Eliezer commented how someone in charge of security must have a natural security mindset, something most people, including technology experts, do not (which matches my observations). Your LinkedIn profile shows a wealth of technical expertise, but not much in terms of opsec. I wonder if this is an issue.
Valid point. I guess I have ordinary paranoia only. At my current company, where we do well in the pentests, I have a specialist for security, and using specialists will be my approach when we scale beyond the Improving level.
Security experts are great at details and evaluation, but you can never delegate the question of priority. Beyond the basics (improving level), there’s not a lot of low-hanging fruit—mitigations aren’t free, and threats aren’t so dire as to be obviously necessary. The question of what a mitigation costs and what shape of protection it brings becomes the main decision point.
Once you’ve done the fairly standard basics (solid access control and logging, encryption in flight and at rest, regular and traceable processes for deployments and operational changes, etc.), there are only tradeoffs that remain—generally things that take time/energy away from your actual mission, or worse, things that get in your way and slow you down as you pursue your mission. Many of these will be worthwhile for at least some of your data/operations. But many won’t be, or at least won’t be this year.