What Topics Will You Be Covering at Forrester?

I am very excited to be covering vulnerability risk management (VRM) at Forrester, including threat modeling and management and penetration testing. Some of the areas in VRM that I hope to explore include:

  • Vulnerability risk prioritization, especially with new “zero days” hitting at what seems like every Friday at 4 p.m., to help Forrester clients better understand vulnerability risks and how to respond appropriately.
  • The automation of vulnerability detection and remediation into the software development lifecycle, DevOps, and cloud operations.
  • When and how to conduct a penetration test and what to do with your findings.
  • Vulnerabilities in emerging technologies such as IoT devices and vehicles and how those vulnerabilities could impact human safety.

Tell Us About Yourself!

I’m a typical New Englander: I like summer trips to the Cape, camping in New Hampshire, seafood and lobster, and, of course, I attended UMass Amherst. After college, I spent 10-plus years managing banking operations and financial technology teams before landing in information security risk. My experiences implementing multi-factor authentication for consumers and commercial customers and conducting security awareness campaigns translated well to building security programs in various security and risk realms. In my last role, I implemented products and programs to improve risk postures surrounding cloud migrations, brand reputation, security training, disaster recovery and business continuity planning, incident response, vulnerability management, third-party risk, regulatory environments, and threat assessments.

When I’m not working or spending time with my wife and three kids, I enjoy golfing, skiing, attending concerts, or playing guitar.

What Are The Key Issues In Vulnerability Risk Management Right Now?

We continue to see historic increases in CVEs, whose remediation has substantial impacts on IT and development operations. Forrester data shows that software vulnerability exploits were the leading cause of external attacks in 2021. Adding to the complexity is the diversity of vulnerabilities: in addition to the traditional “patch Tuesday” types, as more companies do more in-house development, other vulnerabilities are emerging in the open source packages utilized by your dev teams. Emerging and cloud technologies are shaping new types of vulnerabilities, new means to detect them, and changes to patching operations. Prioritizing which vulnerabilities to remediate, and when, has no one-size-fits-all answer, and it is something I hope to investigate through my research.

Lastly, organizations are constantly juggling priorities of speedy releases versus security requirements, which creates internal tensions. This is where external code review products like Codementor, PullRequest, which HackerOne recently acquired, or Toptal may help organizations reduce conflict between those two priorities.