Nov 25 · Member-only
Navigating Cybersecurity Certifications
It Ain’t Easy… I have the privilege of talking to a lot of people trying to become a cybersecurity professional. They ALWAYS have questions about certifications: Are they worth it? Which one(s) should I pursue? Which ones would get me a job? How should I get it? I talked about…
Cybersecurity · 6 min read

Nov 5 · Member-only
Cybersecurity Goldilocks
Not Too FUD, Not Too Fluffy, but Just Right — The Cybersecurity Leadership world is abuzz with the news of the SEC fraud charges against the Solarwinds CISO. This blog is not an analysis of those charges. …
Cybersecurity · 5 min read

Oct 22 · Member-only
CISO: A Terminal Position
What Happens When You’re Done Being CISO — A couple of months ago, my position as CISO was eliminated. The company still had a CISO (more than one, in fact), and they decided to downsize my security team, and so no longer needed a person with the title of “CISO” in that part of the business. So there…
Cybersecurity · 5 min read

Sep 16 · Member-only
Why Cybersecurity Requires Process Engineering
Surviving Armageddon — For those of us who follow cybersecurity trends, we are in a time period of struggle and angst. I don’t remember it being quite so grim before. Wherever you get your information, even if you don’t work in cybersecurity, the feed is full of stuff going wrong. Do you…
Cybersecurity · 5 min read

Aug 6 · Member-only
The Resilient Career
Maximizing Happiness — For my entire career I’ve made conscious choices to move to the next organization, and likely the next job within a company. Or an unexpected opportunity has presented itself and I have chosen to jump at it. In all cases, it has been at a time and place of my…
Careers · 6 min read

Jul 10 · Member-only
Cybersecurity Outcomes: What Do We Really Want?
What is the purpose of a cybersecurity program, anyway? If we could all just agree on the answer to that question, life as a security leader would be so simple. If we could, as a profession, take the time to tell everyone else what the answer SHOULD be, that might…
Cybersecurity · 5 min read

Jun 18 · Member-only
CISOs: More Than A One Trick Pony
In preparation for new SEC rules requiring cybersecurity expertise on public boards of directors, there have been a number of articles (like this one) lamenting that few CISOs have the executive experience or advanced degrees to serve as Directors. The prevailing sentiment is that CISOs are spending too much time…
Cybersecurity · 5 min read

May 14 · Member-only
Security FOMO Par Deux
Change your mind — FOMO: Fear of Missing Out. People trained in the art of cybersecurity management spend a fair amount of time scanning the landscape, looking for things they don’t know much about, learning about new stuff (cough, AI, cough), and generally paying attention to the unknown. The Cynefin Framework would call this…
Cybersecurity · 5 min read

Apr 28 · Member-only
A Cybersecurity Curriculum for the Masses
What should every person in cybersecurity know, and how? — Recently, I had the good fortune to be in a room with some really experienced, thoughtful, well-read cybersecurity professionals. I wanted to know what they think should be included in an undergraduate cybersecurity curriculum — but I had some constraints that mirrored the challenges I see in the “real world”…
Cybersecurity · 3 min read

Apr 2 · Member-only
A Security Leadership Creed
Rules for Security Professionals To Live (and Die) By — What makes a good Security Leader? Certainly getting an award for security leadership is a dubious honor at best (if you must pay to get an award, do you deserve the award?). Being judged as a “good” leader is often left to the people who work near the leader —…
Leadership · 5 min read