Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.

Agile Security: Balancing Security with the Need for Agility, written by Jeff Lowder

Jeff Lowder

Jeff Lowder is an information security executive with a passion for continuous learning and innovation in information security risk management, with an exceptionally strong background in IT governance, inductive logic, and decision theory as it relates to risk analysis and risk management. He has over 12 years of management experience and 14 years of IT experience that span Internet security, strategic planning, incident response, compliance, information systems audit, business continuity planning, and project management.

His previous assignments include Director, Information Security at Disney Interactive Media Group, a branch of The Walt Disney Company; Sr. Security Architect / Manager, Network Security at NetZero; Director, Security and Privacy at Elemica; and Director, Network Security at the United States Air Force Academy, where he was named Information Protection Individual of the Year.

He has been published in multiple editions of the HANDBOOK OF INFORMATION SECURITY MANAGEMENT (ed. Harold F. Tipton and Mikki Krause, Auerbach Publications). He is a member of the ISSA and the Society for Risk Analysis. A graduate of Seattle Pacific University, with a B.S. degree in Computer Science, Lowder also is a Certified Information Systems Security Professional (CISSP) and has served on the boards of the Delaware Valley ISSA and the SANS Institute’s GSEC Certification Advisory Board.

The Difference between Quantitative and Qualitative Risk Analysis and Why It Matters (Part 2)

Objective vs. Subjective Approaches: Strengths and Weaknesses. As we have seen, quantitative risk analyses can be subjective and qualitative risk analyses can be objective. The purpose of this slide is to summarize and discuss some of the advantages and disadvantages of both the objective and…

The Difference between Quantitative and Qualitative Risk Analysis and Why It Matters (Part 1)

Many discussions of security risk analysis methodologies mention a distinction between quantitative and qualitative risk analysis, but virtually none of those discussions clarify the distinction in a rigorous way. The purpose of this 3-part series is to clarify that distinction and then show why…

PCI DSS Position on Patching May Be Unjustified

Verizon Business recently posted an excellent article on their blog about security patching. As someone who just read The New School of Information Security (an important book that all information security professionals should read), I thought it was refreshing to see someone take an…

Agility and Risk Compensation: Exploring the Connection

In my previous and inaugural column, I introduced the concept of a tradeoff between information security and agility, where agility was defined as “the capability to change with managed cost and speed.” Information security doesn’t necessarily have to be at odds with agility, but…

Fitting the CIA Triad in a Business Context: The Concept of Agile Security

Last year, Harvard Business School Press published a very interesting book entitled IT Risk: Turning Business Threats into Competitive Advantage by George Westerman and Richard Hunter. Westerman is a Research Scientist at the Center for Information Systems Research at the MIT Sloan School of…