Trouble spotted on the network
No sophisticated SOC? You can still be pretty sure that you’re aware of anything potentially troublesome.
Sometimes, security risks are hiding in plain sight.
The company has sanctioned the use of an online password vault, so why is there a spreadsheet making the rounds that contains scores of passwords to servers that contain sensitive data?
We bought a next-generation firewall, as I had hoped we would. The real trick, though, was getting the IT department to take full advantage of all of its advanced functionality.
One thing that we security managers can be sure of is this: There is no guarantee that our company will not suffer a security breach. In fact, the odds are increasing all the time, helped along by the proliferation of mobile devices, companies' heavy use of software as a service and the <a href="http://www.computerworld.com/category/consumerization/?nsdr=true">consumerization of IT</a>. And let's face it: Creating a culture that fosters innovation and attracts talent exacts a cost in defensibility.
I mentioned in a previous article that we are using <a href="http://www.computerworld.com/article/2894450/making-the-case-for-security.html">a "loaner" Palo Alto Networks firewall</a>, with all the bells and whistles. Our testing led to all sorts of interesting discoveries, and I certainly hope that the executive staff will agree that the increased visibility makes this sort of new-generation firewall well worth the investment.
Having been at my new company for several months now, this week I was invited to inform executive management about the state of our security. I had half an hour to formally introduce myself and talk about my philosophy, my initial findings and the priorities I think we need to have.
You don't have to spend a lot of money on some information security initiatives. Take <a href="http://www.computerworld.com/article/2504968/cyberwarfare/security-awareness-can-be-the-most-cost-effective-security-measure.html">security awareness</a>, for example. You can get huge returns with small investments.
As I moved into the information security position at my new company a few weeks ago, I was anxious to do a full assessment of our security defenses. But I was immediately sidetracked by, not one, but two major vulnerabilities that couldn't be ignored. Those were fires that had to be put out before I could do anything else.
I've become a <a href="http://www.computerworld.com/article/2554061/security0/measuring-the-value-of-metrics.html">big fan of metrics</a>. I wasn't always, but throughout my career in information security, I've had bosses who have challenged me on metrics, and I have honed my skills so that now I feel the metrics I collect meet the "SMART" test: specific, meaningful, actionable, repeatable and time-dependent.