About Ben Tomhave

Ben Tomhave is a security architect with New Context, a lean security firm. He holds a Master of Science in Engineering Management from The George Washington University and is a CISSP. He has previously held positions with Gartner, AOL, Wells Fargo, ICSA Labs, LockPath, and Ernst & Young. He is former co-chair of the American Bar Association Information Security Committee, a senior member of ISSA, former board member at large for the Society of Information Risk Analysts, and former board member for the OWASP NoVA chapter. He is a published author and an experienced public speaker, including speaking engagements with the RSA Conference, MISTI, ISSA, Secure360, RVAsec and RMISC, as well as Gartner events.

DevOps and Separation of Duties

By | 2017-02-28T22:27:31+00:00 January 26th, 2017|Blog|

Despite the rapid growth of DevOps practices throughout various industries, there still seems to be a fair amount of trepidation, particularly among security practitioners and auditors. One of the first concerns that pops up is a blurted out “You can’t do DevOps here! It violates separation of duties!” Interestingly, this [...]

“Minimum Viable” MUST Include Security

By | 2017-01-18T21:53:17+00:00 January 18th, 2017|Blog|

If you're a startup trying to get a product off the ground, you've probably been told to build an "MVP" - a minimum viable product - as promoted by the Lean Startup methodology. This translates into products being rapidly developed with the least number of features necessary to make an initial sale [...]

Rapid Iteration Doesn’t Mean “Stop Thinking”

By | 2016-11-30T16:27:01+00:00 November 30th, 2016|Blog|

In the world of DevOps we often like to talk about rapid iteration in relationship to shortened feedback cycles, and yet oftentimes something gets lost in translation. Specifically, just because failure is ok, because failure leads to learning, it does not mean that we shouldn't be thinking at all. And, [...]

Change the Incentive Model, Change the Culture

By | 2016-10-31T22:18:54+00:00 October 19th, 2016|Articles, Blog, Tips & Tricks|

It's imperative that all security conversations start not with technical issues, but instead with an understanding of the context for those issues, and the incentive models and org culture against which they're (mis)aligned. This is why our Lean Security model is about business transformation rather than being yet another IT [...]

Change the Incentive Model, Change the Culture

By | 2016-10-24T19:43:23+00:00 September 9th, 2016|Blog|

We all know there are problems with security. We all know that things aren't keeping pace or improving measurably and meaningfully at a rate or in a manner that most of us would deem sufficient or acceptable. Yet, all we seem to be doing is continuing to cast stones, castigate [...]
