Friday, September 14, 2018

Smart Contract Security

As more orgs look at embracing blockchain there will be a need to assess the security of Smart Contracts, particularly for Ethereum-based blockchains.

Look for vendors to develop solutions, and for professional services firms to build custom offerings that cater to this niche.

Sunday, August 26, 2018

Transitioning Technical Professional Service & Payment for Outcomes

With the advent of bug bounties, the shift of healthcare charges toward outcome-based payment, and the long history of legal services tied to outcomes, technical professional services need to make the same transition to being paid for outcomes.

Now, one may argue that FFP (firm-fixed-price) "packaged" projects are already tied to outcomes, though those are few and far between.

So, eventually the industry should tie compensation to outcomes, and we may then see a better percentage of efficiencies from the larger consulting firms.

Saturday, August 25, 2018

Cloud Architecture: Build (IaaS) versus Buy (PaaS)

Cloud providers are introducing many new services to their portfolios. So, organizations now have a decision to make regarding build vs buy.

Here are pros & cons for each:

PaaS / Buy: (pros) time to market, CapEx reductions; (cons) usually multi-tenant, will require skill-set updates, vendor lock-in, OpEx increases

IaaS / Build: (pros) familiar ITSM / ITIL model, CapEx focus, single tenant, existing skill-set, increased portability; (cons) slower agility

Monday, June 25, 2018

Cloud Visibility

With more organizations going to the cloud, with shadow IT, and with GDPR requirements, cloud visibility seems to be the latest fad....

Microsoft & Amazon picked up on this several years ago, hence Azure Information Protection (AIP) and AWS Macie, but neither covers both clouds together, nor Google / Salesforce / Rackspace.

So, expect this area to gain traction for several more years...

Saturday, June 23, 2018

Incident Response v.2.0: Partner Office 365 (O365) Compromise

As more ecosystems move to Microsoft's Office 365 it seems necessary to create an IR playbook for O365 compromises.

Said playbook should include proper responses.

Tasks to perform should include:

  • Disabling established trusts
  • Quarantining emails / messages
  • Establishing enhanced security policies / black lists
  • Calibrating monitoring / notification rules

Wednesday, March 21, 2018

Facebook, Cambridge Data Compromise Should Not Surprise Consumers

Facebook is receiving bad press because consumer data was compromised by a Cambridge-based analytics firm for political purposes.

Frankly, this should not be news: social media outlets and free online services (email, vlogs, blogs) generate their revenue from subscribing advertisers by selling the (supposedly anonymized) data. Said data extraction models have even been the subject of episodes on shows like Netflix's House of Cards.

Regardless, the sensitive data is supposed to be masked, and how well obfuscated it actually is, is often a matter of debate.

So, the question is: will the US get serious about data privacy now, and / or will consumers migrate away from these services in droves?

TBD....

Friday, February 23, 2018

Metrics for Risk Management & Cybersecurity

A book by the name of How to Measure Anything in Cybersecurity Risk articulates enhanced metrics (versus impact & likelihood) via Bayesian models.

However, outside of cyber insurers and actuaries, most risk management / cybersecurity functions struggle with even the simplest metrics. That happens due to a lack of technical key risk indicators (KRIs) agreed to by the business.

While quantitative analysis can help derive budgeting priorities, most organizations are simply not mature enough to know the qualitative gaps within their enterprise.