Phil Venables

Cybersecurity, resilience & enterprise risk - at scale. CISO - Google Cloud + 3 x CISO (25 yrs), Board Director, Chief Risk Officer. Opinions = own.

Role
CISO
Company
Google Cloud
Country
USA
Website
philvenables.com
2025-12-13

Security Leadership Master Class 6 : When Disaster Strikes

- Capabilities beat just plans
- Engineering resilience
- Building crisis management muscle memory
- Learning from events
- Shrines of failure
- and more…..

philvenables.com/post/security

2025-11-15

Taking your established security program to the next level.

Preventative maintenance, risk quantification, navigating the uncanny valley, continuous assurance, architectural choices to reduce whole classes of risk and more.

philvenables.com/post/security

2025-10-04

Security Leadership Master Class - Part 1: Leveling up your leadership

philvenables.com/post/security

2025-08-23

Everyone Has A Plan Until They Get Punched In The Face.

The most resilient organizations have a tremendous set of base capabilities (people, process and technology) already established, they have sustained organizational muscle memory to arrange (and constantly rearrange) those capabilities in response to a developing situation and the culture to constantly adjust both of those - quickly. They will have plans but they don’t depend on plans.

philvenables.com/post/everyone

2025-07-26

Decoding Cybercrime's True Scope: Beyond the Trillion-Dollar Hype

A new @theNASEM report reveals the truth about #cybercrime stats: our data is fragmented, inconsistent, & underreported. We can't fight what we can't accurately measure. The path forward is a coordinated data system.

philvenables.com/post/decoding

2025-07-12

The Don't Fire Me Chart

A lot of premature CISO turnover is caused by the security program uncovering previously unknown risks and issues. So, paradoxically, the best CISOs make the situation *seem* worse before it then *actually* gets better. The answer to this is to regularly remind people of this and show them the "don't fire me chart". Then keep showing them it for every new piece of work.

philvenables.com/post/career-l

2025-06-28

Cyber Insights Needed & Delivered

My analysis of the recent Cyentia Institute report.

Things are getting worse in absolute terms but it’s not clear (my take) they are getting worse relative to what the situation might be. If that is the case then it’s not clear if that is because of attackers’ capacity (too many targets to exploit) or because we have actually made real progress. I suspect the answer is a bit of both - but it’s clear we need to keep asking better questions of ourselves.

philvenables.com/post/cyber-in

2025-06-14

Segmentation Technologies / Zero Trust

Thinking about doctrine vs. structure is a useful mental model to validate a technology’s adequacy for a particular task. In short, to know whether we are jamming a square peg into a round hole.

philvenables.com/post/segmenta

2025-05-31

A different take on the CISO / Cybersecurity Leader Job Description.

philvenables.com/post/ciso---c

2025-05-17

Starting a Security Program from Scratch (or re-starting).

Most organizations, with sufficient will and leadership can progress up a maturity curve on cybersecurity - but it’s important to start with getting some of the basics right so you have the time / air cover to build your program for your true strategic needs.

philvenables.com/post/starting

2025-03-22

Security Leaders’ Reading List

Not many security books. Security leader challenges are mostly, well, leadership along with a healthy dose of program mgmt, culture, attention to detail, risk mgmt and more.

philvenables.com/post/leadersh

2025-03-08

Turning the Security Flywheel

Want to enhance your security program's efficiency? This post explores the "flywheel" concept and its application to security, demonstrating how to create self-reinforcing cycles that improve effectiveness. Learn practical strategies for areas like control cost reduction, threat intelligence utilization, and continuous monitoring. Discover how to move towards a more proactive and sustainable security approach, leveraging momentum to amplify your program's impact.

philvenables.com/post/turning-

2025-02-22

Cryptanalytically Relevant Quantum Computers (CRQCs) are coming. Perhaps sooner than we think, but we can conservatively (and usefully) assume in the 2032 - 2040 time frame. It’s going to be more complex to migrate to Post Quantum Cryptography than many organizations expect and so getting started now is vital. Adopting crypto-agility practices will mitigate the risk of further wide-scale changes as PQC standards inevitably evolve. Beware the snake-oil of non-standard solutions.

This post covers:

- Objectives and Scope of the Program
- Importance of Crypto Agility
- Forming and Sustaining the Team
- PQ(2K)C - An Important Emphasis
- What Not to Do
- Resources to Help You

philvenables.com/post/post-qua

2025-01-11

Keys to Career Success

Managing your career is your job and your job alone. You should seek help. If you’re lucky you will get it - perhaps more than you might reasonably expect or even deserve - because people are generally good and want you to succeed. But ultimately your progress is a function of your attitude, the skills you add to your “toolbox” and the grit you show in relentlessly showing up.

philvenables.com/post/keys-to-

2024-12-28

Top Ideas and Posts from 2024

In closing the year let’s take a look at the top 10 posts of 2024 in order of most read.

philvenables.com/post/top-idea

1. Security Training & Awareness - 10 Essential Techniques
2. Risk Appetite and Risk Tolerance - A Practical Approach
3. Truths of Cyber Risk Quantification
4. Where the Wild Things Are: Second Order Risks of AI
5. A Letter from the Future
6. Security and Ten Laws of Technology
7. InfoSec Hard Problems
8. Incentives for Security
9. Why Good Security Fails: The Asymmetry of InfoSec Investment
10. Job Interviews: Part 2 Conducting the Security Interview - The Big 10

Looking ahead at the posts to come in 2025 I want to spend some time on, or revisit, the following:

- What is actually transpiring in AI: the risks and the opportunities.

- Looking at mitigating whole classes of emerging threats.

- The interplay of different risks: security, privacy, compliance.

- Risk management and risk communications esp. to Board/Executive level.

Any other topics?

2024-12-23

Cloud CISO Perspectives for end of Dec ’24 is up covering:

- Year end review from AI to Threats
- Forecast for 2025
- AI ISO certifications
- NIS2 compliance
- Threat intel. program development
- Detection as code
- and much more….

cloud.google.com/blog/products

2024-11-30

Regulatory Harmonization - Let’s Get Real

Most cybersecurity controls are already relatively aligned. The calls for action on harmonization are really problems induced by obligations from other technology risk domains or broader. In many cases, focusing on reducing compliance toil is the right approach.

philvenables.com/post/regulato

2024-11-16

Lessons in Crisis Management - Top 10 Disaster Movies

Which ones am I missing?

philvenables.com/post/lessons-

2024-11-02

Risk Appetite & Tolerance - A Practical Approach

Defining risk appetite should support business decision making - ensuring risk taking is for strategic objectives while capping downside. Risk tolerance expression should permit choices and measurement.

philvenables.com/post/risk-app
