Before joining the SEI, Christopher was a scientist at Carnegie Mellon Research Institute, where he developed mobile robots for hazardous environments. He also worked at AT&T Bell Laboratories, where he designed information systems to support AT&T's advanced manufacturing processes.
How did you get interested in computer security?
My background is in risk management. Before becoming involved in computer security, I developed techniques for assessing risk on software development projects. Moving to information security risk was a natural progression.
What operating system(s) do you use and why?
The organizations with which we work use a variety of operating systems, so we need to have some familiarity with many operating systems.
How long did it take you to write "Managing Information Security Risks: The OCTAVE Approach" and what was it like? Any major difficulties?
It took us about a year to write the book from concept to completed manuscript. Writing a book requires a significant time commitment. We had a lot of material with which to work. However, it took us a while to sort through all of the information and set a workable scope for the book. In the end, writing the book was a very rewarding experience for me.
The biggest difficulty in writing the book was making a fairly dry subject as readable as possible.
If you could start working on the book all over again, would you make any changes?
We went through much iteration before settling on the format of the book. I don't think that we would make any major changes. However, each time I read it, I find minor revisions I would like to make.
What are your favourite security tools?
When people hear the phrase "security tool," they often think of a tangible product. If you view security tools in that sense, there are many useful products available today. One problem is that not enough people are knowledgeable in the use of those tools.
I like to broaden the definition of "security tool" to include any means that helps to improve security. Security-related education and training is number one on my list. This includes general security awareness training for staff and managers as well as specific technology-related training for administrators.
In your opinion what are the most important things an administrator has to do in order to keep a network secure?
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.