Chief Information Security Officer

Andrew Jaquith is the Chief Information Security Officer for Scotiabank US. Andrew’s 25-year career as a CISO, CTO, executive, and cyber practitioner spans startups (with two successful exits), Fortune 100s, and global financial services firms. He founded Markerbench, a boutique consultancy specializing in cybersecurity. Through 2023, he served as the CISO of Covington & Burling LLP. He has served as a Managing Director in technology risk and cybersecurity for Goldman Sachs and JP Morgan Chase, respectively. He serves as a Board Advisor to SecurityScorecard, as an Advisor to Anetac, and as a member of the Technical Advisory Board of Panaseer. Andrew graduated from Yale University.

Prior to Scotiabank, Andrew was most recently the CISO of Covington & Burling LLP, a $1.5B AMLAW 50 firm with 14 offices in the US, EMEA, Asia Pacific and China. At Covington, Andrew was responsible for cyber and physical security globally. During his tenure, his focus areas included shrinking the firm’s external perimeter, implementing new security tools, expanding and upskilling the security team, de-risking Active Directory, shifting security services to the cloud, and speeding up the firm’s IT operating tempo to reduce risk.

Andrew’s prior experience includes serving as the CISO of QOMPLX, Inc, a cyber-security startup focused on critical enterprise infrastructure. He was the global Cyber Security Operational Risk Officer for JP Morgan Chase, and was a Managing Director for Technology Risk Measurement and Analytics at Goldman Sachs. Andy’s earlier roles include serving as Chief Technology Officer (CTO) of the managed security services provider SilverSky. He has held senior security analyst roles at Forrester Research and Yankee Group, and was a co-founder of @stake, a pioneering cyber-security consultancy. Andrew wrote the best-selling and definitive book on security metrics (“Security Metrics: Replacing Fear, Uncertainty and Doubt”), used by a generation of risk professionals to connect security to the corner office.

Andrew graduated from Yale University with a BA in Economics and Political Science. He lives with his family in New York.

This website does not reflect the opinions of my current or prior employers. All views expressed on this site are my own.

For technical details about how this website was made, see the Colophon.

A while ago I wrote a blog post called Escaping the Hamster Wheel of Pain decrying the lather-rinse-repeat cycle that the security industry seems to be fixated on.

We’ve had some interesting chatter on the securitymetrics mailing list today about sparklines: tiny, intense, word-size graphics. This is one of Edward Tufte’s latest confections. His formal definition is here.

At the risk of turning this into a link blog, here are two nifty articles that drifted across my field of view today: Google: Putting Crowd Wisdom to Work.

Like many other people, I’ve downloaded and read the semi-annual Symantec Threat Report. I’ve always been a fan of this publication, which provides a level of texture, richness and depth about malware and threat trends that isn’t easy to get anywhere else. Symantec understands they’ve got an exploitable asset—their DeepSight sensor network—and they’re flogging it for all it’s worth. Good on ’em.

There’s been plenty of ink spilled in the press (e.g., Computerworld, El Reg) about what the latest report means. Controversies and headlines abound: is Firefox really less secure than IE? Are Mac users living in a “false paradise” as the report claims? Are botnets running the universe?

All of these are important questions, and the report gives information on all of them. I recommend you read the report for yourself, and reach your own conclusions. That said, I find the report more interesting for what it doesn’t say. Reading between the lines is the best way to read the Symantec Threat Report.

Webroot has lately been producing a series of quarterly statistics on infection rates for four types of badness:

- Adware
- Trojan horses—botnet software falls into this category
- System monitors—includes key loggers
- Tracking cookies

Now, one could certainly raise objections about selection bias.