Episode 200 - Building a Security Strategy - Part III


Fetch error

Hmmm there seems to be a problem fetching this series right now. Last successful fetch was on November 23, 2018 13:38 (22d ago)

What now? This series will be checked again in the next day. If you believe it should be working, please verify the publisher's feed link below is valid and includes actual episode links. You can contact support to request the feed be immediately fetched.

Manage episode 186820532 series 12330
By Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio streamed directly from their servers.

Episode 200 - Building A Security Strategy - Part III

  1. Recap
    1. Strategy vs Policy
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village
  2. The Question is “How do I make one?”
    1. Tech
      1. Tech, by itself, only consumes electricity and turns cool air into warm air
      2. So many choices….
      3. The tech selection is the *least* critical one for developing a capability
      4. http://www.southernfriedsecurity.com/episode-192-security-waste/
      1. This is the “Stuff You Have To Do”
      2. Usually determined by regulation, policy, or corporate edict
      3. Describes a desired outcome - not how to get there
      4. Examples include “Malware Detection”, “Email Security”
    2. Service
      1. How you do the crazy things you do
      2. Security is not a One-Off - things must be repeatable and consistent
    3. Process
      1. Describes value team brings to org
      2. While tech and service selection is important the biggest improvement usually comes from better process
    4. Capability
  3. Capability = (Tech + Service) * Process
    1. Armorguy’s Maxim of Life: “Start small and iterate larger”
    2. Try to do to much out of the gate and you WILL fail
    3. Define success criteria for each stage that allows for error and learning
  4. Crawl, Walk, Run
    1. Security cannot exist as an island
    2. Interdependence with business units is key - if you don’t you are the foreigner and will be rejected
    3. The relationship with IT Operations is going to be wonky at first
  5. It Takes A Village
    1. Where do you look for more info?
  6. Strategy - It’s What CISOs Do…

139 episodes available. A new episode about every 23 days averaging 28 mins duration .