What do you think this is?

Just thoughts of a restless mind...

A year in review

As the year comes to an end, I feel like a reflection is needed. 2023 was quite a ride. I planned to have this reflection on LinkedIn, but the Prague shooting on the 21st of December made me limit my social media presence and exposure at this time, out of respect for the victims.

Board Governance

As a security executive, I often find myself troubled by the lack of cyber risk understanding in companies' executive management. I may be wrong, but apparently not by much. Lately, the calls for proper cyber security risk governance at the board level are getting louder and are coming from multiple sources, including the US Securities and Exchange Commission.

The wrong solution to a major problem

Supply Chain Risk Management is the name of a big security problem in the business world. It is so important that there isn't a single security framework that doesn't include Supply Chain Risk Management in its agenda, guidance, and suggested controls. NIST has a set of resources on the topic, but it is not the only organization that is addressing this problem.

Disclaimer: Nothing below should be taken as a criticism of the services offered. Pointing out their flaws and inefficiencies does not mean they don't have any value.

Vulnerability and Patch management

During the last three months I found myself in discussions about patch and vulnerability management more often than expected. I have to say there is a lot of misunderstanding about these two processes, so much that I would argue several organizations are exposing themselves significantly simply because the touch points and the (lack of) dependencies between the two processes are not clear.