Image by olafpictures from Pixabay

I have had the mis/fortune (depending on your perspective) to go through pain management therapy. When there are no more medications to take, no ways to reduce the pain, and the pain is not going to go away any time soon, what’s left is You. You going face-to-face with pain.

Your body can get used to a constant level of pain. Your brain can even filter it out. You tend to need pain management when you have constant pain that can spike or grow, and that change is a part of your daily life.

I can still remember my first informal “session”. I was having an “internal abdominal procedure” without anaesthetic. I won’t get into details here, but many gory movie scenes have imagined what was a daily reality for me. …


Maturing whiskey barrels

This McKinsey & Company report on cyberrisk maturity models is clickbait-y, tone-deaf, judgemental, and even a little elitist. And it looks like they know it. The irony is delicious.

Quantifying Risks is Better Than Maturity

They start off their position saying that the maturity approach “has had its day” and that organizations should move to a “risk-based” approach. What they mean, though, is a “risk-quantified” approach, but:

  1. They choose a broad term that connotes that a maturity approach is not risk-based, and;
  2. They assume that everyone has the kind of data necessary to quantify risks.

So, they start off by contriving that “they know better” and they have insight into a “golden path” (clickbait), which is actually a plain, vanilla path. But they misrepresent their position and the concept of a maturity approach. …



I’ve been very interested in behavioural science since I was a Department Head of a college. It’s never enough to just know what to teach; that part is surprisingly easy. It is more about getting what you want into the learner’s head, and that part is surprisingly difficult to accomplish consistently over a diverse population.

The same challenge is experienced by management and felt even more keenly by the cybersecurity department when they want employees to adopt a secure or compliant way of operating. How do you address failure or non-compliance?

This challenge comes up quite often when I’m drafting information security policies, and if management does not bring it up themselves, I make sure to raise it. It also comes up when the organisation talks about cybersecurity training and phishing simulations. It is important to know how to do things properly, but what happens when someone doesn’t? …


credit: Pixabay

Cybersecurity Leaders hold an exceptionally important role in ensuring that an organisation, and the digital economy as a whole, can survive and thrive as it pursues new opportunities and creates never-before-seen value in the world. They facilitate innovation and growth on one hand and protect people’s rights and safety on the other.

That’s what differentiates a Cybersecurity Leader from a Technician: it is the bigger view, that we are all called and positioned to make decisions and take actions that are so much bigger than ourselves, or systems, or our organisations.

Five Core Beliefs

As a Cybersecurity Leader, I have five core beliefs about cybersecurity that guide me and how I…

About

Jordan M. Schroeder

Managing CISO @ HEFESTIS, moderator of Security StackExchange, author of Advanced Persistent Training.
