infosec
Imported tag from Readwise
Addressing key business risks: Every business faces risks, but when you write them off as inconsequential or irrelevant, they become more dangerous. The Steel Man forces you to conduct a pre-mortem of each key business risk to understand how it creates a significant business disruption. In doing so, you are better prepared for managing these risks.
Executives are often forced to make sense of a long list of sometimes conflicting metrics. By linking KRIs and KPIs, the cybersecurity team gives executives the ability to engage in meaningful problem-solving discussions on which risks are within tolerances, which are not, and why (see the sidebar, “Linking a KRI to a KPI”).
Thus, presenting a sky-is-falling scenario to justify a fatter security budget, “does not resonate at the board level,” she said in her talk. “Board members must be very optimistic; they have to believe in the vision for the company. And to some extent, they don’t always deal with the reality of what the situation really is.
The answer, I believe, lies in fostering a strong cybersecurity culture within organisations. It’s not enough to simply implement technical solutions and hope for the best; we must fundamentally change the way we think about and approach cybersecurity. This means embedding security into every aspect of an organisation’s operations, from the
Companies' cultures need to change. You need to become concerned about every new piece of software, every new connection and every new piece of data -- whether or not you're required by law to care. If some piece of software doesn't contribute to your core business, don't allow it. If some new Internet-connected service isn't part of your mission,
Water suppresses fire by lowering the temperature below the kindling point (also called the ignition point). Water is the safest of all suppressive agents, and recommended for extinguishing common combustible fires such as burning paper or wood. It is important to cut electrical power when extinguishing a fire with water to reduce the risk of
What does a security leader want from a security program?
• The Board must meet regularly with the security leader formally and informally. Security programs are extremely nuanced, and board members (maybe not all of them, but at least the head of whatever sub-committee oversees technology and information risk) must take the time for confidential