
Getting to be a busy fall/winter schedule. If you’re interested in catching up with me, learning, or just discussing security, check me out at one of these venues:

  • Sept 14 | Washington DC | EnergySec Summit
    • Giving workshop on Frameworks and the Discipline of Cybersecurity
  • Sept 28-29 | Krakow, Poland | CYBERSEC EU
    • Panelist in the State Stream
  • Oct 8-9 | Detroit, MI | SIRAcon
    • Speaking on risk: “Yours, Anecdotally”
  • Jan | Florida
    • To Be Announced

Can't make these? Interested in having my somewhat unusual viewpoints represented at your security, industry, coffee, hiking, or other event? Let me know so I can get it on the calendar! :)


Well. Long overdue, but here nonetheless, is the next draft of my NIST Cybersecurity Framework “B-Sides” (Alternate). It's just a draft, but it builds on the last one I posted and is designed to provide a much more comprehensive and much more effectively structured beginning to a framework than the one industry created with NIST, DHS, and the White House. It's also substantially broader and, I think, more effective than some of the other alternatives that have come from industry. It's not “complete”, but I believe the structure is the key to a successful framework and I think I'm close to nailing it here. Check out the image at the end of this post. You may also want to pre-read THIS:

The framework consists of five components that provide the “Model” elements that go into cybersecurity management at an organizational level:

  1. Business Consequence Framing
  2. External Threat Framing
  3. Business Vulnerability Introduction Assessment
  4. Business Quality Management
  5. Cyber Vector Control

Each of these components is co-dependent on the others in assuring that cybersecurity is effectively managed. They will each contain sub-elements that can be attached to specific practices (processes/controllers) and views. (Note: the components are not completely filled in with these sub-elements; they just contain quick rough guesses.)

Of the components, the “Business Vulnerability Introduction Assessment” is the most notable and, in combination with “Business Quality Management”, it represents one of the largest and most meaningful gaps in cybersecurity thinking today, including the #NISTCSF. The premise is that business decisions lead to security vulnerabilities, and that the frequency and type of decisions that introduce vulnerabilities can be identified, quantified, and managed through a quality assurance program. Further, doing so will reduce the business's exposure surface and allow its cyber security, risk management, and compliance programs to more effectively (with regard to both risk reduction and cost reduction) target areas for specific improvement in a rapidly evolving world.

The Processes (including roles and responsibilities within an organization) by which these model components are executed and the Views in which the associated information is stored and made available to appropriate stakeholders will represent two critical, but future layers to this framework.

Finally, almost all classic “cybersecurity best practices”, such as those in NIST SP 800-53, the SANS 20 Critical Security Controls, etc., are to be found in the “Security Program” sub-element under “Cyber Vector Control”. This relatively “small” position in the overall framework does not detract from the importance of those best practices (they are, after all, the sharp edge of the sword), but their placement should be a strong message about the amount and type of underlying support from the rest of the organization that is required to make those best practices sustainable, efficient, and effective.

If this seems simple, I'll grant that. There are YEARS of thought and experience going into distilling a complex topic into what is essentially just five boxes. But if that seems obvious or innocuous, I'll disagree. There are *many* layers of complexity supporting this model, why it's framed this way and not another, and (more importantly) still more layers of complexity that this model **will enable** through its simplicity. You can find the older draft HERE



1. SV said: “it puts risk management as a sub-component at the bleeding edge; it definitely does not belong there”. I responded with:

I would not categorize the bottom element as the bleeding edge. Instead, it is the edge that steers the ship and that gets things done. It loops back and informs the very top of the stack – the intersection of strategy and environment. Further, and this is a critical point for me, you can have risk management without the other elements happening, but it won't be very good risk management. Think of it like a sports team. You can get a bunch of people off the street, teach them the rules, and they'll play a game. But if you want them to win, they need to run laps. Practice with the ball. Play as a team effectively in practice. In other words, they need to have discipline and be conditioned. The other elements – Business Consequence Framing, External Threat Framing, Decision-Vulnerability Introduction Assessment, and Business Quality Management – are the fundamental elements that allow the organization to not only more effectively inform risk management, but also to more effectively take advantage of the benefits of risk management in a way that allows it to pivot toward and address prioritized threats. Again, how these place relative to each other in an organization is another “View” of the framework that is not complete or shown here.

Not really appropriate for this blog, but I'm pretty lazy about updating my art-only one: Paivi and I were juried into (along with many other talented local photographers) the DCist Exposed show this year and the opening is Saturday, March 6. Come see it, if you're in town and free. My selected photo was:

Official press release follows:

Washington, DC — DCist is pleased to announce its fourth annual DCist Exposed Photography Show, at Long View Gallery, running March 6 to 21, 2010. Out of over 1,000 individual entries submitted, 47 winning images were selected by a panel of judges to be included in this year's DCist Exposed exhibit. DCist prides itself on engaging and promoting emerging local photographers through its daily use of images from the popular, reader-generated DCist Flickr photo pool. Each day, DCist selects photos from the pool for use in its daily coverage of local news, arts and entertainment, food and sports.

This year's opening reception will be bigger and better than ever, to be held Saturday, March 6, 2010 from 6 to 10 p.m. At the bar, mixologist Scott Palmer from Dino will have a special punch, Leopold Brothers will host a liquor tasting, and Pabst Blue Ribbon will hold down the fort with plenty of beer. Nage will provide hors d'oeuvres, while DJs v:shal kanwar and Sequoia spin tunes. Reception is $5 per guest at the door.

Long View Gallery is located at 1234 9th St. NW, just a few blocks from the Mt. Vernon/Convention Center Metro. The 2009 DCist Exposed event welcomed over 1,000 people on opening night, and with this even larger venue, we expect our biggest crowd ever. All photographs selected and displayed at DCist Exposed will be for sale at prices well below traditional gallery shows. Regular gallery hours are Wednesday-Saturday, 11 a.m. to 6 p.m., and Sunday, 12 to 5 p.m.

The 2010 DCist Exposed Photography Show is sponsored by Ten Miles Square, Pink Line Project, and Pabst Blue Ribbon.

EDIT: I have some newer, better webcam audio visualizers and some utility patches available now. Click Here:

For all of you who have asked for this, I've made my Artomatic Quartz Composer based webcam audio visualizer available as a free download. (Keep in mind, this is only for Mac OS X users; Quartz Composer isn't portable.)

You can download it here:

(I'm calling it “WAVIQ” for short, “Webcam Audio Visualizer In Quartz”, since it needs some sort of a name and I don't feel that creative about it.)

A quick overview:

The composition has two inputs: the webcam and an audio source. If you have a built-in webcam, it will default to that. Likewise, if you have a built-in mic (most laptops do), the composition will default to using that as your audio source. You can change these by going into the patch inspector for the Video and Audio patches and selecting “Settings”. (In the case of the audio, double-click the macro patch “Audio Source” and then click on “Audio Input” to get there.)

The only other settings you'll be interested in are the Increasing Scale and Decreasing Scale parameters found in the Audio Input patch. These control how fast the values driving movement, color, etc. grow when the audio level rises and how fast they shrink when it falls, so they determine how the composition responds to different music. Also, keep in mind that in the audio settings of OS X itself you can change the mic sensitivity; that gain is applied before the composition ever sees the signal, so it affects the response as well.
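To make the effect of those two parameters concrete, here is an added example (my own illustration, not the WAVIQ composition or any Quartz Composer patch) of an envelope follower with separate rise and fall rates, plus an input-gain stage standing in for the OS mic sensitivity. The smoothing formula, the `follow_envelope`/`apply_input_gain` names and the sample signal are assumptions for illustration; the page does not state how the Audio Input patch computes its values.

```python
from typing import List, Sequence


def follow_envelope(levels: Sequence[float],
                    increasing_scale: float,
                    decreasing_scale: float,
                    start: float = 0.0) -> List[float]:
    """Smooth a stream of audio levels with separate rise and fall rates.

    Assumed model (hypothetical, not Quartz Composer's own patch logic):
    each step moves the running value toward the new level by a fraction
    of the remaining gap, using increasing_scale while the level is rising
    and decreasing_scale while it is falling.  A scale of 1.0 tracks the
    input exactly; smaller values lag behind it, which is what makes the
    visuals "stick" on a beat or die away slowly after it.
    """
    for name, scale in (("increasing_scale", increasing_scale),
                        ("decreasing_scale", decreasing_scale)):
        if not 0.0 <= scale <= 1.0:
            raise ValueError(f"{name} must be within [0, 1], got {scale}")

    out: List[float] = []
    current = start
    for level in levels:
        scale = increasing_scale if level > current else decreasing_scale
        current += (level - current) * scale
        out.append(current)
    return out


def apply_input_gain(levels: Sequence[float], gain: float) -> List[float]:
    """Model the OS-level mic sensitivity: scale the raw levels before any
    smoothing, clamping to [0, 1] like a normalized level meter would."""
    return [min(1.0, max(0.0, level * gain)) for level in levels]


# Constructed sample input (not captured audio): one sharp beat, then silence.
BEAT_THEN_SILENCE = [1.0, 0.0, 0.0, 0.0, 0.0]


def demo(increasing_scale: float = 1.0,
         decreasing_scale: float = 0.5,
         gain: float = 1.0) -> List[float]:
    """Run the constructed beat through gain and the follower."""
    return follow_envelope(apply_input_gain(BEAT_THEN_SILENCE, gain),
                           increasing_scale, decreasing_scale)


if __name__ == "__main__":
    print("fast attack, slow decay:", demo())            # long tail after the beat
    print("slow attack, fast decay:", demo(0.25, 1.0))   # beat barely registers
    print("half mic sensitivity:   ", demo(gain=0.5))    # same shape, half height
```

With a fast Increasing Scale and a slow Decreasing Scale the visuals jump on each beat and fade out gradually; reversing the two makes them sluggish to react and quick to drop, which is the difference you hear as "responds well to drums" versus "smears everything together". Lowering the mic sensitivity only scales the whole curve down; it does not change its shape.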

You can also find a basic tutorial to get you started on tweaking this in the links below.

That's it. Drop me a line with any questions and have fun with it. If you do end up using it, I'd love to hear about it.



I've spammed this particular link everywhere else I can think of, but still neglected to post it here on my blog.

Basically, I was approached a few months ago by a senior editor of Symantec's online magazine “Norton Today” because they were interested in doing a piece on Art and Security. I was approached because of my old work in security data visualization and the fact that I'd started to rework and hang the pieces in art shows like Artomatic and My Space on 7th.

Anyway, the interview went really well (in addition to being a lot of fun) and it’s now online at:

(Edit: This link now appears down after a few months. Symantec has republished the article here: )

They used a few older images in their Flash slideshow (my fault; I didn't get them newer images in time). These were the originals we used at NetSec to do analysis and which have been in a number of presentations (and were in the batch I sent to ArcSight as examples when they were still developing Interactive Discovery, if I recall correctly).

You can find the “art” versions that I’ve hung up in galleries at the following link:

I'm still interested in working more of these, but have been moving from graphing, which was a necessity of the business at the time, into a broader field of ontological information/concept representation in art.

(This is in addition to my media experimentation with, and interest in, projection. I think I'd like to merge these two tracks together in the future, but haven't gotten there yet.)

Hey all!

I'm going to be showing some data visualizations at the My Space on 7th art show in Washington, DC starting Friday, July 11 at the Touchstone Gallery! Everyone should come out. I took a look at the space and there's some interesting work hanging already. (And I have to thank Paige here, who unintentionally helped me decide what to show, but more on that in a later post.)

Oh. And there will be wine tasting opening night. :)

There will be three old but reworked images and one new one created just for this show. Only one has ever been printed before, and they all look pretty fantastic.

The new one consists of two superimposed graphs (a paraplot and a scatterplot) of illegitimate traffic going to/from “” (that would be, uh, most of it).

The three older ones are:

Destination Port Traffic Volume (global sample)

(Test data from custom developed SEM correlation modules)

(Pcap data from 10,000 spam emails)
