Posts

Over the past few weeks, my feed has been filled with a juxtaposition: security people warning about the risks of AI browsers and SF tech bros saying they have 10x’d their performance by using an AI browser to order lunch from DoorDash. A lot of people are crying about prompt injection, but that isn’t the only risk posed by AI browsers. The guidance seems to be very much “just block them” at this stage, and while that’s a pragmatic short-term solution, I don’t think it’ll work for very long....

I attended RSA this year for the first time in over a decade. What stood out to me the most was the sheer number of vendors that exist today. You can’t help but notice how many more there are than back then, with more than 600 total this year. Of course, these are only those who attend RSA, and plenty choose not to participate for various reasons. There are estimated to be around 5,000 total security vendors, but even that number likely doesn’t include the small consultancies and open source teams out there....

Absolutely nobody likes the hiring process. Not the managers hiring, not the recruitment people, and certainly not the candidates. Tech interviews are one of the worst parts of the process and are pretty much universally hated by the people taking them. We’ve all heard stories of people being asked comp sci questions about O(n) efficiency, only to connect APIs with basic middleware in their day job. I think the image below pretty much sums it up:...

Business Process Outsourcing (BPO) is when you hire a group of contractors from a single company to complete long-term work for you. This is typically something like customer support, where you want to outsource first-line tech support to a cheaper region or get more coverage in a timezone where you don’t have an existing presence. The problem is that zero trust architecture requires every employee accessing your critical SaaS applications to come from a managed device....

Since I posted my Security Platform Engineering blog, one of the most common questions I’ve received is: “How do I know when I should build vs. buy?” In this blog, I aim to demystify some of the decision-making around this and, ideally, help you make better decisions if you’re faced with the same problem. This is my personal view, and you might need to tailor it to your company values and risk profile, but I’ll include specific examples from my past that have had input into my decision-making....

I talk to many people who feel stuck at the mid-level and can’t break into senior/staff-level engineering roles. The chasm you need to cross widens with each role, so it gets harder and harder with each jump. Many places adopt an “up or out” strategy, meaning that you need to get to a senior-level role, which is seen as a “cruising altitude” role where you can stay indefinitely. I wouldn’t feel pressured by this if you’re a mid-level engineer....

Enterprise AI search tools are a simple concept. They take in all of the data from all of your productivity tools and give you a single pane of glass to search across your company’s entire corpus. This lets you search across all of the documents, email and chat regardless of what tool they are stored in. The productivity benefits are apparent here because who hasn’t spent half an hour searching for that doc you made three years ago?...

I’m a big fan of building security into existing processes, a term coined as “secure paved roads” by Jason Chan, Ex-Netflix CISO. The idea behind this is that security should mostly be invisible. The average employee should simply not have to think about high-consequence security domains. They’ll use tools that make their life easier, and that tooling has security built in by default. Yes, they can divert from that paved path, but they’ll generally have a worse experience....

Background Third-party risk management (TPRM) has its challenges. It is a relatively new area that has been developing rapidly, but many programs face significant issues as their companies grow. TPRM rarely scales linearly with the business or the number of applications in use. There are no easy fixes, but you can make steady improvements. I will share some practices I have used to improve programs over time, which you can take away and adapt to your situation....

Summary In this blog post, I’ll go into the basics of third-party risk management, what the challenges are, and give you an overview of what an average Third-Party Risk Management (TPRM) program looks like. This is designed primarily for people new to the industry up to the mid-level, but there might be a few points valid for seniors with mature programs too. Background In recent years TPRM has become a growing chunk of work for cyber security teams....