What Is the Information Security Risk Management Process of ISO 27005?

Businesses undergoing ISO certification are probably aware of the 27000 series and its focus on comprehensive cybersecurity. What many organizations don’t know, however, is that the series itself provides guidelines for risk managers to better implement Information Security Management Systems (the core process of ISO 27001) following best risk management practices.   

Re-Post: C-Suite Slipping on Information Security, Study Finds

The analysis in this article is consistent with my research to date and I thought it worth sharing. I would suggest, however, that the input from one of the largest audit firms creates a scenario that I refer to as the “Self-Licking Ice Cream Cone” and should be objectively consumed. It is quite ironic… Read More

Information Security By the Numbers

The Security Trifecta is a comprehensive and innovative approach to holistic security, risk, governance and privacy coverage for the enterprise. Because the methodology is universally applicable and ultimately sustainable, it has become the perfect model for any size organization regardless of business concentration. In fact, the more critical, the more regulated, the more sensitive the… Read More

Information Systems Security Association (ISSA) elections

The Information Systems Security Association (ISSA) elections for international leadership positions have now opened. I’m running for a Director position and I’m asking ISSA members to please vote for me. As a career security professional, ISSA Hall of Fame and Fellow recipient, I have received so much value from this not-for-profit, international organization of information security professionals… Read More

Survival Guidance! FedRAMP and FISMA Resource for Assessing the Security Controls in Federal Information Systems and Organizations

Survival Guidance! MichaelPeters.org and LazarusAlliance.com are making our auditor’s resource for assessing the security controls in federal information systems and organizations free. This is a resource based on the NIST 800-53A framework you may freely use to conduct your organization’s FedRAMP, HIPAA or best-practice-based security audits. Your results are private and the output… Read More

Download Premium Content: Governance Documentation and Information Technology Security Policies Demystified

For anyone who has purchased my book, Governance Documentation and Information Technology Security Policies Demystified, you now have full access to premium content that supports the book available for free download. To have access to this content, do the following:

Denmark’s Energy Equipment Scare and the Growing Crisis in Supply Chain Security

In May 2025, Danish officials were alerted to a chilling discovery: unexplained electronic components embedded in imported circuit boards destined for the country’s energy infrastructure. The equipment, reportedly intended for solar power or broader energy supply applications, raised immediate concerns from Green Power Denmark, a national industry group. While the intentions behind the components remain… Read More

Embracing Cloud Service Providers for Enhanced Security and Compliance in 2025

Cloud security and compliance have emerged as critical concerns amid the modern transformation to cloud infrastructure. Adopting Cloud Service Providers (CSPs) has become a strategic imperative rather than just an option for efficiency, and organizations aiming to fortify their security orientation and navigate the complex regulatory environment effectively need to understand how to evaluate their… Read More

Practical Implementation of NIST 800-172 Enhanced Security Requirements for CMMC Level 3

As the cyber threat landscape becomes increasingly dominated by state-sponsored actors and advanced persistent threats, the DoD has taken critical steps to evolve its cybersecurity requirements for defense contractors. For contractors handling Controlled Unclassified Information (CUI) and seeking to achieve CMMC Level 3, the NIST SP 800-172 Enhanced Security Requirements represent the most stringent technical… Read More

Signal, Messaging, and Compliance: A Deep Dive into Compliance with HIPAA, FedRAMP, and Broader Security

End-to-end encrypted messaging apps like Signal have gained widespread traction in the news (for better or worse). The app is widely praised for its robust encryption model, minimal data collection, and open-source transparency. Journalists, activists, and security-conscious executives have turned to Signal as a trusted tool for secure communication. But while Signal excels in privacy,… Read More

Security, Log Management, and CMMC

Effective log management is critical to CMMC. It ensures organizations can monitor, analyze, and respond appropriately to security incidents. Properly implemented, log management supports compliance, enhances security posture, and provides a foundation for forensic analysis.  Here, we’ll discuss some of the particulars of log management under CMMC, covering the technical aspects of log management within… Read More

GovRamp and Cloud Security

The transition to the cloud has been necessary for most government agencies, even as some might lag in adoption. However, this transition isn’t without its own set of issues, as it introduces a complex array of security challenges that must be addressed to protect sensitive government data and maintain public trust.  Recognizing these challenges, GovRamp… Read More

CMMC and Incident Response: Building a Compliant Security Plan

CMMC reshapes how defense contractors secure CUI. One of the most critical components of CMMC compliance is incident response (IR)—the ability to detect, respond to, and recover from cybersecurity incidents while meeting strict reporting and documentation requirements. Under the final CMMC rule, contractors at Level 2 and above must implement formalized IR policies, procedures, and… Read More

The Role of a Chief Information Officer (CIO) in CMMC Compliance

As organizations work toward CMMC compliance, the role of the Chief Information Officer becomes increasingly critical. A CIO ensures alignment with CMMC requirements and shapes an organization’s broader cybersecurity and IT governance strategies. This article explores the CMMC framework’s expectations for CIOs, responsibilities, and actionable steps to help organizations achieve and maintain compliance.  

The Quantum Security Revolution in 2025

For years, quantum computers have been seen as science fiction. But now, with researchers making rapid leaps in practical design and implementation, publications like Gartner predict that this new technology may render traditional cryptography ineffective by 2029.  This article delves into how quantum computing is shaping the future, focusing on its implications for compliance and… Read More

Encryption Strategies for Controlled Unclassified Information (CUI) in Hybrid Cloud Systems

Adopting hybrid cloud systems—blending private on-premises infrastructure with public cloud services—has surged as organizations seek scalability, cost-efficiency, and flexibility. However, securing Controlled Unclassified Information (CUI) in these environments remains a critical challenge. These systems will use encryption to protect this data… but hybrid clouds introduce unique complexities due to data mobility, shared responsibility models, and… Read More

Navigating BYOD Workplaces and Federal Security Requirements: Challenges and Solutions

We’re well into the era of “hybrid,” where many tech and office jobs are managed from the comfort of our employees’ homes alongside elective trips to the office. This approach to work is often much more convenient and flexible than on-site work (when possible), but it introduces its own set of challenges, specifically around security. Hybrid… Read More

Security by Design: Building Resilient Systems for a Secure Future

The concept of “security by design” embodies this philosophy, emphasizing that security measures must be integrated into every stage of system development and operations. From cloud environments to software development, network configurations, and beyond, the goal is to preempt vulnerabilities rather than react to breaches. This article explores security by design, why it matters, and… Read More

The Imperative of Cybersecurity Training and Continuing Education for Enterprises in 2025

The increasing sophistication of cyber threats and strict (and complex) regulatory requirements create a professional environment where every player on your team has to know what they can and cannot do. In this regard, training and continuing education are non-negotiable.   This article discusses the critical importance of such training, the evolving threat landscape, and best… Read More

The Intersection of Endpoint Security and CMMC

Endpoint security has become a critical focus in the cybersecurity strategies of organizations that handle CUI as part of the Defense Industrial Base. CMMC, a DoD-mandated framework, emphasizes robust endpoint protection as integral to meeting compliance and securing national security information. This article delves into the importance of endpoint security under CMMC, the specific control… Read More