Internal security trainings and awareness awards | ESM part 7

Conduct recurring security trainings

Videos and online presentations are good, but nothing can really replace quality in-person meetups. Show as many demos as possible and don’t stick to overloaded PowerPoint presentations that put people to sleep.
It’s fine to share raw technical details as recap materials, but when starting out you must make people excited about the subject; otherwise it’ll be just another corporate training they attended only because it was obligatory.


Make security simple | ESM part 5

Simplify it for them

Security is often perceived as complex and cumbersome, which makes engineers unwilling to work on it. In order to get things done you need to simplify and carefully explain your requirements.
Strive to make it easier to build secure products, because the cheaper it is to add security, the more likely it is to be included in the SDLC.
You need to take ownership of the processes and simplify the frameworks, knowledge base and other resources so they are easy to consume and use.

Outline SDLC/NDLC improvements | ESM part 4

Make it clear that security is a cost like any other in SDLC

Security shouldn’t be seen as an “addition” to product development. It’s a part of it like all other activities and can be counted as part of Quality Assurance, because nowadays customers demand high-quality products and safety is one of the elements defining quality.

Middle management is more eager to spend resources on security when they perceive it as a regular, necessary cost of software development, because there is never enough money and time to invest in “additional” activities. Security is often perceived as a no-ROI time-waster that adds complexity and slows down the development process. Unless you explain how and why security is important, you’ll have a tough time pushing security-related changes into an existing SDLC.

Build credibility and learn business language | ESM part 3

Avoid confusion and FUD at all cost

Credibility is something you build from day one to the last day of your career. Even if you’re a great industry expert, you still need to build your internal reputation from the ground up by working well with people in your organization.
A crucial thing you need to learn is how to weigh your words, especially when talking about severe security flaws and vulnerabilities you discovered. You may have great intentions, but if you speak in unclear terms and dramatize too much, you’ll get the opposite of the expected results.

Educate executives and middle-management first | ESM part 2

Set common goals with management and executives

It rarely happens that engineers themselves don’t want to build security into their products for no reason. The problem is that very often in startups and SMBs, middle management isn’t held responsible for product security, and the only thing they’re rewarded for is shipping a feature-rich product. It will be a long time before security is included by default in the quality assurance process and everyone is aware of the potential consequences of security negligence. If you don’t start from the top of an organization’s hierarchy, there is little chance of succeeding with your security initiatives, because engineers don’t like to step out and do things their managers don’t want them to spend time on.

Guide into Effective Security Management

After 10+ years in IT and 5+ in InfoSec I’ve learnt that for security initiatives to be effective, security must be one of the core values of corporate culture.

Security professionals can’t achieve greatness if they’re not actively supported by all stakeholders across the entire organization and if other employees don’t feel ownership of the organization’s security/safety. Each time I have joined an organization where security professionals wanted to do everything themselves, they miserably and painfully failed shortly after.
Fighting a broken security culture without any support from the top leads to burnout for InfoSec folks and creates general anxiety, irritation and a toxic atmosphere within an organization.

Start small and early | ESM part 1

Start small

Take baby steps to show everyone in your company that security doesn’t need to be tangled and complex. If you show people that it takes 3 clicks to make their computer more secure, their mindset will change and they’ll be eager to implement more such hassle-free solutions. Do the things that have the biggest ROI and lowest cost of implementation, and then steadily increase the complexity of security requirements.

How to safely use EFSS solutions

Shameless plug — If you’re a fan of storytelling, I encourage you to read my previous article, which is kind of a preface to this one: Software complexity as an enemy of security.
However, it’s not required to know the preface, because both articles have individual value.

I’ve been in the EFSS (Enterprise File Sync and Share) space for over 4 years already, which I believe makes me qualified to share some observations on EFSS product security.
I started my journey in this industry by doing penetration tests and bug hunting for EFSS vendors, and for the last 3.5 years I’ve been working as a security architect for a company that offers exactly that.
My goal is to level up security awareness in the EFSS industry, because based on my observations, lots of users are still not aware of all the things they should know.

How to maximize ROI of Bug Bounties and penetration tests

I’ve been doing security bug hunting, penetration tests and managing in-house bug bounty programs for various companies for over half a decade already. During that time I learnt that it doesn’t happen too often that the hiring company knows exactly what to do with the results of security engagements.
I’d like to help and suggest what you can do to fully benefit from what you paid for.

FYI — Later in this post I’ll be using pentester/bug hunter interchangeably. Although I know there is quite a difference between those professions, in the context of this article it doesn’t matter.

Peerlyst ebook: Essentials of Cybersecurity

Essentials of CyberSecurity is a crowdsourced ebook written by the @Peerlyst community. I wrote the chapter ‘Building corporate security culture’ with the following preface, which should give you solid context for the message I tried to convey in my article.