A Place for Risk Geeks

Last Build Date: Sun, 05 Jun 2011 16:06:38 +0000


Risk Rating Litmus Test

Sun, 05 Jun 2011 15:23:20 +0000

One of the significant challenges the risk profession faces is the ability to prioritize.  What I see a lot of in the industry are tools and methods that spit out dozens or even hundreds of “High Risk” or even “Critical” findings from a single evaluation.  As a result, typically one of the following happens: Paranoid [...]

A change in venue

Mon, 11 Apr 2011 13:26:34 +0000

I’m excited to announce that I’ve just accepted a position at Huntington Bank in Columbus, Ohio as Senior Vice President and IT Risk Officer, starting May 1st.  This will be an outstanding opportunity to personally put FAIR through its paces in a way that just isn’t possible as a consultant.  Those of you who have [...]

To Be FAIR About It

Wed, 16 Mar 2011 17:29:47 +0000

I came up with something useful to post about the other day, only to wonder whether I’d already posted about it some time ago.  (It turns out I had, mostly.)  But in the search through past posts, three things became clear: I really haven’t had that many posts.  Alex was prolific, and Jack Freund and Ryan [...]

CVSS Review

Thu, 10 Feb 2011 21:54:09 +0000

I recently had the privilege of being a guest on the Securabits podcast and, during the session, was asked about other frameworks.  I mentioned CVSS (Common Vulnerability Scoring System) in my answer and said I thought it had some serious problems as an analysis and measurement tool (however I also said there were good things [...]

It’s still a choice

Wed, 19 Jan 2011 11:10:53 +0000

This post is prompted by an “enthusiastic debate” about regulatory compliance I had recently with another gentleman in our profession. I’d love to take a poll of infosec professionals to find out how many of them adhere strictly to speed and other traffic laws when they drive.  Why?  Because many of these are the same [...]

The Certified FAIR Practitioner Forum is now online

Thu, 09 Dec 2010 18:30:22 +0000

Finally, after many suggestions to do so, we’ve developed an online community for certified FAIR practitioners.  This is a place for people to ask questions, share challenges and successes, and recommend improvements.  It is also a source of additional documentation, example analyses, and training that aren’t available to the general public.  If you’ve completed FAIR [...]

More than just numbers

Mon, 29 Nov 2010 12:06:45 +0000

Many people believe that FAIR focuses strictly on quantitative risk statements, but they couldn’t be further from the truth.  The numbers simply allow us to recognize conditions and convey information better than we could do in any other way.  Sometimes, however, numbers don’t tell the whole story. In this post I’ll describe two conditions defined [...]

Visibility Analysis Webinar

Sat, 20 Nov 2010 11:47:06 +0000

The Visibility Analysis webinar on Wednesday was very well attended and has received excellent feedback.  My thanks to everyone who showed up.  If you couldn’t make it, you can find the recording here. Also, those who attended the webinar are eligible for a 20% discount on our online FAIR training.  Please just contact me before [...]

Visibility – one of the keys to effective risk management

Thu, 21 Oct 2010 19:13:21 +0000

Please join me in a webinar on risk management where I’ll pull back the covers and discuss a component of the FAIR framework that hasn’t been shared publicly before. Although FAIR is primarily known as a framework for quantifying risk, other parts of the framework focus on understanding how to manage risk more effectively.  In [...]

Flaw of Averages Webinar

Fri, 15 Oct 2010 13:27:32 +0000

If you’re not already familiar with Dr. Sam Savage’s book “The Flaw of Averages” then you probably should look into it.  A great place to start would be the free webinar he’s giving next Tuesday (Oct 19) at 10:00 PT.