You Can Be Profound, or You Can Be Effective—Pick One
The pressure to be profound is such a stumbling block in our industry. It emphasises the sophisticated over…
risk
13 posts
From the Recorded Future Podcast: A Conversation with CISO Jason Steer About Identity Security
From my conversation with Recorded Future, two short, essential videos about identity security: how we got here, why it matters, and why it's so hard to do well.
Vulnerability Management: Reactionary Security FUD At Its Worst
There's no such thing as a critical vulnerability, generically. There's only a critical vulnerability that can be exploited in your environment, specifically.
“Materiality” Relies on Risk Quantification—Which Is Why Many Businesses Struggle to Understand It
The ambiguity of "materiality" is an invitation to risk management maturity.
Security and Compliance Aren’t the Same—But They Both Have the Same Objective
Two lenses, same objective: risk management.
Connect/Okta and Identity Sync Hardening
One area commonly overlooked (by defenders, but not by attackers) is identity sync infrastructure. If you harden your AD but don't do this, you are wasting your time.
G before RC
The order of the letters in "GRC" is not arbitrary. If you don't Govern your environment well, you cannot manage Risk and Compliance well.
Azure Has A Kerberos Problem, But It’s Not The One You Think
Blaming Azure for Kerberos exploits isn't a hot take—it's nonsense. Focus on the real root causes instead (which are different than you might think).
Integrating Threat Modeling with DevOps
Because DevOps has effectively joined the Operational and Dev domains, it introduces security dependencies which neither domain had to consider before.
Who’s Threat Modeling the Threat Modelers?
When an org's security personnel carry out threat modeling exercises, they tend to make unconscious assumptions about the efficacy of their own security controls. This is dangerous.