Building A Security Platform Engineering Team

I’m a big fan of building security into existing processes, a term coined as “secure paved roads” by Jason Chan, Ex-Netflix CISO. The idea behind this is that security should mostly be invisible. The average employee should simply not have to think about high-consequence security domains. They’ll use tools that make their life easier, and that tooling has security built in by default. Yes, they can divert from that paved path, but they’ll generally have a worse experience....

January 16, 2024 · 9 min · 1845 words

Improving Your Third-Party Risk Management Program

Background Third-party risk management (TPRM) has its challenges. It is a relatively new area that has been developing rapidly, but many programs face significant issues as their companies grow. TPRM rarely scales linearly with the business or the number of applications in use. There are no easy fixes, but you can make steady improvements. I will share some practices I have used to improve programs over time, which you can take away and adapt to your situation....

February 23, 2023 · 11 min · 2284 words

A Beginner's Guide to Third-Party Risk Management

Summary In this blog post, I’ll go into the basics of third-party risk management, what the challenges are, and give you an overview of what an average Third-Party Risk Management (TPRM) program looks like. This is designed primarily for people new to the industry up to the mid-level, but there might be a few points valid for seniors with mature programs too. Background In recent years TPRM has become a growing chunk of work for cyber security teams....

February 14, 2023 · 11 min · 2245 words

8 Common Zero Trust Misconfigurations

I’ve seen a lot of zero trust setups, from off-the-shelf vendor tools to complex custom-built solutions. I’ve found that many of them share the same problems, and below I’ve listed the 8 most common I see. These usually stem from the design phase, so the earlier you catch them the better! Admittedly some are those gnarly enterprise security problems which require a culture change and effort shift, especially number 8, as increasing manual workloads is not usually the top priority....

December 6, 2022 · 4 min · 819 words

Building a Corporate Security Program From The Ground Up

Introduction I’ve seen a few blog posts lately about building corporate security, but they are always… well… so corporate. They are always viewed through the lens of extreme risk, but the reality is that most places are not banks or government agencies. The examples given often lock things down to the point where manual work is required for every request, which is unrealistic in most public companies. You can (and should) try to achieve your security goals while impacting your employee experience as little as possible in the process....

November 10, 2022 · 12 min · 2477 words

Phishing 2077: Zero Trust Edition

You wake up, alarm blaring. Your AI assistant notifies you there’s been another netrunner attack on the company. You chug down your synthesized meal replacement drink and hurriedly rush out the door. “Hopefully the maglev isn’t delayed again,” you think to yourself. You scan yourself into the office with facial recognition and check your metrics for security incidents; you realize you’ve gone below your allowed security KPIs this month and hope they don’t dock your pay again....

June 10, 2022 · 9 min · 1884 words

What Is Client Platform Engineering?

What is Client Platform Engineering? One of the growing ideas in tech is the idea of a “Client Platform Engineering” (CPE) team. I looked around and, to my surprise, I couldn’t find much in the way of content on what these teams do. I managed the Client Platform Engineering team at Shopify and worked closely with our team at Atlassian when I was leading the enterprise security team there, so I figured I would attempt to demystify the team and what they do....

May 23, 2022 · 8 min · 1529 words

How Atlassian Built Zero Trust - Part 1

Background Update: This blog was posted back in 2021 on my previous blog and was based on a 2020 talk I did. In migrating to a new platform I’ve gone through and applied a few updates for 2022, mostly focusing on new features available on the market and upcoming changes such as WebAuthn improvements with passwordless. I spent the last few years building out a Zero Trust architecture as the Head of Corporate Security at Atlassian, and I figured it’s time to write a blog going into some of the design decisions we made and how we implemented the changes at enterprise scale....

February 10, 2022 · 16 min · 3305 words