Mark Walsh

Recent Posts

3 Security Myths That Will No Longer Fly in 2016

Posted by Mark Walsh on Feb 22, 2016 10:38:29 AM

2016_Myths_That_Wont_Fly_Blog_Post.jpgWith 2016 underway, and CIO’s taking a more critical eye at cyber security costs, and boards having a better informed definition of information risk, security organizations will be forced to evolve from past practices that were once seen as appropriate.  With today’s advanced threats weighed against business priorities, CISO’s may need to abandon some assumptions and methodologies that are no longer acceptable. 

3 Security Myths that Will No Longer Fly in 2016 

1: A Products vendor can drive the organization’s entire security strategy

Security product salespeople will tell you that simply buying their expensive software will “address all your PCI compliance needs” or “cover 14 of the 20 critical security controls.”  But the truth is that these tools neither solely ensure compliance nor fully meet the security needs of the business.   Information security is about people and processes. Spending an entire year’s security budget on security software will leave an organization without the appropriate amount of staff to run the tools, and lacking in the maturity that only documented procedures can provide.

Read More

Topics: Security

Need Your Security Budget Approved? Two Components to Increase Success

Posted by Mark Walsh on Feb 17, 2016 11:39:18 AM

Marks_Budget_Blog_Post.jpgIn the years before business leaders truly understood cyber risk, requested budgets for cyber security departments were often approved without thoughtful consideration or review.  There was a day when CISO’s could basically say to a CIO, “I can’t tell you how much safer this will make us, and I can’t say we absolutely won’t have a data breach, but I need 3.5 million dollars.”  Most of those inflated numbers were driven by the desire to buy the latest security tools that vendors promised would solve all security problems.  The funds were to be spent, generally, on products and the staff to support them.

CISO’s can no longer expect to have large annual budgets approved without tangible, quantified data to back up the necessity.  The days have passed when budgets were built on fear, uncertainty, and doubt (FUD), empire building, or opportunities to buy the trending tools.  Security funding needs to produce measurable results, or at a minimum, be supported by credible metrics that validate the business needs. 

Read More

Topics: Business, Security, Security Program Development

A Risk Register is Not the First Step in Your Archer Journey

Posted by Mark Walsh on Jan 26, 2016 12:00:00 PM

Risk_Register_Blog_Post.jpgDue to the way the RSA Archer product is sold, customers often find themselves the proud owners of the Risk Management module.  Side-by-side with the Enterprise, Policy, and Compliance modules, Risk Management is marketed as a necessary and important module to tackle in the initial phase of the Archer journey.  As professional services providers, clients often ask CyberSheath to assist them with the creation of a risk register as their first step with Archer because it is something they have heard they need to do.

A Risk Register as a First Step is Not the Answer

The problem is that the majority of new Archer customers that we have partnered with are in the information security field, where actual threats and incidents consume every working hour.  The daily realities of malware, vulnerabilities, exception requests, business needs, and compliance requirements take up more than enough of a security team’s time each month for them to be prioritizing a risk register as their first GRC capability.

Read More

Topics: eGRC

There is No Industry Average for Security Maturity

Posted by Mark Walsh on Dec 23, 2015 12:35:10 PM


“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.” – Ernest Hemingway

When planning for a security maturity assessment by an independent third party, many organizations often ask if their results can be compared to other companies in their specific industry.   On the surface this “benchmarking” seems to be a reasonable request.  CIOs want to spend as much on security as their peers;  CISOs want to be “as secure” as their competitors.  Nobody wants to devote wildly more or less resources to the effort than those in their industry.  However, the request to see your company’s security maturity “score” stacked side-by-side with other companies is not attainable for two reasons.

Read More

Topics: Security Assessment, DFARS

Controlling Software in Your Enterprise for GRC and Security Benefits

Posted by Mark Walsh on Oct 28, 2015 1:41:12 PM

20 Critial Controls: Control 2Note: This is the second in a series of blog posts in which CyberSheath GRC consultants specifically describe how the RSA Archer GRC Solution can assist with the adoption of the Critical Security Controls for Effective Cyber Defense.  Each post of this series will focus on one of the 20 Critical Security Controls. Click here to access the first post of this series.

CyberSheath has worked with many customers who are just beginning their GRC journey.  As security consultants first, the initial steps we take when building out GRC efforts for any organization align with the Critical Security Controls for Effective Cyber Defense.  These controls, formerly known as the SANS 20 Critical Security Controls, focus on prioritizing actionable and pragmatic security functions that are effective against advanced attacks.

20 Critical Security Controls

Control 2: Inventory of Authorized and Unauthorized Software

Read More

Topics: eGRC

7 Step Process to Transform From a Tactical to Strategic GRC Approach

Posted by Mark Walsh on Oct 13, 2015 1:18:59 PM

RSA Charge October 21-23, 2015

RSA Charge 2015 is almost here!  This exclusive user event brings together industry thought-leaders, experts, and security professionals to share their experiences and lessons-learned.  CyberSheath and other RSA Charge speakers will educate attendees on best practices, as well as tips to proactively avoid security threats and safeguard your organization’s digital assets. To help get you started, review the infographic below depicting our 7 step process to transform your organization’s GRC approach from tactical to strategic.

Read More

What a FitBit Can Teach Us About Security Metrics

Posted by Mark Walsh on Sep 1, 2015 10:41:00 AM

Mark_Running_Blog_PostI started running and biking a lot in 2003.  I do it to have fun, but also to stay healthy.  Back then I worked with some other cyclists, one of whom was an Excel guru that loved collecting workout data.  I started tracking my workouts, too, on his amazing spreadsheet with 11 tabs, pivot charts, and macros.  Every day I was logging my miles, activities, and other workout information.  I even tracked stuff like the weather conditions, what running shoes I wore, and personal bests on a specific route.  This data will make me a better runner, I thought, and healthier.

But invariably, I’d miss a day of data entry.  Whether I was on vacation and away from my computer, or busy, or lazy, a missed day would turn into two, then five.  I’d forget what I did for workouts and not enter data.  Over time the data had such holes that it became unreliable and, eventually, meaningless.  The manual data collection and entry was painful, and I began to actually dislike working out because I didn’t like entering the data.

Read More

Archer Roadshow - Consolidating GRC Initiatives with RSA Archer

Posted by Mark Walsh on Mar 27, 2015 8:42:00 PM
CyberSheath took to the road this month to talk about Archer GRC.  To learn more about GRC and how to be a succesful consumer of a governance, risk and compliance framework, check out our post on 8 Steps that Drive GRC Success.  If you are still not convinced, listen to one of our customers, a multi-billion dollar technology integrator, describe how CyberSheath Professional Services successfully implemented GRC to create a business enabling capability!  Click here to view the video.
Read More

Topics: eGRC

How Security Can Actually "Enable the Business"

Posted by Mark Walsh on Mar 11, 2015 8:50:00 PM

One of the most over-used phrases in security organizations today is “enabling the business.”  It looks great on mission statements and sounds good in meetings, but what does it really mean?  Common answers usually center on “protecting information” and “responding to incidents.”  But are the defensive actions of a security organization truly assisting the company with growth and productivity?  How can security actually help the organization accomplish more work and subsequently add revenue? 

Read More

Topics: Business, Security, eGRC

Thoughts on the 2015 RSA Archer Roadshows

Posted by Mark Walsh on Mar 6, 2015 8:48:00 PM


Read More

Topics: Roadshows, eGRC, RSA ARcher