Securing Your Contingent Workers With Zero Trust
Business Process Outsourcing (BPO) is when you hire a group of contractors from a single company to complete long-term work for you. This is typically something like customer support, where you want to outsource first-line tech support to a cheaper region or get more coverage in a timezone where you don’t have an existing presence. The problem is that zero trust architecture requires every employee accessing your critical SaaS applications to come from a managed device....
Platform Engineering: Build vs Buy
Since I posted my Security Platform Engineering blog, one of the most common questions I’ve received is: “How do I know when I should build vs. buy?” In this blog, I aim to demystify some of the decision-making around this and, ideally, help you make better decisions if you’re faced with the same problem. This is my personal view, and you might need to tailor it to your company values and risk profile, but I’ll include specific examples from my past that have informed my decision-making....
Crossing The Chasm: Getting to Senior/Staff Engineer
I talk to many people who feel stuck at the mid-level and can’t break into senior/staff-level engineering roles. The chasm you need to cross widens with each role, so it gets harder and harder with each jump. Many places adopt an “up or out” strategy, meaning that you need to get to a senior-level role, which is seen as a “cruising altitude” role where you can stay indefinitely. I wouldn’t feel pressured by this if you’re a mid-level engineer....
Threat Modelling Enterprise AI Search
Enterprise AI search tools are a simple concept. They take in all of the data from all of your productivity tools and give you a single pane of glass to search across your company’s entire corpus. This lets you search across all of the documents, email and chat regardless of what tool they are stored in. The productivity benefits are apparent here because who hasn’t spent half an hour searching for that doc you made three years ago?...
Building A Security Platform Engineering Team
I’m a big fan of building security into existing processes, an approach Jason Chan, ex-Netflix CISO, termed “secure paved roads”. The idea behind this is that security should mostly be invisible. The average employee should simply not have to think about high-consequence security domains. They’ll use tools that make their life easier, and that tooling has security built in by default. Yes, they can divert from that paved path, but they’ll generally have a worse experience....
Improving Your Third-Party Risk Management Program
Third-party risk management (TPRM) has its challenges. It is a relatively new area that has been developing rapidly, but many programs face significant issues as their companies grow. TPRM rarely scales linearly with the business or the number of applications in use. There are no easy fixes, but you can make steady improvements. I will share some practices I have used to improve programs over time, which you can take away and adapt to your situation....
A Beginner's Guide to Third-Party Risk Management
In this blog post, I’ll go into the basics of third-party risk management, what the challenges are, and give you an overview of what an average Third-Party Risk Management (TPRM) program looks like. This is designed primarily for people new to the industry up to the mid-level, but there might be a few points valid for seniors with mature programs too. In recent years, TPRM has become a growing chunk of work for cyber security teams....
8 Common Zero Trust Misconfigurations
I’ve seen a lot of zero trust setups, from off-the-shelf vendor tools to complex custom-built solutions. I’ve found that many of them share the same problems, and below I’ve listed the 8 most common ones I see. These usually stem from the design phase, so the earlier you catch them the better! Admittedly, some are those gnarly enterprise security problems which require a culture change and effort shift, especially number 8, as increasing manual workloads is not usually the top priority....
Building a Corporate Security Program From The Ground Up
I’ve seen a few blog posts lately about building corporate security, but they are always… well… so corporate. They are always viewed through the lens of extreme risk, but the reality is that most places are not banks or government agencies. The examples given often lock things down to the point where manual work is required for every request, which is unrealistic in most public companies. You can (and should) try to achieve your security goals while impacting your employee experience as little as possible in the process....
Phishing 2077: Zero Trust Edition
You wake up, alarm blaring. Your AI assistant notifies you there’s been another netrunner attack on the company. You chug down your synthesized meal replacement drink and hurriedly rush out the door. “Hopefully the maglev isn’t delayed again,” you think to yourself. You scan yourself into the office with facial recognition and check your metrics for security incidents; you realize you’ve gone below your allowed security KPIs this month and hope they don’t dock your pay again....