Respected Information Security expert, advisor, evangelist, co-host on Paul’s Security Weekly, and recently returned to a Consulting/Advisory role at Online Business Systems. Over 35 years of experience working in all aspects of computer, network, and information security, including risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Previously held security research, management and product development roles with the National Security Agency, the DoD and private-sector enterprises and was part of the first penetration testing “red team” at NSA. For the past twenty years, has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation’s best known companies.
Have you ever noticed that much of the mission of cyber- and information security professionals seems to be focused on vulnerabilities? Have you ever heard of the risk equation? Perhaps you are familiar with one or more versions that help you derive the risk to your organization (sometimes referred to as residual risk). I have been wondering for a while how to suggest to our industry that there is perhaps TOO much focus on vulnerabilities and not enough attention or focus on the other elements that derive the standard risk equation. Remember how the disclosure of Meltdown/Spectre introduced a “perfect storm” scenario where the vulnerability wasn’t easy to patch or fix, and the solution seemed to be break things? This created a situation where the “security solution” wasn’t simply to apply the patch – and that left many organizations scrambling to figure out how to deal with this example of a persistent vulnerability. This is a great example of what I’ve wanted to discuss for a while – what else should we focus on in terms of security if/when the vulnerabilities still remain. Interested? Intrigued? Come join the discussion!