Security is hard. Today this is even more so. In order to have a good security program you need to move past the defense-only mindset and begin to think differently. There are two sides to security, and both are needed in order to have a successful, resilient program.
Over the years, a pattern has emerged. A pattern that worries me. A pattern that indicates that security "professionals" still don't get it.
This pattern suggests that a big majority of high-level security professionals (i.e., CSOs, CISOs, CIOs, CTOs, Sr. VPs) still approach security as either a purely technical problem, or one that only serves a "mandatory checklist" or certification.
With that kind of approach and mindset, there is no question security will remain an endless loop of the same old problems solved by the same old (unsuccessful) solutions.
In order to proactively address security gaps, and raise the bar in your defense, you need to first understand who is coming after you. It is critical to understand how they think and plan.
A big part of this understanding is the knowledge that, to prevent, you first need to understand what you are trying to secure.
Take a look at your adversaries, create a theoretical profile, and then take it to the field. Look at yourself as a target and how, based on the adversaries you just profiled, things can be exploited and manipulated. Figure out what you would do as a bad guy.
Take the adversarial approach of thinking.