-P mandates that financial firms safeguard confidential […]

Sony PSN Breach

One of the reasons I decided to start an Information Security blog is that after researching some of the issues around the Sony PlayStation Network Breach that occurred in April I was left with more questions than answers.One of the things that I’ve noted is that there are very few blogs out there that deal […]