Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.

Agile Security: Balancing Security with the Need for Agility written by Jeff Lowder

Jeff Lowder

Jeff Lowder is an information security executive with a passion for continuous learning and innovation in information security risk management, with an exceptionally strong background in IT governance, inductive logic, and decision theory as it relates to risk analysis and risk management. He has over 12 years of management experience and 14 years of IT experience that span Internet security, strategic planning, incident response, compliance, information systems audit, business continuity planning, and project management.

His previous assignments include Director, Information Security at Disney Interactive Media Group, a branch of The Walt Disney Company; Sr. Security Architect / Manager, Network Security at NetZero; Director, Security and Privacy at Elemica; and Director, Network Security at the United States Air Force Academy, where he was named Information Protection Individual of the Year.

He has been published in multiple editions of the HANDBOOK OF INFORMATION SECURITY MANAGEMENT (ed. Harold F. Tipton and Mikki Krause, Auerbach Publications). He is a member of the ISSA and the Society for Risk Analysis. A graduate of Seattle Pacific University, with a B.S. degree in Computer Science, Lowder also is a Certified Information Systems Security Professional (CISSP) and has served on the boards of the Delaware Valley ISSA and the SANS Institute’s GSEC Certification Advisory Board.

How to be a Software Engineer without Understanding Software

January 30, 2012 – 6:00 am – Imagine a world where the majority of people who claim to “do” software engineering do not know even basic concepts that are taught in computer science 101 classes, such as basic data structures and why they matter. A world in which most accountants didn’t know how to read a…
Posted in Risk Analysis, software engineering | Tagged , , , , , | Comments (0)

How to Define “Connected Systems” to the PCI Cardholder Data Environment (CDE)

December 6, 2010 – 6:00 am – While the Payment Card Industry (PCI) Data Security Standard (DSS) arguably does a better job than most standards in defining scope, there is one part of the DSS that needs to be clarified. The DSS determines scope in terms of “system components,” which it defines as follows. The PCI…
Posted in Compliance and Laws | Tagged , , , , | Comments (4)

6 Theories of Probability and 6 Reasons Why They Matter to ISRA

September 7, 2010 – 6:00 am – While probably everyone would agree that information security risk analysis (ISRA) is shot through with appeals to probability, very few non-academic discussions of ISRA provide any sort of rigorous analysis of what “probability” means. (See Alberts and Dorofee 2003 for a notable…
Posted in Risk Analysis | Tagged , , , , , , , , , , , , | Comments (2)

Why the “Risk = Threat x Vulnerability x Impact” Formula is Mathematical Nonsense — Part 2

August 31, 2010 – 6:00 am – In my last post, I argued that security risk managers should stop using the “Risk = Threat x Vulnerability x Impact” formula (hereafter, the “R=TVC formula”), for two reasons. First, the variables “Threat” and “Vulnerability” are typically undefined;…
Posted in Risk Analysis | Tagged , , , , , , , , , , , | Comments (1)

Why the “Risk = Threats x Vulnerabilities x Impact” Formula is Mathematical Nonsense

August 23, 2010 – 6:00 am – Every now and then I will find a security practitioner presenting the following formula when discussing information security risk analysis (ISRA). Risks = Threats x Vulnerabilities x Impact In some versions of this formula, the word “Consequence” is sometimes substituted for…
Posted in Risk Analysis | Tagged , , , , | Comments (6)