Posts by kevinbeaver

2 min Security Strategy

Just a little more may be all you need for great security

The following is a guest post from Kevin Beaver. See all of Kevin’s guest writing here [/author/kevinbeaver]. Thomas Edison once said that many of life's failures are experienced by people who did not realize how close they were to success when they gave up. Thinking about this in the context of security, the success that you're looking for could just be a day's worth of work away. Or, maybe just a few weeks’ worth. But how do you know? Will you be able to figure that out without falling into t

3 min Compliance

HIPAA Security Compliance Fallacies (And How To Avoid Them)

Health Insurance Portability and Accountability Act (HIPAA) compliance hasn’t been what I thought it was going to be. When I first started out as an independent security consultant, I was giddy over the business opportunities that I just knew HIPAA compliance was going to bring. Around that time, I learned something from sales expert, Jeffrey Gitomer, that has had a profound impact on my career. He said that if you work for yourself and are in sales, which I am, that you must write and speak if

3 min SecOps

Stop aiming for security perfection—just do what's right

Guest author Kevin Beaver discusses 'relentless incrementalism' in building out and improving security programs.

2 min Security Strategy

Filling big gaps in security programs

Guest author Kevin Beaver talks about helping organizations bridge policy-practice gaps in their security programs.

3 min

Why you have to move beyond "We have a policy for that"

I've never been a big fan of – or have believed in the value of – security policies. Sure, they're necessary for setting expectations and auditors want to see them. They can also serve as a sort of insurance policy to fall back on when an unexpected security “event” occurs. But, at the end of the day, security policies often contribute minimal value to the overall information security function. As I've seen time times before: many organizations have great paperwork but their security program sti

2 min User Behavior Analytics

Want to bolster your security program? Keep users from making decisions.

How many times have you witnessed security problems caused by a user making bad decisions? I'd venture to guess at least a few dozen if not hundreds. We've all seen where the perfect storm forms through weaknesses in technical controls, user training, and – most often – common sense and the outcome is not good. Best case it's ransomware or a similar malware infection. Beyond that, the sky is the limit. Before your organization suffers a breach and is having to answer to the news media and lawyer

2 min Endpoint Security

Addressing the issue of misguided security spending

It's the $64,000 question in security – both figuratively and literally: where do you spend your money? Some people vote, at least initially, for risk assessment. Some for technology acquisition. Others for ongoing operations. Smart security leaders will cover all the above and more. It's interesting though – according to a recent study titled the 2017 Thales Data Threat Report [

4 min Rapid7 Perspective

Why Security Assessments are Often not a True Reflection of Reality

Inmates running the asylum. The fox guarding the henhouse. You've no doubt heard these terms before. They're clever phrases that highlight how the wrong people are often in charge of things. It's convenient to think that the wrong people are running the show elsewhere but have you taken the time to reflect inward and determine how this very dilemma might be affecting your organization? I see this happening all the time in terms of security assessments. In organizations both large and small, I se

2 min Vulnerability Disclosure

A very predictable vulnerability on most networks – are you looking for it?

I've always believed that information security doesn't have to be that difficult. It's really not when you focus on the essentials. The problem is, many people continue to ignore the basics []. In search of something bigger, better, and sexier, they look past the small number of flaws that are creating the majority of the business risks. The mindset is “Surely we have to spend tens of thousands of dollars on the latest products

3 min Security Strategy

What's the root cause of your security challenges?

This is a guest post from our frequent contributor Kevin Beaver []. You can read all of his previous guest posts here [/author/kevinbeaver/]. My favorite lyricist, Neil Peart of Rush, once wrote “Why does it happen? Because it happens.” Some deep lyrics on life that many people, unfortunately, apply to their information security programs. These people go through their days, months, and years, letting things “happen”. It could be a user unhappy about the security h

2 min Security Strategy

The One Aspect of Selling Security That You Don't Want to Miss

This is a guest post from our frequent contributor Kevin Beaver [/author/kevinbeaver/]. You can read all of his previous guest posts here [/author/kevinbeaver/]. When it comes to being successful in security, you must master the ability to “sell” what you're doing. You must sell new security initiatives to executive management. You must sell security policies and controls to users. You even have to sell your customers and business partners on what you're doing to minimize information risks. Thi

2 min

SMB Security is so Simple - Take Advantage of it Now.

This is a guest post from our frequent contributor Kevin Beaver [/author/kevinbeaver/]. You can read all of his previous guest posts here [/author/kevinbeaver/]. Small and medium-sized businesses (SMBs) have it made in terms of security. No, I'm not referring to the threats, vulnerabilities, and business risks. Those are the same regardless of the size of the organization. Instead, I'm talking about how relatively easy it is to establish and build out core information security functions and o

2 min Authentication

Passwords and the Devolution of Computer Users

This is a guest post from our frequent contributor Kevin Beaver [/author/kevinbeaver]. You can read all of his previous guest posts here [/author/kevinbeaver]. Recently, I wrote about my thoughts on why we feel like we have to force short-term password changes in the name of “security.” [/2016/04/28/why-do-we-keep-forcing-short-term-password-changes] Since that time, Microsoft made an announcement to step in and help set its users (and itself) up for success [

2 min Authentication

Why do we keep forcing short-term password changes?

This is a guest post from our frequent contributor Kevin Beaver [/author/kevinbeaver/]. You can read all of his previous guest posts here [/author/kevinbeaver/]. I'm often asked by friends and colleagues: Why do I have to change my password every 30 or 60 days? My response is always the same: Odds are good that it's because that's the way that it's always been done. Or, these people might have a super strict IT manager who likes to show - on paper - that his or her environment is "locked down."

2 min Security Strategy

Never Underestimate the Power of Relationships in IT & InfoSec

This is a guest post from our frequent contributor Kevin Beaver [/author/kevinbeaver]. You can read all of his previous guest posts here [/author/kevinbeaver]. 2016 marks the 15th year that I have been working for myself as an independent information security consultant. People who are interested in working for themselves often ask for my thoughts on what it takes to go out - and stay out - on your own. Early on, I thought it was about business cards and marketing slicks. In fact, I spent so mu