Collectively Blind

I’ve been privy to some pretty ~~intense~~ exciting inter-security-team ~~arguments~~ discussions through my career. I’ve worked across both security compliance and security engineering, and currently operate somewhere between the two. That vantage point has shown me something uncomfortable: these teams clash constantly, and it’s not because either side is incompetent. They’re wrong in different directions, and that difference is worth paying attention to. In some ways, the fact they argue at all is the good news. It means there’s cognitive diversity in the room. The real danger is when everyone agrees. ...

February 19, 2026 · 7 min · Ben Griffiths

I Red Teamed Our Red Team in 6 Minutes

Those of you who know me personally won’t find this hard to believe, but at times, I can be mischievous. Nothing illegal, often for my own amusement or to validate a point. Let me share a story with you. Winter 2024, a member of the vulnerability management team sent me an interesting article. Not a typical vulnerability, there was nothing to ‘patch’, but a feature in an official Microsoft tool that could present a security weakness. ...

January 18, 2026 · 7 min · Ben Griffiths

The CrowdStrike Lesson: Security vs Operational Risk

What the world doesn’t need right now is another CrowdStrike hot take… so here’s mine. I’m not here to throw any more at CrowdStrike. They’ve had enough. There was a mistake with big impact.[1] It happens. There is a lesson to be learnt though: every security control carries a tradeoff, and in this case it’s operational risk. But this recent event serves to remind us. We cannot just blindly push security controls; there are tradeoffs which must be understood. ...

July 22, 2024 · 3 min · Ben Griffiths