Jay Heiser

A member of the Gartner Blog Network

Entries Tagged as 'risk assessment'

We say no because that’s what you ask us to say

by Jay Heiser  |  March 28, 2013  |  Comments Off

We’ve riffed for years on the distinction between “Dr. No” and “Mr/Ms Yes”, but many enterprises continue to back the security professional into the awkward far corner of the Business Prevention Department. If the risk assessor is going to be blamed for security failures, then that person is always going to be motivated to make […]


Category: Cloud IT Governance risk management security

Definition: Service Provider Security Evaluation

by Jay Heiser  |  August 10, 2012  |  2 Comments

The process in which the buyer asks a random list of questions that might have some minor relevance to some aspect of a provider’s security posture, and the potential provider pretends to answer them.


Category: Cloud risk management security

Diversity is nature’s way of managing portfolio risk

by Jay Heiser  |  May 9, 2011  |  Comments Off

Is it really possible that a single attack can simultaneously impact 100,000,000 people? Multi-tenancy truly gives new significance to concerns about monoculture risk.


Category: Cloud IT Governance risk management security

Do We Need Cloud Computing Laws?

by Jay Heiser  |  February 24, 2010  |  1 Comment

I’m concerned that we’re going to legally mandate the application of last century’s standards and practices (SAS 70, FISMA, etc.) to new computing models that we have only begun to understand. I’m in favor of revisiting the US privacy regulations, but it would be premature to apply them to cloud computing in any highly specific way. Commercial and government entities that want to store PII in unproven multi-tenanted services should be held accountable if that experiment fails.


Category: Uncategorized

If you can’t stand the heat, get your cloud out of the kitchen

by Jay Heiser  |  February 9, 2010  |  Comments Off

A man walks into a physician’s office and says “Doctor, it hurts when I use my computer.” The physician replies, “then don’t use your computer.” A dumb old joke or a wise observation on human nature? I receive several calls a week from people looking for the best practices on managing cloud computing security and […]


Category: Uncategorized

Toxic Clouds: A virtual pig in a digital poke?

by Jay Heiser  |  February 1, 2010  |  5 Comments

When the global financial services firms melted down in late 2007, much of the blame was attributed to an over-reliance on a highly-leveraged financial abstraction called a Collateralized Debt Obligation (CDO). As described in a recent blog entry by Gartner analyst Andrew White, Cheap money, sloshing around the place, feeding an insatiable growth in demand […]


Category: Cloud risk management security

Measuring Clouds

by Jay Heiser  |  January 26, 2010  |  1 Comment

I’ve spent a lot of the last 2 years researching the problem of making business decisions about the relative levels of risk associated with partners and service providers. Externally provisioned services, such as Cloud Computing (whatever the service) and SaaS (whatever the computing model) are problematic. We’ve learned a lot about security risk management over […]


Category: Cloud risk management security