It has long been a truism of security practitioners that security is not an IT problem. This is an attempt to lift the gaze of the security team from technology to the wider business. A laudable and useful goal. However, IT is a security problem.
Category: Management
Misinterpreted policy?
A couple of months ago I was home ill from work and frankly a little bored. While idly reading my Twitter feed I reflected on a challenge I had been facing at work; a very technology-focused, agile team that seemed to move faster than the security team could handle. I had…
Security Analytics Beyond Cyber
I presented at 44CON 2014 on moving security analytics on from network defense and rapid response towards supporting data-driven and evidence-driven security management. My presentation is on SlideShare below: Security Analytics Beyond Cyber from Phil Huggins
Protecting Information About Networks, The Organisation and Its Systems
I recently wrote a report with a number of colleagues for the Centre for the Protection of National Infrastructure (CPNI) on the Network Reconnaissance phase of a targeted attack following initial exploitation. The report covers what is targeted, how the attackers operate and what controls help. Below is a summary infographic…
Follow the Money
When we talk about security with the business we need to talk about money. I have occasionally run into colleagues whose answer to risk-based governance approaches and performance-based management approaches has been to say “Show me the money!”. I understood their desire to see security operate in the language of…