Saturday, December 21, 2019

Changing Blog Platforms

I'm changing my blog platform over the course of the Xmas holiday.

New blog platform: https://medium.com/@opinionatedsec

You can read updates dated after 12/22/2019 over there.

Tony

Friday, December 20, 2019

Rediscover The Security In Cyber Security

Despite sharing a cyber security focus, different organizations value different outcomes in the security space.

So, why do we seem to have lost our way?

Thursday, December 19, 2019

An Abdication Of Cyber Leadership To Consultants

Cyber leaders seem to proudly point to bringing in outside consultants to convince executives to take action on items that have lingered for years. Social media is full of threads of such proud proclamations by both cyber leaders and consultants.

Wait.  What?!?

Critical items that have lingered for years?  An outsider with more trust?  Something else seems broken there.

Wednesday, December 18, 2019

Learning From Your Own Malware

The best threat intelligence comes from your own organization’s endpoints.  One aspect to this is treating every instance of unwanted software such as malware or adware that lands and installs on a machine as an indicator of a gap in controls coverage.

A control that is present but somehow misconfigured.
A control that is missing or has been disabled.
An error by a user.

So, when you encounter evidence of malware, a key follow-up item is to determine just how the malware got there.

Tuesday, December 17, 2019

Cyber Leaders And the Adult Table

So, we’ve got a seat at the table now.  In many organizations, we are seated with the executives that also have really hard problems to solve. Perhaps not security problems, but still hairy, relatively defined problems with serious impacts to the organization.

We asked for it and, in many orgs, received what we asked for.

Monday, December 16, 2019

Mentoring Around The Time-Value of Cyber Delivery

A good cyber leader wants to meet expectations of their executive team but a great cyber leader wants to consistently exceed their expectations. The smart cyber leader has a chance to do this consistently within the context of delivery.

So how do we mentor cyber leaders to consistently exceed expectations?

Sunday, December 15, 2019

Cyber Leaders And Story Telling

Good story telling is an under-valued skill for cyber security leaders. It’s a skill that helps executives gain a deeper understanding of an organization’s cyber program and gaps. This includes the current state of the program, and properly set expectations about the resources needed to keep, or change, the current state.

All wrapped up in an easily digestible, non-technical story.

Friday, December 13, 2019

Foundational Cyber Security Work Items

Cyber leaders have to prioritize. Yet, every vendor wants to convince the audience that their sizzling hot product should be the priority – even if the significant prep work needed for success remains unsaid.  We’ve also confused the balance of compliance with what is required to actually secure an organization.

And we wonder why even big name organizations get breached.

If you are in a highly regulated industry or the government, your focus may have to be elsewhere, but if you are in a less regulated industry and interested in security vs. compliance, here are some completely unsexy fundamental work items that would fit most organizations …

Thursday, December 12, 2019

The K in Cyber Security KPIs

The stakes involved in flying are higher than in cyber security. No one should disagree with that statement.

With all of those high potential stakes, think about the airline key performance indicators (KPIs) that matter to you as a passenger when flying.

That your plane arrives at the destination.
That the plane arrives on time.
That emergency procedures are in place.
That your luggage arrives with your flight.

Each of the above is an easily digestible end state, a business outcome. Simple questions that mask the “white space” or complex activities that comprise each of those outcomes.

Wednesday, December 11, 2019

The Hard Part Of Automating Cyber Security

Your cyber security program isn’t going to scale without automation.

There is automation within tools, but also automation that creates efficiencies across tools and processes.

Tuesday, December 10, 2019

Security Connective Tissue Behind Digital Transformation

Digital transformation is what the business sees and its customers experience.

It’s the face of the transformation.

Exposing business value via APIs.

But there is also magic happening behind the scenes.

Monday, December 9, 2019

Mentoring Around Measuring Cyber Progress

Peter Drucker is famous for saying that you can only manage what you can measure. Nice thought but, by itself, not much help in terms of practical advice to the cyber security leader.

So how do we mentor cyber leaders on showing progress?

Sunday, December 8, 2019

Kicking The Can Down The Road

Sometimes you might not have enough resources to do all of the things that really are important.

We can model three types of execution:

Critical projects tied to a commitment which has resources and a champion.

Key projects with resources that are important but for which you, as the senior cyber leader, might be the only champion.

Other projects that are important but without sufficient resources.

Saturday, December 7, 2019

The Engagement Problem of Cyber Security Ownership

This post is part 2. Part 1 is “The Conceptual Problem of Cyber Security Ownership.”

So, you decided to distribute ownership of securing business processes outside of the cyber security team within the standards set by the security team. You have a conceptual model. Now, we need to examine the mechanics of implementing that model.

Communications isn’t enough to transfer ownership to business process owners. If communications alone were sufficient, almost every cyber security team would have distributed ownership of cyber security by now.

Communications implies one-way directives.

Easy-to-ignore proclamations.

Friday, December 6, 2019

Success: The Bigfoot of Cyber Security

Success can be elusive in cyber security. Elusive, in that there is often a chasm between the cyber leader’s definition of success and the expectations of the Board and/or executives. That chasm is too often explained away as “the executives don’t understand cyber security,” or, worse yet, “a cyber team can’t be successful.”

So, for some organizations, finding success is like finding Bigfoot from the light of a UFO.

Thursday, December 5, 2019

The Conceptual Problem of Cyber Security Ownership

Effectively securing the IT and information assets of an organization is as much a problem in modeling the right approach as it is in having the right controls and technical solutions in place.

For instance, wanting to distribute ownership of cyber security across the organization isn’t a technical problem to solve.  It’s a business model problem that begins with a conceptual change that then leads to process change.

If we want to distribute cyber security ownership, we can conceptually view the relationship of a cyber security team and a cyber program in two ways.

Wednesday, December 4, 2019

Play To Win In Cyber Security

Close your eyes and think of the goals for your cyber program.  Think of what a win looks like.

In American football, a prevent defense almost always means the other team has a chance to win.

Are your cyber goals preparing your organization to win? Or, is your program playing the cyber equivalent of a prevent defense?

Tuesday, December 3, 2019

Cyber Leaders, Critical Thinking, and Team Colors

Purple teams confuse me.

To be more precise, small cyber teams thinking that they need some separate purple capability is what actually confuses me.

Monday, December 2, 2019

Mentoring Cyber Leaders To Say No (And Yes)

Being able to prioritize and being able to say no are two closely linked critical skills for cyber security leaders. The linkage is strong. Without being successful at one, it can be very difficult to be successful at the other.

Don’t get me wrong. The learned and practiced skill of being able to say no is really about the ability to say, “yes.”

No to the wrong things, and yes to the right things.

Sunday, December 1, 2019

Servant Leadership In Cyber Security

Servant leadership seems to be a growing buzzword in cyber security.

Robert K. Greenleaf coined the words "servant-leader" and "servant leadership" in 1970 with the publication of his classic essay, The Servant as Leader.