Make it clear that security is a cost like any other in the SDLC. Security shouldn’t be seen as an “addition” to product development. It’s a part of it like all other activities and can be counted as part of Quality Assurance, because nowadays customers demand high-quality products and safety is one of its elements … Continue reading Outline SDLC/NDLC improvements | ESM part 4
Author: Dawid Balut
Build credibility and learn business language | ESM part 3
Avoid confusion and FUD at all costs. Credibility is something you’re building from day one to the last day of your career. Even if you’re a great industry expert, you still need to build your internal reputation from the ground up by working nicely with the people in your organization. The crucial thing you need to learn … Continue reading Build credibility and learn business language | ESM part 3
Educate executives and middle-management first | ESM part 2
Set common goals with management and executives. It rarely happens that engineers themselves don’t want to build security into their products for no reason. The problem is that very often in startups and SMBs, middle management isn’t held responsible for product security, and the only thing they’re rewarded for is whether the feature-rich product … Continue reading Educate executives and middle-management first | ESM part 2
Guide into Effective Security Management
After 10+ years in IT and 5+ in InfoSec I’ve learnt that for security initiatives to be effective, security must be one of the core values of corporate culture. Security professionals can’t achieve their greatness if they’re not actively supported by all stakeholders across the entire organization and if other employees don’t feel ownership of … Continue reading Guide into Effective Security Management
Start small and early | ESM part 1
Start small. Take baby steps to show everyone in your company that security doesn’t need to be tangled and complex. If you show people that it takes 3 clicks to make their computer more secure, their mindset will change and they’ll be eager to implement more such hassle-free solutions. Do the things that have … Continue reading Start small and early | ESM part 1
How to maximize ROI of Bug Bounties and penetration tests
I’ve been doing security bug hunting, penetration tests and managing in-house bug bounty programs for various companies for over half a decade already. During that time I learnt that it doesn’t happen too often that the hiring company knows exactly what to do with the results of security engagements. I’d like to help and suggest what you … Continue reading How to maximize ROI of Bug Bounties and penetration tests
Peerlyst ebook: Essentials of Cybersecurity
Essentials of CyberSecurity is a crowdsourced ebook written by the @Peerlyst community. I wrote the chapter ‘Building corporate security culture’ with the following preface, which should give you solid context for the message I tried to convey in my article. All those years in InfoSec taught me that for security initiatives to be effective, security must … Continue reading Peerlyst ebook: Essentials of Cybersecurity
Trust is what makes the Team out of a group of co-workers
Everyone talks about it, but I haven't really met many managers who would actually be committed to doing the work and building trust within an organisation. Trust isn't something that magically pops up when you talk about it. Trust is predicated on actions, interactions and leadership activities. That's one of the reasons why leaders are … Continue reading Trust is what makes the Team out of a group of co-workers
Care – the most powerful quality in a workplace
Care drives everything. I don't know a single person who would put 100% of their abilities into their work if they're there only for a paycheck. But I do know plenty of people who really care about the job they do, and whenever needed they'll educate themselves further, learn new skills, adjust their personality, and … Continue reading Care – the most powerful quality in a workplace
Employment expectations’ mismatch and recruitment pitfalls in InfoSec
This article is a follow-up to “Hiring your first security professional”, so if you haven’t yet, I recommend you read it before you continue with this one. For the last few years there hasn’t been a month when I haven’t read about the InfoSec professionals shortage, the security skills gap and what not. … Continue reading Employment expectations’ mismatch and recruitment pitfalls in InfoSec