Protecting People, Not Just Data

Companies' cultures need to change. You need to become concerned about every new piece of software, every new connection and every new piece of data -- whether or not you're required by law to care. If some piece of software doesn't contribute to your core business, don't allow it. If some new Internet-connected service isn't part of your mission,

There are parallels here to information security, or any central risk function, in terms of thinking who your customers are. Is it the shareholders (and Board as their representatives) to reduce the risk of losses? Is it executive management both for loss reduction as well as enabling and supporting business growth or mission success? Or is it the

the third and most exciting piece of his framework is something he thinks most cybersecurity people don't focus on: embracing compassion while providing guidance.

I saw a few tweets about this article tongue in cheek saying "time to update your threat model" - but how many actually do that? Who is at work this week creating a document that illustrates how a data breach of their external council could lead to their own data loss event? I'd guess it is a very small number of folks. I'm making the cas