
From a Napkin to the Future!

By Dan Hadaway | Saturday, April 22, 2023

Questions from a decade ago . . .

That rhyme!
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .

So this article starts in my bedroom; cleaning out my closet. I finally decide that yes, I will never grow back into the size of these suits. I’ve lost a few pounds, and for way too long I worried that the day after I relinquish my suits, I will abandon all my new good habits, and grow right back into the larger size again.

It’s happened before. 

So I’m going through these suits, pulling various things out of their pockets, including that pen I thought a certain person had borrowed from me, or those sunglasses I swore I left on the beach. 

Then — holy blazer Batman — I pull out a folded napkin, with a list of questions a Client and I had developed over a lunch.   I didn’t recognize her handwriting, but I did recognize the notes. She had left them at the table, and I had intended to return them to her; an intent I never met.  

I remember the lunch well.  It preceded a user awareness talk to about three hundred people.  I was nervous, because I wanted to focus on the upcoming talk, so she took notes.  We were trying to work out a list of questions we would pose to management, in the committee meeting scheduled for the following day.  Then we could focus on the user awareness talk.

You can see by the picture of this napkin, that I folded the napkin.  Like normal napkin-note-taking practices, she started taking notes on one side, then had to unfold it to take more notes, upside down to the first set of notes.  Then the tenth note was put under the 4th.  You can see that, unfolded, she wrote on a nice, large paper napkin.  (I take my Clients to nice restaurants)!  Very easy to write on. 

[Editor’s note: we blurred the picture, to prevent identity from being revealed. While the company she worked for no longer exists, we were not able to reach our Client prior to publishing this blog post.]

I know exactly when this lunch and awareness training occurred, because a certain nephew’s funeral was held on the day after, and since I had agreed to provide training to 300 busy people, I was not going to get out of this particular engagement.  I had hoped to run up to that funeral right after the committee meeting.  I would miss the funeral, but still be with family afterwards.

So that’s how I know it was the spring of 2013. 

How interesting it is now, in 2023, to unfold a napkin full of questions for management, ten years ago.  How we were taking notes on napkins, instead of our phones.  How she started out phrasing question three one way, then softened it.  How the concern was awareness, and how that awareness was contingent on the need to start budgeting information security.  Don’t forget, in the spring of 2013, we still hadn’t experienced the “parade of breach news,” as I called the weekly drip-drip of breach news that started with the Target Breach of December 2013.  While the first incident of ransomware was in 1989, it sure hadn’t reached the radar of even most information security people.  We were still trying to convince non-banks that there was a need for security.

The management team meeting was postponed.  I don’t remember why, but postponing meetings to discuss security with management was not out of the ordinary back then.  I was able to see my family in our grief, but I never did give that napkin back to her. (I suspect I typed the questions into an email, after returning from the funeral, so that she could pose them to management in the committee meeting that I never did get to attend.)

Here are the questions she wrote, for her management team, in 2013.  Anything striking?

  1. Do you have visibility into how important security is for us?
  2. How do we think about go about deciding the likelihood that our reputation could be destroyed with just one security incident?
  3. Do you How you have go about have addressing the legal and other requirements to have the ability to detect if an incident occurs?
  4. How does our team know how to respond if an incident does occur (use if, or should we use when???)
  5. What are the unique aspects of our business that could be affected by a security incident?
  6. How do we measure the risk exposure of new information technology actions such as new applications or vendors?
  7. Is the risk shifting to the endpoints now that we’re starting to access our systems remotely?
  8. How do we protect ourselves from those threats?
  9. What are the unique threats, not only from a confidentiality perspective, but also what if our systems went down for a long period of time?
  10. What are unique ways we can be aware of these threats?  How do we know and how do we monitor them?

Some of you might know I have ascribed the term CyberPoet – to not only myself, but other members of the infotex team who I am actively coaching.  Go ahead, roll your eyes! Dan’s New Leaf is now weekly, because it’s all in fun!

But you have to admit, the questions on that napkin – from ten years ago – prove that my organic advice – at least about information security strategy – RHYMES!

How poetic is that?!

Oh, by the way. Stacey won’t let me take those suits to Goodwill. Says it’s been too long since I had ’em cleaned.


Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex.

Dan’s New Leaf is a “fun blog to inspire thought in the area of IT Governance.”


