Too often security teams feel that we're not only fighting threat actors but are also at odds with our colleagues. It doesn't need to be this way: https://zeltser.com/cybersecurity-vs-everyone/

#security #cybersecurity #CISO

Cybersecurity: No Longer the “Department of No”

@lennyzeltser I remember once reading something on project risk.
* Project risk increases if the stakeholders have different goals - seems obvious, but, often not considered. Cyber teams usually have very different goals to other business units.
* Project risk increases if stakeholders lack knowledge. Again, seems obvious, but I've seen it too often, again cyber teams / other business units.
Addressing those two issues can go a long way to decreasing risk, improving outcomes, and reducing friction.
@tjbutt58 That’s very interesting!
@lennyzeltser it's not everyone. It’s just management, end users, accounts payable and the bad guys.
@lennyzeltser one of the hardest tasks I have at work is to convince my colleagues that Security is not a brick wall. Instead it -enables- the business to do what it needs, in a secure manner.
It’s been an almighty task to fight the prevailing security attitude of “If we say no enough times they’ll go away and give up.” Instead staff will work around security and end up with a posture that is far worse.

@chrisp @lennyzeltser For one side, it's security without context; for the other it's context without security.

Security: "You *must not use PII in non-production systems*"
Me: Ok, we have a thing that works out crop circles relying on lat/lon. Trouble with an arbitrary polygon of GeoJSON means debugging on a non-prod system with those values.
Me: lat/lon can be farmers' PII because it's their home.
....
Security: err...

(Security isn't wrong, but this was just security by checklist). 😞

@chrisp @lennyzeltser I always think of that line from Star Wars, "The more you tighten your grip, the more star systems will slip through your fingers."
@lennyzeltser They often don't help themselves. Rolling out new ways of doing things with little communication or guidance. "Sorry, you can no longer use your own accounts to login to servers, you must use this one that's unique to the machine, and it's harder to get the password, effective in 7 days"
Also making work for other teams without lead time, or consideration for their planning.