Create an Incident Response Plan and Test It
All airline flight crews have aircraft evacuation plans for emergency landings, and they test them as part of training. Office buildings of any substantial size plan fire drills and test them, typically semi-annually. Businesses have cyber incident response plans that they test at least annually. Well, two out of three “ain’t bad”. According to the …
Third-Party Risk Management – Make it a Service, Not a Roadblock
Since I started working in information security 16 years ago, I’ve never run across a company that doesn’t outsource some IT services. Many young companies I come in contact with today are all-cloud, with nothing in the office but a network switch and firewall/router. That’s if there is an office – I work with some …
10 Commandments for Operating Security Programs
I was recently invited to present to security and IT leaders at a vendor’s gathering of small early-stage biotechs. I packaged up a deck with the anatomy of an attack, the NIST CSF process for defense, and our operating model for running a security program, including measures I saw as basic table stakes (anti-malware, email …
Stop Playing with Bright & Shiny Objects: Think Process Before Technology
Scene 1: At one time in another “life,” I was hiring developers for a commercial product. We had a candidate who was sharp, if a bit quirky, and, with the agreement of my team, I took the recommendation to my manager (who had interviewed the candidate). His reaction? “Do you really want to hire someone …