Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.

Sense of Security written by C. Warren Axelrod

C. Warren Axelrod

C. Warren Axelrod is the Chief Privacy Officer and Business Information Security Officer for a financial services company, where he interfaces with the firm’s business units to identify and assess privacy and security risks and mitigate them, to have employees become familiar with security policies, standards, and procedures, and to ensure that they are followed.

Warren was honored with the prestigious Information Security Executive (ISE) Luminary Leadership Award 2007. He also received a Computerworld Premier 100 IT Leaders Award in 2003 and his department’s implementation of an intrusion detection system was given a Best in Class award.

He represented financial services information security interests at the Y2K command center in Washington, DC during the century date rollover. He is a founder of the FS/ISAC (Financial Services Information Sharing and Analysis Center) and served two terms on its Board of Managers. He testified at a Congressional Hearing in 2001 on cyber security.

Warren has published two books on computer management and numerous articles on a variety of information technology and information security topics, including computer and network security, contingency planning, and computer-related risks. His third book, “Outsourcing Information Security,” was published by Artech House in September 2004.

He holds a PhD in managerial economics from the Johnson Graduate School of Management at Cornell University and honors bachelors and masters degrees in electrical engineering, economics and statistics from the University of Glasgow, Scotland. He is certified as a CISSP and CISM.

Metrics Revisited – Application Security Metrics

May 12, 2008 – 6:00 am – I have recently been giving some thought to, and doing some research into, application security metrics, and I have determined, quite simply, that there aren’t any good ones. “How ridiculous!” you say, “We have two dozen application security metrics, which we report in…
Posted in Risk Analysis, Security Metrics | Tagged , , , , | Comments (0)

Security and Change (pt. 3): White Knights

April 21, 2008 – 6:00 am – There are many events that are disruptive to business operations and about which you generally know well in advance. Such events include all manner of IT and business process outsourcing, friendly and hostile mergers and acquisitions, the relocation, consolidation and dispersion of facilities,…
Posted in CSO/CISO Perspectives, Contingency Planning | Tagged , , , , | Comments (0)

Security and Change (pt. 2): Black Swans

April 14, 2008 – 6:00 am – Remember Y2K? It was the meltdown that never happened. Well, I have news for you. It could well have been a catastrophe. We really did avert it. I speak as someone who spent the Y2K weekend holed up at the Government’s command center in a nondescript building in downtown Washington, DC.…
Posted in CSO/CISO Perspectives, Contingency Planning | Tagged , , , , | Comments (0)

Security and Change (pt. 1): Blackouts

April 7, 2008 – 6:00 am – My next three columns are about change, how change, whether it be accidental or intended, can affect security, and how security might impact change. This first column is about relatively commonplace events, such as power failures, snowstorms, hurricanes, tornadoes, fires, and floods. The second…
Posted in CSO/CISO Perspectives, Contingency Planning | Tagged , , , , | Comments (0)

Metrics: A Measure of Security

March 19, 2008 – 6:00 am – Everyone seems to be measuring security. After all, the common mantra is “You can’t manage what you can’t measure.” And security cries out to be managed. But which are useful security metrics? Are we investing appropriately in the measurement of various aspects of security? I think that…
Posted in Security Metrics | Tagged , | Comments (0)