I was first introduced to Agile methodologies in 2014, as the company I was with at the time started moving from a Waterfall approach to Agile with our development teams. These agile teams typically consisted of a business analyst, scrum master, back-end developers, UX developers, and quality assurance analysts. Security had not yet found its place in this new structure, however, we quickly learned that adopting a hybrid form of “ScrumBan”, a…

When I first stepped into the CISO role, I had the tremendous benefit of receiving help and advice from a number of seasoned CISOs and CSOs. Having now filled roles for several years, there are a number of things (in no particular order) learned from my experience that I would like to pass along to others. Teamwork is crucial. Building rapport and working relationships, both internally and externally, are very important. You…

When I first assumed the role of CISO at my current organization, I knew that a variety of commercial security tools had been purchased, along with numerous other open-source or otherwise free tools that were also being used for various functions. This raised a number of questions for me, including: What specific functions does each tool offer? Many tools are multi-functional. Which tool is the right tool for the job? How…

How do you define or measure the state of security within your organization? This is the age-old question that business leaders and information security professionals have been struggling with for some time. The many factors that determine one’s security posture can differ widely between organizations. There is no “one size fits all” that works for everyone. Over the years, various security frameworks have been developed to assist with establishing a healthy…

Similar in some ways to a network firewall, a web application firewall (WAF) is a device (or in some cases a service), purpose-built to protect web applications. Instead of filtering requests at the network level with rules based on IP addresses and network protocols, WAFs understand HTTP requests and responses at the application layer. WAF rules are crafted to identify anomalous HTTP requests, and take action accordingly. While very powerful and useful,…