Context setting: In my first article on cloud security, I talked about the journey to cloud migration. What are the things you need to consider when planning the big move? To realize the full value of this post, you must have already identified the motivations for migration and the locations of some resources you can use to enhance your security posture within yourself and/or your team.
In an ornate boardroom, a group of executives gathered at a large round table for their annual strategic planning meeting. Morgan, the CEO, was surrounded by Lana, the VP of Sales; Susan, the CISO, Smith, the COO; and Barbara, Chief Compliance Officer. There was much to get done in the next twelve months, so they were passionately debating how best to invest their limited budget to achieve their goals and to address various sources of risk.
Businesses are always looking for ways to control and reduce the cost of doing business as well as gain a competitive advantage over their respective competitors. The constant pressure of doing more with less has introduced many offerings designed to reduce the cost and complexity of the IT/OT infrastructures that support the business. Let’s take a look at some offerings that have been introduced to address these challenges.
Whilst working for a management consultancy, I learned a lot more about industrial control systems (ICS) than I ever imagined I would. In many cases, this wasn’t from working on them directly; it was from simply speaking to the technicians and reading documentation. Oftentimes, we have the false belief that our systems are safe from compromise because no one really knows how they work. It’s like security through obscurity.
In my line of work, it is often a requirement to provide our customers with background information on the employees who will be performing on-site professional services. This is not in itself an issue, but how the customer receives and handles that information can be. Tripwire best practice is for HR to provide an attestation of all requested background checks to our clients rather than providing detailed background reports or having the client run a background check on our employees.
After spending several decades in this industry, I have seen growth in many different security products and in many different areas. All the while, I’ve questioned whether specific technologies were offering real value or were just over-marketed to create more revenue opportunities for investors. As we have seen repeatedly, categories of security products blossom in many different ways. So many vendors, so much technology. Where do we go from here?
I am all about the baselines. I’ve made an entire career out of them. But if you were to ask a random person on the street what that means, the reaction would be: “Who the heck are you, and why are you asking me random weird questions.” So it would be better if you found someone in the tech industry at least.
I have wanted to do a series like this for some time. I frequently watch movies and point out social engineering and OSINT techniques or inaccuracies as well as OPSEC blunders. These blunders, in addition to the matrix style waterfall screens, are equally bad as the “hacking” you see in movies.
The City of Waco has warned residents that their online payments for water services may have been intercepted by hackers who stole credit card details. The heart of the problem lies in the third-party online payment software that Waco and several other cities and municipalities use to let residents pay their bills, pay parking fines, as well as make other financial transactions.
Finding a security vendor that is the best fit for your company’s business objectives, culture, risk profile, and budget is challenging today. The purpose of this blog is to suggest that working with a “vendor partner” is more than working with a standard technology vendor in that a partner aligns not only with “Technology” concerns but also with “People and Process” concerns.
