
Managing Risk and Information Security: Protect to Enable, 2nd Edition

Malcolm W. Harkins (Auth.)

Managing Risk and Information Security: Protect to Enable
Malcolm W. Harkins
Folsom, California, USA
ISBN-13 (pbk): 978-1-4842-1456-5 ISBN-13 (electronic): 978-1-4842-1455-8
DOI 10.1007/978-1-4842-1455-8
Library of Congress Control Number: 2016949414
Copyright © 2016 by Malcolm W. Harkins
ApressOpen Rights: You have the right to copy, use and distribute this Work in its entirety, electronically without
modification, for non-commercial purposes only. However, you have the additional right to use or alter any source
code in this Work for any commercial or non-commercial purpose which must be accompanied by the licenses in
(2) and (3) below to distribute the source code for instances of greater than 5 lines of code. Licenses (1), (2) and (3)
below and the intervening text must be provided in any use of the text of the Work and fully describes the license
granted herein to the Work.
(1) License for Distribution of the Work: This Work is copyrighted by Malcolm Harkins, all rights reserved. Use
of this Work other than as provided for in this license is prohibited. By exercising any of the rights herein, you
are accepting the terms of this license. You have the non-exclusive right to copy, use and distribute this English
language Work in its entirety, electronically without modification except for those modifications necessary for
formatting on specific devices, for all non-commercial purposes, in all media and formats known now or hereafter.
While the advice and information in this Work are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions
that may be made. The publisher makes no warranty, express or implied, with respect to the material contained
herein.
If your distribution is solely Apress source code or uses Apress source code intact, the following licenses (2) and (3)
must accompany the source code. If your use is an adaptation of the source code provided by Apress in this Work,
then you must use only license (3).
(2) License for Direct Reproduction of Apress Source Code: This source code, from Intel® Trusted Execution
Technology for Server Platforms, ISBN 978-1-4302-6148-3 is copyrighted by Apress Media, LLC, all rights reserved.
Any direct reproduction of this Apress source code is permitted but must contain this license. The following license
must be provided for any use of the source code from this product of greater than 5 lines wherein the code is
adapted or altered from its original Apress form. This Apress code is presented AS IS and Apress makes no claims
to, representations or warrantees as to the function, usability, accuracy or usefulness of this code.
(3) License for Distribution of Adaptation of Apress Source Code: Portions of the source code provided are used
or adapted from Intel® Trusted Execution Technology for Server Platforms, ISBN 978-1-4302-6148-3 copyright
Apress Media LLC. Any use or reuse of this Apress source code must contain this License. This Apress code is made
available at Apress.com/9781484214565 as is and Apress makes no claims to, representations or warrantees as to
the function, usability, accuracy or usefulness of this code.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every
occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion
and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this
publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is
not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions
that may be made. The publisher makes no warranty, express or implied, with respect to the material contained
herein.
Cover image designed by Freepik.
Managing Director: Welmoed Spahr
Lead Editor: Robert Hutchinson
Development Editor: James Markham
Editorial Board: Steve Anglin, Pramila Balen, Aaron Black, Louise Corrigan, Jonathan Gennick, Robert
Hutchinson, Celestin Suresh John, Nikhil Karkal, James Markham, Susan McDermott, Matthew Moodie,
Natalie Pao, Gwenan Spearing
Coordinating Editor: Melissa Maldonado
Copy Editor: Mary Behr
Compositor: SPi Global
Indexer: SPi Global
Artist: SPi Global
Distributed to the book trade worldwide by Springer Science+Business Media New York,
233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail
[email protected], or visit www.springer.com. Apress Media, LLC is a California LLC
and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc).
SSBM Finance Inc is a Delaware corporation.
For information on translations, please e-mail [email protected], or visit www.apress.com.
Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use. eBook
versions and licenses are also available for most titles. For more information, reference our Special Bulk Sales–eBook
Licensing web page at www.apress.com/bulk-sales.
Any source code or other supplementary materials referenced by the author in this text is available
to readers at www.apress.com. For detailed information about how to locate your book’s source code, go to
www.apress.com/source-code/.
Printed on acid-free paper
About ApressOpen

What Is ApressOpen?
• ApressOpen is an open access book program that publishes
high-quality technical and business information.
• ApressOpen eBooks are available for global, free,
noncommercial use.
• ApressOpen eBooks are available in PDF, ePub, and Mobi formats.
• The user friendly ApressOpen free eBook license is presented on
the copyright page of this book.

This book is dedicated to my family.
Contents at a Glance

Foreword
Praise for the second edition of Managing Risk and Information Security
About the Author
Acknowledgments
Preface

■ Chapter 1: Introduction
■ Chapter 2: The Misperception of Risk
■ Chapter 3: Governance and Internal Partnerships: How to Sense, Interpret, and Act on Risk
■ Chapter 4: External Partnerships: The Power of Sharing Information
■ Chapter 5: People Are the Perimeter
■ Chapter 6: Emerging Threats and Vulnerabilities: Reality and Rhetoric
■ Chapter 7: A New Security Architecture to Improve Business Agility
■ Chapter 8: Looking to the Future: Emerging Security Capabilities
■ Chapter 9: Corporate Social Responsibility: The Ethics of Managing Information Risk
■ Chapter 10: The 21st Century CISO
■ Chapter 11: Performance Coaching
■ Appendix A: References

Index

Contents

Foreword
Praise for the second edition of Managing Risk and Information Security
About the Author
Acknowledgments
Preface

■ Chapter 1: Introduction
  Protect to Enable®
    Building Trust
    Keeping the Company Legal: The Regulatory Flood
    The Rapid Proliferation of Information, Devices, and Things
    The Changing Threat Landscape
    A New Approach to Managing Risk

■ Chapter 2: The Misperception of Risk
  The Subjectivity of Risk Perception
  How Employees Misperceive Risk
    The Lure of the Shiny Bauble
  How Security Professionals Misperceive Risk
    Security and Privacy
  How Decision Makers Misperceive Risk
  How to Mitigate the Misperception of Risk
    Uncovering New Perspectives During Risk Assessments
  Communication Is Essential
    Building Credibility

■ Chapter 3: Governance and Internal Partnerships: How to Sense, Interpret, and Act on Risk
  Information Risk Governance
  Finding the Right Governance Structure
  Building Internal Partnerships
    Legal
    Human Resources
    Finance
    Corporate Risk Management
    Privacy
    Corporate Security
    Business Group Managers
  Conclusion

■ Chapter 4: External Partnerships: The Power of Sharing Information
  The Value of External Partnerships
  External Partnerships: Types and Tiers
    1:1 Partnerships
    Communities
    Community Characteristics
    Community Goals
    Sharing Information about Threats and Vulnerabilities
    Sharing Best Practices and Benchmarking
    Influencing Regulations and Standards
    Corporate Citizenship
  Conclusion

■ Chapter 5: People Are the Perimeter
  The Shifting Perimeter
  Compliance or Commitment?
  Examining the Risks
  Adjusting Behavior
  A Model for Improving Security Awareness
  Broadening the Awareness Model
  The Security Benefits of Personal Use
  Roundabouts and Stop Signs
  The Technology Professional
  Insider Threats
    Deter
    Detect
    Discipline
  Finding the Balance

■ Chapter 6: Emerging Threats and Vulnerabilities: Reality and Rhetoric
  Structured Methods for Identifying Threat Trends
    The Product Life Cycle Model
    Understanding Threat Agents
    Playing War Games
  Trends That Span the Threat Landscape
    Trust Is an Attack Surface
    Barriers to Entry Are Crumbling
    The Rise of Edge Case Insecurity
    The Enemy Knows the System
  Key Threat Activity Areas
    The Industry of Malware
  The Web Expands to the Internet of Things
  Smartphones
    Web Applications
  Conclusion

■ Chapter 7: A New Security Architecture to Improve Business Agility
  The 9 Box of Controls, Business Trends, and Architecture Requirements
    9 Box of Controls
    IT Consumerization
    New Business Needs
    Cloud Computing
    Changing Threat Landscape
    Privacy and Regulatory Requirements
  New Architecture
    Trust Calculation
    Security Zones
    Balanced Controls
    Users, Data, and the Internet of Things: The New Perimeters
  Conclusion

■ Chapter 8: Looking to the Future: Emerging Security Capabilities
  Internet of Things
  Consistent User Experience Across Devices
  Cloud Computing
  Big Data Analytics
  Artificial Intelligence
  Business Benefits and Risks
    New Security Capabilities
    Baseline Security
    Context-Aware Security
  Conclusion

■ Chapter 9: Corporate Social Responsibility: The Ethics of Managing Information Risk
  The Expanding Scope of Corporate Social Responsibility
  The Evolution of Technology and Its Impact
  Maintaining Society’s Trust
  The Ethics of Managing Information Risk
  Conclusion

■ Chapter 10: The 21st Century CISO
  Chief Trust Officer
  The Z-Shaped Individual
  Foundational Skills
  Becoming a Storyteller
  Fear Is Junk Food
    Accentuating the Positive
  Demonstrating the Reality of Risk
  The CISO’s Sixth Sense
    Taking Action at the Speed of Trust
  The CISO as a Leader
    Learning from Other Business Leaders
    Voicing Our Values
    Discussing Information Risk at Board Level
  Conclusion

■ Chapter 11: Performance Coaching
  How to Use the Tables
    Independence and Initiative
    Efficiency and Effectiveness
    Commitment
    Professionalism
    Discipline
    Teamwork
    Problem-Solving
    Communication
    Goal-Setting
  Conclusion

■ Appendix A: References

Index

Foreword

Security and first-person shooter video games have one obvious thing in common: if
you’re not continuously moving, you’re dead. In this second edition of Managing Risk
and Information Security, Malcolm Harkins helps us move our thinking into areas of risk
that have become more prominent over the last several years.
Because there is so much new content in this edition, I will focus on a topic that has
risen to greater prominence since the first edition: people are the perimeter. When we
reflect on what has changed in recent years, with an eye to the vulnerabilities that result
in real-world compromises, a pattern emerges: virtually all the major breaches that we
have seen involve manipulation of people. When nearly everyone has heard of phishing,
we have to ask ourselves: why is it still such an effective tool?
The obvious theory is that we haven’t managed people risk as well as we should.
Perhaps we have been standing still and need to learn how to dodge and experiment
with the way we drive better people-security outcomes. Unfortunately, the path is not
100% clear. Unlike technology, the field of influencing human behavior in security is
remarkably complicated and supported by limited research.
Malcolm provides us with a great foundation and framework to build our
“security engagement” functions. I like to use the word “engagement” because it
speaks to how the security organization relates to the workforce in a manner that isn’t
simply bounded by the more traditional term “training and awareness.” Engagement
encompasses anything that shifts the desired behavior outcome in the direction we want
it to go. I have seen remarkable shifts in measured behavior from the use of
non-traditional tools such as security gamification and simulation.
The way Malcolm differentiates between “compliance” and “commitment” is key.
Managing Risk and Information Security is an ever-evolving classic in the field of security
management.
—Patrick Heim
Head of Trust & Security, Dropbox

Praise for the second edition of Managing Risk and Information Security

We assign Malcolm’s book to our Carnegie Mellon CISO-Executive
Program students on their first day of class. It is relevant, pragmatic, and
solution oriented. Our adversaries are changing their practices and so
must we. Malcolm’s book is a terrific tool for the modern-day info sec
leader who wants to shift from security as a restriction to security as a
business enabler.
—Andy Wasser
Associate Dean, CMU Heinz College

Malcolm is a top-notch executive, security leader, and innovator, with
a keen ability to convey thought-provoking and valuable insights. His
latest effort demonstrates remarkable foresight into the skills necessary
to excel as a security leader today and tomorrow.
—Clayton J. Pummill
Executive Director, Security Advisor Alliance

I could go on and on about what I liked specifically—there was
much, including the discussion about governance models and social
responsibility—but here is the net: this is the first time I’ve seen
someone be able to speak to security specifics while also raising the
conversation to a much higher level. It begins to take on an Alvin Toffler
feel from his astounding book, The Third Wave. Malcolm’s thoughts are
philosophically sweeping while at the same time imminently practical.
—Todd Ruback, Esq., CIPP-US/E, CIPT
Chief Privacy & Security Officer & V.P. Legal Affairs, Ghostery


Malcolm Harkins is a foremost expert at managing risk and information
security. In this latest book, he further expands his Protect to Enable
philosophy and does so in a way that offers practical and actionable
initiatives that any risk manager or CISO can implement to protect their
enterprise while enabling business growth. A must-read for CISOs and
their teams!
—Tim Rahschulte, Ph.D.
Chief Learning Officer & Content Officer, Evanta

Malcolm Harkins is a visionary thought leader on cyber security and risk
management. Managing Risk and Information Security is a must read.
Malcolm helps readers immediately take the information and apply it to
their own organizations. You will find that this book cuts through the fog
and provides a clear picture of where and what to focus on to effectively
manage cyber business risk.
—Phil Ferraro
Global CISO and Cyber Security Consultant

The CISO is more than just a technology expert; she must be savvy
about leadership, influence, and change across complex organizations;
someone who sees her mission not to just drive implementation of a
large system, but to foster sustainable culture change at every level. As
an organizational psychologist, I recognize Harkins’ keen eye for group
dynamics and leadership tactics that enable CISOs to enhance enterprise
security. He puts his finger on the habits, assumptions, and decision
processes typical of many employees and teams, as they unknowingly
increase security risk, and for that alone this book is a gem. It should be
required reading for aspiring CISOs and for anyone who has a role in the
recruitment and hiring of CISOs.
—Marc Sokol, PhD
Executive Editor, People + Strategy

Malcolm Harkins’ take on information security and risk is a refreshing
change from the increasingly frequent alarm bells raised in the press
with regard to the “brave new world” where technology is presented as
an ever-escalating conflict between our seemingly insatiable appetite for
connectivity, cool applications, and customized information, on the one
hand, and a desire to control who has our information and how they may
use it, on the other. Harkins instead offers a cool, clear-eyed perspective
where managing information and risk are placed in a wider context. His
prescriptions and frameworks are recipes for well-managed organizations
in the broadest sense. They allow us to embrace our new-found
technological abilities without fear because we have defined their purpose
capaciously enough to be a positive good, to be of service to all a company’s
stakeholders. That is, once we set a truly human course, technology serves
rather than threatens us. Organization purpose, when defined in this way,
is an expression of our values and is empowered by that fuel. Harkins’ book
is a practical as well as purposeful guide to a values-driven implementation
of information technology.
—Mary C. Gentile, PhD
Author of Giving Voice To Values: How To Speak Your Mind
When You Know What’s Right (Yale University Press)

In today’s rapidly evolving security landscape, security professionals are
navigating a complex set of dynamics across the enterprise. In Managing
Risk and Information Security, Malcolm Harkins draws on his rich
security experience to present a connected view of where companies
should be focused. He puts forth a valuable perspective, as organizations
around the world look to create a necessary balance of protection and
innovation, which ultimately enables business success.
—Bret Arsenault
Corporate Vice President and CISO, Microsoft Corporation

Malcolm generously shares through personal experiences and story
telling the formula for a successful 21st century CISO. It is one part
multi-disciplinary leader and one part trusted advisor to the business,
combined with behavioral models required for balanced risk decision
making. A must-read for all new CISOs. Malcolm lives his beliefs.
—Nasrin Rezai
GE Corporate Security & Compliance Officer

In the second edition of his book, Malcolm seamlessly articulates the
future horizon of cyber security and the critical role that the CISO and
security professionals will need to fulfill in order to defend both the
company and consumers they serve. The guidance he provides into the
skills, leadership, and approach required for successfully navigating
the emerging challenges of securing a digital economy is invaluable.
Regardless of your current role, this is a must-read for everyone who has
accepted this great responsibility and privilege.
—Steven Young
CISO, Kellogg Company

While other security officers are looking to the traditional or the latest
“cool” product, Harkins goes against the tide and asks the questions that
need addressing. His forward-thinking mindset and Protect to Enable
approach inspire others to innovate and go beyond the mainstream.
If you cannot bring Harkins to your company for mentoring, this book
will at least spark thought and will change how your engineers view
security within the business.
—Charles Lebo
Vice President and CISO, Kindred Healthcare

Malcolm’s vast experience makes him one of the most credible security
leaders on the international stage and serves as the perfect platform for
this book. Rational, compelling, and authoritative writing is far too rare
in the world of risk and information security, but Malcolm completely
nails it in Managing Risk and Information Security with invaluable
advice and recommendations for anyone planning a future in the
security world. His extensive experience in business before becoming
a CISO is one of the missing ingredients in many security executives’
professional toolbox, which is why this is such an important
book. Make sure to keep a highlighter and notepad handy because there
are a lot of nuggets in here you’ll want to remember on your journey to
becoming a better security professional.
—Mark Weatherford
Chief Cybersecurity Strategist at vArmour and
former Deputy Under Secretary for Cybersecurity
at the US Department of Homeland Security

I’ve had the privilege of working with many talented CISOs over the
years and Malcolm is one of the best. His logical, methodical approach
to solving the most complex cybersecurity problems is reflected in his
lucid style. An enlightened approach to understanding risk that unites
all stakeholders and a systemic intelligence-based approach to security
infrastructure are the only ways to reduce the threat to manageable
levels. This is our best path forward if we are ever to realize the vast
potential of the innovative digital world we are creating. In Managing
Risk and Information Security, Malcolm shines a light on that path in a
comprehensive yet very readable way.
—Art Coviello
Former CEO and Executive Chairman, RSA

About the Author

Malcolm Harkins is the Chief Security and Trust Officer
(CSTO) at Cylance Inc. In this role, he reports to the CEO
and is responsible for enabling business growth through
trusted infrastructure, systems, and business processes.
He has direct organizational responsibility for information
technology, information risk, and security, as well as
security and privacy policy. Malcolm is also responsible
for peer outreach activities to drive improvement across
the world in the understanding of cyber risks and best
practices to manage and mitigate those risks.
Previously, Malcolm was Vice President and
Chief Security and Privacy Officer (CSPO) at Intel
Corporation. In that role, Malcolm was responsible
for managing the risk, controls, privacy, security, and
other related compliance activities for all of Intel’s
information assets, products, and services.
Before becoming Intel’s first CSPO, he was
the Chief Information Security Officer (CISO)
reporting into the Chief Information Officer. Malcolm also held roles in finance,
procurement, and various business operations. He has managed IT benchmarking and
Sarbanes-Oxley–compliance initiatives. Harkins acted as the profit and loss manager for
the Flash Product Group at Intel; was the general manager of Enterprise Capabilities,
responsible for the delivery and support of Intel’s Finance and HR systems; and worked in
an Intel business venture focusing on e-commerce hosting.
Malcolm previously taught at the CIO Institute at the UCLA Anderson School of
Management and was an adjunct faculty member at Susquehanna University in 2009. In
2010, he received the RSA Conference Excellence in the Field of Security Practices Award.
He was recognized by Computerworld as one of the Premier 100 Information Technology
Leaders for 2012. (ISC)² recognized Malcolm in 2012 with the Information Security
Leadership Award. In September 2013, Malcolm was recognized as one of the Top 10
Breakaway Leaders at the Global CISO Executive Summit. In November 2015, he received
the Security Advisor Alliance Excellence in Innovation Award. He is a Fellow with the
Institute for Critical Infrastructure Technology, a non-partisan think-tank that provides
cybersecurity briefings and expert testimony to the U.S. Congress and federal agencies.
Malcolm is a sought-after speaker for industry events. He has authored many white
papers and in December 2012 published his first book, Managing Risk and Information
Security. He also was a contributing author to Introduction to IT Privacy, published in
2014 by the International Association of Privacy Professionals.
Malcolm received his bachelor’s degree in economics from the University of California
at Irvine and an MBA in finance and accounting from the University of California at Davis.

Acknowledgments

I received valuable feedback from many readers of the first edition of this book. That
feedback helped me to expand the book with additional insights, clarifications, and
updated examples. It also encouraged me to add two more chapters to the second
edition: one on corporate social responsibility, and the other on performance coaching.
Special thanks to Mike Faden: without his help this book would not have happened.
As I noted in the first edition, many people during my journey at Intel helped me
learn and grow. A number of them published material that is still referenced in this
second edition.
Other experts who have helped me come from a variety of different peer groups.
They include members of the Bay Area CSO Council, the Executive Security Action
Forum, the members and staff of CEB and its Information Risk Leadership Council,
participants in the Evanta CISO Executive Summits and the CISO coalition, as well as the
Security Advisor Alliance.
Finally, I wish to thank Stuart McClure for giving me the opportunity to join Cylance.

Preface

If you don’t believe in the messenger, you won’t believe the message.
You can’t believe in the messenger if you don’t know what the messenger
believes.
You can’t be the messenger until you’re clear about what you believe.
—James Kouzes and Barry Posner,
in The Leadership Challenge

A great deal has transpired since the first edition of this book was published in January
2013, both in the world of information risk and in my personal life and career. To briefly
cover the latter, in January 2013, I was named Intel’s Chief Security and Privacy Officer.
My broad role was one of the first of its kind in corporate America: I was charged with
managing and mitigating risk for Intel’s products and services worldwide, in addition to
Intel’s internal IT environment. In June 2015, I left Intel to become CISO at Cylance Inc.,
and in May 2016, I was named Cylance’s Chief Security and Trust Officer.
These career changes occurred during an extraordinary period of escalating
information risk, as evidenced by an almost continuous stream of major hacks and
breaches, and a corresponding rise in society’s awareness of risk. Some key examples:
• May 2013: Edward Snowden flies to Hong Kong after leaving
his job at an NSA facility in Hawaii. The following month, he
reveals thousands of classified NSA documents. The disclosures,
including previously unknown government surveillance
programs, continue to cause worldwide repercussions today.
• December 2013: The blog Krebs On Security reports a massive
data breach at Target. The company confirms the breach the next
day. Within months, Target’s CIO and CEO both resign amid the
fallout.
• May 2014: A U.S. grand jury indicts five Chinese military officers
on charges of hacking American companies and stealing trade
secrets.
• November 2014: Employees at Sony Pictures arrive at work to
discover their network has been hacked. Attackers steal and then
erase data on thousands of systems, forcing studio employees to
revert to using fax machines and pen and paper. The attackers
then dump huge batches of confidential business and personal
information online.
• March 2015: Google’s Project Zero hacking team demonstrates
the ability to exploit a fundamental flaw in DDR3 SDRAM to
perform privilege escalation attacks on systems containing the
chips. Some mitigation approaches are available, other than
replacing the DDR3 memory in millions of systems worldwide.
• June 2015: The US Office of Personnel Management announces
a data breach targeting the personal data of up to 4 million
people. The attack, which includes security clearance-related
information, is one of the largest-ever breaches of government
data. By July, the estimated number of stolen records increases to
21.5 million.
• February 2016: The Hollywood Presbyterian Medical Center in
Los Angeles says it has paid a bitcoin ransom to attackers who
held its systems hostage, encrypting data and blocking access by
hospital staff. Some believe the healthcare industry is the next
major target for cyber criminals.
Given this escalating cycle of risk, and the potential catastrophic societal
implications of today’s attacks, we must all be ready to be held accountable. This may
require a large mental shift for those used to simply assigning responsibility and blame
for a breach to the people who traditionally perform post-attack cleanup: corporate IT
departments, internal information security teams, and investigations and computer
forensics groups. Everyone, from corporate executives to security practitioners, shares
responsibility for security and privacy. We must all step back and contemplate our own
personal responsibilities, not only to the organizations we work for and the customers we
serve, but also to society as a whole.
The challenge we sometimes face is how to characterize that responsibility. Is our
responsibility to limit liability for our organizations? Or is it a duty of care to the people
whose information we store? What values are we using when we make decisions about
cyber risk, and what bias do those values create in our decisions? Are we
forward-looking enough, or will the decisions we make to fix our problems today create other
problems in the future? As Benjamin Franklin once said, “All human situations have their
inconveniences. We feel those of the present but neither see nor feel those of the future;
and hence we often make troublesome changes without amendment, and frequently for
the worse.”
As security and privacy professionals, a key part of our role is to ensure the right
dialogue and debate occurs. We need to ask “high-contrast” questions that sharply
define the implications of the choices our organizations make. We need to make sure
that the opportunities are as clearly defined as the obligations to mitigate risk, so that
our organizations make the right decisions. And we need to take equal responsibility for
the outcomes of those choices, as opposed to abdicating that responsibility solely to the
business. Once the choice is made, we must transition out of the debate about what is
right and focus on taking the right actions—on making tomorrow better than today.
We can think of this as doing what’s right. We can think of it as protecting our
customers and partners and keeping our markets healthy for everyone. No matter what
motivates us, thoughtfully building systems to support a culture of genuine responsibility
for privacy and security is not only good corporate responsibility; it is also good for
business. For computing to continue to improve the world we live in rather than endanger
it, it needs to be trustworthy. And for that trust to be deliverable, we need to ensure the
data we enter into our computers is both secure and private. As an organization, we
demonstrate and build trust through our approach to solving these cyber-risk challenges.
In the preface of the first edition, I said “Managing Risk and Information Security is
a journey, but there is no finish line. Our approach to managing information risk must
continue to evolve as rapidly as the pace of business and technology change. My hope is
that people will read this book and begin their own journey.”
I still firmly believe what I said then. But I also believe that, as General George
Marshall once said, “The only way human beings can win a war is to prevent it.” We
are at war against adversaries who wish to harm the users of technology. But there is
also a battle among those responsible for protecting security and privacy. On one side
are organizations that would like to continue on the current path because they profit
from the insecurity of computing, or that approach the duty of care with a bias towards
limiting liability rather than protecting their customers. On the other side are those who
believe that our role is to generate trust. We do that by protecting to enable people and
businesses. It’s a hard road; I know, because I experience it every day. But we shouldn’t
back away from something just because it is hard. We need to plant our feet and stand
firm. The only question is where we plant our feet.

CHAPTER 1

Introduction

There are two primary choices in life: to accept conditions as they exist,
or accept the responsibility for changing them.
—Denis Waitley

In January 2002, I was hired to run a new Intel internal program called Security and
Business Continuity. The program had been created following the major security events
of the previous year (9/11 and the Code Red/Nimda viruses) and it focused primarily
on the availability risks at that time. I had no background in technical security, but I
had been at Intel for nearly 10 years in a variety of business-related positions, mostly
in finance. As I learned about information risk during the first few months, it became
apparent to me that the world was starting to change rapidly and that a “perfect storm”
of risk was beginning to brew. In June 2002, I put together a diagram (Figure 1-1) to
explain the risks to my manager, Intel’s CIO, and anyone who would listen to me.
The diagram has been updated slightly since then to more explicitly highlight the
geo-political forces that are a key part of the threat, vulnerability, and regulatory
risk landscape.

© Malcolm W. Harkins 2016
M.W. Harkins, Managing Risk and Information Security,
DOI 10.1007/978-1-4842-1455-8_1
Another random document with
no related content on Scribd:
moment fortune seemed to favor them. The latter had indeed, in
connection with their other preparations, made particular efforts to
stir the provinces round Tlascala and toward the coast, sending large
garrisons to form centres for the native armies, the object being
partly to cut off communication with the coast, so as to prevent
reinforcements from reaching the Spaniards, and partly to effect a
rear movement when it might be decided to attack the republic.
Reinforcements had already been surprised in this region and
slaughtered, as we have seen, and raids had been made on the
allied frontier.
Here was all the cause the Spaniards required for attack, and as
the country was for the most part open, the horsemen would have
great advantage over native troops. Its subjugation, therefore,
promised to be easy, and would secure the rear. The Tlascaltecs
approved of beginning the campaign with the outlying provinces,[925]
where the concentration of forces was smaller, and where the
memory of Aztec misrule and oppression might readily induce the
inhabitants to transfer their allegiance, so as to strengthen the
conquerors and allure fresh allies. They were eager to begin the
campaign, and offered a large force of warriors. Xicotencatl junior
also evinced a promptness to coöperate, as if to remove any ill
feeling that might have arisen from his machinations.[926] In order to
thoroughly enlist their sympathies Cortés made an arrangement with
the lords whereby a number of privileges were assured to their
people, together with a fixed proportion of the spoils[927] to be
obtained during the war.
The troops were mustered at Tzompantzinco, near Tlascala,
amidst a large concourse of people. There were about four hundred
and fifty Spanish soldiers, with nearly twenty horses, a few firelocks
and field-pieces, and a number of cross-bows, but the arms were
chiefly swords and pikes. The reinforcements consisted of six
thousand Tlascaltecs, including a few Cholultecs and Huexotzincas,
a larger force being prepared under Xicotencatl to follow later.[928] A
demand had meanwhile been sent to Tepeaca to confirm the oath of
allegiance once tendered the Spanish sovereign and dismiss the
Aztec garrisons, whereupon all past offences would be forgiven. The
reply was a contemptuous refusal, with the threat that any attempt at
coercion would bring upon the invaders worse punishment than they
had received at Mexico, for they all would be dished up at the festive
board. Every proposal being rejected, a formal notice was sent
condemning the province to be chastised with sword, and fire, and
slavery, for rebellion and murder of Spaniards.[929]
The army now advanced on Zacatepec, the first town on the
Tepeaca border, where an ambuscade had been prepared in some
maize fields. This was discovered in time to prevent a surprise, but a
fierce encounter took place, wherein the horsemen did good
execution, and victory was soon obtained, with slaughter of the
flying. Ojeda, who had led the Tlascaltecs into the thickest of the
fight, came during the pursuit to the residence of the cacique and
planted there the republican flag, in token of capture. These warriors
had suffered severely, owing in part to the use of large lances by the
enemy, but the Spaniards had only a dozen wounded, beside two
horses, one of which died.[930] During the three days’ stay at this
town the neighborhood was reduced, with pillage and enslavement.
The next camp was formed at Acatzingo, which had been
abandoned by the enemy after a short fight. These successes so
discouraged the Mexican garrisons that they abandoned the
province, and the allies, on marching straight for Tepeaca, five days
later, entered it without opposition. This now became the
headquarters for the different expeditions sent out to reduce the
surrounding districts;[931] and rare work they made of it, plundering,
and tearing down idols, and making captives. Salt, cotton, feather
ware, and other commodities were abundant, and with their share
therein the Tlascaltecs were highly delighted, but the Spaniards
obtained little gold. The rulers of the country had fled; one of them to
Mexico, to remonstrate against the retreat of the garrisons, and to
demand additional aid. Finding themselves abandoned, the
inhabitants sent to beg mercy of the conquerors, and being assured
that no further harm should be done them, they returned to the city
and again tendered allegiance. Several other towns were taken,
some, like Tecalco, south of Tepeaca, being evacuated, others
tendering submission in advance, while still others required hard
fighting to subdue.
The reduction of the Tepeaca province, which was virtually
accomplished in about a month,[932] produced an immediate and
marked effect, not only on the natives, but on the late refractory
Spanish soldiers. The latter were reconciled to the prosecution of the
conquest on finding the opening campaign so speedy and
comparatively bloodless, and fresh confidence was infused into the
Tlascaltecs, and new allies came forward, while the prestige of
Spanish arms began again to spread terror among the enemy and
open a way into other provinces. This was promoted by messengers,
who carried promises of release from Aztec tyranny, and pointed out
the fate of rebellious and stubborn Tepeacan towns. The Mexicans,
who during the inactivity of the allies had grown somewhat lax in
their efforts to conciliate subject provinces, now became more
earnest, more free with presents and offers to remit tribute. These
endeavors were greatly counteracted by their troops, however,
whose insolence and greed drove the inhabitants to tacitly or openly
favor the Spaniards.
The withdrawal of the Aztec garrisons from Tepeaca served to
strengthen those on its frontier, particularly at Quauhquechollan,[933]
ten or eleven leagues south-west of the new Spanish head-quarters,
which protected the approach to the southern pass into the valley of
Mexico.[934] Its province bordered on Huexotzinco and Cholula, and
skirting the snow-crowned Popocatepetl it extended for some
distance south and south-east of it. The lord,[935] who had tendered
allegiance to Spain simultaneously with Montezuma, had recently
sent in the assurance of his loyalty, with the explanation that fear of
the Mexicans had prevented him from doing so before. A few days
later came his messengers to ask protection against the Aztec
garrisons, reinforced to the extent of some thirty thousand men,[936]
who, from their camp within a league of the city, were plundering and
committing outrages. This appeal being quite in accord with the
plans of Cortés, he at once complied by sending Olid and Ordaz,
with two hundred soldiers, thirteen horses, most of the fire-arms and
cross-bows, and thirty thousand allies.[937] It was arranged with the
Quauhquechollans that they should begin the attack as soon as the
Spaniards came near, and cut off communication between the city
garrison and the adjoining camp.
Olid marched by way of Cholula, and received en route large
accessions of volunteers, chiefly from the province to be aided and
from Huexotzinco, all eager for a safe blow at the Aztecs, and for a
share of the spoils. So large, indeed, was the enrolment that some of
the ever timid men of Narvaez conjured up from this a plot for their
betrayal into the hands of the Mexicans, with whom rumor filled
every house at Quauhquechollan, making in all a larger number than
at Otumba. The loyalty of the new province being wholly untried, and
that of Huexotzinco but little proven, the alarm appeared not
unfounded, and even the leaders became so infected as to march
back to Cholula, whence the chiefs of the suspected allies were sent
under guard to Cortés, with a report of the occurrence.[938] The latter
examined the prisoners, and readily surmised the cause of the
trouble; but, as it would not answer to dampen native ardor for the
war by leaving them in that suspicion, he apologized for what had
happened as a misunderstanding, smoothed their ruffled feelings
with presents, and encouraged their zeal. With an additional force of
one hundred soldiers and some horses he set out for Cholula to
assume command in person, shaming the men out of their fears,[939]
and accepting the large reinforcements which were offered on the
way.
As soon as he came in sight, at the end of the valley, the
Quauhquechollans, who had made their preparations in advance, fell
on the garrison, securing at the same time the scouts and stragglers.
The Aztecs resisted valiantly, encompassed though they were by
assailants who filled the roofs and heights round the temple which
formed the citadel. An entry was effected by the Spaniards, and the
natives rushed upon the warriors with such fury that scarcely one
was left to tell the tale. A number of the besieged, outside the citadel,
had already fled toward the Aztec camp, whose battalions were now
descending, brilliant in feathered mail and ornaments. Entering the
further side of the city they began to fire it. Cortés was summoned to
the rescue, and hurrying onward with the cavalry he soon routed
their disorganized masses, leaving pursuit chiefly to the allies. At a
certain pass the enemy rallied, to be dislodged within a few moments
and cut off from their camp. Exhausted by battle and flight, under a
broiling sun, they turned in disorderly scramble up the steep
mountain slope, only to find themselves checked on the summit by
fleeter bands of Quauhquechollans and other allies, and obliged to
make a stand. By this time they could hardly raise their hands in
self-defence, and the battle became little more than a butchery, during
which scattered remnants alone managed to escape, leaving the rich
garments and jewels of the dead to stay the pursuers, who now,
according to Cortés, numbered over one hundred thousand. Several
Spaniards were wounded, and one horse killed.[940] The field being
reaped, the victors entered the camp,[941] which was divided into
three parts, each large enough, it is said, to form a respectable town,
well appointed, with hosts of servants, supplies, and paraphernalia.
Laden with spoils they returned to the city to receive a well merited
ovation. The citizens were afterward rewarded with several privileges
for their loyal aid;[942] deservedly rewarded, for without their
coöperation the place could not have been captured without
difficulty, since it lay between two rivers[943] coursing through deep
ravines, and was shielded on one side by a steep mountain range.
Beside its natural strength the city was protected by a breastwork of
masonry, which extended toward the mountain and down into the
ravines, forming here a smooth facing of some twenty feet, and
rising in other places into a distinct wall of great height and width,[944]
with a parapet. There were four entrances,[945] wide enough for
one horseman only, with staircase approaches, and with maze-like
lappings of the walls, which rendered it difficult to force an entrance.
Along the walls lay piles of stones and rocks ready for the foe. The
population was estimated at five or six thousand families, supported
in part by a number of gardens within the city, and subject to it were
three towns in the valley, containing an equal number of people.

Four leagues south of Quauhquechollan lay Itzocan,[946] a well
built city, with a hundred temples, says Cortés, and a population of
three or four thousand families, situated in a fertile, irrigated valley,
which from the climatic protection afforded by the sheltering
mountains included cotton as one of its staples, and had also some
attractive gold mines. The place lay at the foot of a hill, surmounted
by a strong turreted fort, and offered a striking resemblance to
Málaga, it was said. The level sides were protected by the banks of a
deep river, which here formed a semicircle, and all round the city ran
a wall five feet high, well provided with towers and stone
ammunition. The cacique was an alien, appointed by Montezuma,
whose niece he had married, and possessed strong sympathies for
the lake government, which maintained a fine garrison. To reduce
the place, so as to root out a stronghold for the dissemination of
Aztec influence, was of the first importance.
Thither, therefore, Cortés proceeded with his forces, including
allies, who were by this time so numerous as to cover the plains and
mountains, wherever the eye could reach, representing at least one
hundred and twenty-five thousand men. On arriving before the city it
was found occupied only by warriors, estimated at from five to eight
thousand, the women and children having all withdrawn. Guided by
natives the army passed to a point affording a comparatively easy
entrance. The surprised garrison now thought less of resistance than
of securing their retreat across the river. It was spanned by a bridge,
but this the Spaniards destroyed as they fell upon them, and many of
the unfortunate Aztecs took to the water in their confusion, only to
add to the list of victims. The cavalry, swimming across with ease,
overtook and arrested a large portion of the flying till the allies came
up to aid in the slaughter.[947] Two captives were sent to offer pardon
to the inhabitants, on the condition of their returning and remaining
loyal. Soon after the chiefs came to make arrangements, and within
a few days the city had resumed its wonted appearance.
Cortés thought it the best policy, in this frontier town of his
conquest, to make a favorable impression by extending mercy, and
with the rapid flight of his fame as an irresistible conqueror spread
also his reputation as a dispenser of justice, lenient or severe, as the
case might be. A number of caciques hastened accordingly to
propitiate him, during his stay in this quarter,[948] by tendering
submission and praying to be confirmed in authority. Among them
came a deputation from the inhabitants of Ocopetlahuacan,[949] at
the foot of Popocatepetl, who cast the blame for delay on their
cacique. He had fled with the retreating Mexicans, and they
disowned him, praying that the dignity might be conferred on his
brother, who had remained, and who shared the popular desire for
Spanish supremacy. After a judicious hesitation the request was
granted, with the intimation that future disobedience would be
severely chastised.[950]
Still more flattering overtures came from the caciques of eight
towns in Cohuaixtlahuacan,[951] some forty leagues to the south,
who had already tendered allegiance on the occasion when Pilot
Umbría first passed through that province in search of Zacatula’s
gold mines.[952]
Before leaving Itzucan, Cortés was called upon to appoint a
successor to the fugitive cacique. The candidates were a bastard
son of the late native cacique, whose death was due to Montezuma,
and the son of the deceased ruler’s legitimate daughter, married to
the lord of Quauhquechollan. The general, being only too eager to
please so loyal an ally, decided in favor of his son, on the ground of
legitimacy; but since he was not yet ten years old, the regency was
intrusted to the bastard uncle, aided by some chiefs.[953] The boy
followed the army to imbibe Spanish ideas and instruction, and
received baptism not long after, with the name of Alonso,[954] the first
Christian prince in New Spain.
Another important yet troublesome expedition was to secure the
road to Villa Rica, on which so many Spaniards had fallen, and
which was still dangerous. It was intrusted to two hundred men, with
ten horses, and a large force of allies.[955] The first reduction in this
quarter had been Quecholac, where pillage and enslavement formed
the retaliation for murders committed,[956] and Tecamachalco, which
gave greater trouble before it fell, and yielded over two thousand
slaves, besides much spoil.[957] The chastisement of these districts
had taught the easterly parts a lesson, so that more hardship than
fighting was now encountered, for the march lay to a great extent
through uninhabited tracts. It was in the region of Las Lagunas that
some captive Spaniards had been denuded and fattened, and then
goaded to death, like bulls in a ring, for the amusement of the
natives. The bodies had then been devoured, a part of the flesh
being jerked and distributed over the district as choice morsels, and
pronounced savory. Forty of the most guilty tormentors were secured
in a yard for execution. Informed of their fate they began to dance
and sing, commending themselves quite cheerfully to the gods as
they bent their heads to the sword.[958] How blessed the righteous
when they die!

FOOTNOTES
[901] This appears to have taken place on the Xocotlan road, followed by the
Spaniards on first entering the country, for in the temple of this town, says Bernal
Diaz, were found the saddles and other trophies. He estimates the treasure lost at
40,000 pesos. Hist. Verdad., 108, 116-117; Lejalde, Probanza, in Icazbalceta, Col.
Doc., i. 425.

[902] Herrera writes, under Iuste and Morla. If correct there were two Morlas.

[903] Herrera copies this account, but gives also another in an earlier chapter,
which leads one to suppose that Yuste and a few companions escaped to the
mountains. They either perished of hunger or were captured at some settlement
while offering the remnant of their treasures for food. An inscription by Yuste on a
piece of bark recorded their sufferings. ‘Por aqui passò el desdichado Iuan Iuste,
con sus desdichados compañeros, con tãta hambre, que por pocas tortillas de
mayz, diò vno vna barra de oro, que pesaua ochocientos ducados.’ dec. ii. lib. x.
cap. xiii.; dec. iii. lib. i. cap. v. Torquemada repeats both versions, i. 530-1. Peter
Martyr and Gomara are also confused, allowing the Yuste party in one page to fall
at the pass, and on another to turn back to Villa Rica from Tlascala. Hist. Mex.,
165, 181-2. A misinterpretation of a vague passage by Cortés is the cause of the
mistake, into which nearly every writer has fallen. The party carried, according to
the Cartas, 141, 183-4, a number of agreements with the natives, and other
valuable documents, beside Cortés’ personal effects and valuables, worth over
30,000 pesos de oro. Bernal Diaz says three loads of gold. The inhabitants said
that people from Tezcuco and Mexico had done the deed to avenge Cacama. But
none except the natives of the district could have had time to gather for the attack.

[904] Herrera places the number of the party at 50 or 60. dec. ii. lib. x. cap. xv.
Bernal Diaz speaks of the slaughter in Tochtepec of 72 men and 5 women, and he
leaves the impression that they were a part of the Narvaez force which had
followed the army at their leisure. Hist. Verdad., 108. This is no doubt the party
described in the text. Yet Herrera, in cap. xvii., refers to the destruction at
Tochtepec of a force of 80 men under Captain Salcedo, who was sent to reduce
this province a few months later. This incident, mentioned by no other original
authority, may be identical with the preceding. Had the party in question belonged
to the original force of Narvaez it would have accompanied Yuste and Alcántara.
Such not being the case, it must have arrived after their departure. This receives
confirmation from Gomara’s statement that several small parties, who had been
attracted to New Spain by Cortés’ conquests, were killed in Tepeaca and
Xalacinco. Hist. Mex., 173. The narratives of Bernal Diaz and Cortés specify some
of these, numbering from ten to eighteen men, who fell at Quecholac, Tepeaca,
and other places. It is not likely that so many small parties could have arrived on
the coast during the short interval of Cortés’ departure from Cempoala and his
retreat to Tlascala; nor that they would have ventured in small numbers into a
strange country, during so unquiet a period; nor would a mere dozen have been
allowed to penetrate so far as Tepeaca ere they met their fate. Hence they must
have belonged to the large party spoken of in the text, whose members, dead or
captive, were distributed among the different towns which had aided in their
defeat. This appears to be the only way to reconcile the differing statements,
which have so confused every writer as to lead them into apparent blunders or into
the omission of facts. See Robertson’s Hist. Am., ii. 99; Prescott’s Mex., ii. 409-10;
Brasseur de Bourbourg, Hist. Nat. Civ., iv. 353-5.

[905] Bernal Diaz intimates that only two vessels remained of Narvaez’ fleet, and
one of these was now destroyed so that the crew might be sent to Tlascala. The
reinforcements numbered four soldiers and three sailors, two of whom suffered
from swollen stomachs, and the rest from venereal diseases. Hist. Verdad., 109.

[906] Bernal Diaz, Hist. Verdad., 109, mentions only four deaths.

[907] ‘Se le pasmo la cabeça, o porque no le curaron bien, sacãdole cascos: o por
el demasiado trabajo.’ Gomara, Hist. Mex., 162. Solis describes the progress of
the cure with a minuteness that would do credit to a medical journal. Hist. Mex., ii.
212-14.

[908] The Cihuacohuatl, Tzihuacpopocatzin, Cipocatli, and Tencuecuenotzin. The
account of this tumult is given in a memorial on the conquest by an Indian,
possessed by Torquemada. i. 509-10. Brasseur de Bourbourg assumes
Tzihuacpopocatzin and the Cihuacohuatl to be sons of Tizoc, and the last two to
be the sons of Montezuma, the last named a bastard. Cipocatli, accepted by him
as the other name for Asupacaci, the legitimate heir of the emperor, he assumes
with Cano to have been murdered by Quauhtemotzin. Hist. Nat. Civ., iv. 345. But
we have seen that Cortés appears more correct in saying that the prince fell with
him during the Noche Triste. Brasseur de Bourbourg’s assumption serves merely
to show how hasty and untrustworthy his statements often are.

[909] Cortés assumes only two rivals, the natural sons of Montezuma, ‘el uno diz
que es loco y el otro perlático.’ Cartas, 153.

[910] Twenty days after Montezuma’s death. Ixtlilxochitl, Relaciones, 413, 304.

[911] Of which Sahagun gives some account. Hist. Conq. (ed. 1840), 137. See
also Torquemada, i. 511.

[912] ‘Él les hace gracia por un año de todos los tributos y servicios que son
obligados á le hacer.’ Cortés, Cartas, 155; Gomara, Hist. Mex., 173.

[913] Beaumont, Crón. Mich., MS., 68 etc.; Native Races, ii. 107-8; v. 508 et seq.

[914] ‘Entrarian en parte de todas las rentas de las provincias sugetas por el
imperio.’ Ixtlilxochitl, Hist. Chich., 304.

[915] ‘Tanto supieron decir á la señoría estos embajadores, que casi toda ella, ...
la redugeron á su voluntad y deseo.’ Old Xicotencatl being one of the most
devoted. Id. Herrera also assumes that this chief favors the Mexicans, but the
supposition is due to confounding the two men of this name. dec. ii. lib. x. cap. xiv.

[916] ‘A q̄ venistes, a comernos nuestra hazienda, anda que boluistes
destroçados de Mexico, echados como viles mugeres.’ Id.

[917] Bernal Diaz assumes that the young chief had been brought before the
council a prisoner, to be arraigned for his machinations. His father was so deeply
incensed against him as to decree his death, but the other chiefs were lenient out
of respect for the father; the conspirators were arrested. Hist. Verdad., 109-10. A
later writer states, on doubtful authority, that the chieftain was also removed from
the command of the army; and Solis assumes that the act of jostling him down the
steps in the council-hall was the form of degradation, which took place during a
special session, after the deliberation. He appealed to Cortés, who caused him to
be reinstated. Hist. Mex., ii. 220-3. According to Camargo, the elder Xicotencatl
had ceded his place as ruler to the son, owing to his advanced age. Hist. Tlax.,
173-4. In such a case no imprisonment or degradation could have been admitted;
perhaps in no case, since he merely advocated what he considered to be the best
for the country. Duran states that he was surrendered to Cortés, who ‘le puso en
prisiones, y creo que al cabo le mandó matar,’ Hist. Ind., MS., ii. 485, a statement
which may have aided to confuse Gomara, who allows Cortés to execute him
already during his first stay at Tlascala. On the present occasion he lets
Maxixcatzin strike the leader of the opposite faction. Hist. Mex., 90, 164. His
blunder and vagueness helped Herrera to confound the two Xicotencatls, and
Brasseur de Bourbourg to attribute to father and son the same opinion. Hist. Nat.
Civ., iv. 365-7. This is also the view of Ixtlilxochitl. The discussion was held in the
hall or oratory of Xicotencatl, where Cortés had planted the cross. While
Maxixcatzin was advocating the Spanish cause a cloud settled on the cross and
darkened the room. This miracle encouraged the orator, who threw down the
younger Xicotencatl and won all to his side. The Mexican envoys were now
dismissed with a refusal, whereupon the cloud dissipated, leaving the room bright
and the cross resplendent, and attracting many believers. Hist. Chich., 304-5.
Sahagun allows Xicotencatl, chief among the lords, to attack the second lord for
urging the murder of the Spaniards. Hist. Conq. (ed. 1840), 138.

[918] With reference to the attack on Xicotencatl in the council-chamber, Herrera
says, ‘Sin tener los Mexicanos otra respuesta se boluieron, con relacion de lo que
passaua,’ dec. ii. lib. x. cap. xiv., a sentence which Clavigero elaborates into a
flight of the envoy on observing the agitation of the people. ‘E’ però da credersi,
che il Senato mandasse degli Ambasciatori Tlascallesi per portar la risposta.’
Storia Mess., iii. 149. Prescott and others also suppose that they fled; but this is
unlikely, since personages so conspicuous as envoys could hardly have escaped
from the centre of the republic without the knowledge of the senate, who had,
beside, given them a guard, as well for their honor and protection as for preventing
the undue exercise of their curiosity. Envoys enjoyed great respect among these
peoples. Camargo and Ixtlilxochitl assume more correctly that the envoys were
notified and dismissed.

[919] Tlascala sealed her enslavement, as some view it, ignoring national interests
for the sake of shameful revenge. Behold now the punishment in her decay, and in
the odium cast on her descendants by other peoples. So says Bustamante, in
Sahagun, Hist. Conq. (ed. 1840), 140. They have certainly dwindled away ever
since Cortés began to scatter them as colonists in different directions; but this was
the natural and inevitable consequence of the presence of the stronger element.
During Spanish dominion they enjoyed some slight privileges, and since then no
odium has attached to them except in casual references to the conquest by
prejudiced writers.

[920] ‘En nombre de todos.’ Gomara, Hist. Mex., 166. Whereat Bernal Diaz is
exceedingly wroth. ‘We, the old soldiers, stood by Cortés,’ he asserts, ‘and
Gomara’s omission to say so is intended to exalt him at our expense.’ Hist.
Verdad., 110. Cortés himself intimates that the request was general. Cartas, 142.
But Herrera more justly attributes it to ‘la mayor parte.’ dec. ii. lib. x. cap. xiv.

[921] ‘Si mal nos sucediere la ida [of the next campaign] hare lo que pedis: y si
bien, hareis lo que os ruego.’ Thus Cortés, by his skill and firmness, saved not
only the conquest but the lives of his men, which must have been sacrificed in a
retreat. Had they reached Villa Rica they would not have remained there, but
would have passed on to the islands, thus abandoning the country. Gomara, Hist.
Mex., 167. Most of the points in the above speech are to be found in the lengthy
harangue prepared by this author. Oviedo’s is weaker, and loses itself in
repetitions and crude elaborations, adorned with learned references ill suiting a
soldier addressing rude men, although not altogether inconsistent with Cortés’
love of display. Toward the conclusion is said: ‘If any one there is who still insists
on leaving, let him go; for rather will I remain with a small and brave number than
with many, if composed in part of cowards and of those who respect not their
honor. Even if all fail in their duty I shall not. We shall now know who, being of us,
will drink water from the hand, and who will kneel to drink with the face to the
ground, so that they may be bidden to depart, as God said to Gideon.’ Oviedo, iii.
332-3. The test, if ever intended, was not made, since all acquiesced. Solis, the
inveterate speech-maker, has unaccountably subsided for this period; perhaps he
is piqued at finding himself so fully anticipated. Cortés gives a brief synopsis of
what he indicates to have been a long speech. On no account would he commit so
shameful, dangerous, and treasonable an act as to abandon the country. Cartas,
142-3; Clavigero, Storia Mess., iii. 151; Herrera, dec. ii. lib. x. cap. xiv.

[922] ‘Habiendo estado en esta provincia veinte dias, aunque ni yo estaba muy
sano de mis heridas, y los de mi compañia todavía bien flacos, salí della.’ Cortés,
143. Gomara follows, while Bernal Diaz, Hist. Verdad., 110, writes that after a stay
at Tlascala of 22 days Cortés announced the determination to march on Tepeaca,
which provoked murmurs from the men of Narvaez. Preparations for the campaign
appear to have intervened before the march began, and negotiations with the
province to be assailed. Herrera intimates that fully 50 days had passed before
negotiations were opened. dec. ii. lib. x. cap. xv.

[923] ‘Significa Tepeyacac, remate, o punta de zerro,’ owing to the position of the
city at the end of a mountain range. Id., cap. xxi.

[924] Their father, Chichtuc, had been sole ruler, but after his death the sons
divided the province. Id. This author assumes that it was merely an ally of Mexico,
but there is little doubt about its being tributary. ‘Ixcozauhqui, le principal de ses
trois chefs.’ Brasseur de Bourbourg, Hist. Nat. Civ., iv. 368.

[925] The suggestion of thus opening the campaign is claimed by native historians
for the Tlascaltec lords, Ixtlilxochitl naming Xicotencatl as the originator. Hist.
Chich., 303; Camargo, Hist. Tlax., 177.

[926] And out of gratitude for Cortés’ intercession in his behalf, as Solis claims.

[927] Half of the booty obtained in all conquered countries, with incorporation of
Cholula, Huexotzinco, and Tepeyacac. Camargo, Hist. Tlax., 176. This extent of
jurisdiction is doubtful. ‘Les haria en nõbre de su Magestad escriptura de
conservarlos en sus tierras, y govierno,’ is the moderate arrangement given in
Vetancvrt, Teatro Mex., pt. iii. 146. When in 1655 an attempt was made to
encroach on their rights they produced the document and obtained justice.

[928] Bernal Diaz, who alone enters into details, enumerates 420 soldiers, 4000
Tlascaltecs, 17 horses, and 6 cross-bows, without artillery or ammunition. Hist.
Verdad., 111. But this is hardly reliable, for a few lines before he refers to 440
men, and there is no doubt that some ammunition, field-pieces, and other war
material must have been obtained from Villa Rica. Herrera speaks of musketeers
and 6000 allies, 50,000 more to follow. dec. ii. lib. x. cap. xv. Gomara allows
40,000 allies to set out at once, with provisions and carriers. Hist. Mex., 168.
Ixtlilxochitl mentions only 4000, and names some of the leaders. Hist. Chich., 305.
Herrera states that a question arose as to the prudence of trusting so small a body
of soldiers with so large a force of allies—which soon swelled to over 100,000—
who might in case of disagreement overwhelm them. A council was held, which
decided that the loyalty of the Tlascaltecs had been sufficiently tried, and that a
small number of allies would be of no service. ubi sup., cap. xiv.

[929] Cortés’ first messengers returned with two Mexicans, who brought the
contemptuous reply. They were given presents, and told to summon the native
chiefs to a parley. On their return with a threatening answer ‘fue acordado, ... por
ante Escriuano ... que se diessen por esclauos à todos los aliados de Mexico, que
huviessen muerto Españoles.’ Bernal Diaz, Hist. Verdad., 112. ‘Respondieron que
si mataron Españoles fue con justa razon, pues en tiempo de guerra quisieron
passar por su tierra por fuerça, y sin demandar licencia.’ Gomara, Hist. Mex., 168.

[930] ‘Tuuierõ los Indios amigos buena cena aquella noche de piernas, y braços,
porque sin los assadores de palo, que eran infinitos, huuo cincuenta mil ollas de
carne humana.’ The Spaniards suffered from want of water and food. Herrera,
dec. ii. lib. x. cap. xv. Rather a strong story. The Spaniards could not well suffer
from hunger in the midst of maize fields, in harvest time. Oviedo takes occasion to
dwell on the common practice of devouring the slain on the battle-field, thus
saving the trouble of burial. iii. 334. ‘Mi pare una favola,’ is Clavigero’s comment.
Storia Mess., iii. 152. See Native Races.

[931] ‘Padeciendo siempre de agua, y comida.’ Herrera, ubi sup. But this could
hardly be the case in so rich a province, at this time.

[932] ‘En obra de veinte dias hobe pacíficas muchas villas y poblaciones á ella
sujetas ... sin que en toda la dicha guerra me matasen ni hiriesen ni un español.’
Cortés, Cartas, 143. ‘En obra de quarenta dias tuvimos aquellos pueblos
pacificos,’ but with great hardship, ‘porque de sangre, y polvo que estaua quajado
en las entrañas, no echauamos otra cosa del cuerpo, y por la boca,’ etc. Bernal
Diaz, Hist. Verdad., 112-13.

[933] The name of a beautiful bird, now San Martin de Huaquechula. This town
was known to the Spaniards under the name of Guacachula.

[934] ‘Á la entrada de un puerto que se pasa para entrar á la provincia de Méjico
por allí.’ Cortés, Cartas, 145. After the conquest it was moved to a more open site,
three leagues south. Torquemada, i. 316.

[935] Calcozametl. Brasseur de Bourbourg, Hist. Nat. Civ., iv. 372.

[936] Herrera reduces Cortés’ figure to 20,000.

[937] Bernal Diaz names Olid alone for the command, and Gomara adds Ordaz
and Andrés de Tapia, while Herrera substitutes Ordaz and Ávila. The latter is
probably wrong in giving them 300 soldiers, and Peter Martyr errs, through his
printer, perhaps, in allowing only 3000 allies.

[938] Cortés writes that this occurred in a town of Huexotzinco province, and that
here the Spaniards were alarmed by the report of collusion between the
Huexotzincas, the Quauhquechollans, and the Aztecs. The leaders described the
expedition as difficult. Cartas, 146. Gomara follows, naming the captain who
brought the chiefs captive to Cortés. Hist. Mex., 169. Bernal Diaz points out very
plausibly that Huexotzinco lay wholly out of the way; and, ignoring the accession
of volunteers, he assumes that the report of a vast gathering of Mexican troops
round Quauhquechollan was the cause for alarm, among the Narvaez party only.
Olid appealed to their honor, and did all he could to encourage them, but failed.
Hist. Verdad., 112-13. Clavigero believes, on the other hand, that Olid caught the
alarm as readily as the rest. Storia Mess., iii. 154. The joining of Huexotzincas
may have led to the belief that the march lay through their territory.

[939] Bernal Diaz states that Cortés did not go, but sent Olid a sharp letter, which
roused him to proceed with the expedition. But our chronicler was sick with fever
all this time, and has evidently not been well informed. Cortés’ description of the
route and of different occurrences indicates that he must have been present.

[940] ‘Cayeron muchos dellos [enemy] muertos y ahogados de la calor, sin herida
ninguna, y dos caballos se estancaron, y el uno murió.’ Cortés, Cartas, 149.

[941] ‘En Mexinca.’ Gomara, Hist. Mex., 169.

[942] ‘Y se les conservan el día de hoy,’ says Lorenzana, in Cortés, Hist. N.
España, 160.

[943] ‘Dos tiros de ballesta el uno del otro.’ Cortés, Cartas, 150.

[944] ‘Tres estados en alto, y 14. pies en ancho,’ says Herrera, dec. ii. lib. x. cap.
xvi. ‘Alto como cuatro estados por de fuera de la ciudad, é por de dentro está casi
igual con el suelo.’ Cortés, Cartas, 150. Meaning, in places.

[945] Herrera says two.

[946] Later Izucar; now Matamoros.

[947] Bernal Diaz assumes that Olid is the sole leader; that he was here wounded,
and lost two horses. Returning to Tepeaca he was received with great honor, and
joined in laughing at the alarm which had caused the army to turn back at Cholula.
He would never after have anything to do with the opulent and timid soldiers of
Narvaez, he said. Hist. Verdad., 114. Gomara supposes that the bridge had been
destroyed before the flight, so that few of the garrison escaped from the sword and
the stream. Hist. Mex., 171.

[948] Ixtlilxochitl extends the stay at Ytzocan alone to twenty days. Hist. Chich.,
305. Others make it less.

[949] Cortés calls it Ocupatuyo, which Lorenzana corrects into Ocuituco, and
Torquemada into Acapetlahuaca, i. 315, while Clavigero insists that it should be
Ocopetlajoccan. Storia Mess., iii. 157.

[950] ‘Vinieron asimismo á se ofrecer por vasallos de V. M. el señor de ...
Guajocingo, y el señor de otra ciudad que está á diez leguas de Izzucan.’ Cortés,
Cartas, 152.

[951] This name is badly misspelled. Chimalpain identifies it with Huaxtéca, which
is decidedly out of the way, Hist. Conq., ii. 12, while Orozco y Berra stamps ‘en
verdad errónea’ the suggestion of Lorenzana that it is Oajaca; but modern maps
do place it in Oajaca, very slightly modified in spelling.

[952] They had always been loyal, they said, although deterred by fear of Mexico
from sooner proclaiming it; the four remaining pueblos of the province would soon
send in their allegiance. Cortés, Cartas, 152-3.

[953] The construction of sentences in Cortés, Cartas, 152, and the complex
relationship, have misled nearly every one who notices this incident—as, Gomara,
Hist. Mex., 171; Vetancvrt, Teatro Mex., pt. iii. 147; Bernal Diaz, Hist. Verdad., .

[954] Alonso Coltzin. Chimalpain, Hist. Conq., ii. 12. Ixtlilxochitl calls him
Ahuecatzin. Hist. Chich., 305. Alvarado stood sponsor. Terrified by some idle
gossip, or by the preparations for his baptism, the boy asked the friar when he was
to be sacrificed; but received comfort in a pious exhortation. Torquemada, i. 520.

[955] Herrera gives the command to Olid and Juan Rodriguez de Villafuerte, the
owner of the much disputed first madonna image, accompanied by Juan Nuñez,
Sedeño, Lagos, and Mata. dec. ii. lib. x. cap. xvii. Olid may have been detached
from Quauhquechollan after the first success had made troops less necessary; yet
Herrera indicates that he set out before this expedition.

[956] ‘En lo de Cachula fue adonde auian muerto en los aposentos quinze
Españoles.’ Bernal Diaz, Hist. Verdad., 112.

[957] B. V. de Tapia, in his testimony against Cortés, states that about 6000
prisoners were sent to him from these districts by Olid, all of whom had
surrendered without resistance, and that he ordered the men, 2000 in number, to
be executed, the women and children being sold or distributed. Cortés,
Residencia, i. 59-60.

[958] ‘Boluierõ a Tepeaca, y auiendo estado treynta dias en esta jornada hallaron
a Hernando Cortes, que era buelto de Guacachula.’ Herrera, dec. ii. lib. x. cap.
xvii. These successes are said to have been dimmed by a severe defeat at
Tochtepec, on Rio Papaloapan, whither Salcedo had been sent with 80 men. It
was the entrepôt for trade in this region, and was held by a strong Aztec garrison,
aided by native warriors with Chinantec pikes. Owing partly to the efficient use of
this weapon, and partly to the carelessness of Salcedo, the troops were surprised
and slaughtered to a man, after selling their lives as dearly as possible. The
disaster being a blow also to Spanish prestige which it would never do to overlook,
Ordaz and Ávila were sent not long after with a larger force, some horses, and
20,000 allies, to exact retaliation in death, captivity, and rich spoil. The victors
came back with ample plunder. Herrera, ubi sup. See note 4 this chapter for
doubts on the massacre.

CHAPTER XXIX.
KING-MAKING AND CONVERTING.

October-December, 1520.

Conquest in Detail—Barba Caught—Other Arrivals and Reinforcements
—The Small-pox Comes to the Assistance of the Spaniards—Letters to
the Emperor—Establishing of Segura de la Frontera—Certain of the
Disaffected Withdraw from the Army and Return to Cuba—Division of
Spoils—Head-quarters Established at Tlascala.

Thus all was going gayly with the Estremaduran once more. It
was easy work overcoming the divided Aztec forces, which
combined had proved so formidable. And there was little trouble now
from factions. None advocated a station by the sea-side, with ships
ready for flight; none thought of abandoning New Spain for Cuba.
The simple presence of the general was as the shield of Abas, which
performed so many marvels, and the mere sight of which could on
the instant stay a revolt or reduce a province to submission.
The successes of the Spaniards were rapidly enlarging the fame
and influence of their leader, bringing among other fruits, as we have
seen, alliances and reinforcements, not alone from native sources,
but from Spanish. The first accession of the latter was thirteen
soldiers and two horses, brought in a small vessel under the hidalgo,
Pedro Barba, formerly commandant at Habana. Commandant
Rangel at Villa Rica had received instructions to secure any vessel
that might arrive, both with a view to obtain recruits, and to prevent
news from travelling to Cuba of the defeat of Narvaez, or other
incidents. As the vessel entered the roadstead he accordingly
approached it in a well manned boat, with hidden arms. “How fares
Narvaez?” was Barba’s first inquiry. “Exceedingly well,” replied
Rangel. “He is prosperous and rich, while Cortés is a fugitive, with a
score of miserable followers at the most; or he even may be dead.”
“All the better,” rejoined Barba; “for I bear letters from the most
magnificent Velazquez, with instructions to secure the traitor, if he be
alive, and send him at once to Cuba, whence he shall go to Spain,
as commanded by our most illustrious Bishop Fonseca.” As a matter
of course, Señor Barba will accept the proffered hospitality; he will
go ashore and deliver his message to Narvaez in person. And he will
catch this slippery fox from Estremadura, and carry him hence to be
hanged; he will carry him to his worshipful master Velazquez to be
hanged. So entering the boat he is conveyed away, but only, alas! to
be declared a prisoner; only, alas! to learn that though damned,
Cortés is not dead, and is by no means likely at once to meet
strangulation at the hand either of Barba, Narvaez, or Velazquez.
Meanwhile other visitors in other boats proceed to secure the crew.
The vessel is dismantled; and since Cortés is the king, and not
Narvaez, the so lately fierce and loyal Barba, nothing loath, declares
for Cortés. Indeed, Barba was by no means unfriendly to the
general, as proven by his attitude at Habana two years before. Any
such reinforcement was gladly welcomed at Tepeaca, and Cortés
sought to insure Barba’s loyalty by making him captain of archers.[959]
A week later arrived another small vessel, under the hidalgo
Rodrigo Morejon de Lobera, with eight soldiers, a mare, a quantity of
crossbow material, and a cargo of provisions. It was secured in the
same manner, and the soldiers and sailors proceeded to join the
army. Thus Cortés draws them in, friend and foe alike being his fish,
if once they enter his net.
More substantial reinforcements were in store, however.
Governor Garay, of Jamaica, had in no manner been discouraged by
the failure of his last expedition to Pánuco, and the rumors of his
rival’s success in New Spain fired him to renewed efforts, the more
so since he possessed the royal grant, the vessels, and the men,
with ample means to sustain them. In the spring of 1520 he had
despatched three vessels, with about one hundred and fifty soldiers
and sailors, a few horses, and some artillery, under the former
commander, Pineda.[960] Ascending the Pánuco the expedition
came to a town,[961] and met with good reception, but the natives
soon tired of giving their substance to strangers, who may beside
have been guilty of excesses, and they made hostile
demonstrations. Pineda showed a bold front, and proceeded to
attack the town, but was surprised and killed, together with a number
of soldiers and the horses.[962] The rest escaped as best they could
in two of the vessels, pursued by a fleet of canoes. One of the
caravels was wrecked not far above Villa Rica, whereupon a portion
of the men resolved to proceed by land rather than suffer starvation
on board, for in the hurry of the flight the lockers had received no
attention. Both the sea and land parties arrived at the Spanish port,
where every care was given them.[963] Thence they were forwarded
to Tepeaca, where their cadaverous complexion and swollen bodies
procured for them the nickname of ‘panzaverdetes,’ or green
paunches. Hardship and bad food had carried a number past relief,
and even in Tepeaca several died, including Camargo, as Bernal
Diaz believes.
A month later, after the Quauhquechollan expedition, another
vessel arrived with about fifty soldiers,[964] under Miguel Diaz de
Auz, an Aragonian cavalier. He had been sent to reinforce Pineda,
but after remaining at Rio Pánuco for a month, without seeing even a
native, he had come down to search for the fleet. The fame of Cortés
