Cybersecurity Is Easy.

Many executives think they can buy their cybersecurity problems away. They soon come to find that if they want to achieve real security, there is a lot of work to be done.

No, it’s not. Security is not easy. If it were, it would not be such a big and difficult problem to solve.

Today I won’t be telling you how to solve security. I will try to get you to empathize a little with security practitioners and leaders.

Security Is…

Here are some things a security leader has to deal with:

  • Dealing with the security scrutiny of a large enterprise client, and consequently your sales team

  • Scheduling and coordinating pentests

  • Dealing with inbound bug bounty bugs

  • Fixing issues from your pentest

  • Cybersecurity insurance renewal and their scrutiny

  • Hiring security people

  • Board level concerns around security

  • Customers abusing your platform

  • Transparency with your Engineering Team

  • Third parties abusing your platform

  • Hiring security people

  • Enabling sales people via security

  • Dealing with Data leakage issues

  • Secure SDLC / DevSecOps

  • Dealing with Insider Threat issues

  • Balancing Application Security priorities with Product Teams roadmap and priorities

  • Third Party / Vendor risk

  • Security Awareness Training

  • Creating adequate security policies

  • Managing access control

  • Hiring security people

  • Giving your CEO an Infosec roadmap

  • Getting other groups to unblock your security initiatives

  • Dealing with changes to your threat model and reprioritizing that roadmap you gave your CEO last week

  • Updating your policies consistently and in a timely manner

  • Budget cuts

  • IPO Readiness

  • Getting SOC2 / ISO / PCI / XYZ compliance

  • Staying compliant

  • Social Media distractions

  • A Brian Krebs report

  • Choosing your battles and which hill to die on

  • Burnout and stress

  • Hiring security people

Security has so much going on. Everyone has a lot going on. Engineering, Product, Sales, Operations.

Just like anything else in Technology, you cannot achieve security overnight. It’s a continual process. Do the hard and foundational work ahead of time, and you will save time later. Avoid it, and you must pay the tech/security debt tax later.

Some Tips

  • Having top-level insight into security will help keep everything balanced.

  • Have realistic expectations regarding security, but keep moving forward

  • Make security a priority across the board

  • Shortcuts are band-aids… they may protect you in the short run, but they don’t solve your problem

  • Data is your friend, the more information, the better. Have the big picture in hand.

  • Reprioritize often

You Still Have To Do The Work

If there is one takeaway from all this, it is that you cannot buy security. You still have to do the hard work.

Like any project, whether it’s a web app, an infrastructure project, or anything else, it takes time to tackle. If you approach security with this mindset, it might help you achieve your goals towards real and effective security.
