
What’s The Relationship Between Security Governance and Organizational Maturity?
Organizational and security governance is touted as a key component of any successful security program. However, I’ve been thinking about governance lately and how it relates to the overall maturity of an organization. This has prompted some questions such as: What happens if you have too much governance? And what’s the relationship between security governance…

Are Traditional IT Roles Still Relevant In Today’s Modern Security Org?
As more and more businesses shift to the cloud and micro-services, the scope of responsibility for security and operations gets pushed up the stack. As a result of this scope compression, teams no longer need to worry about maintaining physical infrastructure like deploying servers, provisioning storage systems or managing network devices. As this scope falls…

The Dichotomy Of Security
If you have ever read Extreme Ownership or The Dichotomy of Leadership by Jocko Willink, then you will be familiar with the concept of dichotomy and how opposing forces of a skill set can complement each other. Mastering both sides can allow flexibility and increase the effectiveness of that skill set when dynamically applied to…

We Are Drowning In Patches (and what to do about it)
Last week I had an interesting discussion with some friends about how to prioritize patches using criticality and a risk-based approach. After the discussion I started thinking about how nice it would be if we could all just automatically patch everything and not have to worry about prioritization and the never-ending backlog of…

Are Phishing Campaigns Worth It?
Phishing campaigns are often touted as a complementary exercise to security training as a way to measure training effectiveness. The thought is, if your training is effective, users will be less likely to fall for and click on phishing emails, which will correlate to a decrease in the number of phishing incidents at your company.

Using Exceptions As A Discovery Tool
Security exceptions should be used sparingly and should be truly exceptional circumstances that are granted after the business accepts a risk. In mature security programs the security exceptions process is well defined and has clear criteria for what will and will not meet the exception criteria. In mature programs exceptions should be the exception, not…