Saturday, November 30, 2019

The Luck Factor In Incident Response


When malware passes through the perimeter and internal network controls, it’s going to land on something. That something is most often some sort of endpoint whether a server or user machine. 




When malware lands on an endpoint as a result of a broad blind attack, the attacker most likely won’t know what machine it’s on, what privileges it has, or where it can easily move laterally. For some destructive attacks, this isn’t important, but for many attackers, establishing basic information is.

Friday, November 29, 2019

A Security Culture From Nothing


There are organizations that have no cyber security culture. Others have a cyber security culture that consists entirely of an annual video for all employees. If the successful practice of cyber security relies on the corresponding ownership of secure practices throughout the company, real security awareness involves cultural change.



A cyber security team will never be large enough to accomplish the task themselves. 


So you, as a cyber security leader, are starting from nothing. You’ll need a plan to get your organization from where they are today to where you want them to be. 

Thursday, November 28, 2019

Thankful


Today is Thanksgiving in the United States. Today also means that I’ve been writing a blog post for over 130 consecutive days now. 



As of the 130-day mark, my goal for this blog remains unchanged from the day that I started on this endeavor. This is a place for me, a cyber leader in the daily fray and with nothing to sell, to share opinions often underrepresented in other social media content that help cyber security leaders understand what’s possible in a crazy good cyber program, define a clear strategic direction for their team, communicate with other executives, be resourced correctly, and reduce the level of exhausting, disruptive work.

Wednesday, November 27, 2019

Building A Digitally Transformed Cyber Program


Digital transformation may involve IT and application development, but it isn’t an IT process. It’s a broader business process in which IT and applications expose additional value to the business.



As a cyber leader, you’ll have to support and secure this transformation from wherever your legacy systems are now into this new world. Unfortunately, you won’t be able to hand wave away your legacy issues. Legacy systems are the transformation portion of all this.

So how to proceed into this brave new world?

Tuesday, November 26, 2019

The Rest Of Cyber Security


There is some truth to the movement that you don’t need to be technical to be in cyber security. Some truth in that there are a number of roles that are clearly less technical and more framework oriented than others. These are the roles in which questions like “are the correct configuration boxes checked?”, “can this person pass as an employee through security checks?” or “is this particular business process mature to the clearly understandable standard?” can be answered in non-technical ways.



And then, there is the rest of cyber security. You know, the non-prescriptive, often technical part. 

Monday, November 25, 2019

Mentoring Execution Improvements In Cyber Security


A key moment in the career of a cyber leader is when they realize the difference between simple activity and a planned set of work designed to mature the security program in a purposeful direction. 


Activity isn't a reliable metric for improvement within a security program. And, yet, activity seems to be a popular justification for more resources. We have to think like a business leader to understand why it might not be.

Sunday, November 24, 2019

Framing Data Security Conversations To Executives


Data is created, modified, moved and deleted as part of any number of business processes. These business processes and underlying technologies create transformative value for their organizations. The smart cyber leader will want to frame conversations with non-technical executives in a way that they can quickly grasp. 



A detailed explanation of NIST or other framework data security requirements probably is not the conversation format within which you’ll find success. You won’t establish your expertise with execs with a deep dive into frameworks.

Saturday, November 23, 2019

An Example Of Managing Massive Cyber Change


Think that you have a hard time managing cyber security expectations and change? Compare your change to the change that became Patch Tuesday.



Love Patch Tuesday or hate it, I worked at Big Software Company™ before Patch Tuesday was a “thing”. Prior to Patch Tuesday, patches had to be released as quickly as possible. Large customers that paid large support had this expectation and, worse yet, there was a great deal of internal pressure to release.


The result was a whiplash of patches released on any night of the week including Friday and Saturday and patching teams having to work whatever hours were required to patch systems. Change was needed and no one recognized the need for change.  It was just what it was. 

I ran a high profile product team for four years and, the Sunday before Thanksgiving, we generally had an egregious security defect reported. We’d spin up the team to release a patch before Thanksgiving so the team could get some time off. After the first year, it became clear that the reporter was generally holding a second defect in their back pocket to report just after the release of the Wednesday patch. That would require calling the team back in.


And then came Patch Tuesday. Our customers didn’t think that it would.  Heck, I didn’t think it would work.


But, now, the industry and executives would be hard pressed to imagine a different cadence. That’s managing change effectively.
 

So, if you think that any change is too big, compare it to Patch Tuesday.


I’d guess that your change pales in comparison. 


Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.






Friday, November 22, 2019

The Gift Of Post Data Breach Optics


As cyber professionals, our job is to think about preventing breaches. We have controls that have been put in place. We measure the efficacy of those controls. And we have a backlog of work that remains to be done.
 


During an incident, we work to respond to the incident. If that incident rises to the level of a data breach, we work within the context of an enterprise crisis action team to contain every aspect of that breach, technical and non-technical.


But how often do you think about what happens post-breach after the exhausted response team has gone home?  By this, I mean the regulators. Depending on your industry and location, you'll likely have state and/or federal regulators knocking on your door.

Thursday, November 21, 2019

Starting With Not-So-Shiny Cyber Threat Intelligence


Cyber security is interesting in that there is encouragement and peer pressure to start with the most shiny of shiny things. Cyber threat intelligence is no exception. 




When starting a cyber security threat intelligence program, most organizations have some fixed amount of resources and a lot of choices.

Wednesday, November 20, 2019

Four Questions During Cyber Sales Pitches


If tools are the bones of cyber defense, then cyber security services comprise some of the connective muscle. As cyber leaders, we get pitched all of the time - bones, muscle, and a lot of filler.




A fair number of organizations seem to be attempting to resolve complex cyber security issues by simply throwing money at potential solutions. Many vendors have pitches that reflect this reality.  

Some pitches simply make no sense. 

Tuesday, November 19, 2019

Transforming Cyber News Into A Value Add


Retweeting or forwarding news articles about a cyber breach seems somewhat mindless. A company made the headlines for being breached...again. It might be mildly interesting if the breached party is a technology vendor or a management consulting company with a cyber practice. The frequency is overwhelming.


That said, is there really any value left in being the 10,000th person to retweet or forward the link about that latest breach?


Perhaps there is a different way to think about cyber news. 

Sunday, November 17, 2019

Some Cyber Security Value In Frustration


Frustration is a great trailing indicator for cyber leaders as it generally occurs when we keep trying to do something that isn’t working. Frustration isn’t the problem. It’s a symptom.



We clearly would not want to take actions that intentionally increase frustration for others. That’s not the intent of finding value in frustration.  The intent is that we want to be vigilant of early frustration so that the source of frustration, that underlying issue, can quickly be sussed out and remediated.  


Once recognized, frustration can become a tool for continuous improvement. 

Saturday, November 16, 2019

Blue Team Building In Cyber Programs


There is a well known blue team problem in cyber security.


Blue teams defend everything.  

They have little hand in choosing the time or place of incidents.
A lot of threat surface area to defend.
And, too much to try to tackle at once.

Perhaps it’s time to change the dynamics.