
Memberships

Real Security Heretics

Public • 80 • Free

The Surgery

Private • 132 • Free

5 contributions to Real Security Heretics
Incident!
A large organisation has experienced an attack on their IT systems that has gone public, the technical elements have been contained and mitigated although the public, senior stakeholders and the press want answers. With this in mind and having read the Problem of Security, as an internal member of the security team or a consultant working on behalf of the affected organisation, what would your response and advice be to ultimately protect the organisation and its value creation given your new perspective and how much is too far? What would you do differently?
1
3
New comment Jun '23
Incident!
1 like • Jun '23
@Luke Price The line 'how much is too far?' made me think; from where I am, I don't think I'm best placed to make that decision. I can present benefits and risks of a control or any other proposal, but the final weighting of 'is this worth doing' isn't for me to decide. It is for me to communicate well and clearly, and my error if the decision is ill-informed, but not to say what is too far. Or maybe more accurately, not for me alone.
Have you ever had this?
Ever attended a security course and sat there thinking to yourself...'I've heard all this before.' Ever walked out of an exam with the feeling that 'none of that really makes any difference?' Ever got your cert renewal and debated just shitcanning it? Ever blagged your CPEs just to get over the line but never really learned anything new? Ever felt frustrated that the things you feel you need in your job aren't being taught? Ever had an instructor who couldn't answer questions and just pointed to the slides or book and said 'if it's not in there, don't worry about it?' Yeah, I reckon. Ever considered taking a different approach to this security lark? Or is this just 'the way it is' ?
2
15
New comment Jul '23
0 likes • Jun '23
@Mark Boyson I feel like if the setup was more like the ITIL qualifications, it could be much more helpful; for ITIL, there is the Foundation course (real basic definitions and ideas), then the next one is called Practitioner, and is all about how this might apply to different companies; lots of advice and principles, basically no 'thou shalts'. And the two instructors I had (I know, a very small sample size) were very knowledgeable and happy to make it relevant to the companies and settings we all came from. But then, I don't think ITIL was set up to be a gravy train 😕
Morning, fellow heretics!
These Friday things sure do roll around fast. Thank God for that. So...tell me something about security that you learned this week. It can be something about a theory, a specific area of practice or the industry. OR Tell me about some progress that you made towards a career goal. Let's go.
1
18
New comment Jul '23
2 likes • Jun '23
I hit a small goal that I set myself when I started my current job. I was new to the firm, and hadn't been working in security long and was aware that as the newbie, for a while, I'd be taking from the team (people's time and knowledge). The goal was to have given something back to the team before the end of year 1, be it some learnings from a course or whatever (beyond just actually doing my job, of course). On Wednesday, I sat down with a member of my team to give them an overview of a tool we started using quite recently and I have some familiarity with. That's a really small thing, but it felt like progress.
Your biggest career concerns
Which of the following is the biggest concern for you in your career?
Poll
28 members have voted
1
56
New comment Jul '23
1 like • Jun '23
@Shahnawaz Mohamed From my last round of job hunting, I found that different companies use the same words to mean very different things in the security space. What one calls a systems analyst is just a (not very) glorified level 1 support position, whereas another company with a similar sounding job description means 'competent human who knows what they are doing, who we will pay for what they do'. It made applying awkward, as I was having to guess what was meant by very similar sounding paragraphs. I imagine that makes the average pay look worse than is achievable.
Here's an observation...
We all know that the root of the word 'security' is Se (without) and Curus (care) in Latin. It literally translates as 'being without care'. Another word we can use for this is COMFORT. Now, how much of what you have been taught or done is focused on making people comfortable? None. Our messaging is all fear-based ('impact drives the conversation' and all that nonsense). Do people make better decisions when they are uncomfortable, do you think? How about learning a different approach?
7
15
New comment Jun '23
0 likes • Jun '23
@David Christian Would your argument be no use of fear at all, or that relying on it alone is a bad option?
Dan Fellows
@dan-fellows-1849
Two days in Stansted Novotel, and my brain still hurts.

Joined Jun 20, 2023