Activity
Mon
Wed
Fri
Sun
Dec
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
What is this?
Less
More

Memberships

The Surgery

Private • 129 • Free

Real Security Heretics

Public • 80 • Free

13 contributions to Real Security Heretics
README
I've done some thinking (dangerous, I know), and I have decided to shut Real Security Heretics. It makes no sense to have two community sites, so here's what will happen. On Monday 24th July, I will close this site. As buyers of my book, you are all invited to become members of The Surgery. This will be a free membership, which means that you'll get access to the community only. The webinars, Shorts and other exclusive content is reserved for my subscribers. If you want to join the Surgery (it's a lot more active over there than here), then email me at rd@realsecuritydoctor.com with the message title Surgery Request and I will then send you an invitation from that community site. If you want to become a full member, it costs £39.99 and you can do that here. https://pay.gocardless.com/AL0007JE9WF24V This is only beneficial for you, and it saves me the admin, time and money costs of running two sites.
6
3
New comment Jul '23
3 likes • Jul '23
As I'm in both communities, it's not that hard for me. I would like to keep some of the contacts I made here, as some of the discussions were quite interesting and nice. The offer to join the surgery crowd for free is fair. Hope to see - preferably all of you - on the other side.
In the land of the Easter Bunny and the Tooth Fairy
So! Someone has recruited you to set up a full InfoSec department! It is a totally green field site. They have said you are in charge. The CEO is security aware and wants to do the right thing. You have the budgetary authority to spend on people (but not tech) You can build a full security division if you want. What does it look like in your world - and with those massive doobies you would need to smoke to make this a reality
2
6
New comment Jul '23
0 likes • Jul '23
Uhhh, nice. All that I EVER wanted …. … wait a second … Ok, here goes: - Get to know the company and all the relevant people. Make friends or at least establish a proper working relationship. - Understand them and their pain points. - Help them to resolve their problems - Get to know your area of which you have control of. And those where you DON‘T! - Meanwhile establish some sort of governance from where u can draw policies which eventually will help to finally getting a grip on all of the issues the business is facing. - ALSO establish (very) good connections to IT! They‘re the ones who will most likely „suffer“ through all the policies you’re going to impose on them. Therefore it helps A LOT having them on your side as well. - See to it, that „business“ won’t suffer any incidents while you’re working through all of the above. … good luck! As for the tooth fairy: Ever watched hellboy 2? …
1 like • Jul '23
@Duncan Proffitt Yeah well, to be fair "you said green field". Aka dreamland. So, as a primarily positive person (don't ask how long THAT took me!!), I assume that greenfield equals NOT to burnt soil. Right? Therefore IF anything will happen, the ONLY way is through and with the people. Always! It's never been different in the whole history of men. (Learning that took me even LOOOONGER!) And to get people in the right direction takes "making friends". Even though I'd rather refer to acquaintances, as I've never been at any place long enough to really do friendship. As for my current role, I made damn sure that the CFO (until the founder's gone our hidden CEO) was on my side and got what I entended to do, BEFORE I signed the contract. Because, after all, if you need to implement change - and that's btw. our primary role, (!) we're change agents with a fancy title - you need the big bosses backup. If that's not a given, I leave. And I walked a few times already. I know that the job market in the UK might be different from Germanys, but I wouldn't have accepted a role within the place you seem to be stuck in. As for drugs: ... well, doobies don't work, that was quite a disillusioning experience when I was the only one being still sober ... as for alcohol, that gets me depressed if it's too much. In the beginning I had sucidal thoughts, later - and wiser - I had imaginations of a killing spree. ... both not very useful outcomes and definitely not helping to eleviate the situation. So ... ! These days I get my kicks out of stuff done properly I guess.
How a CISO does business
If you think that I am unreasonably scathing of CISOs..check this out. Someone (a CISO) who trained with me years ago contacted me for a 'chat'. I don't 'chat'. Eventually, after some tooth-pulling, I was able to understand what they wanted. In-house training, bespoke training and a possible partnership deal. A multi million number is floated. My bullshit detector goes off. I agree to a single meeting and send a Calendly link to book a Zoom call. They then ask their PA to arrange a Teams call. In September. Work that out. I have something they want. They pursue me to discuss it. They then ignore my chosen means of doing business and push a conversation THEY WANTED off 3 months. This fucking idiot is in charge of stuff. That's a no from me. I am not the hired help. If you want to do business with me - think about what you're doing. My default answer is NO until you prove that you are someone I can and want to work with. People with problems are everywhere. People with my class of solutions? Much, much rarer.
3
3
New comment Jul '23
0 likes • Jul '23
I get you in a way. Just the other way round. Funnily enough in my current position I'm flooded with people who "want to help me". Cold calls, e-mails, LI-Flooding you name it. Well, yeah, I get it, I'm the one dealing out the money. Nontheless, I certainly would appreciate if people actually read in which department I work. I'm not in IT per se, nor do I ITIL (even though that's obviously a qualification I have to pursue now in my position, sigh) or IT-Service optimizazion. No HR or processes either. Sigh. Even those who get it, I cannot work with everyone, nor want I. And I certainly don't have time to sort through hundreds of business proposals just to find the right one. I normally know whom I want to work with, what solutions I need and in which order I get the things rolling. After all, we're in 3 and we need to get 5000 people somehow involved in basic (IT-)security, next to handling all the IT-Shit. ... next to a CISO whom I explain the difference between his and my job. So time IS a factor. So, don't worry Doc, when I call I certainly won't waste your time like that dude. :)
This just went out on LinkedIn
What do you think?
3
20
New comment Jul '23
This just went out on LinkedIn
0 likes • Jul '23
@Duncan Proffitt
1 like • Jul '23
@Kaz Baker Probably it even was like that they wanted to actually do sth. helpful. I mean, when you look at where IT really comes from, nothing was taught at universities for quite some time. Even nowadays it’s mostly TOJ for many things. Especially testing and IT-Security. So, everything that has to do with somehow making IT useful and less error prone has basically zero appearance in university studies. It figures, that some felt that there should be at least some common denominator. Alas, as it’s Wild West capitalism, they soon found that there was (a lot of) money to be made. They got greedy. It went downhill from there. … my theory.
A problem of confidence
One of the biggest problems I have seen in security leaders is a total lack of confidence. Many feel that they have 'blagged it' into their roles. They admit that they have a loose idea of what to do (based on the perfect world of the cert industry) but no idea how to do it. Plagued by doubt, they cling to compliance or IT shit that they at least understand. This doesn't do anything for their confidence as they realise that it's all imperfect. Does that sound familiar to anyone?
Poll
14 members have voted
1
10
New comment Jul '23
0 likes • Jul '23
@Duncan Proffitt Why would you have sleepless nights? It’s only work.
1 like • Jul '23
@Duncan Proffitt I LOVE long stories. ;) Yeah, seems legit. After burn out and slow recovery I decided that my health is much more important than my duty. Especially the worrying about decisions I wasn’t able to influence anyways.
1-10 of 13
Michael Fontner
3
44points to level up
@michael-fontner-1364
Accountable Lead of IT-Security (+ team). Dabbling in "hacking humans" ... and playing with some IT. Getting shit done. No surprise: 80% people 20% IT

Online now
Joined Jul 7, 2023
Germany
powered by