From experience: if you create a culture inside an org where you acknowledge that security breaches happen, and place protecting customers and society at the heart of discussions, you will by proxy protect the org from reputation damage, and employees too, as everybody wants to do the best thing.

There are always trade-offs - but if you nail the culture, led by the CEO, intentions start from a good place.

Cybersecurity effectiveness isn’t just playing with technical toys. If you get culture wrong, outcomes are bad.

@GossiTheDog after the basics (AV, vuln/dev mgmt, mfa, phishing def), I'll take an ounce of culture over a pound of tools any day of the week.
@GossiTheDog this is what I do for my job! Hard work but super rewarding.

@GossiTheDog

Culture is the most important.

I will never forget the short term position I had, where I was participating in the response to an audit.

In the elevator up to the meeting room, my boss turned to me and simply said:
“These are (security) auditors. Do not speak unless they directly ask you a question. If they ask you a question, do not say anything that could be bad or make us fail. If you say anything that comes back on us, this will go badly for you.”

Suffice it to say, I never got out of the elevator for that meeting.

@GossiTheDog Quite. Why I quit my last post, in December.