Stifling, Suffocating, Security?

Security risk management requires balancing a number of stakeholders needs. The risk owners, ultimately a board of directors of an institution, set a risk appetite (whether implicitly or explicitly) , the business managers and leaders then seek to operate within that appetite to drive growth or deliver their mission. There is commonly a tension between the hunger for growth versus the desire for safety which tends to be very easily handled at an executive level but becomes increasingly more contentious the further down an organisation a disagreement occurs.
Read the rest of this entry »

Portfolios of Risk

I’ve been thinking, and worrying, about portfolio risk and especially cross-portfolio risk in federated environments. In federated environments or extended enterprises it is not unheard of for strong programme management to have a good clear view of the risks in their scope of activity and in some more effective enterprises the dependencies that different activities within their scope have on each other but it is rare to have a coherent and complete view of external dependencies between portfolios and as the pace and variety of change increases this could be a problem.

Read the rest of this entry »

Talking Up Security

A keynote I gave to GDSCon 2017 on how security practitioners should engage with senior executives.

Strategic Security Management Challenges

I was recently asked by a consultancy firm to provide a keynote talking about the challenges I had facedĀ as a security leader during my career and how the consultancy could start thinking about how to help people in my position. I appreciated the customer-first orientation they were adopting, refreshing in a world of consultancies that have a habit of leading sales engagements with why it would be both foolish and dangerous not to buy their off-the-shelf industrialised services that were designed for smaller more focused firms with less in-house capability.

Large global enterprises share much in common but the key themes of concern for a security leader in my experience are:

  • Complexity (the old enemy of security),
  • Scale,
  • Availability of the right people and
  • Culture

Read the rest of this entry »

The Future of Security Automation.

It is entirely possible I am about to have a flying car moment. Recently I have been asked by a variety of product vendors and security consultancies for my opinions on the future direction of security and where they should be focusing their innovation efforts. I’m honestly not sure why I get asked this but I enjoy both the sound of my own voice and free lunches so i’m not complaining. Here is my view on the core of how we will be delivering security in large enterprises in the near-ish future.
Read the rest of this entry »

Twitter RSS