Kane’s Blog

Posts about Technology, Security and Finance

Securing Your Contingent Workers With Zero Trust

Business Process Outsourcing (BPO) is when you hire a group of contractors from a single company to complete long-term work for you. This is typically something like customer support, where you want to outsource first-line tech support to a cheaper region or get more coverage in a timezone where you don’t have an existing presence. The problem is that zero trust architecture requires every employee accessing your critical SaaS applications to come from a managed device....

September 24, 2024 · 11 min · 2200 words · Kane Narraway

Platform Engineering: Build vs Buy

Since I posted my Security Platform Engineering blog, one of the most common questions I’ve received is: “How do I know when I should build vs. buy?” In this blog, I aim to demystify some of the decision-making around this and, ideally, help you make better decisions if you’re faced with the same problem. This is my personal view, and you might need to tailor it to your company values and risk profile, but I’ll include specific examples from my past that have had input into my decision-making....

September 3, 2024 · 8 min · 1640 words · Kane Narraway

Crossing The Chasm: Getting to Senior/Staff Engineer

I talk to many people who feel stuck at the mid-level and can’t break into senior/staff-level engineering roles. The chasm you need to cross widens with each role, so it gets harder and harder with each jump. Many places adopt an “up or out” strategy, meaning that you need to get to a senior-level role, which is seen as a “cruising altitude” role where you can stay indefinitely. I wouldn’t feel pressured by this if you’re a mid-level engineer....

August 21, 2024 · 11 min · 2251 words · Kane Narraway

Threat Modelling Enterprise AI Search

Enterprise AI search tools are a simple concept. They take in all of the data from all of your productivity tools and give you a single pane of glass to search across your company’s entire corpus. This lets you search across all of the documents, email and chat regardless of what tool they are stored in. The productivity benefits are apparent here because who hasn’t spent half an hour searching for that doc you made three years ago?...

August 13, 2024 · 11 min · 2262 words · Kane Narraway

Building A Security Platform Engineering Team

I’m a big fan of building security into existing processes, a term coined as “secure paved roads” by Jason Chan, Ex-Netflix CISO. The idea behind this is that security should mostly be invisible. The average employee should simply not have to think about high-consequence security domains. They’ll use tools that make their life easier, and that tooling has security built in by default. Yes, they can divert from that paved path, but they’ll generally have a worse experience....

January 16, 2024 · 9 min · 1845 words · 

Improving Your Third-Party Risk Management Program

Background Third-party risk management (TPRM) has its challenges. It is a relatively new area that has been developing rapidly, but many programs face significant issues as their companies grow. TPRM rarely scales linearly with the business or the number of applications in use. There are no easy fixes, but you can make steady improvements. I will share some practices I have used to improve programs over time, which you can take away and adapt to your situation....

February 23, 2023 · 11 min · 2284 words · 

A Beginners Guide to Third-Party Risk Management

Summary In this blog post, I’ll go into the basics of third-party risk management, what the challenges are, and give you an overview of what an average Third-Party Risk Management (TPRM) program looks like. This is designed primarily for people new to the industry up to the mid-level, but there might be a few points valid for seniors with mature programs too. Background In recent years TPRM has become a growing chunk of work for cyber security teams....

February 14, 2023 · 11 min · 2245 words · 

8 Common Zero Trust Misconfigurations

I’ve seen a lot of zero trust setups, from off-the-shelf vendor tools to complex custom-built solutions. I’ve found that many of them share the same problems and below I’ve listed the most common 8 I see. These usually stem from the design phase so the earlier you catch them the better! Admittedly some are those gnarly enterprise security problems which require a culture change and effort shift, especially number 8 as increasing manual workloads is not usually the top priority....

December 6, 2022 · 4 min · 819 words · 

Building a Corporate Security Program From The Ground Up

Introduction I’ve seen a few blog posts lately about building corporate security but they are always… well.. so corporate. They are always viewed through the lens of extreme risk but the reality is that most places are not banks or government agencies. The examples given often lock things down to the point where manual work is required for every request which is unrealistic in most public companies. You can (and should) try to achieve your security goals while impacting your employee experience as little as possible in the process....

November 10, 2022 · 12 min · 2477 words · 

Phishing 2077: Zero Trust Edition

You wake up, alarm blaring. Your AI assistant notifies you there’s been another netrunner attack on the company. You chug down your synthesized meal replacement drink and hurriedly rush out the door, “hopefully the maglev isn’t delayed again” you think to yourself. You scan yourself into the office with facial recognition and check your metrics for security incidents, you realize you’ve gone below your allowed security KPIs this month and hope they don’t dock your pay again....

June 10, 2022 · 9 min · 1884 words ·