Blog

Dial up the crazy

Better Security through solid UX

This week we dial up the crazy: If you want to improve perception of your team, put some real energy into improving user experience.

Security Teams could be more trusted.

Security Marketing and Sales, Part 2: Baggage

Today, I expand on the challenges most security leaders face when explaining the value of security: usually people already don't like you. We discuss what you can do about it, focusing on how you can make your services and platforms support your message of helpfulness.

Stealing the best ideas from sales and marketing.

Security Marketing and Sales

Today, I explore strategies to explain the value of security. This will be a key pre-requisite in credibly pushing your organization toward standard solutions. Luckily, there are already best practices in this space: educating people about value at scale is called Marketing and educating them about value individually is called Sales.

Picard

Security Is Not Job 0

I am here to tell you now as a seasoned professional: security is not that important. The lie is tempting, and thematically similar to a lie common across cultures and topics: if everyone was like me, they would be a lot better off.

This Control Contains Implications

CIS 2.3 - Unauthorized Software

The biggest risk from software is vulnerabilities and packaged malware. CIS 2.3 tells you to get rid of the worst stuff.

Messy desktops

CIS 2.4 - Discovery

The biggest risk from software is vulnerabilities and packaged malware. The best way to start addressing that is to know what software is out there.

The Phoenix Project

The 5 Types of Work

10 years ago, The Phoenix Project took the IT world by storm. It spoke to the deep dysfunction in many teams, of a million departments blamed for when things go wrong but never credit when things go right.

Why CIS

The Critical Security Controls (CIS, aka CIS Top 20) is a great framework.  Many other people think so too; it’s exploded in popularity in the last 10 years.  There are 4 big reasons why.

CIS 2.1 - the Mission

CIS 2.1 contains the core mission of CIS 2: have an accurate Software Inventory.  The other CIS 2 controls are just supporting ways that help deliver that core mission. 

CIS 2 Explained

An Inventory of IT Stuff is a helpful thing: it's a necessary starting point for lots of other technical security work. But you know what would be even more helpful? Knowing what each thing does. Zowie! That would be wild.

CIS 13.9 - NAC

CIS 13.9 is heavy.  It requires big investments in the most expensive network gear, requires a fair amount of work to maintain, and can break systems if people make mistakes.  It provides good protection from expert onsite attacks: nothing gets to talk unless it’s allowed.  

CIS 1.3-5 - Discovery

CIS 1.3 - 1.5 use technical solutions to find all the IT Stuff for you, and report it back to your central inventory. They suggest three approaches, but there are bunches.

CIS 1.2 - Standard Work

There are several standard processes that most organizations will need to keep the inventory healthy and credible.  Some can be integrated with existing processes, but none can be totally eliminated.  CIS 1.2 proscribes the largest and most important kind of standard work: triage.  

CIS 1.1 Part 2 - Useful Information

CIS 1.1 contains the core mission of CIS 1: have an accurate Inventory of IT Stuff.  The other CIS 1 controls are just supporting ways that help deliver that core mission. 

CIS 1.1 - the Mission

CIS 1.1 contains the core mission of CIS 1: have an accurate Inventory of IT Stuff.  The other CIS 1 controls are just supporting ways that help deliver that core mission. 

CIS 1 Explained

The CIS Controls say the most important thing to do to secure your computers is to have a list of all your stuff. They’re a little unclear by what this means and how it helps.

Troy Hunt on success

I enjoyed this recent piece by Troy Hunt, the celebrity creator of havibeenpwned.  He departs from his usual technical topics, instead discussing the skills he's had to practice in the last year to stay effective while under more stress. 

Telling a security story well - example #22

Cyentia offers consistently high-quality insights about the security value proposition. They recently did statistical analysis of major incidents in the last 10 years. Some highlights:

Sample CICD flow

At DevOpsDays KC, several people expressed interest in this CI/CD pipeline picture.