I make security strategy practical by demystifying common security misconceptions for IT, developer, and cybersecurity teams. Each talk can be adapted to fill a slot between thirty and sixty minutes long. Custom topics and setups are available upon request.
Ready? Book engagements here. Want ideas for a different audience? Go here for an overview.
Cop vs Lawyer: the Evolving Mindset of Security Leaders
At many organizations, the security team became synonymous with the word “no”. Progress was made in spite of security, not because of it. Today, some security teams have overcome that legacy and are building value through partnerships with technical, product, and even marketing teams. We talk about how your security department can do the same.
The Most Secure Platform is the one People Use
The world is full of examples where people bypass elaborate edifices designed by smart, well-meaning experts. Security teams love technically perfect solutions, but often spend too little time on how people will actually experience them. We discuss the basics of UI/UX design and how to select security features that enhance the value of a product instead of reducing it.
The Hidden Curse of Control Frameworks
To a GRC analyst, a control framework seems like a no-brainer. Those analysts organize and track compliance with countless different requirements, and combining them into a master structure seems like an obvious solution to all their problems. Unfortunately, putting such an edifice at the foundation of your overall strategy harms goals outside that GRC bubble. We discuss how this happens, how you can avoid it, and how to keep your GRC folks happy through the entire process.
How to Gauge a Cloud Platform’s Security Strength in 20 Minutes
There is a huge difference in resiliency between cloud products. We walk through the top indicators that a product was built well. This is a practical talk, where we apply the principles to platforms suggested by the audience.
The Trouble with TPRM
You will never have much control over a vendor’s work, including in security. Yet many audit frameworks expect you to apply substantial oversight to vendors through Third Party Risk Management (TPRM) programs. We talk through what TPRM programs are good at, what they are not, and the key indicators of a healthy program.
Three Objectives you Must get Right in Securing your Cloud
Traditional, datacenter-centric approaches to security do not translate well to cloud-native design. We talk through the most likely threats and risks in a cloud environment, and how teams can best avoid them.
Cloud Lift and Shift - When is it Right?
For 30 years, “Lift and Shift” has been a popular approach in IT to consolidating systems onto existing infrastructure, allowing significant cost savings without the disruption of moving operations teams onto new systems. This approach rarely works for the cloud: raw infrastructure costs usually increase, and older designs cannot take advantage of the cloud’s biggest strengths. We discuss which projects benefit most from the cloud, and which should stay in the datacenter.