I'm changing my blog platform over the course of the Xmas holiday.
New blog platform: https://medium.com/@opinionatedsec
You can read updates dated after 12/22/2019 over there.
Tony
Saturday, December 21, 2019
Friday, December 20, 2019
Rediscover The Security In Cyber Security
Despite sharing a cyber security focus, different organizations
value different outcomes in the security space.
So, why do we seem to have lost our way?
Thursday, December 19, 2019
An Abdication Of Cyber Leadership To Consultants
Cyber leaders seem to proudly point to bringing in outside
consultants to convince executives to take action on items that have lingered
for years. Social media is full of threads of such proud proclamations by both cyber leaders and consultants.
Wait. What?!?
Critical items that have lingered for years? An outsider with more trust? Something else seems broken there.
Wednesday, December 18, 2019
Learning From Your Own Malware
The best threat intelligence comes from your own
organization’s endpoints. One aspect
of this is treating every instance of unwanted software, such as malware or
adware, that lands and installs on a machine as an indicator of a gap in
controls coverage:
A control that is present but somehow misconfigured.
A control that is missing or has been disabled.
An error by a user.
So, when you encounter evidence of malware, a key followup
item is to determine just how the malware got there.
Tuesday, December 17, 2019
Cyber Leaders And the Adult Table
Moved to https://opinionatedsec.medium.com/are-you-as-an-infosec-leader-ready-to-sit-at-the-executive-adult-table-269129099e55?sk=8567d86985e13e40c42072e6a1b774f5
Monday, December 16, 2019
Mentoring Around The Time-Value of Cyber Delivery
A good cyber leader wants to meet expectations of their
executive team but a great cyber leader wants to consistently exceed their
expectations. The smart cyber leader has a chance to do this consistently
within the context of delivery.
So how do we mentor cyber leaders to consistently exceed expectations?
Sunday, December 15, 2019
Cyber Leaders And Story Telling
Good story telling is an under-valued skill for cyber security
leaders. It’s a skill that helps executives gain a deeper understanding of an
organization’s cyber program and gaps. This includes the current state of the
program, and properly set expectations about the resources needed to keep, or
change, the current state.
All wrapped up in an
easily digestible, non-technical story.
Saturday, December 14, 2019
MOVED: The Dark Underside Of Cyber Visibility
This post has moved to https://medium.com/ciso-cyber-leaders/the-dark-underside-of-cyber-visibility-4c3307fbd96?source=friends_link&sk=3efd7b4c7de0bd00a37c4988b8528916
Like what you've read
enough to follow me on Twitter? @Opinionatedsec1.
Friday, December 13, 2019
Foundational Cyber Security Work Items
Cyber
leaders have to prioritize. Yet, every vendor wants to convince the audience
that their sizzling hot product should be the priority – even if the significant
prep work needed for success remains unsaid.
We’ve also confused the balance of compliance with what is required to
actually secure an organization.
And we wonder why even big name organizations get breached.
If you are in a highly regulated industry or the government,
your focus may have to be elsewhere, but if you are in a less regulated industry
and interested in security over compliance, here are some completely unsexy fundamental
work items that would fit most organizations …
Thursday, December 12, 2019
The K in Cyber Security KPIs
The stakes involved in flying are higher than in cyber
security. No one should disagree with that statement.
With all of those high potential stakes, think about
the airline key performance indicators (KPIs) that matter to you as a passenger when flying.
That your plane arrives at the destination.
That the plane arrives on time.
That emergency procedures are in place.
That your luggage arrives with your flight.
Each of the above is an easily digestible end state, a
business outcome. Simple questions that mask the “white space” or complex activities that
comprise each of those outcomes.
Wednesday, December 11, 2019
The Hard Part Of Automating Cyber Security
Your cyber security program isn’t going to scale without automation.
There is automation within tools, but also automation that creates efficiencies across
tools and processes.
Tuesday, December 10, 2019
Security Connective Tissue Behind Digital Transformation
Digital transformation is what the business sees and its
customers experience.
It’s the face of the transformation.
Exposing business value via APIs.
But there is also magic happening behind the scenes.
Monday, December 9, 2019
Mentoring Around Measuring Cyber Progress
Peter Drucker is often credited with saying that you can only manage
what you can measure. Nice thought but, by itself, not much help in terms of
practical advice to the cyber security leader.
So how do we mentor showing progress?
Sunday, December 8, 2019
Kicking The Can Down The Road
Sometimes you might not have enough resources to do all of
the things that really are important.
We can model three types of execution:
Critical projects tied to a commitment which has resources
and a champion.
Key projects with resources that are important but for which
you, as the senior cyber leader, might be the only champion.
Other projects that are important but without sufficient resources.
Saturday, December 7, 2019
The Engagement Problem of Cyber Security Ownership
This post is part 2. Part 1 is “The Conceptual Problem of Cyber Security Ownership.”
So, you decided to distribute ownership of securing business processes outside of the cyber security team, within the standards set by the security team. You have a conceptual model. Now, we need to examine the mechanics of implementing that model.
Communication isn’t enough to transfer ownership to
business process owners. If communication alone were sufficient, almost every cyber security team would
have distributed ownership of cyber security by now.
Communication implies one-way directives:
proclamations that are easy to ignore.
Friday, December 6, 2019
Success: The Bigfoot of Cyber Security
Success can be elusive in cyber security. Elusive, in that
there is often a chasm between the cyber leader’s definition of success and the
expectations of the Board and/or executives. That chasm is too often explained away
as “the executives don’t understand cyber security,” or, worse yet, “a cyber
team can’t be successful.”
So, for some organizations, finding success is like finding
Bigfoot from the light of a UFO.
Thursday, December 5, 2019
The Conceptual Problem of Cyber Security Ownership
Effectively securing the IT and information assets of an
organization is as much a problem in modeling the right approach as it is in having the right
controls and technical solutions in place.
For instance, wanting to distribute ownership of cyber security
across the organization isn’t a technical problem to solve. It’s a business model problem that begins with
a conceptual change that then leads to process change.
If we want to distribute cyber security ownership, we can conceptually view the relationship of a cyber
security team and a cyber program in two ways.
Wednesday, December 4, 2019
Play To Win In Cyber Security
Close your eyes and think of the goals for your cyber
program. Think of what a win looks like.
In American football, a prevent defense almost always means
the other team has a chance to win.
Are your cyber goals preparing your organization to win?
Or, is your program playing the cyber equivalent of a prevent defense?
Tuesday, December 3, 2019
Cyber Leaders, Critical Thinking, and Team Colors
Purple teams confuse me.
To be more precise, small cyber teams thinking that they
need some separate purple capability is what actually confuses me.
Monday, December 2, 2019
Mentoring Cyber Leaders To Say No (And Yes)
Being able to prioritize and being able to say no are two closely
linked critical skills for cyber security leaders. The linkage is strong. Without being successful at
one, it can be very difficult to be successful at the other.
Don’t get me wrong. The learned and practiced skill of being
able to say no is really about the ability to say, “yes”.
No to the wrong things, and yes to the right
things.
Sunday, December 1, 2019
Servant Leadership In Cyber Security
Servant leadership seems to be a growing buzzword in cyber
security.
Robert K. Greenleaf coined the words "servant-leader"
and "servant leadership" in 1970 with the publication of his classic
essay, The Servant as Leader.
Saturday, November 30, 2019
The Luck Factor In Incident Response
When malware passes through the perimeter and internal
network controls, it’s going to land on something. That something is most often
some sort of endpoint whether a server or user machine.
When malware lands on an endpoint as a result of a broad, blind
attack, the attacker most likely won’t know what machine it’s on, what
privileges it has, or where it can easily move laterally. For some destructive attacks,
this isn’t important, but for many attackers, establishing that basic information is.
Friday, November 29, 2019
A Security Culture From Nothing
There are organizations that have no cyber security culture.
Others that have a cyber security culture that consists entirely of an annual
video for all employees. If the successful practice of cyber
security relies on the corresponding ownership of secure practices throughout
the company, real security awareness involves cultural change.
A cyber security team will never be large enough to accomplish
the task themselves.
So you, as a cyber security leader, are starting from
nothing. You’ll need a plan to get your organization from where they are today
to where you want them to be.
Thursday, November 28, 2019
Thankful
Today is Thanksgiving in the United States. Today also means
that I’ve been writing a blog post for over 130 consecutive days now.
As of the 130 day mark, my goal of this blog remains
unchanged from the day that I started on this endeavor. This is a place for me,
a cyber leader in the daily fray and with nothing to sell, to share opinions often
underrepresented in other social media content that help cyber security leaders
understand what’s possible in a crazy good cyber program, define a clear
strategic direction for their team, communicate with other executives, be
resourced correctly, and reduce the level of exhausting, disruptive work.
Wednesday, November 27, 2019
Building A Digitally Transformed Cyber Program
Digital transformation may involve IT and application
development, but it isn’t an IT process.
It’s a broader business process in which IT and application development expose additional
value to the business.
As a cyber leader, you’ll have to support and secure this transformation
from wherever your legacy systems are now into this new world. Unfortunately, you
won’t be able to hand wave away your legacy issues. Legacy systems are the
transformation portion of all this.
So how to proceed into this brave new world?
Tuesday, November 26, 2019
The Rest Of Cyber Security
There is some truth to the movement that you don’t need to
be technical to be in cyber security. Some truth in that there are a number of
roles that are clearly less technical and more framework oriented than others. The
roles in which questions like, “are the correct configuration boxes checked?”, "can this person pass as an employee through security checks?" or, “is
this particular business process mature to the clearly understood standard?” can be answered in non-technical ways.
And then, there is the rest of cyber security. You know, the
non-prescriptive, often technical part.
Monday, November 25, 2019
Mentoring Execution Improvements In Cyber Security
A key moment in the career of a cyber leader is when they
realize the difference between simple activity and a planned set of work
designed to mature the security program in a purposeful direction.
Activity isn't a reliable metric for improvement within a security program. And, yet, activity seems to be a popular justification for more resources. We have to think like a business leader to understand why it might not be a convincing one.
Sunday, November 24, 2019
Framing Data Security Conversations To Executives
Data is created, modified, moved and deleted as part of any
number of business processes. These business processes and underlying
technologies create transformative value for their organizations. The smart
cyber leader will want to frame conversations with non-technical executives in
a way that they can quickly grasp.
A detailed explanation of NIST or other framework data security requirements probably is not the
conversation format in which you’ll find success. You won’t establish your expertise with execs through a
deep dive into frameworks.
Saturday, November 23, 2019
An Example Of Managing Massive Cyber Change
Think that you have a hard time of managing cyber security
expectations and change? Compare your change to the change that became Patch
Tuesday.
Love Patch Tuesday or hate it, I worked at Big Software Company™ before Patch Tuesday was a
“thing”. Prior to Patch Tuesday, patches had to be released as quickly as
possible. Large customers that paid large support fees had this expectation and,
worse yet, there was a great deal of internal pressure to release.
The result was a whiplash of patches released on any night
of the week including Friday and Saturday and patching teams having to work
whatever hours were required to patch systems. Change was needed and no one recognized the need for change. It was just what it was.
I ran a high profile product
team for four years and, the Sunday before Thanksgiving, we generally had an egregious
security defect reported. We’d spin up the team to release a patch before
Thanksgiving so the team could get some time off. After the first year, it
became clear that the reporter was generally holding a second defect in their
back pocket to report just after the release of the Wednesday patch. That would
require calling the team back in.
And then came Patch Tuesday. Our customers didn’t think that
it would. Heck, I didn’t think it would
work.
But, now, the industry and executives would find it hard to imagine a different cadence. That’s
managing change effectively.
So, if you think that any change is too big, compare it to
Patch Tuesday.
I’d guess that your change pales in comparison.
Follow me on Twitter
for discussion and the latest blog updates: @Opinionatedsec1. Or, start your
own discussion using #crazygoodcyberteams on twitter or Linkedin and I'll read
it.