Tuesday, November 26, 2019

The Rest Of Cyber Security


There is some truth to the movement that you don't need to be technical to be in cyber security. Some truth in that there are a number of roles that are clearly less technical and more framework-oriented than others. The roles in which questions like "are the correct configuration boxes checked?", "can this person pass as an employee through security checks?" or "is this particular business process mature against a clearly understood standard?" can be answered in non-technical ways.



And then, there is the rest of cyber security. You know, the non-prescriptive, often technical part.



The part in which knowledge of the tech stack determines if an organization’s compensating controls are sufficient. 


The part in which the details of the build process are important differentiators in whether security controls can enable the business goals of an organization or hinder them.


The part in which cyber security can safely enable "yes" in some not-yet-clear way.


I guess that there are two counter-arguments to the premise that some level of technical expertise is needed in the rest of cyber security.


First: we can depend on the IT engineers or devs to make the hard technical calls or write the automated governance. The likely result here is that the business needs will generally outweigh the security requirements. Not a value judgment, just a statement of fact and a reflection of human nature.


Second: there is never any compromise to the security standards. I should add, "even when there can be". The reality is that hardening often breaks things, many apps have odd requirements, and some accounts need to have privileges. This is the reality of your network, applications, and endpoints. You'll need to enable the business at some point. You'll want to be sure that you enable them as safely as possible, and finding safe workarounds often requires some deep technical knowledge.


Either of those would be a purposeful, impactful choice about your security profile and your business.


Every hire will strengthen or weaken those choices and that profile. The rest of cyber security plays a big role in that.


Choose well.


Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.

