
Unless you've been hiding under a rock for the past three weeks, you're probably familiar with CVE-2019-0708, also known as the "Bluekeep" vulnerability.  This Remote Code Execution vulnerability in Remote Desktop Services (formerly known as Terminal Services) is particularly nasty as it is pre-authentication and requires no user interaction.  This makes it the perfect vulnerability to integrate into a self-propagating worm that would quickly spread around the world, just like WannaCry did in 2017.  It also make

On March 29, 2019, Alex Polimeni and I presented at the BSides Austin conference on some of the work we've done for National Instruments with respect to using the NIST Cybersecurity Framework (CSF) as the foundation for an assessment of the organization's cybersecurity maturity.  For those who aren't familiar with the NIST CSF, it splits cybersecurity best practice activities up into five functions: Identify, Protect, Detect, Respond, and Recover.  Then, each of those functions is split into several categories.  For example, the Identify function is split into the categories of Asset Manag

Recently, a friend sent me a blog post by John A.


Before starting SimpleRisk, I sat in the CISO chair, on the other side of the negotiating table.  I learned the tricks that vendors played with pricing to get it up and had some tricks of my own that I'd use to get it back down.  Discounts of 50% or more were not uncommon and our procurement team mostly let me do my own thing because they knew they weren't going to be able to touch my pricing.  My team and my peers even used to half-jokingly say that I should do a talk on vendor price negotiations.  And while I still wear the discounts that I negotiated as a badge of honor, there's a part o

Has the number of security issues you deal with on a routine basis ever made you feel a bit like Atlas carrying the world on your shoulders?  I can’t tell you the number of conversations I’ve had with discontented security practitioners who lament to me the woes of trying to speak with management about the latest Heartbleed or Spectre/Meltdown vulnerabilities and “management just doesn’t understand”.  Even worse, when management inevitably turns a blind eye to the issue, the security practitioner worries that they’ll be searching for a new job if the vulnerability is ever exploited.  As the

A couple of weeks ago I participated in a CISO Summit with a focus on the topics of Security Visibility and Incident Response.  At one point, towards the end of the summit, we fell on the topic of having a "Table Top Exercise (TTX)".  I have to admit that I'd heard of these before, but I'd never before participated in one myself.  But as these CISOs talked more and more about how it worked, who was involved, and the lessons learned, I was intrigued.


Every comic book superhero has a story behind them describing how they overcame some form of adversity in order to become the crime-fighting protector of all things good that we've come to know and love. Just like those champions of justice, SimpleRisk also has an origin story. It all started in 2012, when Josh Sokol was tasked with starting an enterprise risk management program at National Instruments.
