Archive for the ‘Uncategorized’ Category

Every Business Should Join a Peer Group for Cybersecurity

Earlier this year I shared my thoughts with you about the new program for small and mid-sized enterprises from the cybersecurity association, making cybersecurity expertise available to everyone.

Now, I’d like to invite you to join an online Cybersecurity Community of Excellence.

Unlike the ISACs, which focus on sharing vulnerability data with members and require their members to have technical security professionals on staff, the ComEx groups actively improve each process related to the rest of the NIST Cybersecurity Framework, SANS Top 20, ISO and FFIEC requirements. In short, every business, even those without mature security programs and geeky cybersecurity experts, can now benefit from peer groups.

These online peer group training programs help you and your team build an effective, even award-winning, information security program steadily and at very low cost, in place of expensive consultants and disruptive conferences and training events.

  • Comply with federal regulations and industry standards
  • Benchmark cybersecurity with your peers
  • Show measurable improvement quickly
  • Ease compliance audits
  • Qualify for an ISSA Cybersecurity Quality Award

It is inexpensive and easy to join a Cybersecurity Community of Excellence. All companies in the peer group improve cybersecurity together, learn from one another, and never lose what they’ve learned because it is all preserved in a continually growing and improving knowledge-base.

Cybersecurity excellence is within reach of every company.

Download the Member Guide to see how easily regional banks, hospitals, law firms, and every other type of business of any size may join.

Join a Cybersecurity Community of Excellence today and let’s improve cybersecurity together!

Categories: Uncategorized

Steve Hunt’s Free eBook for Security Managers


When I asked many of you, my peers in IT, if it would be helpful to have a playbook for security management like those used by the best quarterbacks or midfielders or point guards (pick your sport!), many of you said yes right away, but then asked what it would look like.

“You mean like the SANS Top 20?” one might ask.

“You mean like OWASP?” another would say.

As downright useful as both of those sets of recommendations are, that’s not what I meant. I’m thinking more along the lines of a guide for security executives, security directors. A management guide.

“Oh, you mean like Peter Drucker’s The Practice of Management, or Stephen Covey’s 7 Habits of Highly Effective People.”

That’s warmer. Both of those books help to build necessary management skills. It was then that I realized that there really isn’t a business handbook for security managers.

Therefore, I’ve started to put one together based on the interdisciplinary security management course that I’ve taught for some years at DePaul University. I call it The Security Manager’s Playbook: A Leader’s Guide to Optimizing Cyber Security for any Business.

Click here to download an abridged version for free.


“Yes, Commissioner. We’ll get right on it.”


Recently I was asked to describe the services of Hunt Business Intelligence. I said, “It’s like picking up the bat phone and getting expert help for any security question or challenge.”

That’s a good image, and one our customers still use to describe us to their peers. However, a more formal way of describing it is like this:

Since 2005, Hunt Business Intelligence has been helping leaders to optimize security. We serve the entire ecosystem of security—end users, vendors, and investors.

  • Enterprise Leaders, such as CIOs, COOs and heads of security (CISO, CSO) at large and mid-sized enterprises
  • Product Managers
  • Venture Investors

In short, you have Steve Hunt and his team of seasoned security experts available for you to address any challenge by phone or email or in person.

  • Need outside experts to assess your security program and provide you with a formal analysis? Our Security Success Score™ measures your company’s Security Maturity.
  • Got a big meeting or product release coming up? Let Steve Hunt and his Hunt Business Intelligence team ensure that you are fully prepared.
  • Wrestling with a tedious security problem? We have practical, actionable advice.
  • Dealing with office politics? Our advisers have seen it all before and will help you shine as a leader.
  • Want a one-day workshop to accelerate your security program? Our consultants are dynamic facilitators and will leave your entire team feeling enriched and empowered.

Advisory phone and email packages begin at just $1995. Visit our website or simply drop us a note to get started.

Join this list of satisfied customers. Contact us today and get a free eBook, The Security Manager’s Playbook: A Leader’s Guide to Optimizing Cyber Security for any Business.



Six Sad Security Management Flaws You Can Fix Today

Are you one of the lucky few NOT suffering from these six costly management problems?

To learn my Four Steps to Security Maturity, and to find out your organization’s Security Success Score™, click here.

During seventeen years at Hunt Business Intelligence and Forrester Research I’ve had the privilege of researching trends and best practices across the security industry. In-depth interviews with over 450 CIOs and security leaders show that the greatest weaknesses in security programs are not technological, nor are they skill- or personnel-related. The greatest shortcomings, affecting more than 9 out of 10 security programs, have to do simply with management, or what I like to call Security Maturity.

Here is where the success of security leaders consistently breaks down:



Free Tool for Improving Cyber Maturity


This week, the ISSA announced a free online tool available to all cyber security professionals. It is being offered as part of its partnership with the Alliance for Performance Excellence, which promotes Baldrige-based quality and performance frameworks. You may know Baldrige as the framework behind TQM, Six Sigma and other improvement systems.

I think this is a powerful tool and a great opportunity for all of us in technology and business to start building quality into our security programs, and to resist the temptation to be in a perpetual state of fire-fighting.

Andrea Hoy, President of ISSA, characterized the partnership this way in the ISSA press release:

The Alliance for Performance Excellence will help our members with principles and tools that can be used to build and test more resilient mature security operations. For over 30 years, Baldrige has been well recognized as the standard to reach in business for performance excellence, and I am honored that the Alliance for Performance Excellence has selected us as a partner.

The Alliance for Performance Excellence is supporting ISSA members–and the entire industry–by providing a free Baldrige-based self-assessment tool through its partner, ManageHub. This self-assessment, named the Security Success Score™, allows anyone to assess the performance of security operations in light of NIST-based and Baldrige-based frameworks. The Security Success Score™ is suitable for any sized organization, with special emphasis on small and mid-sized organizations.

Click here to take the Free self-assessment

Read the full Press Release here


The NIST CyberSecurity Framework has Never Been So Easy to Follow

Are you finally ready to improve the maturity of your organization’s CyberSecurity program but not sure where to start? The NIST CyberSecurity Framework is an excellent path to success, but it will seem daunting at first.

My customers and my fellow ISSA members with the most mature security operations follow the NIST framework, and many more are jumping on board every day.

After all, CyberSecurity only succeeds when combined with CyberMaturity. What’s CyberMaturity? It refers to running security like a well-run business. Applying business best-practices yields true resilience and cost effectiveness in a security program. Unfortunately, measuring actual progress with a standardized maturity scoring has been impossible.

Until now.

Now, the folks behind NIST’s world famous performance excellence program have partnered with the ISSA and ManageHub to provide a free assessment of your organization’s CyberMaturity. Get your completely free and anonymous Security Success Score here.

When you are ready to accelerate your progress, then use this new service: CyberMaturity-as-a-Service.

Simply sign up, then log in to the online workspaces. Begin following the preloaded processes of the NIST Cybersecurity Framework and watch your security operations begin measurably improving right away.

You’ll be assigned a personal online coach for a small monthly fee who will periodically check your work and give you guidance along the way.

Now, small and mid-sized organizations can have the same (or better) maturity as the large, rich enterprises. It’s easy, and you do not need expensive consultants or technology.

Start today! Send me a LinkedIn note to learn more, or visit


Famed security adviser, Steve Hunt explains, “Why I Hate Security.”

November 16, 2015

These criticisms of cybersecurity and risk management are nothing new. You’ve heard them all before, or muttered them under your breath. If you are a business executive, you’ve shaken your head when you’ve seen it. And if you are a security professional, you’re guilty of more than one.

  • “I hate security.”
  • Much of what passes as security is no more than window dressing, or, as Bruce Schneier has called it, Security Theater, with its posturing, phony controls and security guard bravado.
  • Not a week goes by that a CIO or other executive hears a pitch from a security vendor, whose eyes are bugged out as their words ooze fear, uncertainty and doubt.
  • Security directors, including some of the most esteemed CISOs, can be seen from time to time running the halls, arms flailing overhead, screeching “The sky is falling! The sky is falling!”
  • Risk management experts talk for hours about the “fuzzy logic” of measuring impact and likelihood, using game theory, and generally talking until the audience goes numb.
  • And when the big one happens, when the big data breach hits, as it inevitably does, security pros and business executives alike point fingers at budgets, and internal politics, and vendor missteps for blame.

So I am here to give you the straight dope. To address all of these complaints once and for all. To put the discussion to rest so we can all move on.

Security is all those things.
Security IS often mere theatrics.
Vendors DO commonly sell FUD in place of value.
Risk management experts DO often employ pseudo science “to definitively calculate” intangible and unknown risks.
CISOs DO sound like Chicken Little when they predict the things we simply aren’t prepared for and need more budget for.
And security pros DO like to find a scapegoat.

All of these things are true, and security deserves its criticism.

I personally, however, look at it differently. Security is something special to me. For example, when I see a CISO work his or her way out of a messy data breach by responding quickly, limiting impact, and recovering smoothly–it gives me a very satisfied feeling.

Moreover, when I think of my own career as a security professional, I think of the truly costly and damaging attacks that we’ve avoided by working hard to improve continuously.

In the early 1990s I worked at a financial institution in Chicago. We got hacked–before we even had the word “hacked.” The bulletin board server was fine yesterday, but today it isn’t, and the audit log is gone. As we scratched our heads an ol’ timer leaned over us and said, “Looks like you got a security problem with your computer.”

I was stunned. I had never considered security and computers in the same thought before. My father was a locksmith, and I had worked my way through college and grad school at the University of Chicago with my own locksmith company and building PC clones on the side. So when I heard those words, a light bulb went on. I thought to myself, I know security, and I know computers. Right then I began retooling for a career in computer and network security. Right place. Right time.

So security gave me an entree into the world of the fledgling Internet, and into the world of creating value for the business in ways I never could have imagined before that fateful day seated cross-legged on the floor, under a desk, staring blankly at the back of a bulletin board server.

Security also did much more than that. It solved real problems. From the script-kiddies of the ’90s to the state sponsored hacking of the 2000s, security gave hundreds of professionals an opportunity to fight in very foreign territory–guerrilla IT warfare. We created a new way of operating the Internet, and we opened doors permitting businesses to create value and revenue in new ways. For example, the security community put its collective head together limiting loss sufficiently to make online commerce (once called e-commerce) a reality.

Converged approaches to physical and cyber security for the decade beginning 2001 created an amazing new world of inter-networked security cameras, intrusion detection, gates, fences, locks, employee ID badges, laptops, personal devices, and home automation controls. Everything was suddenly networkable because the basic questions of authentication and authorization (who are you? and, what are you supposed to do?) were answered by security professionals.

Today, we are coming up with clever ways to extend the work we did previously and apply it to the Internet of Things. Soon, we will see alternatives to keys and locks being used widely in the secure networking of any and every common device at home or sensor on a locomotive. Homes will operate more efficiently and businesses will make countless billions in new revenue because of IoT. This is possible because the security industry truly is doing its best.

Does security have its foibles? Is it security theater laced with FUD, bad logic and blame? Yes. But does it create value that outweighs its sometime silliness? Yes it certainly does. For me personally, it has provided me many benefits and opportunities, making me a better philosopher of technology, a better technologist in general, a better citizen of the world, a better provider for my family.

So the next time you sit through another ridiculous vendor pitch about all the bad things that will happen if you don’t buy their product, use your phone to securely transfer funds at your bank, or buy a gift for your kid on Amazon, or plan the next product launch with confidence that the security pros have your back.