Following the Wh1t3 Rabbit - Practical Enterprise Security

Enterprise Security organizations often find themselves caught between the ever-changing needs of the agile business, and the ever-present, ever-evolving threats to that business. At the same time – all too often we security professionals get caught up in “shiny object syndrome”, which leads us to spend poorly, allocate resources unwisely, and generally de-couple from the organization we’re chartered to defend. Knowing how to defend begins with knowing what you’ll be defending, why it is worth defending, and who you’ll be defending it from… and therein lies the trick. This blog takes the issue of enterprise security head-on, challenging outdated thinking and bringing a pragmatic, business-aligned, beyond-the-tools perspective … so follow the Wh1t3 Rabbit and remember that tools alone don’t solve problems; strategic thinkers are the key.

Rafal (Principal, Strategic Security Services)

Software Security at the Forefront of Enterprise Security Strategy

Software security is a key piece of your enterprise security strategy ... what do we think about that, and how do we help thousands of global customers get a handle on this very difficult problem?  Check out this video from iconic Times Square, NYC...

The Security ROI "Death Spiral"

Have you ever heard a CISO talk about the ROI "death spiral"?  This guest-post by an anonymous CISO from the Fortune 500 explains briefly what that means.

Enterprise Resilience - Healthcare edition (Part 3: Business-Centric Security)

Every good CISO says that they want to revolve security around the axis of business... but are you actually delivering on that promise?  It may be significantly harder than you'd think...

Enterprise Resilience - Healthcare edition (Part 2: Risk Classification)

Continuing the discussion of Healthcare sector challenges for the CISO, today I cover the notion of risk classifications.  While this is a topic as old as Information Security, I present to you an interesting way of doing risk classification that I've used, and that I've had others teach, to get an idea of what the real priorities should be for Information Security in your healthcare organization...

How Healthcare CISOs Decide What to Build vs. Buy

As a supplement to the "build vs. buy" blog posts, I posed 3 simple questions to a few of my CISO colleagues in healthcare... the ones who got back to me had some very interesting, if not frank, answers for us...

Interview with HP CISO Rich Armour

Live from New York City, I cornered HP's CISO, Rich Armour, and asked him the questions that you wanted answered ... so here we go!

CISO Challenges: The Build vs. Buy Problem (2:2)

Today I continue the series on CISO challenges, with a 2-part blog post on "Build vs. Buy" ... in part 2 we're going to address the issue of "what" to outsource and the right questions to ask to get you thinking in the right direction...

CISO Challenges: The Build vs. Buy Problem (1:2)

Today I continue the series on CISO challenges, with a 2-part blog post on "Build vs. Buy" ... in part 1 we're going to address the base issue, and look at when you should think about outsourcing, versus building your own.

CISO Concerns - Security vs. Usability, Affordability

Security has many subtleties.  Last week at the CISO event in New York City, hosted by HP Enterprise Security, some well-known CISOs shared their experiences, challenges and frustrations.  This post discusses one of those - dealing with usability and affordability in the enterprise...

Do you really need a CISO to have security?

What's in a name? Does a rose by any other name really smell as sweet?

Does an organization absolutely need a CISO to have security, or can someone else in the organization take the responsibilities without having the title?

Is it time to reinvent the CISO?

A colleague sent me a headline and executive summary from a Forrester "Forrsights" piece called "The new IT security buyer landscape" by Heidi Shey and Stephanie Balaouras. I have not yet had a chance to read the paper, but the executive summary caught my attention when juxtaposed against recent conversations and discussions I've had with some of you. The core question out there seems to be - "is this the year we reinvent the CISO?" - and I'm hesitant to answer anything besides an emphatic yes.

Changing of the Guard - a perspective on the changing CISO role

Well, I survived my first day of RSA Conference 2012, and the gauntlet of meetings, lunches, meet-ups and interviews that is this crazy stretch of trade-show every year. I'm particularly happy as I write this, not because I'm particularly encouraged by anything I've seen on the just-opened trade show floor, but primarily because of the things happening off the floor.

Labels: CISO

Gene Kim on DevOps, Visible Ops and CISO Success

Check out this podcast with Visible Ops author and IT performance Jedi Master "Real" Gene Kim and get a free excerpt from his new book as soon as it's available!  That's right, a free podcast with Gene to fill your brain with all sorts of CISO and IT Security management goodness, plus a free excerpt from his book when it's available (just subscribe below).

What more could you ask for?

Labels: CISO | podcast

Not blending in with the furniture - CISO becoming a capable catalyst

Yesterday's post opened up the idea that Gene Kim started me on while we recorded Episode 10 of the "Down the Rabbithole" podcast (released 2/6/12 here): how does a CISO become a catalyst for change, with not only responsibility, but also capability?  Today's post seeks to provide clues and hints (there aren't really any answers) on how a CISO can gain capability (or earn it) by becoming a catalyst for positive change in his or her organization.  This is a difficult topic because it often involves a lot of "you should" and "you could" types of ideas, but rest assured the things I'm talking about here I've either tried myself or have had others tell me they work.  This post also draws upon the collective ideas from the LinkedIn "SecBiz" group, which has become a favorite place for many to discuss this, and I encourage you to join and participate in that group as well.

Blending in with the furniture - responsibility vs capability in the CISO role

I just finished editing a podcast (Episode 10, for release Monday February 6th) where I got to sit down with Gene Kim, the guy who wrote the Visible Ops book, a staple of every good IT manager's bookshelf.  I can't help but write a little bit about one of the topics which just resonated with me based on some of my job history.  The idea of "blending in with the furniture" is one that I know many IT managers follow in organizations and situations where they feel they simply cannot succeed.  Let's break this down, because I know many of you are feeling this pain.

HP Software Solutions Blog