Anyone that knows me, knows I love maturity assessments and tools (I’ve built a few, and run LOADS more) so this morning when I saw this on LinkedIn I had to start to get some understanding! I’ve not even had a cup of tea, but let’s see what this looks like!
Read more “Cloud Adoption Security Review”
I’ve got 99 vulnerabilities but log4j ain’t one!
Most organisations have hundreds to thousands of vulnerabilities. They range across the spectrum from:
The challenge comes in trying to determine how to prioritise. Which ways could we go?
Where do we start?
Read more “Vulnerability Prioritisation”
How an organisation approaches the challenge of technology and security management is the difference between leveraging technology to deliver value efficiently and effectively, and accumulating technical debt and inefficiently deployed technology that hinders the organisation in the pursuit of its mission.
When we consider how technology is managed, we need to look at it from multiple viewpoints:
Read more “Organisational Approach to Technology and Security”
New machines mean it’s easy, right?
Ok, another post on Cyber Essentials! I talk about this quite a lot (mainly driven by procurement requirements rather than orgs expressing a deep desire to “have better security”, which is a shame); however, I want to show people what the real world is like and that meeting Cyber Essentials is a good thing, but also to look at the real-world challenges of meeting the standard. In this post we look at some thought-provoking questions, then we look at an out-of-the-box Windows device and an out-of-the-box Mac device to see if they meet the standard!
Read more “Cyber Essentials – Out of the Box”
Myth: you must be a “techie” to lead in the CYBERS
Ok, so you might be sitting here going… but Dan, you send pews and do “techy” stuff… do you not lead? Well, I mean I do all kinds of things: I write business cases, I play with spreadsheets (fun, right!), I integrate systems and look at data, and sometimes write really bad code! (Hey, the pews aren’t going to send themselves!) But… I want to talk about some realities here.
Read more “Cyber Leadership”
This post started out as a technical post about commonalities found in the field that vary based on business operating model, IT capability and the vectors used by threat actors. Whilst writing it, it led more into business leadership, governance and investment risks. How do these two subjects interface? Well, to be honest, they are the same thing seen through a different lens.
In this post we are going to look at:
- Common Technology Deployment Models and the associated threats/risks/vulnerabilities
- Common challenges I find in organisations
- And finally, a question… is this the business outcome that you want?
The gaps between strategic security improvement and keeping the wolves out, today!
The Cyber Realities in 2021
Most organisations today honestly don’t have great cyber security postures. Cyber security has improved since the 80s and 90s, but common gaps can still be found in the same old areas.
So, whilst security possibilities and technical capabilities for defence have greatly improved, this hasn’t really translated into the level of change we would like to see on the ground inside organisations.
I’m writing this post after giving a talk today about the challenges I see in cyber security across different organisations, but also after watching a talk by Dave Kennedy which, from my perspective, emulates my experiences and largely my views.
Read more “The Security Challenges of 2021”
What does it take to be a cyber leader? How do we address a broad challenge we have in today’s business world?
There are a huge number of organisations where the leadership does not have domain expertise in cyber and related disciplines. There are decision makers who are having to best-guess. On the other end of the spectrum, we have thousands and thousands of people trying to “break into cyber”, yet they face largely insane entry requirements, with the aforementioned leaders adding requirements to junior and entry-level roles such as:
- Must have a CISSP (the CISSP requires 5 years’ experience and is an information security certificate that is very broad and not very deep; it also covers a range of areas that, in my opinion, aren’t even required for many cyber security capabilities inside organisations)
- Must have a Certified Ethical Hacker (this exam includes remembering historic malware dates; is that really what we need from our leaders?)
- Must have a very large amount of experience or be from an existing cyber role
This is not meant to be an essay, but simply a rapid-fire view of things that I see as major challenges with digital security in today’s age. So, without any further delay, let us hit it:
Read more “5 Major Challenges with Business Digital Security”
Security Planning 101
I have been thinking about how organisations manage (or do not manage) their security postures from both a governance and a management point of view. To help organisations that are just starting on their security improvement journey, I thought I would put together a list of activities they may want to have in a forward schedule document (you could even call it a roadmap). It is not going to be all things to all people, and different organisations and markets will have different requirements.
Read more “Routine Security Governance and Management Activities you should plan for”