Zen Garden of InfoSec

Information security and governance explained in plain language for IT personnel, business executives, and boards of directors.

About This Blog


Why start yet another blog? Why start yet another information security blog?

Because I haven’t come across any information security blogs that satisfy the needs of the layperson. They’re all highly technical discussions, catering to “infosec” experts with deep technical backgrounds. And if you don’t have that background, you miss the basic points being made.

So my mission is this: To reach out to the laypersons and teach them what they need to know to navigate the world of information security and IT risk.

This blog is about bridging the gap between “us” and “them”. It is about teaching people how to think about information security and IT risk.


I’m going to cover real-world infosec topics, and explain them in plain language so that anyone who wants to understand, will be able to. I word it that way for a reason: I go into banks and other organizations, and as soon as the topic of IT or infosec is raised, they throw their hands up. “I don’t understand that technical stuff. I don’t have the background. I’m just a manager/CFO/CEO. I can’t understand it like you can.”

Infosec is not all about deep technical knowledge. At its core, information security and IT risk management is good governance. Hire nerds like me for the details, but manage infosec yourself.


I expect my audience to be many different types of people, but the writing is going to be focused on the following:

  • Business executives and boards of directors
  • Non-technical managers of information security
  • New infosec managers with a technical background
  • Techies who are new to the field of information security.

To help the layperson, I plan to use HTML definition and abbreviation tags for words that have specific infosec meanings, like vulnerability, and cross-link to longer, in-depth definitions. I will cite authoritative sources when necessary and appropriate. But this content is intended to be understood. Let me know in the comments if there’s something you don’t understand and I will explain.


I will not intentionally plagiarize; I will attribute my sources as well as I can. However, sometimes good ideas spontaneously pop up around the same time, and I have occasionally come up with the same ideas as others. Let me know, and I will cross-link right away.

This is informal writing. I tend to write in a conversational style, but that can stray into lecture at times. As such, I overuse ellipsis, dashes, and commas. Especially commas. This is not indicative of my voice or style when writing formally.

Comment Policy

I welcome differing opinions, but not to the detriment or disturbance of myself, the community, or its individual members. This is all about spreading information security knowledge. It would be against my values to prevent comments. Unfortunately, there will inevitably be a few individuals who, from time to time, feel bad about themselves and find it easier to make others feel bad rather than to fix their own issues. It's human nature and a very common (though unacceptable) defense mechanism. The trick for me and others is to not take it personally. But when I see behavior that threatens me or other commenters, I will delete comments. If an individual's disruptive behavior persists, then I may block that user from participating.

Keep it real. I ask that you be respectful in your postings. Please don’t post comments that are:

  • Abusive, defamatory, or obscene
  • Fraudulent, deceptive, or misleading
  • In violation of a law, regulation, contract, or another person’s intellectual property rights.


This is an information security blog. Inevitably, the discussion will turn to less savory websites. I may link to websites containing harmful or inappropriate content. You may do so as well in the comments. But only if you provide ample warning before and after the link, such as [MALWARE] or [NSFW].


The CliffsNotes version of who I am is this: I am a computer nerd who got into information security and IT risk management in 2005, and I've been in love with the field ever since. Almost all of that time has been spent dealing with infosec and risk in regulated industries, especially financial institutions. I have worked for an ethical hacking/security consulting firm and for a federal financial institution regulator.

I am not the world's greatest hacker; be wary of anyone who claims they are. I do not have all the answers; be wary of anyone who claims they do. What I am great at is explaining things and starting useful conversations. So here's my attempt to do that on a larger scale…