I am a big fan of Seth Godin's blog, which can be found here:
If you are not familiar with Mr. Godin, I highly recommend perusing his blog. While not an infosec blog, his insights into marketing and perception are useful in many ways.
He had a post that pointed to this YouTube video. Watch the video and then read on:
Did you watch it? It’s important that you did for what follows.
I was reading a discussion about Risk Assessment methodologies on the CISSP forum the other day. In it, many different methodologies were referenced. Obviously, having a number of methodologies to choose from is great, since just about every assessment seems to be different from the last. But watching the video helped me remember that when we are using a methodology, using questionnaires, or otherwise performing an assessment, we need to be careful that we are not blinded by watching for the passes.