Memberships

The Surgery

Private • 127 • Free

9 contributions to Real Security Heretics
In the land of the Easter Bunny and the Tooth Fairy
So! Someone has recruited you to set up a full InfoSec department. It is a totally green field site. They have said you are in charge. The CEO is security aware and wants to do the right thing. You have the budgetary authority to spend on people (but not tech). You can build a full security division if you want. What does it look like in your world, and with those massive doobies you would need to smoke to make this a reality?
2
6
New comment Jul '23
1 like • Jul '23
Some IT shit, oh. Proper answer pending…
1 like • Jul '23
I guess the initial part of this endeavour is going to primarily revolve around an initial discovery phase: building relationships, understanding the business and the existing security architecture (if any), and figuring out what is reasonably within my control to work on. I’d probably implement a basic working incident response plan that provides some structure to responding to any security incidents, should any fuckery occur whilst in post and building out the initial security architecture. Once the dust settles I’d work on figuring out which high-level risk scenarios the business and CEO have the most concern about, as they are already “security aware”, and work on building a policy framework which influences any undesirable behaviour identified from the risk scenarios earlier that I could practically contribute towards or help mitigate. This would also present a good opportunity to understand the risk capacity of the organisation, which could reflect the IR plan built earlier, though I guess you might want to do this bit earlier. At this point I might be drowning and need some more staff, assuming I make it this far haha. Mad ramblings… probably need a holiday now and lots of drugs.
Your biggest career concerns
Which of the following is the biggest concern for you in your career?
Poll
28 members have voted
1
56
New comment Jul '23
1 like • Jun '23
@Phillipe McCracken “So what?” is such a powerful question. I often think about it whenever delivering or communicating about things and whether I’m hitting the nail on the head, especially with different audiences.
1 like • Jul '23
@Michael Fontner Absolutely this! I have my specialisms, but there are people who are much better than me at many other things. Recognising this humility is crucial: you can’t know everything, but your team can have a good go!
What do you need?
Here's a quick poll. What do you currently think that you need to learn or improve on to develop the next stage of your career?
Poll
21 members have voted
1
11
New comment Jul '23
0 likes • Jul '23
From a tech-heavy background I’d say business, governance and security; fundamentally, it’s tying those pillars together and thinking critically about each of them and how they should work together. I don’t have all the answers, but I’ve been sending my brain into a spin each day trying to really challenge my thinking and shift my perspective 😂
Incident!
A large organisation has experienced an attack on their IT systems that has gone public. The technical elements have been contained and mitigated, although the public, senior stakeholders and the press want answers. With this in mind, and having read The Problem of Security, as an internal member of the security team or a consultant working on behalf of the affected organisation, what would your response and advice be to ultimately protect the organisation and its value creation given your new perspective, and how much is too far? What would you do differently?
1
3
New comment Jun '23
2 likes • Jun '23
I’ll go first. The book really made me think about how to better approach and converse with senior stakeholders and low-level teams, and appreciate how that conversation will change depending on the audience and the concerns of the business during an incident. It isn’t about simply racing to try and resolve the IT security problems; key considerations have to be given to the business, people and wider security of an organisation.
1 like • Jun '23
@Dan Fellows I agree with your assessment. The point about communicating clearly is great: if you can’t translate word spaghetti, then good advice won’t contribute as well as it could have, or not at all. What are your thoughts around the limitations of the scope of the advice you would provide? In essence I’m thinking about whether there are things we should really consider talking about when factoring in incident response, or if it’s a case of “that’s not your job to worry about”. Where is the line drawn, if any, if our goal is to ultimately protect an organisation around the various mechanisms that help it create value, whether that be IT systems, reputation, people or legal requirements etc.? Ultimately I’ve been thinking about how things are normally done and whether the ball is being dropped with certain things not being considered, at least in the context of general incident management/response.
Have you ever had this?
Ever attended a security course and sat there thinking to yourself, 'I've heard all this before'? Ever walked out of an exam with the feeling that 'none of that really makes any difference'? Ever got your cert renewal and debated just shitcanning it? Ever blagged your CPEs just to get over the line but never really learned anything new? Ever felt frustrated that the things you feel you need in your job aren't being taught? Ever had an instructor who couldn't answer questions and just pointed to the slides or book and said 'if it's not in there, don't worry about it'? Yeah, I reckon. Ever considered taking a different approach to this security lark? Or is this just 'the way it is'?
2
15
New comment Jul '23
1 like • Jun '23
Yup, it’s all just smoke and mirrors I guess, and everyone is doing it, whatever it takes to feed the machine. I’ve heard many horror stories of exorbitant costs for training and exams taken by colleagues for entry-level stuff which they didn’t actually learn much from, or which, due to the way the knowledge was taught, couldn’t then be applied in a practical sense within industry.
2 likes • Jun '23
@Mark Boyson I think this is compounded by certain frameworks and partnership programs that require specific credentials: “Just do the course and pass the exam”, which ends up being redundant at some point.
Luke Price
@luke-price-4128
Blood for the blood god…
Joined Jun 16, 2023