Blog

Nobody got time for that

Better Security through Solid UX 4: Example Two, continued

Last time, we talked through six user stories across three personas in IT Asset Management. Today, I’ll walk through what jumped out at me — please comment with your thoughts and considerations — there’s a lot going on here.

Dial up the crazy

Better Security through solid UX

This week we dial up the crazy: If you want to improve perception of your team, put some real energy into improving user experience.

Security Teams could be more trusted.

Security Marketing and Sales, Part 2: Baggage

Today, I expand on the challenges most security leaders face when explaining the value of security: usually people already don't like you. We discuss what you can do about it, focusing on how you can make your services and platforms support your message of helpfulness.

Stealing the best ideas from sales and marketing.

Security Marketing and Sales

Today, I explore strategies to explain the value of security. This will be a key prerequisite in credibly pushing your organization toward standard solutions. Luckily, there are already best practices in this space: educating people about value at scale is called Marketing, and educating them about value individually is called Sales.

Picard

Security Is Not Job 0

I am here to tell you now as a seasoned professional: security is not that important. The lie is tempting, and thematically similar to a lie common across cultures and topics: if everyone was like me, they would be a lot better off.

This Control Contains Implications

CIS 2.3 - Unauthorized Software

The biggest risk from software is vulnerabilities and packaged malware. CIS 2.3 tells you to get rid of the worst stuff.

Messy desktops

CIS 2.4 - Discovery

The biggest risk from software is vulnerabilities and packaged malware. The best way to start addressing that is to know what software is out there.

The Phoenix Project

The 5 Types of Work

10 years ago, The Phoenix Project took the IT world by storm. It spoke to the deep dysfunction in many teams: a million departments blamed when things go wrong but never credited when things go right.

Why CIS

The Critical Security Controls (CIS, aka CIS Top 20) is a great framework.  Many other people think so too; it’s exploded in popularity in the last 10 years.  There are 4 big reasons why.

CIS 2.1 - the Mission

CIS 2.1 contains the core mission of CIS 2: have an accurate Software Inventory.  The other CIS 2 controls are just supporting ways that help deliver that core mission. 

CIS 2 Explained

An Inventory of IT Stuff is a helpful thing: it's a necessary starting point for lots of other technical security work. But you know what would be even more helpful? Knowing what each thing does. Zowie! That would be wild.

CIS 13.9 - NAC

CIS 13.9 is heavy.  It requires big investments in the most expensive network gear, requires a fair amount of work to maintain, and can break systems if people make mistakes.  It provides good protection from expert onsite attacks: nothing gets to talk unless it’s allowed.  

CIS 1.3-5 - Discovery

CIS 1.3 - 1.5 use technical solutions to find all the IT Stuff for you, and report it back to your central inventory. They suggest three approaches, but there are bunches.

CIS 1.2 - Standard Work

There are several standard processes that most organizations will need to keep the inventory healthy and credible. Some can be integrated with existing processes, but none can be totally eliminated. CIS 1.2 prescribes the largest and most important kind of standard work: triage.

CIS 1.1 Part 2 - Useful Information

CIS 1.1 contains the core mission of CIS 1: have an accurate Inventory of IT Stuff.  The other CIS 1 controls are just supporting ways that help deliver that core mission. 

CIS 1.1 - the Mission

CIS 1.1 contains the core mission of CIS 1: have an accurate Inventory of IT Stuff.  The other CIS 1 controls are just supporting ways that help deliver that core mission. 

CIS 1 Explained

The CIS Controls say the most important thing to do to secure your computers is to have a list of all your stuff. They’re a little unclear about what this means and how it helps.

Troy Hunt on success

I enjoyed this recent piece by Troy Hunt, the celebrity creator of haveibeenpwned. He departs from his usual technical topics, instead discussing the skills he's had to practice in the last year to stay effective while under more stress.

Telling a security story well - example #22

Cyentia offers consistently high-quality insights about the security value proposition. They recently did statistical analysis of major incidents in the last 10 years. Some highlights:

Sample CICD flow

At DevOpsDays KC, several people expressed interest in this CI/CD pipeline picture.