We all know about Shadow IT, and we know it is a big issue (bigger these days with the ease of workload deployment in the cloud). But are we also aware that there is Shadow Security? What is Shadow Security, and is it a problem? Here's my take on today's #CyberSunday. #shadowit #shadowsecurity #cloud #cloudsecurity #workloads #risk #cybersecurity
Mar 26, 2023 • 5 min • Season 2, Ep. 6
Knowing your audience when you're giving information about your #cybersecurity program, efforts, etc. is extremely important. Are they technical? Are they even in the field? Is the information helpful to YOU or to THEM? Make sure you're not wasting their time or yours by taking into consideration to whom you are speaking before you actually speak. On today's #CyberSunday, I talk about three real scenarios in which I have been involved where the audience was not fully taken into consideration, an...
Mar 20, 2023 • 5 min • Season 2, Ep. 5
Operational/Operations Security is the practice of making sure sensitive data/information about your operations doesn't leak out. In today's #CyberSunday, I give a few real examples of OpSec failure I have noticed recently and what some of the consequences could be. #OpSec #cybersecurity
Mar 06, 2023 • 5 min • Season 2, Ep. 4
A friend of mine recently experienced a #breach in his organization. There were two lessons that stood out to me as he was going through the post-mortem, and I'm sharing them on today's #cybersunday. #Cybersecurity #lifelessons
Feb 27, 2023 • 5 min • Season 2, Ep. 3
It's flooding a bit in Houston, and that made me... of course... think of #cybersecurity. On today's #CyberSunday, I am talking about making sure you pay attention to the small things in your program, so that they don't turn into bigger things.
Jan 29, 2023 • 5 min • Season 2, Ep. 2
Credential stuffing is an often-used attack. But for the love of all that is holy, your master password in your password manager should not be susceptible to this!!! Today, I talk about what credential stuffing is, what password manager has been hit by it recently, and generally get grumpy about the whole thing. #CyberSunday #credentialstuffing #bigmistake #cybersecurity
Jan 16, 2023 • 5 min • Season 2, Ep. 1
The CI/CD OWASP Top 10 came out last month (not sure how I missed that!). What does that mean? Well, that depends on what you're responsible for in the CI/CD pipeline! Here are some thoughts from me on the topic on today's #CyberSunday. #cicd #cicdpipelines #owasp #owasptop10 #development #appsec
Dec 05, 2022 • 6 min • Season 1, Ep. 17
The holidays should be a time to celebrate food, friends, and family (and football). Maybe this is also a good time to measure the effectiveness of your #managedsecurity provider. #mdr #securitymetrics #Thanksgiving #cybersecurity #CyberSunday
Nov 22, 2022 • 4 min • Season 1, Ep. 16
How you set priorities around building a #cybersecurity program differs based on your perspective. On today's #cybersunday, I talk about how the perspective of the advisor must be tempered by the perspective of the practitioner working day-to-day in the trenches. #prioritization #perspective...
Nov 14, 2022 • 5 min • Season 1, Ep. 15
I was quoted in an article last week about the latest CISA directive on #assetmanagement and #vulnerabilitymanagement (link below). I was the cynical voice in that article, and I wanted to explain a little more on this #CyberSunday about whether these two #cybersecurity #fundamentals should be paired as closely as they are by #CISA. Link to article: https://securityboulevard.com/2022/10/cisa-directs-federal-agencies-to-boost-system-visibility/...
Oct 09, 2022 • 5 min • Season 1, Ep. 14
In today's #CyberSunday, I go a little outside the normal #cybersecurity discussion and talk about how #liftandshift isn't always negative when it comes to moving workloads into the cloud. I specifically talk about my experiences with a couple of different security vendors (I didn't name anyone specifically) who took different approaches and the positives and negatives associated with those cloud moves. #cloud #cloudinfrastructure #digitaltransformation
Oct 02, 2022 • 6 min • Season 1, Ep. 13
Securing the digital transformation is not a new problem. It is actually an old problem with modern concerns. A lot of people are talking about how concerned they are with machine identities, APIs, IoT, etc. But these things aren't new. They've actually been in existence for quite a long time. What we're REALLY saying is that these things are proliferating out of control, and they're not properly secured. But why has it become a problem? Today's #CyberSunday is all about my take on this issue. ...
Sep 26, 2022 • 5 min • Season 1, Ep. 12
Dr. Gerald Auger and I gave a talk last week at the Houston Technology Summit titled "Building Cooperation and Understanding Between Security and IT". We talked a lot about the differences in skills and mission between the two groups, and how there should be more empathy between them. Here's my #CyberSunday quick take on our presentation. #cybersecurity #informationsecurity #informationtechnology #empathy #cooperation
Sep 18, 2022 • 5 min • Season 1, Ep. 11
Is regulatory compliance fundamental to your #cybersecurity program? In this #CyberSunday, I compare regulations against standards and talk about which one comes before the other. #regulations #compliance
Sep 05, 2022 • 5 min • Season 1, Ep. 10
There have been a few times in the history of #cybersecurity product development when a new solution has been truly innovative. But what is extremely rare is when a tool is innovative, fills a true need, and is practical to install/deploy. In this #cybersunday, I give some examples of what I see as innovative products, talk about whether they filled a big need at the time they came out, and whether they were practical to deploy. #innovation #productdevelopment #practical...
Aug 28, 2022 • 5 min • Season 1, Ep. 9
There were two big themes from discussions with our customers at #BlackHat. One is a commonly discussed problem these days (lack of people). The other takes us back to the fundamentals of #cybersecurity (asset management). And neither was a buzzword or #vaporware. #CyberSunday #SecurityFundamentals #SkillsShortage #assetmanagement #people...
Aug 14, 2022 • 5 min • Season 1, Ep. 8
I'm headed out to Vegas tomorrow for the #BlackHat #cybersecurity conference, and it made me think about a couple of questions that have been on my mind for a bit: do you prefer local cons or national cons, and do you mainly go to cons for the talks or checking out the vendors? I weigh in with my opinions (sorta - I'm a bit biased because I run #HouSecCon). What's your take? #CyberSunday #CyberConferences #HackerSummerCamp
Aug 08, 2022 • 5 min • Season 1, Ep. 7
Low-Code/No-Code dev tools are fueling the rise of the "Citizen Developer", but there are real security implications around the tools that enable the non-developer to build applications. I'm just starting to research this more, but here are some of my initial thoughts on today's #CyberSunday. #lowcodenocode #appsec #cybersecurity...
Aug 01, 2022 • 5 min • Season 1, Ep. 6
While feature comparisons are important when choosing a #cybersecurity product, what do you do when two products are essentially the same? On this #CyberSunday, I talk about making sure the vendor has #alignment with your business when you've done the rest of your due diligence on features and functionality....
Jul 31, 2022 • 5 min • Season 1, Ep. 5
On this #cybersunday, I am talking about #threatintel. Specifically, I am talking about how you need to know your use case when you're asking about threat intel vendors or feeds. Are you looking for a full #threatintelligence platform (TIP)? Or do you just need an intel feed or two to give you context in your SIEM/SOC? Or is it something else? Choose wisely!...
May 24, 2022 • 5 min • Season 1, Ep. 4
On this #CyberSunday, I'm talking about how #SASE (Secure Access Service Edge) and #SSE (Security Service Edge) are not exactly the same. You need to know what problem you're trying to solve (use cases are always important), and you have to be aware of the differences between them so you can choose the right solution/vendor. #cybersecurity #sdwan #casb #SDN...
May 24, 2022 • 5 min • Season 1, Ep. 3
Today's #CyberSunday is about some observations I've made recently regarding feature gaps in #cybersecurity products that are trying to solve for the same problem. It's an interesting problem with some real implications for your security program. If you aren't careful in your product selection, you could end up taking a budget line item without actually solving your need. I also wrote a blog post about this....
May 24, 2022 • 5 min • Season 1, Ep. 2
On today's #CyberSunday, I am talking about a couple of #cybersecurity books you should pick up. One is Doug Landoll's Security Risk Assessment Handbook. The second is by Corey Ball, and it is called Hacking APIs. Buy Doug's book here. Buy Corey's book here....
May 24, 2022 • 5 min • Season 1, Ep. 1