Skip to main content

Recent thoughts and media appearances

  • Finding your secret strengths

    To grow your skills, you must know your skills. Problem is, that’s harder than it sounds, if only because we rarely carve time out of our hectic lives to do so. Might as well use these next few minutes to do so, and this post will give give a technique to help you along. We cannot think about our skills in a vacuum. It’s a well researched fact that humans are horrible at assessing their own skills. We often inflate skills we do not have. We downplay skills we do have. Simply put, we lie to ourselves about the strength of our skills. We need inner honesty. We need outside voices. We need feedback… in order to examine these skills we have and those we don’t.

    Read more

  • Privacy Sigma Riders!

    A few months ago, I had the honor and pleasure to sit down with one of the most awesome people in Privacy, Michelle Dennedy, Chief Privacy Officer at Cisco, and record one of her Privacy Sigma Riders podcasts. We were in Austin. We were pumped to finally get together. We were heavily caffeinated. And we didn’t actually record anything… save for the last 25 secs of what was a 45 minute conversation. Fail… fail… fail!

    Read more

  • Why self-sovereign identity will get adopted (and it's not the reason you probably want)

    (Thanks to Kim Cameron for prompting me to write this down. Special thanks to Chuck Mortimore for his insight and probing questions and who helped me improve this.) In the identity industry, there’s been a lot hype these days around self-sovereign identity. The latest permutation in the quest for user-centric identity, self-sovereign revisits the laudable goal of enabling people to be in better control of how information about them passes to enterprises and organizations (but now with added blockchain.) To be clear, increased individual control is an important goal and one that incredibly sharp people have been working on for 15+ years, going back to InfoCard and Higgins. Before I discuss why self-sovereign has a real chance at widespread adoption, it’s important to understand why identity technologies and approaches get adopted in the first place. At least, three things are required:

    Read more

  • A Maturity Model for De-Weaponizing Identity Systems - Part 3

    In Part 1 of this series, I discussed the types of attackers who can weaponize your identity systems, use them to cause harm. In Part 2, I introduced the design goals of the Maturity Model as well as the disciplines needed to implement the Maturity Model. In this post, I’ll discuss each of the 5 levels of the Maturity Model and controls you should put in place to achieve those levels.

    Level 1 - Managed

    This level is table stakes. It optimizes your organization’s existing security controls for identity systems. I believe it helps make compliance with things like GDPR easier but it is in no way a “cure all” for regulatory burdens. To achieve Level 1, you’ll need a combination of access control, data protection, and audit:

    Read more

  • A Maturity Model for De-Weaponizing Identity Systems - Part 2

    In the first part of this series, I discussed different kinds of attackers and why they attack our identity systems. I also discussed how they can weaponize our identity systems, turning what is meant to deliver services and do good into something that can be used to cause harm. In this part I’ll talk about the goals of the model, the disciplines needed to do this work, and the levels of maturity.

    Read more