Never let your ego try to make things up, because people in our world are smart; they’ll figure out you’re an imposter, and once this happens to you, you’ll have a hard time regaining their trust. https://www.youtube.com/watch?v=EFbDciwtZ7w
Category: Cybersecurity
Creating Security Culture in Startups and SMBs
Before you start working with engineers, make sure you have the support of execs, learn what the business objectives in your company are and what the points of focus for management are, and then adjust your later engagements based on the data you collected. It’s hard to provide generic recommendations because each organization and each exec …
Taking Baby Steps With Corporate Security Programme
The earlier you start, the more effective you’re going to be, for two main reasons. One is that people won’t even have a chance to form bad habits if security was always in place, and the second is that it’s more expensive to change architecture design and refactor a finished product. https://www.youtube.com/watch?v=X-ycICDBdg0
Learn how to run productive security meetings
In my experience, engineers are sometimes scared — for real — to join a meeting with a security team. Lots of engineers I’ve met had a bad, or at least poor, experience in the past with security folks who either shouted over them or were blocking all initiatives and defaulting to NO each time someone asked a question. To build …
Do the work behind the scenes and don’t be a workflow bottleneck
InfoSec as an enabler: Of one thing I’m certainly sure — there is no place for a NO person in a security department. A long time ago I stopped counting how much time and effort I had to put in to convince my coworkers that not all security people are rude bots whining about insecurities of everything and trying to …
Make security personal and never play the shame game | ESM part 8
Make it all about them: Professionals want to constantly expand their horizons and develop their careers. Luckily for InfoSec folks, security is one of the things people want to learn about, as they’re being bombarded with it from everywhere, including TV news. If you frame it right by making the subject exciting and help them …
Internal security trainings and awareness awards | ESM part 7
Conduct recurring security trainings: Videos and online presentations are good, but nothing can really replace quality in-person meetups. Show as many demos as possible and don’t stick to overloaded PowerPoint presentations which put people to sleep. It’s fine to share raw technical details as recap materials, but while starting out you must make people …
Embrace DevSecOps | ESM part 6
The concept of purple teaming is something I fell in love with many years ago when I was experimenting with various ways to make myself more effective. Everything changed — in a good way — when I started embracing a culture of collaboration where attackers and defenders work together to create the best possible way of securing the products. We’re out …
Make security simple | ESM part 5
Simplify it for them: Security is often perceived as complex and cumbersome, which makes engineers unwilling to work on it. In order to get things done you need to simplify and carefully explain your requirements. Strive to make it easier to build secure products, because the cheaper it is to add security, the more likely it’ll get …
Outline SDLC/NDLC improvements | ESM part 4
Make it clear that security is a cost like any other in SDLC: Security shouldn’t be seen as an “addition” to product development. It’s a part of it like all other activities and can be counted as a part of Quality Assurance, because nowadays customers demand high-quality products and safety is one of the elements …