Monday, September 30, 2019

Mentoring Cyber Security Professionals On Ambiguity


Ambiguity is a reality in cyber security, cyber risk mnagement, and cyber threat intelligence.



The path to answering, "what's going on here?" may simply not have a lot of clarity.

Less regulated industries in particular can be a hotbed of additional ambiguity as executives balance the very strong competing priorities of revenue generation and operational resilience with the friction that secure processes and security controls can bring. 

Team members new to cyber security need to be prepared for dealing ambiguity in its many forms. 

Read more »
Posted by at No comments:
Labels: , , ,

Sunday, September 29, 2019

A Pesky Cloud Security Use Case


You’ve loaded up the security controls to protect your data in any of those big name cloud providers. 



Ever think about the source network from which that authorized user is connecting to your internal cloud resources?
Read more »
Posted by at No comments:
Labels: , ,

Saturday, September 28, 2019

Never Waste A Good Cyber Emergency


It has finally happened. Some sort of cyber emergency. In your organization. Perhaps an emergency happening right now to someone that is reading this post.


The wise security practitioner will have already prepared their executive team for the eventuality of a large incident that pushes the limits of the team to contain.  No matter the level of your cyber maturity, you’ve been doing all of the right things.  Educating execs about your program. Clearly articulating your focus areas and gaps. Training the team. Your program is chugging forward. And then the emergency occurs.

It happens every day. All of us are due to have a really bad day at some point.  

Read more »
Posted by at No comments:
Labels: , ,

Thursday, September 26, 2019

What Do You Want In A Cyber Security Program?


There is no “one size fits all” approach when building or re-building a high performance cyber security team.


The team that you build depends on the cyber program that you currently have, the industry that you are in, and the type of program that you want to build.  


The definition of success for a security team in a regulated industry may be very different and require a different set of skills than a security team in a less regulated industry.
Read more »
Posted by at No comments:
Labels: , , ,

Wednesday, September 25, 2019

The Challenge of Cyber Security

Everything is in constant flux in cyber security.




The threats.

The tools.

The people.

The business strategy.
Read more »
Posted by at No comments:
Labels: , ,

Monday, September 23, 2019

Cyber Security Budget Season Possibilities

New year, just around the corner.




Full of hope and possibility.

Lining up the resources now. 


New tools. More projects. Fresh faces. 

Deeper engagement.


Each driven by your needs, not the vendor’s.


Adding to your program’ potential.


Make every choice count.


Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on twitter or Linkedin and I'll read it.


SEE ALSO


Mentoring Cyber Security Professionals On How To Compromise  

A Forgotten Cyber Security Feedback Loop

The Cyber Maturity Audit Squeeze
Posted by at No comments:
Labels: , ,

Sunday, September 22, 2019

MOVED: Mentoring Cyber Security Professionals On How To Compromise


This post has moved to https://medium.com/@opinionatedsec/mentoring-cyber-security-professionals-on-how-to-compromise-7a62aca56050?sk=0dff8c854ff6a880448c96bbe5e23b82

Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on twitter or Linkedin and I'll read it.

SEE ALSO

The Cyber Security Leadership Challenge

Mentoring Leaders Around Delegation

Knowing If You Have The Right Cyber Leader


Posted by at No comments:
Labels: , , ,

The Cyber Security Leadership Challenge


Cyber security doesn’t have a management challenge. It has a leadership challenge. 




The indicators are obvious.


Programs tend to have unhappy people and an executive team overloaded with process but short on continual positive change, communications about future direction, and the resources needed to effect that change. 
Read more »
Posted by at No comments:
Labels: , , ,

Friday, September 20, 2019

A Cyber Security Patchwork Weave


The cyber security team is part of a patchwork weave that represents the cyber security program.




Users.
Customers.
Business process owners.
Executives.
Auditors.
Vendors.


Each with a view and a color on what secure is.  Or, is not. 

Read more »
Posted by at No comments:
Labels: , ,

Thursday, September 19, 2019

Cyber Security’s Army of Shade Tree State Actors


At some point, organizations seem to have confused hacking certifications with the ability to breach systems at the level of state actors. An unfortunate side effect has been to equate penetration tests with actual breaches.




They aren’t the same.


You'll likely not guess this from the balance of conference topics and social media posts skewed towards red teaming but red teams are just another capability within a cyber security program. 

Really, they are.

Read more »
Posted by at No comments:
Labels: , , ,

Wednesday, September 18, 2019

A Perplexing Cyber Risk Management Question


Question: Your cyber risk management program is effective at proactively finding risks.  

Answer: Effective / Not Effective.  (circle one)

How do you know?  What is being measured?

After all, it’s a key program for proactively identifying cyber risks.

Lots of resources, and frameworks, and effort.


The same expectations of any other program with that size and scale. 

But no obvious formalized way or feedback loop to evaluate, measure, or compare just how good that proactive risk identification is.

Wait, what?!?

Maybe teams don't want to know how effective they are. Does the question even matter? Or is the question just not often asked?  So many perplexing follow-on questions in my head.

In my thinking, the risks identified outside of the cyber risk management process that didn’t find their way into the risk register would seem to be as significant as a software defect not caught by the QA team. 

Some potentially serious root causes as to why were those missed. by the cyber risk program:   

Training issue? Process hole? Lack of resources?

Or, just the historically comforting knowledge that they aren’t tracked, goaled, or owned?

I’m feeling like this should be important or that I have missed a key concept someplace…

….particularly with the resources and effort involved.

How do you demonstrate that your cyber risk management program is effective for the resources and effort you've put into it? 

Join the discussion at #crazygoodcyberteams on twitter or Linkedin . Alo, follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1

SEE ALSO

That Latest Cyber Security Media Darling 

Some Wrenching Cyber Security Tool Tomfoolery 

The High Prioritization Simplification 

Posted by at No comments:
Labels: , ,
Subscribe to: Posts (Atom)