In defense of Incrementalism (in vulnerability management)

Most of the vulnerability management programs I’ve encountered suffered from analysis paralysis—the infosec team had reams of data (or multiple spreadsheets) on their vulnerabilities but couldn’t make progress because they couldn’t decide where to start.

Questions I frequently hear include:

  • What’s the biggest vulnerability (AKA high-risk)?
  • What vulnerability hits the most systems?
  • What vulnerabilities are most easily exploited?
  • What vulnerabilities impact the highest critical business system(s) the most?

Those are all excellent questions, but they assume a level of maturity that an organization stuck in analysis paralysis hasn’t reached yet. Maybe you haven’t completed (or started) a BIA project to determine your critical business systems. Maybe you’re still working on your device inventory. Maybe you don’t know how to define “biggest” yet.


Off the Shelf: February 2024 (Newbery cleanup)

Newbery medal image from ALA website

Attending the ALA event at Loganberry in January to hear the Newbery awards reminded me of my goal to read all the Newbery Medals and to sample the more interesting Newbery Honors, so I loaded up February with Newberys. Many of the older ones are no longer in print and I dipped into LibriVox to listen to them.

How can I highlight notable books when everything I read this month (with two exceptions) was an award winner of some sort?


Another post on too many meetings . . . at the wrong times

A recent post in the Journal titled “Is It Ever OK to Have an 8 a.m. Meeting?” [1] got me thinking. Now, I’m not going to quote from any study or point you to some paper that backs up my habits. I’m simply going to tell you that even as an early bird and as someone who generally stays after 5pm, I won’t schedule 8am meetings. Or 4pm meetings. Or Friday meetings. And I’d rather we didn’t meet on Tuesdays, either.

Some of this comes from working a few jobs that offered flextime and thrived on Teams and Zoom. Your “first-thing Monday” might flexibly mean 9am or even 10am. And likewise, your “end of day” might well mean after I’m done washing the dinner dishes.


Threats and Risks . . . and Vulnerabilities

Low-tech Venn diagram showing the intersection between Vulnerabilities and Threats

During an interview last week I was asked to define the difference between a Threat and a Risk using language that a non-technical CEO would understand. I gave a good answer and made it to the next round. And then I got to thinking—in my answer, I also talked about a third factor that should have been called out: Vulnerabilities.

Let’s start with some definitions:

A vulnerability is a weakness in a system that exposes the system to a threat.
A threat is anything that could exploit a vulnerability.
A risk is the likelihood of a negative event and the likely impact.

Risks are found at the intersection between vulnerabilities and threats.


Off the Shelf: January 2024

I had the opportunity to watch the ALA awards broadcast at Loganberry Books this year and that filled up my to-be-read stack, even more so than usual.

Simon Sort of Says

I went to Mac’s Backs one Saturday in late 2023 and stumbled upon local author Megan Whalen Turner posing as a bookseller. I mentioned that I try to read all of the Newbery Medal books and many of the Honor books (one of hers, The Thief, is a 1997 Newbery Honor) and so she recommended her friend Erin Bow’s Simon Sort of Says as a possible 2024 contender. Megan did a great job as a bookseller — I bought three more books than I had intended that day. And until 2024, I’d never read a Newbery before it won the award. Started in December and finished before the 15th, I can now check that goal off my list.

Simon Sort of Says is about a kid who is (for horrific reasons) internet-famous, so he and his family hide out in a fictitious National Radio Quiet Zone so he can restart his life (offline) as an ordinary seventh grader. It’s a great book and a worthy Newbery Honor.


Off the Shelf: December 2023 (resiliency)

Cover – Adventures with a Texas Naturalist

While meaningful to me, I don’t know that my December readings would make sense to many people. In no particular order:

Adventures with a Texas Naturalist

Bedichek is one of Texas’ great persons of letters, in the style of Thoreau. I plan on reading his Karánkaway soon and am attempting to get an affordable copy of The Sense of Smell.

Themes I took away: pay attention to what’s around you and beware of unintended consequences.


Cybersecurity for Small Businesses, Part 1: Make it Harder

This is the first of six posts on Cybersecurity for small businesses. Click here for the Introduction and links to the others.


Make it Harder

Make the attacker’s job harder, starting with passwords.

Strengthen your passwords

The goal here is “easy to remember but hard to guess”, so length becomes more important than complexity. Consider passphrases rather than passwords. Pick a memorable phrase and use it (or some variation on it) or some random words as your password. (There’s even a web comic about this: https://xkcd.com/936/)


Cybersecurity Presentation for Small Businesses: Introduction

This series of posts started as an outline for a short presentation on Cybersecurity for small businesses that I would eventually give multiple times over a couple of years in the northeast Ohio area. At the time, I was advised to be hard on the listeners, effectively an attempt to scare them into action. I’m no longer certain that was the right approach and future versions of this presentation would rely more on persuasion and story-telling than on fear.


Off the Shelf: November 2023 (exploration)

My curiosity in a wide range of topics shows up in my reading lists. I’m not always able to explain why something is on the list, but I’m working on doing better since I believe the “why” can be relevant to me in understanding the book itself.

Southern Upland Way

Topo/Satellite view of our Wanlockhead hike in 2022.

In late August 2022, my youngest son and I hiked across England (west to east) following Hadrian’s Wall. We had built in a day to take the train into Scotland simply so we could say we’d been there. (Merely looking at Scotland across the salt-flats at Solway Firth wasn’t enough.) The night before we were to walk into Carlisle and scoot across to Gretna Green, my son schemed up a trip to Sanquhar, then Wanlockhead (Scotland’s highest village) so we could hike up to Lowther Hill and then Green Lowther.

In doing so, we unintentionally found ourselves on a segment of Scotland’s Southern Upland Way, another coast-to-coast footpath. The eighteen hours we spent in the heather above Wanlockhead among the red grouse and the silence of the hills gave me a new experience for “remote” and “wilderness”. When we returned home, I began researching what it would take to walk and complete the Southern Upland Way.


Compass quote

compasses only tell the directions,
not which one to follow

Maclean, N. (1992). Young men and fire. Univ. of Chicago Press.

Leaders choose which direction to follow. They can make that decision any number of different ways, but the leader makes the choice.
