Steven Fox's blog

"IT Risk" does not exist.

Steven Fox — Fri, 26 Dec 2008 16:11:49 -0500

Yes, ladies and gentlemen, according to the Institure of Internal Auditors(IIA), "there is no such thing as 'IT Risk'". After closing a semester of teaching web application security, I wanted to share my observations and concerns regarding the understanding of "risk" among the next generation of security professionals.

A CEO's tale of disappointment

Steven Fox — Sun, 28 Sep 2008 15:02:45 -0400

I met the CEO of a holding company on a recent flight to North Carolina. Our conversation started on the topic of my 'Art of War' column. The column, I explained, is focused on sharing Sun Tzu's insights on strategy with information security practitioners. At firts he was silent, but I could tell something was wrong.

Security Paradigms

Steven Fox — Fri, 19 Sep 2008 08:13:53 -0400

Security Paradigms

by Steven Fox

"IT Risk" does not exist.
Yes, ladies and gentlemen, according to the Institure of Internal Auditors(IIA), "there is no such thing as 'IT Risk'". After closing a semester of teaching web application security, I wanted to share my observations and concerns regarding the understanding of "risk" among the next generation of security professionals.
A CEO's tale of disappointment
I met the CEO of a holding company on a recent flight to North Carolina. Our conversation started on the topic of my 'Art of War' column. The column, I explained, is focused on sharing Sun Tzu's insights on strategy with information security practitioners. At firts he was silent, but I could tell something was wrong.
The effect of paradigms on our perspective of security.
“Your paradigm is so intrinsic to your mental process that you are hardly aware of its existence, until you try to communicate with someone with a different paradigm.” --Donella Meadows For some of us, security is realized through physical and network controls that address the risks to a given environment. Others view techniques aimed at education and user empowerment as critical to organizational security. Then there are those who march onto the risk landscape under the banner of effective governance and oversight.

» read more

The effect of paradigms on our perspective of security.

Steven Fox — Thu, 18 Sep 2008 23:27:02 -0400

“Your paradigm is so intrinsic to your mental process that you are hardly aware of its existence, until you try to communicate with someone with a different paradigm.”
--Donella Meadows

For some of us, security is realized through physical and network controls that address the risks to a given environment. Others view techniques aimed at education and user empowerment as critical to organizational security. Then there are those who march onto the risk landscape under the banner of effective governance and oversight.