Over the past few years there has been a lot of discussion and research on the weakness of password use.  Should passwords be changed on a periodic basis?  What's the best compromise on complexity requirements and one's ability to memorize the password?  Is single sign on too risky? Are passwords even effective at all?  The arguments, and proponents or opponents for each, can be found everywhere.

Being the rational, level headed guy I am, I like to look at each scenario from a risk based perspective.  You really have to consider the vulnerability and threat and pick a proper control to address the specific risk identified.  In some cases you'll pick multiple controls to address multiple risks.

Read more: The Proverbial Password Arguments

Visa and MasterCard are both reporting massive breaches impacting millions of card holders today.  Check out Brian Krebs' article here.  Looks like we're all playing the lottery whether we buy a ticket or not.  This is just the beginning folks.  I hope we don't become numb to it.  That would be really bad.      

It seems that cloud security is a hot topic these days.  I was in Cedar Rapids last week at the chapter meeting for both the Institute of Internal Audit (IIA) and Information Systems Audit and Control Association (ISACA) presenting on cloud security and audit issues.  I'll also be presenting to the Des Moines chapter of the Information Systems Security Association (ISSA) meeting today about the same topic.  If you'd like a copy of the presentations feel free to contact me.

The "cloud" is a touchy subject when it comes to security.  Some companies are wholeheartedly embracing it while others are running from it.  Which it the right approach?  That really depends on one thing.  Control.  How much does it mean to you and how much are you willing to spend to keep it.  Everybody assumes that data is less secure in the "cloud".  I'd argue that thinking is really more of a control issue.  Many cloud providers, not all mind you, have top notch security programs and systems which far exceed what many small to medium companies can afford on their own.  In that respect security is better.  However if you measure security by other matrix such as access control, the security value may be weakened.  Long story short.  You must define what "secure" means and then compare your security to a cloud provider's security.  Only then will you know which road to follow.

The CISSP boot camp sponsored by the Des Moines chapter of the ISSA, Integrity and the Electronic Crime Institute at DMACC is returning to Iowa the week of May 7th - 11th.  ISSA members receive a $200 discount.  There are also discounts for early registration, government/education and companies who send multiple students.

The course isn't just for those who wish to study for the CISSP.  It's also great for anyone who has information security and risk management duties and wants to gain a deeper knowledge base in these disciplines.  This is a great opportunity to get information security training in Des Moines with no out of state travel.

Contact Cristin Faith for more details or to register.  This email address is being protected from spambots. You need JavaScript enabled to view it. 515-965-3756



As an executive you expect your security team to provide recommendations for how to reduce the risks associated with use of technology in your business.  The question is, have you given them enough information to succeed?

One client told me the only benchmark their security team has from the top brass is "Keep us out of the news."  Anyone else see a problem with this statement?  I personally wouldn't mind seeing Integrity featured on local and national news every night, as long as it's good news.

Read more: More on the Executive's Role in Security and Risk Management

Are you a business executive that needs to hear about information security and risk management without the spin?  I may be your new best friend.  I've been in executive leadership positions in technology, information security and business and I have some information you need to hear.

Too often business leaders are asking their security leaders to make decisions for them because they don't feel they have a good grasp on the issue at hand.  Big mistake. 

Read more: The Role of Business Executives in IT Risk Management

Doing business comes down to one simple question.  How much money are you willing to lose in an attempt to make even more money?  In other words…how much risk can you stomach?  A good information security professional must understand this principle.  They must also be willing to exercise flexibility in their personal opinions and help business leaders understand risk.

An information security professional must understand their role in the organization.  If they understand it and operate within it, they can be a very useful resource.  If they don’t, they become a huge liability.  Security pros must understand that business decisions must be made by business leaders.  Our role is to help business leaders understand risk and learn how to mitigate it.  Their job is not to make the ultimate decision.  That’s the role of a business leader and one I’ll talk more about in another post.

Read more: The True Role of an Information Security Professional

Contact Information

Birmingham Office


Des Moines Office


Kansas City Office