
Author Archives: Doug Gray

Cyber Security Maturity is Not Measured in Pages


If you want to understand maturity, watch a jazz concert. Much of what you hear is improvised, right there before your eyes. The music you hear is so well integrated, it seems that it’s already been planned. But in fact the musicians are making it up as you watch. How? They are following a set of rules that they have ...


Resistance is Futile; You Must Comply


No threat actor ever avoided attacking your system because you marked a control as compliant. Yet organizations today are spending ever-increasing resources to remain compliant with myriad frameworks, including the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF), International Organization for Standardization (ISO) standards, such as ISO 27001, and ISACA’s Control Objectives for Information and ...


Risk Management – From Paper to Reality


So you have completed your security controls assessment. You have beautiful risk assessment reports, and a big beautiful plan of action and milestones (POA&M). Now what? You have to bring your plan to manage risk into reality. According to the Department of Homeland Security’s Office of Cybersecurity and Communications, if you stacked all of the paperwork generated by assessment and ...


Cyber Security: If You Don’t Know the Mission, You Don’t Know the Risk


Like the good cyber security stewards we are, we regularly inventory our assets, assess known vulnerabilities, and stay abreast of the latest threat intelligence. So we know our risk, right? Not necessarily. When assessing risk, many cyber security professionals think of the technological impact, such as webserver downtime or the inability to deliver email. The truth is the impact is ...
