Sun Tzu's "The Art of War" offers insights into military strategy that are applicable to information security. Two salient concepts discussed in his treatise are invincibility and vulnerability. While the former can be acted upon directly, the latter relies on the actions of the opponent.

In a "Do more with less" world, we have to take a closer look at the effectiveness of our current InfoSec investments. This installment offers some ideas on how information professionals can contribute.
David Kelleher's "10 Things that WON'T Happen in 2009" is an insightful discussion of security issues that, against all efforts, seem to return with each coming year. This series will explore what we can do to improve the odds.
Yes, ladies and gentlemen, according to the Institute of Internal Auditors (IIA), "there is no such thing as 'IT Risk'". After closing a semester of teaching web application security, I wanted to share my observations and concerns regarding the understanding of "risk" among the next generation of security professionals.
I met the CEO of a holding company on a recent flight to North Carolina. Our conversation started on the topic of my 'Art of War' column. The column, I explained, is focused on sharing Sun Tzu's insights on strategy with information security practitioners. At first he was silent, but I could tell something was wrong.
“Your paradigm is so intrinsic to your mental process that you are hardly aware of its existence, until you try to communicate with someone with a different paradigm.”
--Donella Meadows
For some of us, security is realized through physical and network controls that address the risks to a given environment. Others view techniques aimed at education and user empowerment as critical to organizational security. Then there are those who march onto the risk landscape under the banner of effective governance and oversight.
