In 2014, the NIST Cybersecurity Framework (CSF) took the world by storm, aiming to help organizations improve their ability to prevent, detect and respond to cyber attacks.  It has been translated into many languages and is used by the governments of the United States, Japan and Israel, among many others.  The Trends in Security Framework Adoption Survey, conducted in 2016, reported that 70% of the 300 surveyed organizations view NIST's framework as a security best practice, but that same survey also found that 50% of

This past weekend, SimpleRisk went live with our Q2 2020 release.  Like the releases before it, a tremendous amount of effort went into packing in as many features and as much functionality as possible while retaining the underlying simplicity.  In addition, our HackerOne Bug Bounty program continues to help us identify and fix potential security vulnerabilities, and we've corrected a number of bugs as well.  The full release notes for this release can be downloaded here.  What f

About a week and a half ago, SimpleRisk went live with our Q3 2020 release.  While this release included a handful of new features as well as bug and security fixes in the SimpleRisk Core, much of our attention this time around went towards enhancing a number of our SimpleRisk Extras.  The full release notes for this release can be downloaded here.  What follows is a description of all of the new features, bug fixes and security fixes that were included in this new release.

At the end of June 2020, a civil rights coalition, which includes the Anti-Defamation League (ADL) and the NAACP, launched the #StopHateforProfit campaign.  This campaign calls upon major corporations to pause their Facebook advertising, citing the company's "repeated failure to meaningfully address the vast proliferation of hate on its platforms".  It is the result of over a decade of begging Facebook to do something about its hate speech problem.  Facebook has allowed incitement to violence against protesters fighting for racial justice in America, named Breitbart News a "trus

Today I had a really interesting conversation with a guy from Japan via LinkedIn.  It started with him trying to sell me some website design services, but when he realized their services weren't a good fit, he asked me a question.  He said "I checked a few websites - what is this risk management thing?  If we have this web design studio, how do we calculate our risks?"

As the Information Security Program Owner at National Instruments, I spent years contemplating the answer to a question that has been around since the dawn of "the cloud":

Back in 2013, when I first started working on SimpleRisk in my spare time on nights and weekends, I started using a massive Trello board to track all of the features I would need to do my job as a risk manager.  I used a relatively simple scheme of labeling each card as yellow, orange, or red to indicate the priority.  With each new feature I added, more organizations would adopt the platform; and with each new organization came fresh ideas on how to continually drive the product forward.  We still routinely get feature requests from customers and, today, that Trello board has grown t

As the Information Security Program Owner at National Instruments, a $1.4B global enterprise, I've spent the past decade building a risk management program from the ground up.  As I shared in my Founder's Story, I struggled in the early days with defining what our program would look like, and especially around the tooling I would use, but it wasn't long before I was able to demonstrate the value of risk management to the organization.  SimpleRisk quickly became our de facto tool of choice and, as my knowledge increased and my co

This is just a short (1 minute) animated video explaining some of the capabilities around performing internal and third-party risk assessments with SimpleRisk.

Unless you've been hiding under a rock for the past three weeks, you're probably familiar with CVE-2019-0708, also known as the "BlueKeep" vulnerability.  This Remote Code Execution vulnerability in Remote Desktop Services (formerly known as Terminal Services) is particularly nasty because it is pre-authentication and requires no user interaction.  That makes it the perfect vulnerability to integrate into a self-propagating worm that would quickly spread around the world, just like WannaCry did in 2017.  It also make
