Admittedly I'd been a little busy as of lately, and one unfortunate casualty has been the blog. Still, I just ran against a perfect illustration of Realistic Security Principle #1: 

You cannot design a control that is dependent on the behavior of humans and expect...

At the risk of bringing the wrath of many friends and colleagues, not to mention the entire security audit industry, upon my head, I wanted to write a post on a rather sensitive topic these days.

Security audits. 

I dedicated a chapter to this in my book, but in retrospe...

Having now had to spend time in multiple WeWork offices because some of our customers use them, I want to state this in the strongest possible terms: 

WeWork is terrible at everything they do once you are in a building.

This is a repeat pattern. Stuff rarely works...

Stop it!

I swear, if one more person comes to me and asks me about hashing or encrypting data or putting it in a vault somewhere or whatever, just so they no longer have to comply with GDPR then… then… then my brain will explode on them and then they will end up with a...

A few years ago, I called in to Michael Krasney's morning show when he was discussing privacy and Facebook. I suggested the idea that Facebook users should be given the option to "redeem" their marketing value by paying an annual fee to use the service in a more privat...

At EAmmune, we do risk assessments very differently.

That statement could easily be one of our taglines. In all honesty, it's a direct result of my own rather passionate view that the way RAs are generally done is... well... stupid. I don't care what framework you're us...

Wow, so much going on.

First of all, sorry about neglecting the blog. As I made yet another posting directly to my LinkedIn profile this morning, I realized that the whole purpose of having this here was to support crossposting.

Which I have been failing at. Miserably.

Wh...

Great research piece by Evan Schuman in SC Magazine which you really should go read (email signup required). I also have a local copy stored under the publications tab, but I do encourage you to sign up at SC Magazine. 

As an interesting sidenote, I was taken a little b...

Here is a little secret about the title of "Why CISOs Fail" which, I believe, comes across as a potentially provocative title. When I started writing it, I actually decided to use the word fail precisely because it seems that, in the business world, it really is a 4-le...

I published my post on this topic in the SSS ("Simple Security Screwups") file yesterday night, but followig a quick LinkedIn exchange with the most prominent thought leader on identity theft in the country and probably the world (Mr. Neal O'Farrell), had a few more th...