Jay Heiser

A member of the Gartner Blog Network

Entries Categorized as 'IT Governance'


The Peril of Parallel Passwords

by Jay Heiser  |  December 23, 2011  |  2 Comments

Demanding that users not write down their passwords is a quarterly opportunity to send the message that security policy is a useless bureaucratic exercise.

Category: Cloud, IT Governance, risk management, security

All employees must obey the law!

by Jay Heiser  |  December 14, 2011  |  Comments Off

Even worse is a policy statement such as “all employees must obey all applicable laws.” What reasonable person would disagree with that requirement? For a start, I would.

Category: IT Governance, risk management, security

We’ve forgotten our computer security history lessons

by Jay Heiser  |  September 29, 2011  |  1 Comment

What good is a fresh password if it is sitting on top of stale security technology? The history of computer security suggests that attention to the code is at least as important as operational processes.

Category: Applications, Cloud, IT Governance, risk management, security

Are you the SaaS Scapegoat?

by Jay Heiser  |  July 5, 2011  |  1 Comment

I get a never-ending stream of questions that usually amounts to something like “What control tasks do I need to do to be sure that this SaaS service we are going to use will be adequately secure?” Unfortunately, at this point in time, SaaS providers offer relatively little support for enterprise control over anything.  Assuming that the [...]

Category: Applications, Cloud, IAM, IT Governance, Vendor Contracts, risk management, security

Do you really need a CISO?

by Jay Heiser  |  June 14, 2011  |  Comments Off

In the worst of cases, a figurehead is appointed to give the impression that the problem is being taken care of. This is tantamount to putting a fig leaf over a sucking chest wound.

Category: IT Governance, risk management, security

Breach Loading? Disappointing New Presidential Proposal

by Jay Heiser  |  May 26, 2011  |  Comments Off

I hesitate to suggest that what the world really needs are more laws, but it is not reasonable to suggest painting some lipstick on the breach notification pig and then taking credit for protecting consumers.

Category: IT Governance, risk management, security

SaaS Translation: What your Service Provider REALLY Means

by Jay Heiser  |  May 23, 2011  |  1 Comment

It's not surprising that as a technology approaches the top of the Hype Cycle, some of the vendors turn their Spin Cycle up to 11, which means there are going to be some disappointed buyers, especially those with high expectations for data encryption and data recovery.

Category: Cloud, IT Governance, Vendor Contracts, risk management, security

Diversity is nature’s way of managing portfolio risk

by Jay Heiser  |  May 9, 2011  |  Comments Off

Is it really possible that a single attack can simultaneously impact 100,000,000 people? Multi-tenancy truly gives new significance to concerns about monoculture risk.

Category: Cloud, IT Governance, risk management, security

The other problem with the utility metaphor

by Jay Heiser  |  May 4, 2011  |  1 Comment

Commercial cloud computing is like sending your rings, bracelets, and brooches out to be repaired: the service provider has your family jewels in hand. Unlike a CSP, a power company doesn't have possession of your means of production or your IP, a significant loss potential that is also missing from the utility trope.

Category: Cloud, IT Governance, risk management, security

Counterproductive Policies

by Jay Heiser  |  February 18, 2011  |  1 Comment

I do a lot of policy review for Gartner clients, and I see many of the same counterproductive practices over and over again. Requirements to ‘do what is appropriate’ or ‘obey the law’ are tantamount to saying “we won’t tell you specifically what to do, but if you don’t do it, we will punish you.” [...]

Category: IT Governance, risk management, security