Saturday, August 31, 2019

The Cyber Maturity Audit Squeeze

Often just another squeeze on a security team's time, maturity assessments are a key part of any cyber security program. 

While the scores behind maturity can be misinterpreted as a measure of how secure an organization is, capability building around maturity does create resiliency and strengthen many of the cross-company business processes underlying a sound security program. 

Thursday, August 29, 2019

A Cyber Security Mentoring Impression

Twitter has recently filled with requests for mentors and volunteers to be mentors.

I’m a huge fan of mentors and mentoring. Mentoring forms the bulk of my role as a senior leader. 

But, if the idea of mentoring to the “more than curious” or the “new” is to have them know what they don’t know, why should mentoring stop there?

Wednesday, August 28, 2019

The High Prioritization Simplification

We've all heard that, when everything is important, nothing is important.

And yet we keep attaching ever more important-sounding labels to what should just be “most important”. The problem isn’t just with security issues, but also bug prioritization, tickets, and everything else.

When there are too many Priority 1s, we create Priority 0s, which are higher priority.

That works for a while. 

When there are too many Priority 0s, perhaps we create a “Critical Situation”, which is higher priority still.

An Application Security Defect Misunderstanding

Functional software defects and security defects aren’t different.

Both born from developers. Found with automated tools. Neither achieving a standard. 

Same remediation process. 

Yet, treated differently. In process. In perception. 

Tuesday, August 27, 2019

The Vendor Best Practice Excuse

When vendors suggest unsafe things and say it’s best practice, I have two questions to ask.

“How many other organizations allow you to do that?”

“Why do you think that can be done here?”

Outsourcing business processes doesn’t mean outsourcing risk. 

Monday, August 26, 2019

A Cyber Security Spend Alternative

Executives want value out of every dollar spent. Demonstrate value and increase your chances of being funded.

Scale is a compelling rationale in conversations with executives. Getting more spend for a cyber security program means scaling the program beyond just the cyber security team. Scale demonstrates value.

If a cyber security program is essentially the team, security can only scale to the ability of the team to do work. And if the work of that team is to secure business processes, the work is far larger than any team can handle.

Sunday, August 25, 2019

Improving Cyber Security Program Predictability

If there’s nothing otherwise blocking something meaningful being done, prioritization or procrastination could be reasons why. 

Procrastination is always lurking even in the best cyber security teams. Some teams more so than others. Weighing down the program. Inhibiting forward progress. Hiding in disruptive work as an excuse.

I think of security commits as key to prioritization and kryptonite for procrastination. With a laser sharp focus on sacrosanct delivery of something meaningful and achievable on a regular basis across each team member, you’ll create a drumbeat within your security program. And define some predictable forward motion during that time period. 

Saturday, August 24, 2019

The Application Security Thought Process

I’m a believer in specialists.

Why? I know the principles behind flight but I couldn’t build an airplane, how internal combustion engines work but bring cars to mechanics, and share the same keyboard as prize-winning novelists but couldn’t write one.

Specialists know something deeper than the tools and basic principles for their craft.

The difference that makes the difference in the value of the end product. 

Friday, August 23, 2019

A Second Cyber Security Metaphor

Safely enabling yes is different from always saying yes. 

Not letting a child run with scissors isn’t saying that they can’t ever use scissors.  It means arriving at the same desired outcome of cutting paper but in a more thoughtful way.

We know the homework assignment is due tomorrow.

Completing that assignment in a timely manner may mean going a bit out of our way to buy scissors made for kids rather than the very sharp large sewing shears that are up on the counter right now. That way, the child can succeed with the assignment without a lot of additional attention from us. 

Safely enabling yes comes from a place of love. 

Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on twitter or Linkedin and I'll read it.


Thursday, August 22, 2019

A Legacy Infrastructure Security Swan Song

The new and the old like black and white often co-exist.

But human nature doesn't always balance that coexistence. 

Focusing on the new is easy. The new is where we are headed. A new song. The shiny. The future. 

The new in which security is planned. Built in. 

But there is still the old too. Only named in transition. The stuff that works just so. The undocumented mess supported solely on tribal knowledge, scotch tape, and clarinet reeds.  

And the old is frustrating. 

Frustrating enough that we can choose to ignore it. Stop additional investment. Pretend that it’s going away. 

"Another two years and that old song is over."

Which is great. Assuming that you meet your timeline. That you can make the new work and make it work just so. 

Otherwise, the new becomes frustrating, while the old remains chugging along. A swan that keeps singing.

Without ongoing investment. Another two years. 

And still insecure.


Wednesday, August 21, 2019

The Cyber Security Fear Factor

Fear is often used as a lever for action in cyber security.

Fear arrives in our inbox and onto our browsers daily. Fear looms, persists, dwells.

Fear is disruptive and, when a constant planning factor, exhausting. 

Tuesday, August 20, 2019

The Cyber Recruiting Value-Add

Every scene in a good movie pushes the story forward. Adds value. Expands the narrative.   

The same is true with each member of the cyber security team. Each hire will define your program's story and value.

Building a top performing cyber security team is the most important thing that you can do as a cyber leader. Your choices or compromises in hiring will play a large role in making or breaking your career. 

Hire well. 

Know What Security Skills You Are Hiring For: Are you hiring for someone to look at a console all shift? Someone to capability build? Do they need to engage with stakeholders? Write policies? Are they working from a playbook, compliance, or risk checklist? Security skills run a wide spectrum and the candidate’s certifications won’t tell you how they fit in the range of roles that you might have to fill. In addition to these, natural smarts and enough technical curiosity to understand what is happening behind the console screens are important to me. I’ve “no hired” candidates for an incident response role with a masters in cybersecurity and candidates with 10 years of SOC experience because neither had the technical curiosity to understand key concepts about operating systems or malware as part of their very different experiences. You might feel differently.

Write Every Position Description For The Ideal Candidate: My bar for position descriptions is that the ideal candidate should immediately see themselves in the description. I can’t tell you the number of times that recruiting has said, “we will never find someone like that” and the perfect fit knocks on the door the next week. A lukewarm, warmed-over, bland position description just like all the others will only get you lukewarm, warmed-over, and bland candidates just like all of the others. Be brave. Be different.

Be Participative Upstream With Recruiting: Review every resume and tell Recruiting what you like and don’t like about a resume…even the ones that aren’t the right fit. This will help them better understand how candidates fit and help them find you more ideal fits. 

Pass Prospective Candidates To Recruiting: I like to do my own candidate search and pass the Linkedin links to Recruiting to reach out. Not all of the prospects work out for various reasons and that's ok. Again, the value is that it brings clarity to the experiences that the ideal candidate might have.

Help Recruiters With A Few “Rough Cut” Phone Screen Questions: The questions will help recruiters see if the candidate knows the basics for that specific role. 

Phone Screen For Resume & Experience: Spend your time during phone screens on the resume and experience of the candidate. This will allow you to keep these to a minimum if you bring them in for an interview loop. You should be spending interview loop.

So you own pushing your security program’s story forward. Here’s your chance. You know the stakes. Write that script. Start adding value with each hire rather than just hiring.

It's your future. Don't compromise.
