Internal security trainings and awareness awards | ESM part 7

Conduct recurring security trainings

Videos and online presentations are good, but nothing can really replace quality in-person meetups. Show as many demos as possible and don’t stick to overloaded PowerPoint presentations which put people to sleep.
It’s fine to share raw technical details as recap materials, but while starting out you must make people excited about the subject, otherwise it’ll be just another corporate training which they’ve attended only because it’s obligatory.


Embrace DevSecOps | ESM part 6

The concept of purple teaming is something I fell in love with many years ago when I was experimenting with various ways to make myself more effective. Everything changed — in a good way — when I started embracing a culture of collaboration where attackers and defenders work together to create the best possible way of securing products.
We’re out there to help secure the business by working with all stakeholders, not just to pwn stuff and laugh at people who made a mistake. Being a pwn-all-the-things rockstar asshole is overrated and, while fun in the short term, gives terrible results long-term.
Purple teaming for the win; let’s see how this great concept can be applied to day-to-day business operations that go beyond security red and blue teaming.

Make security simple | ESM part 5


Simplify it for them

Security is often perceived as complex and cumbersome, which makes engineers unwilling to work on it. In order to get things done you need to simplify and carefully explain your requirements.
Strive to make it easier to build secure products, because the cheaper it is to add security, the more likely it is to be included in the SDLC.
You need to take ownership of the processes and simplify the frameworks, knowledge base and other resources so they are easy to consume and use.

Educate executives and middle-management first | ESM part 2


Set common goals with management and executives

It rarely happens that engineers themselves don’t want to build security into their products for no reason. The problem is that very often in startups and SMBs, middle management isn’t held responsible for product security, and the only thing they’re rewarded for is shipping a feature-rich product. It will be a long time before security is included in the quality assurance process by default and everyone is aware of the potential consequences of security negligence. If you don’t start from the top of the organization’s hierarchy there is little chance of succeeding with your security initiatives, because engineers don’t like to step out and do things their managers don’t want them to spend time on.

Start small and early | ESM part 1


Start small

Take baby steps to show everyone in your company that security doesn’t need to be tangled and complex. If you show people that it takes 3 clicks to make their computer more secure, their mindset will change and they’ll be eager to implement more of such hassle-free solutions. Do the things that have the biggest ROI and lowest cost of implementation, and then steadily increase the complexity of security requirements.

Employment expectations’ mismatch and recruitment pitfalls in InfoSec

This article is a follow-up to “Hiring your first security professional”, so if you haven’t read it yet, I recommend doing so before you continue with this one.

For the last few years there hasn’t been a month when I haven’t read about the InfoSec professionals shortage, the security skills gap and what not. To give you proper context I’ll rant a bit about why I don’t believe in those dramatic claims, and then we’ll jump into action items for organisations that want to improve their recruitment processes.

If you already have a great security team and you don’t have any problems with hiring, then awesome, and I’m happy for you. However, if you’re struggling somewhat with building an InfoSec team, then it’s likely that you’re making some of the mistakes I describe below.