Frustratingly Effective – BSW #220

Adrian Sanabria

1. 3 Ways CIOs Can Embed Resilience in Their Business
   It's an important topic, but I'm not sure this article hits the mark. 1 is Secure IT and business alignment. 2 is Create data-driven architecture, and prioritise reskilling, and 3 is To innovate within budget, seek flexible licensing arrangements
2. Self-Direction 2.0 – How to Successfully Scale a Flat Organization
   As larger security teams become more common, I thought this would be an interesting topic to explore - especially considering how important it is for security teams to be agile and self-directed to an extent. This framework, in particular, was interesting: One such mechanism used at Futurice is a 3×2 framework that’s designed to support strategic decision-making throughout the organization and across tribes. The idea is simple: You’re free to make a decision as long as you feel confident that it will benefit your clients, colleagues, and numbers (the “3” component of the 3×2), and that it will do so both today and tomorrow (the “2”). The company collectively articulates objectives and key results but gives its tribes a high degree of freedom in figuring out how to achieve them. Formal rules and processes are out. Instead, to share learning and information across teams and functions, the company encourages active dialogue on Slack and in community gatherings — a minimal approach to coordination that several companies in our cluster refer to as “no nonsense” or “no bullshit.”
3. Ransomware response: What CISOs really want from the federal government
   CISOs want the government to do more! No, less! No, we want them to do something, we're just not sure what! The quotes and responses from CISOs in this article are ALL OVER the place. Still, it's good that we're having the conversation, right?
4. How to Get Your Team to Stop Asking You Every Little Question
   Once you are established as a subject matter expert or just someone with a large amount of experience, it can be difficult to get staff and mentees to make decisions without checking in. While they absolutely can and should ask questions, it can be a nightmare with a larger staff, making it hard to get things done with all the interruptions. There are some important business culture lessons here - like managing expectations with asynchronous chat (no, I might NOT respond immediately) and giving employees the opportunities to safely make mistakes they can learn from.

Paul Asadoorian

1. Three Steps to Harden Your Active Directory in Light of Recent Attacks
   1. "A service that uses machine learning algorithms and other advanced detections to detect and block phishing messages and suspicious attachments must be in place in today’s threat landscape.", 2. "First, the local administrator password on each endpoint must be different. Microsoft offers a free solution called the Local Administrator Password Solution (LAPS) to achieve this. Second, you cannot nest domain accounts in the local administrators group to enable easy IT support." 3. "Two of the most common control sets we implement at Ravenswood Technology Group are the concepts of tiered security controls and privileged access workstations (PAWs). Tiered security controls prevent high-privilege credentials from being exposed to higher-risk assets such as client computers where the credentials might be stolen. PAWs isolate the tasks an administrator performs from their day-to-day workstation to a highly secured workstation,"
2. Demystifying RockYou2021
   "When any breach list pops up, you should check to see if the password you used is a part of it." - Better yet, this should be part of your Attack Surface Monitoring program, which will automatically discover credentials that are part of public breach disclosures, then operationalize it, and feed into your identity management program so that within 24 hours all affected users have passwords changed and established trusts/cached credentials reset.
3. How To Drive Value with Security Data
   Thoughts? "...discuss some of the challenges that we face today with managing all of our security data and expand on some of the trends in the security analytics space. In the third section, we focus on the future. What does tomorrow hold in the SIEM / XDR / security data space? What are some of the key features we will see and how does this matter to the user of these approaches."
4. CISOs Say Application Security is Broken – Security Boulevard
   Oh boy: "In addition, nearly all (97%) of organizations surveyed do not have real-time visibility into runtime vulnerabilities in containerized production environments, and nearly two-thirds (63%) of CISOs surveyed said DevOps and Agile development have made it more difficult to detect and manage software vulnerabilities." A suggestion: "While not security-related, supporting automated testing coverage will help the organization deploy changes in a safer manner and also make patching changes easier to deploy." - I'd argue that this IS security-related.
5. Ron Gula – Innovation and Emerging Trends in Cybersecurity
   "Gula stresses the need for an engineering focus and looking for solutions that can fundamentally change the game rather than just reacting to the latest attack trend. We talk about newer cybersecurity technologies like browser isolation and deception, and some of the companies Gula Tech Adventures is supporting to bring the next generation of cybersecurity tools to market." - What solutions fundamentally change the game for you?
6. We’re Tired Of Reading Cliché Self-Help Articles
   OMG, so much this: "They lure us in with the promise of being healthy, wealthy, or incredibly successful. Each article promises to “change your life” so you can “become a better person.” But more often than not, you’re left with a bitter taste in your mouth because the writer click-baited you just to get a few more views and dollars in their bank account." And this: "Self Improvement is ruined. Like a chocolate cookie, it’s crumbling apart and often doesn’t put the best interests of the reader at heart. It’s become a pitch-fest of courses and digital products to “help you live your best life.”"
7. You Might Be a Secret “Productive Procrastinator”
   I do this more often than I would like: "There are obvious forms of productive procrastination such as organizing your office before you start a project. You somehow convince yourself that the mess will distract you from your work." So true: "It’s spending 1-hour researching fonts as you are trying to revamp your resume. Or working on a 20+ page deck and wasting time looking for just the right image on slide 2. You are working on a task related to the project (yay!), but you are spending too much time on a particular aspect of it that is not going to deliver the right return on your time investment (boo!)." Not bad advice, set aside 15 minutes to choose the style for your presentation (as an example): "Time blocking enables you to think through how much time you want to spend on a task."
8. How is Automation Helping in Security?
   This is one aspect of automation that needs to be highlighted: "Human errors are playing a big role in security." We often do not want to admit that we, as humans, make mistakes. To combat this automation is important. Computers are are AMAZING at following directions, in fact, one could argue they are the best innovation of all time at following directions. This is a good and a bad thing, however, when programmed correctly, computers can help us automate those tasks that are boring but require a high degree of accuracy. What we also need is people on the team who can understand the possibilities that software and automation can bring, and guide that change into the organization and it's processes!
9. Attracting Talent During a Worker Shortage
   We really need to adjust this for cybersecurity...