The Luck Factor In Incident Response

When malware passes through the perimeter and internal network controls, it’s going to land on something. That something is most often some sort of endpoint whether a server or user machine. 

Malware that lands on an endpoint as a result of a broad blind attack, the attacker most likely won’t know what machine it’s on, what privileges it has, or where it can easily laterally move. For some destructive attacks, this isn’t important but for many attackers, establishing basic information is.

A Security Culture From Nothing

There are organizations that have no cyber security culture. Others that have a cyber security culture that consists entirely of an annual video for all employees.  If the successful practice of cyber security relies on the corresponding ownership of secure practices throughout the company, real security awareness involves cultural change. 

A cyber security team will never be large enough to accomplish the task themselves. 

So you, as a cyber security leader, are starting from nothing. You’ll need a plan to get your organization from where they are today to where you want them to be. 

Thankful

Today is Thanksgiving in the United States. Today also means that I’ve been writing a blog post for over 130 consecutive days now. 

As of the 130 day mark, my goal of this blog remains unchanged from the day that I started on this endeavor. This is a place for me, a cyber leader in the daily fray and with nothing to sell, to share opinions often underrepresented in other social media content that help cyber security leaders understand what’s possible in a crazy good cyber program, define a clear strategic direction for their team, communicate with other executives, be resourced correctly, and reduce the level of exhausting, disruptive work.  

Building A Digitally Transformed Cyber Program

Digital transformation may involve IT and application development but it isn’t an IT process.  It’s a broader business process in which IT and application expose additional value to the business. 

As a cyber leader, you’ll have to support and secure this transformation from wherever your legacy systems are now into this new world. Unfortunately, you’ll won’t be able to hand wave away your legacy issues. Legacy systems are the transformation portion of all this. 

So how to proceed into this brave new world?

The Rest Of Cyber Security

There is some truth to the movement that you don’t need to be technical to be in cyber security. Some truth in that there are a number of roles that are clearly less technical and more framework oriented than others. The roles in which questions like, “are the correct configuration boxes checked?”, "can this person pass as a employee through security checks?" or, “is this particular business process mature to the clearly understandable standard?” can be answered in non-technical ways.

And then, there is the rest of cyber security. You know, the non-prescriptive, often technical part. 

Mentoring Execution Improvements In Cyber Security

A key moment in the career of a cyber leader is when they realize the difference between simple activity and a planned set of work designed to mature the security program in a purposeful direction. 

Activity isn't a reliable metric for improvement within a security program. And, yet, activity seems to be a popular justification for more resources. We have to think like a business leader to understand why it might not be.

Framing Data Security Conversations To Executives

Data is created, modified, moved and deleted as part of any number of business processes. These business processes and underlying technologies create transformative value for their organizations. The smart cyber leader will want to frame conversations with non-technical executives in a way that they can quickly grasp. 

A detailed explanation of NIST or other framework data security requirements probably is not the conversation format within you’ll find success. You won’t establish your expertise with execs with a deep dive into frameworks. 

An Example Of Managing Massive Cyber Change

Think that you have a hard time of managing cyber security expectations and change? Compare your change to the change that became Patch Tuesday.

Love Patch Tuesday or hate it, I worked at Big Software Company™ before Patch Tuesday was a “thing”. Prior to Patch Tuesday, patches had to be released as quickly as possible. Large customers that paid large support had thi expectation and, worse yet, there was a great deal of internal pressure to release.  

The result was a whiplash of patches released on any night of the week including Friday and Saturday and patching teams having to work whatever hours were required to patch systems. Change was needed and no one recognized the need for change.  It was just what it was. 

I ran a high profile product team for four years and, the Sunday before thanksgiving, we generally had an egregious security defect reported. We’d spin up the team to release a patch before Thanksgiving so the team could get some time off. After the first year, it became clear that the reporter wa generally holding a second defect in their back pocket to report just after the release of the Wednesday patch. That would require calling the team back in.  

And then came Patch Tuesday. Our customers didn’t think that it would.  Heck, I didn’t think it would work.

But, now, the industry and executives would be hard to imagine a different cadence.That’s managing change effectively.   

 

So, if you think that any change is too big, compare it to Patch Tuesday.

I’d guess that your change pales in comparison. 

Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on twitter or Linkedin and I'll read it.

SEE ALSO

The Gift Of Post Cyber Breach Optics 

The Easiest Cyber Unicorn To Find

Next Level Marketing Of The Cyber Program 

The Gift Of Post Data Breach Optics

As cyber professionals, our job is to think about preventing breaches. We have controls that have put in place. We measure the efficacy of those controls. And we have a backlog of work that remains to be done. 

 

During an incident, we work to respond to the incident. If that incident rises to the level of a data breach, we work within the context of an enterprise crisis action team to contain every aspect of that breach, technical and non-technical.

But how often do you think about what happens post-breach after the exhausted response team has gone home?  By this, I mean the regulators. Depending on your industry and location, you'll likely have state and/or federal regulators knocking on your door.

Starting With Not-So-Shiny Cyber Threat Intelligence

Cyber security is interesting in that there is encouragement and peer pressure to start with the most shiny of shiny things. Cyber threat intelligence is no exception. 

When starting a cyber security threat intelligence program, most organizations have some fixed amount of resources and a lot of choices.

Four Questions During Cyber Sales Pitches

If tools are the bones of cyber defense, then cyber security services comprise some of the connective muscle. As cyber leaders, we get pitched all of the time - bones, muscle, and a lot of filler . 

A fair number of organizations seem to be attempting to resolve complex cyber security issues by simply throwing money at potential solutions. Many vendors have pitches that reflect this reality.  

Some pitches simply make no sense. 

Transforming Cyber News Into A Value Add

Retweeting or forwarding news articles about a cyber breach seems somewhat mindless.  A company made the headlines for being breached...again. It might be mildly interesting if the breached party is a technology vendor or a management consulting company with a cyber practice.The frequency is overwhelming.

That said, is there really any value left in being the 10,000^th person to retweet or forward the link about that latest breach?

Perhaps there is a different way to think about cyber news. 

MOVED: Mentoring Cyber Leaders Around Prioritization

This post has moved to https://medium.com/ciso-cyber-leaders/learning-the-important-cyber-security-skill-of-prioritization-567ad7657ada?source=friends_link&sk=a8c9213f925b54960af8d78cd2f884f9

Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on twitter or Linkedin and I'll read it.

SEE ALSO

Mentoring Scope of Authority Within Cyber Security Teams

Mentoring Around Reducing Distracting Cyber Work

Mentoring Around Waiting In Cyber Security

Some Cyber Security Value In Frustration

Frustration is a great trailing indicator for cyber leaders as it generally occurs when we keep trying to do something that isn’t working. Frustration isn’t the problem. It’s a symptom.

We clearly would not want to take actions that intentionally increase frustration for others. That’s not the intent of finding value in frustration.  The intent is that we want to be vigilant of early frustration so that the source of frustration, that underlying issue, can quickly be sussed out and remediated.  

Once recognized, frustration can become a tool for continuous improvement. 

Blue Team Building In Cyber Programs

There is a well known blue team problem in cyber security.

Blue teams defend everything.  

They have little hand in choosing the time or place of incidents.

A lot of threat surface area to defend.

And, too much to try to tackle at once.

Perhaps it’s time to change the dynamics.

MOVED: Finding The Easiest Cyber Unicorn

This post has moved to https://medium.com/@opinionatedsec/finding-the-easiest-cyber-unicorn-9476e20a67c5?sk=efe2561a492c6c4c019b784af01a88e5

Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on twitter or Linkedin and I'll read it.

SEE ALSO

The Potential Downside of Cyber Metrics

Transforming Into A Cyber Security Culture Takes Guts

Cyber Security As a Shared Service