Over the Christmas holidays, I read an advance copy of Gene Kim’s first novel, “The Phoenix Project.” Gene’s co-authors were Kevin Behr and George Spafford. It was a better read than I was expecting.
Chief Information Security Officer
Andrew Jaquith is the Chief Information Security Officer for Scotiabank US. Andrew’s 25-year career as a CISO, CTO, executive, and cyber practitioner spans startups (with two successful exits), Fortune 100s, and global financial services firms. He founded Markerbench, a boutique consultancy specializing in cybersecurity. Through 2023, he served as the CISO of Covington & Burling LLP. He has served as a Managing Director in technology risk and cybersecurity for Goldman Sachs and JP Morgan Chase, respectively. He serves as a Board Advisor to SecurityScorecard, as an Advisor to Anetac, and as a member of the Technical Advisory Board of Panaseer. Andrew graduated from Yale University.
Prior to Scotiabank, Andrew was most recently the CISO of Covington & Burling LLP, a $1.5B AMLAW 50 firm with 14 offices in the US, EMEA, Asia Pacific and China. At Covington, Andrew was responsible for cyber and physical security globally. During his tenure, his focus areas included shrinking the firm’s external perimeter, implementing new security tools, expanding and upskilling the security team, de-risking Active Directory, shifting security services to the cloud, and speeding up the firm’s IT operating tempo to reduce risk.
Andrew’s prior experience includes serving as the CISO of QOMPLX, Inc, a cyber-security startup focused on critical enterprise infrastructure. He was the global Cyber Security Operational Risk Officer for JP Morgan Chase, and was a Managing Director for Technology Risk Measurement and Analytics at Goldman Sachs. Andy’s earlier roles include as Chief Technology Officer (CTO) of the managed security services provider SilverSky. He has held senior security analyst roles at Forrester Research and Yankee Group, and was a co-founder of @stake, a pioneering cyber-security consultancy. Andrew wrote the best-selling and definitive book on security metrics (“Security Metrics: Replacing Fear, Uncertainty and Doubt”), used by a generation of risk professionals to connect security to the corner office.
Andrew graduated from Yale University with a BA in Economics and Political Science. He lives with his family in New York.
This website does not reflect the opinions of my current or prior employers. All views expressed on this site are my own.
For technical details about how this website was made, see the Colophon.
A few weeks ago I put together my annual Predictions blog post for the coming year. In that post and accompanying webinar, I suggested five emerging risk areas that CISOs need to pay attention to in the coming year.
Before the holidays I ran a quick, three-question, survey of the securitymetrics.org mailing list membership about the number of passwords people use. Here are the results, drawn from 51 responses (not bad, considering the list membership is about 400 people). I’d promised the respondents that I’d share the results… so here they are.
I’ve noticed that sometimes it takes two or three “pings” for an idea to seep into my consciousness. I just got my second “ping” on a potentially Big Idea: site-specific browsers (SSBs).
If you are involved in your firm’s desktop security strategies (Windows in particular), you should read this:
Characterizing the IRC-based Botnet Phenomenon
This is a fact-filled but eminently readable paper about 3,290 IRC-based botnet command and control networks in China from June 2006 to June 2007. In addition to doing the normal things you’d expect to see in a botnet analysis, the researchers analyzed the extent of malware samples circulated within the botnets. They also attempted to determine the effectiveness of nine anti-virus engines in detecting the samples in circulation.
If you don’t want to read the whole thing, I’ve put together the Cliff’s Notes, at least from the perspective of a data junkie like me. Here are some of the more interesting metrics from the report. Some of these are from the report itself, and I’ve derived others. Editorial comments are in italics.
Dan’s a friend of mine, and we are both data junkies. Right about the same time I put the capper on a research report on malware trends (coming soon to Yankee Group subscribers), Dan releases this tour de force, a masterful synthesis of a lot of other people’s data.