CyberSunday
Cybersecurity focus with an emphasis on industry vendor products that help solve cybersecurity challenges.
Episodes
53 episodes
CISOs and Data Access
CISOs are typically not the owner of their organization's most critical (or even non-critical) assets and data. There are usually business unit leaders assigned to that, and the CISO's role is to help reduce the risk to those assets. If the CIS...
Season 3 • Episode 19 • 5:14
EXEC.SEC.CON.
Security conferences and events are often built with a certain audience in mind. Some are for a general audience, and others are focused on the CISO. But if an event has a focus on the CISO, it should be for a good reason. I discuss som...
Season 3 • Episode 18 • 5:44
Practicing Tabletop Exercises
Does practice make perfect? Probably not perfect, but it does make you better. That also applies when performing tabletop exercises. But is it feasible to practice as much as you SHOULD when everyone has other jobs to do? That's what Michael is...
Season 3 • Episode 17 • 5:34
Cybersecurity Mentorship
In mentorship, it's often thought that the mentor is doing the teaching and the mentee is doing the learning. But mentors should also be open to and seek out lessons that they can take from the mentee. In this #CyberSunday, I talk about how ten...
Season 3 • Episode 16 • 5:38
RSA Advice
The 2024 RSA Security Conference is here. While I am not going this year, I do want to give a few professional networking pointers for folks who are going, especially if you are a new conference attendee. These conference habits have helped me ...
Season 3 • Episode 15 • 5:39
Cyclical Attack Methods
Attack vectors and methods tend to be cyclical, meaning attackers will come back to see if old tricks will yield new results. I talk about one such attack vector that might be coming back in style... with a slight twist. Want to reach out...
Season 3 • Episode 14 • 5:18
SIEM Trends
SIEM (Security Incident and Event Management) has been around a long time. But there are some recent trends and new vendors that are creating fresh ways to implement and operationalize SIEM. I'm discussing a couple of the larger SIEM and secur...
Season 3 • Episode 13 • 5:29
Cybersecurity Trends
How can you tell if a new #cybersecurity concept (think Zero Trust) in cybersecurity is just a flash in the pan or a valuable idea that can be utilized in your program? In this #CyberSunday, I talk about an unusual method for being able to po...
Season 3 • Episode 12 • 5:20
New Tools and Tech
There is a lot of fear about the security implications of AI and other new and/or improved technologies. And while some fear is healthy, we also can't let it keep us from thinking about uses for that same tech to improve security. Let's talk ab...
Season 3 • Episode 11 • 5:15
Configuration Management
Michael talked about security control monitoring a few weeks ago. In this #CyberSunday, he is digging in a bit around an essential part of control monitoring: configuration management/monitoring. What is config management/monitoring, what...
Season 3 • Episode 10 • 5:23
Cyber Jobs
There is a lot of talk and advice on social media, blogs, etc. about the Cybersecurity job market. There's no doubt it's a tough market right now, but does that mean you should stay away? Here's my opinion on the topic and some quick advice of ...
Season 3 • Episode 9 • 5:47
Communication vs. Technology
An X/Twitter thread about technology vs communication in #cybersecurity inspired today's video. Which one do you think is more important or more difficult? Watch today's #CyberSunday to get Michael's opinion. Things Mentioned:
Season 3 • Episode 8 • 5:19
Control Monitoring
Today's #CyberSunday is about monitoring controls regularly (as opposed to a point-in-time assessment). Michael gets into some methods of monitoring and what you should monitor them against (hint: monitoring is NOT just technical). Want t...
Season 3 • Episode 7 • 4:52
AT&T Outage
Many of us were affected by the cell carrier outage last week. Some initial explanations have come out, but are those explanations plausible? And is a #cyberattack just as - or more - plausible than the explanation that AT&T gave? On today's #...
Season 3 • Episode 6 • 5:58
FUD and Cyber
Indecision and apathy from alert fatigue are big issues in #cybersecurity. But have you thought about how FUD marketing can cause some of the same problems? And it's not just vendors throwing the FUD. In today's cybersunday, Michael talks about...
Season 3 • Episode 5 • 6:23
The Big Game!
It's #cybersunday, and it's also time for the Big Game (can't use the real name because reasons). Michael is a big American Football fan, so he's getting into #cybersecurity football analogies. But he's also trying to dig a little deeper and st...
Season 3 • Episode 4 • 5:29
Coverage Analogy
Michael is in the snow in Michigan to record today's Cyber Sunday. The cold weather and road conditions inspire a cybersecurity analogy around making decisions and determining priorities for your security program. Want to reach out to the...
Season 3 • Episode 3 • 5:12
Risk Wrap Up
Michael is wrapping up his Risk Management/Assessment series on today's #CyberSunday. His two points today are around risk assessment frameworks and a caution about GRC tools. We hope you enjoyed the series! If there's anything you'd like...
Season 3 • Episode 2 • 5:11
Risk Avoidance vs. Risk Mitigation
Michael tells a story from his professional past explaining some of the differences between Risk Mitigation and Risk Avoidance. The scenario on today's #CyberSunday runs through some of the reasons and calculations that went into the deci...
Season 3 • Episode 1 • 5:38
Last #CyberSunday of 2023!
2024 is almost here, and that means a special end-of-year CyberSunday to close out the year. Today, Michael is talking about three topics that warrant special consideration for enterprise security programs in the new year. Listen in and tell us...
Season 2 • Episode 17 • 5:43
Risk Communication
It is crucial to know what role the CISO/security leader plays when it comes to risk. In today's #CyberSunday Michael talks about working with asset owners/business leaders before, during, and after a risk assessment. Wa...
Season 2 • Episode 16 • 5:17
Showing Value in Risk
Risk assessments have inherent value for the business if done correctly. But there can also be explicit value for the business in performing a risk assessment and implementing a security program based on that assessment. In this #CyberSunday, M...
Season 2 • Episode 15 • 5:46
Risk Prioritization
Before you can figure out what risks to accept, you have to prioritize the risk. Before you can prioritize risk, you have to get visibility in your environment to determine what your risks are made of. In today's #CyberSunday, Michael talks abo...
Season 2 • Episode 14 • 5:30
Fees for Cybersecurity Speaking Engagements
A CISO recently shared a LinkedIn post regarding speaking engagements. In this post he advised security leaders to ONLY accept paid engagements as their time is valuable. In this week’s #cybersunday Michael, who is not only a CISO but the found...
Season 2 • Episode 13 • 5:34
Reviewing Accepted Risk
Reviewing accepted risks is a crucial part of a risk management program. In today's #cybersunday, Michael talks about some important best practices like considering risk tolerance changes, involving business units in your review process, and ot...
Season 2 • Episode 12 • 5:31