

{"id":391,"date":"2011-03-19T10:32:00","date_gmt":"2011-03-19T15:32:00","guid":{"rendered":"http:\/\/rud.is\/b\/?p=391"},"modified":"2018-03-10T07:53:37","modified_gmt":"2018-03-10T12:53:37","slug":"crossroad-of-erm-and-the-parallels-to-irm","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2011\/03\/19\/crossroad-of-erm-and-the-parallels-to-irm\/","title":{"rendered":"Crossroad of ERM and the Parallels to IRM"},"content":{"rendered":"<blockquote><p>Had to modify the latimes URL in the post due to a notice from Wordfence\/Google<\/p><\/blockquote>\n<p>I was reviewing the &#8211; er &#8211; <i>highlights?<\/i> &#8211; from the ninth ERM Symposium in Chicago over at <a href=\"https:\/\/riskviews.wordpress.com\/2011\/03\/18\/crossroad-of-erm\/\">Riskviews<\/a> this morning and was intrigued by some of the parallels to the current situation in enterprise security risk management (the ERM symposium seemed to be laser-focused on financial risk, which is kinda sad since ERM <b>should<\/b> make security\/IT compliance risk a first class citizen). Not all topics had a 1:1 parallel, but there were some interesting ones:<\/p>\n<ul>\n<li><b>Compliance culture of risk management in banks contributed to the crisis<\/b> :: While not necessarily at <i>crisis<\/i> levels yet, the compliance culture that is infecting information security is headed toward this same fate. 
Relying on semi-competent auditors to wade through volumes of compensating controls and point-in-time reviews to deliver &#x2713;&#8217;s in the right boxes is not a recipe for a solid security program that will help mitigate and respond effectively to emerging threats.\n<\/li>\n<li><b>Banks were supposed to have been sophisticated enough to control their risks<\/b> :: I&#8217;ll focus on medium-to-large enterprises for this comparison, but I&#8217;m fairly confident that this is a prevalent attitude regarding information security in corporations across the globe (&#8220;<i>We manage information risk well<\/i>&#8221;). Budgets seem to be focused on three fundamental areas that non-security folk can conceptually grasp: <b>firewalls<\/b> (stop), traditional <b>anti-virus<\/b> (block) and endpoint disk <b>encryption<\/b> (scramble). By now, with a <span class=\"removed_link\" title=\"http:\/\/www.curphey.com\/2011\/02\/owasp-has-it-reached-a-tipping-point\/\">decade<\/span> of <a href=\"http:\/\/www.verizonenterprise.com\/resources\/reports\/rp_2010-DBIR-combined-reports_en_xg.pdf\">OWASP failures<\/a> [PDF, pg 28], a multi-year debate about <a href=\"https:\/\/isc.sans.edu\/diary\/Is+Anti-Virus+Dead%3F\/4808\">anti-virus efficacy<\/a> and ample proof that vendors <a href=\"https:\/\/nvd.nist.gov\/view\/vuln\/search-results?query=adobe&amp;search_type=all&amp;cves=on\">suck<\/a> at building secure software as evidence, you&#8217;d think we&#8217;d be focusing on identifying the areas of greatest risk and designing &#038; following roadmaps to mitigate them.\n<p>This may be more of a failure on our part to effectively communicate the issues in a way that decision makers can understand. 
While not as bad as the outright lying committed by those who helped bake the financial meltdown cake, it is important to call out since I believe senior management and company boards would Do The Right Thing&trade; if we effectively communicated what that Right Thing is.<\/p>\n<\/li>\n<li><b>Regulators need to keep up with innovation and excessive leverage from innovation.<\/b> :: The spirit of this is warning that financial regulators need to keep a sharp eye out for the tricky ways institutions come up with to get around regulations (that&#8217;s my concise summary of &#8220;innovation&#8221;). Think &#8220;residential mortgage-backed securities&#8221;. The &#8220;excessive leverage&#8221; bit is consumers borrowing way too much money for over-priced houses.\n<p>I&#8217;m not going to try to make a raw parallel, but just focus on the first part: <i>Regulators need to keep up with innovation<\/i>. The bad guys are <a href=\"http:\/\/www.bankinfosecurity.com\/p_print.php?t=a&#038;id=2019\">getting more sophisticated and clever<\/a> all the time and keep up with <a href=\"https:\/\/www.androidpolice.com\/2011\/03\/01\/the-mother-of-all-android-malware-has-arrived-stolen-apps-released-to-the-market-that-root-your-phone-steal-your-data-and-open-backdoor\/\">hot trends<\/a> faster than we can defend against them&#8230;due in part to our wasted time testing controls and responding to low-grade audit findings. When even the SOX compliant <span class=\"removed_link\" title=\"http:\/\/www.networkworld.com\/news\/2011\/031811-rsa-hack-faq.html?page=1\">security giants can fall hard<\/span>, you know there&#8217;s a fundamental problem in how we are managing information security risk. Regulators &#038; legislators need to stop <code>( http:\/\/ articles. latimes. 
com \/2011\/feb\/11\/business\/la-fi-0211-privacy-20110211 )<\/code> jerking knees and partner with the best and the brightest in our field to develop new approaches for prescribing and validating security programs.<\/p>\n<\/li>\n<li><b>ERM is not an EASY button from Staples<\/b> :: I&#8217;m *so* using that quote in an infosec context this week.\n<\/li>\n<li><b>Many banks and insurers should be failing the use test for ERM regulation to be effective.<\/b> :: More firms need to fail SOX and PCI and [insert devastating regulation acronym here] checks, or SOX &#038; PCI requirements need to change so that we see more failing. Pick one SOX <b>and<\/b> PCI compliant company at random and I&#8217;ll bet they have at least one exploitable Internet-based exposure <i>or<\/i> that custom-crafted malware can get through. If we start making real, effective, and sane regulations, we&#8217;ll start contributing to the betterment of information security in organizations.\n<\/li>\n<li><b>Stress testing is becoming a major tool for regulators.<\/b> :: What if regulators did actual stress testing of our security controls versus relying on point-in-time checks? I know that the stress tests for banks end up being a paper exercise, but even those exercises have managed to find problems. Come in, pick three modern exploit vectors and walk through how company defenses would hold up.\n<\/li>\n<li><b>Regulators need to be able to pay competitive market salaries<\/b> :: We need smarter rule-makers and examiners. 
There <b>are<\/b> good people doing good work in this space, just not enough of them.\n<\/li>\n<li><b>Difficult for risk managers to operate under multiple constraints of multiple regulators, accounting systems.<\/b> :: Just domestically, 42 states with separate privacy regulations, SOX for public companies, PCI compliance for those who process credit cards and independent infosec auditing standards across any third party one needs to do business with make it almost impossible to stop spinning around low-level findings and focus on protecting critical information assets. We need to get to a small number of solid standards that we can effectively understand and design solutions to meet.\n<\/li>\n<li><b>Nice tree\/forest story: Small trees take resources from the forest. Large trees shade smaller trees making it harder for them to get sunlight. Old trees die and fall crashing through the forest taking out smaller trees.<\/b> :: This made me think of the rampant consolidation of the security tech industry. Savvy, nimble &#038; competent boutique vendors are being swallowed by giants. The smart people leave when they can and the solutions are diluted and become part of a leftover stew of offerings that don&#8217;t quite fit together well and are not nearly as effective as they once were.\n<\/li>\n<li><b>Things that people say will never go wrong will go wrong.<\/b> :: &#8220;We&#8217;ll never have a SQL injection. Our mobile devices will never get malware on them. Those users will never figure out how to do [that thing], why should we spend time and resources building it correctly?&#8221;\n<\/li>\n<li><b>Compliance should be the easy part of ERM, not the whole thing<\/b> :: So. True.\n<\/li>\n<li><b>Asking dumb questions should be seen as good for firm. 10th dumb question might reveal something that no one else saw.<\/b> :: This needs to be a requirement at everyone&#8217;s next architecture meeting or project initiation meeting. 
At the very least, do something similar before you let someone open up a firewall port.\n<\/li>\n<li><b>There is a lack of imagination of adverse events. US has cultural optimism. Culture is risk seeking.<\/b> :: This can be seen easily in our headstrong rush into <a href=\"https:\/\/blogs.cisco.com\/datacenter\/consumerization-of-enterprise-it-drives-demand-for-unified-virtualization-architecture\">consumerizing IT<\/a>. I find that architects, engineers and application developers tend to see 1-2 &#8220;security moves&#8221; out. We need to do a better job training them to play Go or Chess in the enterprise.\n<\/li>\n<li><b>People understand and prefer principles based regulation. But when trust is gone everything moves towards rules.<\/b> :: If firms had been Doing The Right Thing&trade; in information security when they had the chance, we wouldn&#8217;t be in the state we are in now. I can&#8217;t see us getting [back] to principles-based regulation any time soon.\n<\/li>\n<li><b>Supervisors need to <a href=\"http:\/\/www.imf.org\/external\/pubs\/ft\/spn\/2010\/spn1008.pdf\">learn to say no<\/a><\/b> :: How many firewall port opens, disk-encryption exclusions, anti-virus disables and other policy exceptions have you processed just this past week? How many defenses have you had to give up during an architecture battle? Non-infosec leaders absolutely need to start learning how to say &#8220;no&#8221; when their best-and-brightest want to do the wrong thing.\n<\/li>\n<li><b>Caveat Emptor<\/b> :: Don&#8217;t believe your infosec vendors.\n<\/li>\n<li><b>A risk metric that makes you more effective makes you special.<\/b> :: We have risk metrics? 
Seriously, tho, if we can measure and report risk effectively, our infosec programs <b>will<\/b> get better.\n<\/li>\n<\/ul>\n<p>I may have missed some or got some wrong. I&#8217;d be interested in any similarities or differences others saw in the list or if you think that I&#8217;m overly cynical about the state of affairs in infosec risk.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Had to modify the latimes URL in the post due to a notice from Wordfence\/Google I was reviewing the &#8211; er &#8211; highlights? &#8211; from the ninth ERM Symposium in Chicago over at Riskviews this morning and was intrigued by some of the parallels to the current situation in enterprise security risk management (the ERM [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[55,3,4,50],"tags":[339,395,367,389,391,392,388,393,368,394,369,371,735,387,738,390,386],"class_list":["post-391","post","type-post","status-publish","format-standard","hentry","category-compliance","category-information-security","category-risk","category-zombies","tag-actuarial-science","tag-crime-prevention","tag-data-security","tag-do-the-right-thing","tag-encryption-2","tag-endpoint-disk-encryption","tag-exploitable-internet-based-exposure","tag-firewall-2","tag-information-security-2","tag-mobile-devices","tag-national-security","tag-regulatory-compliance","tag-risk","tag-secure-software","tag-security","tag-sql-injection","tag-staples
"],"yoast_head_json":{"title":"Crossroad of ERM and the Parallels to IRM - rud.is","author":"hrbrmstr","article_published_time":"2011-03-19T15:32:00+00:00","article_modified_time":"2018-03-10T12:53:37+00:00"}}