Videos and online presentations are good, but nothing can really replace quality in-person meetups. Show as many demos as possible and don’t stick do overloaded PowerPoint presentations which put people to sleep.
It’s fine to share raw technical details as a recap materials, but while starting out you must make people excited about the subject, otherwise it’ll be just another corporate training which they’ve attended only because it’s obligatory.
Concept of purple teaming is something I felt in love with many years ago when I was experimenting with various ways to make myself more effective. Everything has changed — in a good way — when I started embracing culture of collaboration where attackers and defenders work together to create best possible way of securing the products.
We’re out there to help secure business by working with all stakeholders, not to just pwn stuff and laugh at people who made a mistake. Being a pwn-all-the-things rockstar asshole is overrated and while fun in short term, gives terrible results long-term.
Purple teaming for the win and let’s see how this great concept can be applied into day to day business operations that go beyond security red and blue teaming. Continue reading “Embrace DevSecOps | ESM part 6”→
Security is often perceived as complex and cumbersome which makes engineers unwilling to work on it. In order to get things done you need to simplify and carefully explain your requirements.
Strive to make it easier to build secure products because cheaper it is to add security, more likely it’ll get included into SDLC.
You need to take an ownership over the processes and simplify the frameworks, knowledge base and other resources so they are easy to consume and use. Continue reading “Make security simple | ESM part 5”→
It rarely happens that engineers themselves don’t want to build security into their products for no reason. The problem is that very often in startups and SMBs, middle management isn’t held responsible for product security, and the only thing they’re rewarded for is if the feature-rich product is shipped. There is yet a long time till security will be by default included into quality assurance process and till everyone is aware of potential consequences of security negligence. If you don’t start from the top of an organization’s hierarchy there are small chances of succeeding with your security initiatives, because engineers don’t like to step out and do things their managers don’t want them to spend time on. Continue reading “Educate executives and middle-management first | ESM part 2”→
Take baby steps to show everyone in your company that security doesn’t need to be tangled and complex. If you show people that it takes 3 clicks to secure their computer more, their mindset will change and they’ll be eager to implement more of such hassle-free solutions. Do the things that have the biggest ROI and lowest cost of implementation and then steadily increase the complexity of security requirements. Continue reading “Start small and early | ESM part 1”→
For a last few years there wasn’t a month when I haven’t read about InfoSec professionals shortage, security skills gap and what not. To give you a proper context I’ll rant a bit about why I don’t believe in those dramatic claims and then we’ll jump into action items for organisations that want to improve their recruitment processes.