About Heuristic Security

“A heuristic technique is any approach to problem solving or self-discovery that employs a practical method, not guaranteed to be optimal, perfect, logical, or rational, but instead sufficient for reaching an immediate goal.”

As a Chief Information Security Officer (CISO) with close to 20 years experience building and leading information security programs for organizations around the world, I have seen the dramatic escalation in the threats to sensitive information and systems, as well as the explosive growth of security technologies, mandated regulations and controls that have sprung up with the intent of “helping” organizations address these threats.

Yet for all these advancements, the problems of information loss, unavailability, and misuse are demonstrably worse than they have ever been, with announcements of information security breaches and data losses on a massive scale occurring so frequently as to render people numb to the news. When examining the root causes of many of these breaches, it is obvious time and again that regardless of the size of the security organizations or the millions spent on advanced security technologies, the problems can often be traced to ignorance at the senior levels of the organization as to the real threats facing the organization, compounded by an inappropriate focus on implementing advanced technologies and controls that are not aligned to addressing the true risks that these threats represent.

This website is my attempt to provide practical guidance to CISOs and business leaders on what threats are most relevant to their business, what are the motives of the attackers and what means will they use to inflict harm, what gaps in the organization are most likely to cause these means to be realized and what organizations can do from a people, process and technology perspective to address these gaps and the associated risks.

My aim is not to duplicate all the advice and controls that exist in CIS, ISO, NIST or other security control frameworks, but rather to provide a relatively simple approach for creating an effective security program for organizations which have not had one previously.

All the information in this blog is free to use and is based on my nearly 20 years experience developing security programs across the globe for organizations big and small, leveraging publicly available information from CIS, NIST, ISO and others. This advice is not intended to describe the security program needed for a Fortune 100 company, however, it can certainly be used by a large company to ensure that their program is meeting a consistent baseline level of protection and as well driving more productive conversations with their company’s leadership regarding cyber-risks.

Your productive contributions and feedback are welcome in this effort by writing to me at [email protected].