QOTD - Hubbard on the Risk Management Method

The single most important metric in all of risk management is the performance of the risk management method itself. The list of risks identified can be no more valid than the entire process of identifying risks. I would think that also applies to the method of "approving" mechanisms of measurement.
-- Douglas W. Hubbard, President of Hubbard Decision Research

[Source: statement made by the author on a closed mailing list. Posted with permission of the author.]

QOTD - Foreign Government e-Spying

The nation-states that are targeting U.S. companies and U.S. government have taken a big data approach to this information. They don’t know if this is valuable now, but it might be valuable in five years so they amass it now while they can.
— Erik Rasmussen, cyber practice leader for Kroll

Src: Foreign government may be behind Anthem data breach

QOTD - Litan on Foreign Government e-Spying

Intelligence has become a data-mining exercise. The intelligence officer of 2017 needs a lot of data to find targets and get to the targets that they’re interested in.
— Avivah Litan, VP & Security Analyst at Gartner Research

Src: Foreign government may be behind Anthem data breach

Leaping Forward - Telling the Story of How InfoSec Has Matured into Cyber Risks

Readers of this blog know that I've spent nearly the past decade curating some of the best quotes about information security and related topics. What started as a self-serving repository of good material for my own use eventually grew into this blog. I owe a big thank you to all of those who, over the course of the years, have shared this site with others around them.

However, in the past year, I have to admit that I've been much more active on a different blog, that of the IBM sponsored SecurityIntelligence blog. Which brings me to this post.

Just this week, the IBM site published my 30th article, "Five Signs the CISO Who Got You Here Isn’t the Best One to Get You There," whose topic relates nicely to the evolution of the field of information security -- let's admit, security was never really just an IT issue -- and the evolution of the role of CISO.

Just as businesses have had to evolve in order to thrive, or even just to survive, so must we evolve, as information security professionals, in the face of a changing reality. We now have the attention that we've been asking C-Suite executives and board directors for. We must now step up to fulfill this new role, to meet these new expectations. The stakes are high -- businesses everywhere are getting hammered by attackers, some after a quick buck, others after the company's crown jewels.

In pitching and developing these 30 articles, I've always sought to bring value to the reader, primarily aimed at CISOs or aspiring CISOs. I'm including below the full set of links to these 30 articles (in ascending chronological order). And since IBM's blog doesn't allow for comments, I'm inviting readers everywhere to leave comments on this post instead.

Again, thank you for your support, and for your readership.

As an Information Security Professional, Are You Having the Right Conversations?
Improving Your Security Awareness Campaigns: Examples From Behavioral Science
Cyber Risks: From the Trenches to the Boardroom
CISO Influence: The Role of the Power Distance Index and the Uncertainty Avoidance Dimensions
How Helping Educators Is Good for the Cybersecurity Industry
Addressing the Information Security Skills Gap in Partnership With Academia
Why Is Your Board of Directors Finally Asking About Cyber Risks?
What Cybersecurity Questions Are Boards Asking CISOs?
Five Must-Read Articles on the Cybersecurity Skills Gap
What Can CISOs Take From the New NYSE Cybersecurity Guide?
How Are US Armed Forces Closing the Cyber Skills Gap?
How Should CISOs Report Cyber Risks to Boards?
Beyond Tech Skills: Leadership Qualities for CISOs
Get the Most Out of Your Recent Security Hires With Soft Skills
Get the Most Out of Your Recent Security Hires: The Value of Professional Development
New Year’s Resolutions for the Effective CISO
Cyber Risks: Three Areas of Concern for 2016
Highlights From the World Economic Forum’s Global Risks Report 2016
2015: The Year Feds Warned About Cyber Risks
Is Your CISO Ready to Be a Risk Leader?
Is Your CISO Out Of Place?
FTC Studying Practices of Nine PCI Companies
C-Suite Dynamics Can Impact The Organization's Cybersecurity
It's Not Too Late to Correct Your Security Posture
Securing the C-Suite, Part 1: Lessons for Your CIO and CISO
Securing the C-Suite, Part 2: The Role of CFOs, CMOs and CHROs
Securing the C-Suite, Part 3: All Eyes on the CEO
Engaging Conversations Key to Improving Cyber Risk Decisions
How to Make the Most of Your Pen Test
Five Signs the CISO Who Got You Here Isn't The Best One To Get You There

QOTD - Cyber Guardians

Cybersecurity professionals are the new guardians of big changes in the organization. Such professionals must practice business resiliency and adaptability, because they are now so integrated with digital business decisions that leaders cannot tell where business ends and cybersecurity begins.
The digital explosion and the race to the edge have achieved what previous waves of technology evolution have failed to do — to integrate cybersecurity professionals and business leaders into effective teams for the protection and safety of the organization.
-- Christian Byrnes, Managing Vice President at Gartner

Src: Gartner Says Cybersecurity Professionals Are the New Guardians of Digital Change - Yahoo Finance

QOTD - Schmidt on Cyber Security & Board of Directors

At every board meeting, whether it’s monthly, whether it’s quarterly, cybersecurity should be on [the agenda]. If not, you’re going to wind up in a situation where you’re having an emergency board meeting to discuss something that has gone wrong.
-- Howard Schmidt, co-founder of Ridge-Schmidt Cyber LLC, and a former cyber-security adviser in both the Obama and Bush administrations

Src: What Business and the Feds Should Do About Cybersecurity - WSJ