Internal security trainings and awareness awards | ESM part 7

Conduct recurring security trainings

Videos and online presentations are good, but nothing can really replace quality in-person meetups. Show as many demos as possible and don’t stick to overloaded PowerPoint presentations which put people to sleep.
It’s fine to share raw technical details as recap material, but when starting out you must make people excited about the subject, otherwise it’ll be just another corporate training which they attended only because it was obligatory.


Make security simple | ESM part 5


Simplify it for them

Security is often perceived as complex and cumbersome, which makes engineers unwilling to work on it. In order to get things done you need to simplify and carefully explain your requirements.
Strive to make it easier to build secure products, because the cheaper it is to add security, the more likely it is to be included in the SDLC.
You need to take ownership of the processes and simplify the frameworks, knowledge base and other resources so they are easy to consume and use.

Build credibility and learn business language | ESM part 3


Avoid confusion and FUD at all cost

Credibility is something you build from day one to the last day of your career. Even if you’re a great industry expert, you still need to build your internal reputation from the ground up by working well with people in your organization.
A crucial thing you need to learn is how to weigh your words, especially when talking about severe security flaws and vulnerabilities you discovered. You may have great intentions, but if you speak in unclear terms and dramatize too much you’ll get the opposite of the expected results.

Guide into Effective Security Management

After 10+ years in IT and 5+ in InfoSec I’ve learnt that for security initiatives to be effective, security must be one of the core values of corporate culture.

Security professionals can’t achieve greatness if they aren’t actively supported by all stakeholders across the entire organization and if other employees don’t feel ownership of the organization’s security/safety. Each time I have joined an organization where security professionals wanted to do everything themselves, they failed miserably and painfully shortly after.
Fighting a broken security culture without any support from the top leads to burnout for InfoSec folks and creates general anxiety, irritation and a toxic atmosphere within an organization.

Peerlyst ebook: Essentials of Cybersecurity

Essentials of CyberSecurity is a crowdsourced ebook written by the @Peerlyst community. I wrote the chapter ‘Building corporate security culture’ with the following preface, which should give you solid context for the message I tried to convey in my article.

Hiring your first security professional

I really enjoy attending security/business conferences. But it’s not that I go there to learn how to do security, because if that were the case I’d go to DEFCON or Derbycon and learn from the top hackers on the planet. I go to business conferences because I want to listen to the problems others have and observe the way they’re approaching them.
One problem I have seen continuously since, pretty much, forever is the struggle of starting an internal security department. Is it really that hard? Maybe, but how do you know, if you’re keeping the same approach and attitude and making the same mistakes all over again? If your approach doesn’t work, maybe give this one a shot.

Pentests vs BugBounty for startups and SMBs

I’ve been thinking quite a lot about coming up with a series of articles on how to secure small and medium organizations from the ground up. I was waiting for the right moment, and it’s time to start, especially since very recently this question appeared on Peerlyst, where I put in my $0.02 on the subject. So, as there is a need for decent guidance, let me welcome you to the first article of the series “Securing the business from the ground up”. Expect more articles on subjects similar to this.

I’ve seen many companies struggling with a choice between penetration tests and bug bounties, and in the era of overhyped BugBounty programs this is a big question, both for PR/marketing and security teams.
There are as many answers to “pentest or bugbounty” as there are people you ask. Everyone has a slightly different POV on this, so I suggest you gather opinions from many people and decide yourself what works best for your business.
I want to approach this from a slightly different angle than I’ve seen so far, so this should be an interesting read for you.