7 Simple Truths In Infosec

Sometimes simple is better. This post was just going to be a straight list of bullet points, but I felt compelled to add some insight into each one. I think these are basics we need to understand as we embark on security leadership in our respective organizations.

1. Baking security early will save you in the long run

The earlier you involve the security team in your product release, changes, or new initiatives, the more resources (time, money, effort) you will save in the long run.

2. Compliance does not equal security, but it is a common driver

Companies and people feel like if they are compliant, then they are done and secure. Unfortunately, the hidden truth behind the compliance ecosystem is that it’s a lot of grey areas, from how you design your controls to the type of auditor you select. This can be a chapter on its own. See my next point.

3. Security is a Journey

Just like your career or entrepreneurship, security is a steady journey and not a point-in-time assessment. If you are continually assessing and re-assessing your security, then you have the right mindset.

4. The biggest threat to Security: Complacency

The opposite of the previous point. If you think you have done everything you need to do from a security perspective, you’ve already lost.

5. Companies will choose to survive over security any day

We are seeing an astonishing amount of layoffs in the security field, including CISOs and entire security teams. There are several reasons for this, and assuming apolitical reasons, a company will choose to survive and stay alive any day, even if it means taking a hit in security for the short term.

The same goes for any expanded engineering team: a company might focus on just core features vs experiments.

6. Guardrails vs Gatekeeping will get you further on your mission

So many people have been burned by gatekeepers in security. There is a whole generation of people that distrust security people. If you are acting as a guardrail, preventing them from hurting themselves or shooting themselves in the foot, they will be ever so grateful. This of course requires a consultative and empathetic approach.

7. Learn the language of your partners

As a security person you need to have the ability to understand the language of various teams, which includes:

  • The Executive Team - Business Language

  • Product Team - Product Management Language

  • Engineering - Technical Language

  • The Board - Strategy and Risk Language

  • Finance - Finance and Accounting Language

The more you are able to speak their language, the more you will get along.

Think about it, aren’t you impressed when someone new you meet knows a technical term in your industry? Or if you speak another language, if they know a few words in it?

That’s it for now. I have a few more, but maybe for another day. Thanks for reading!

