You're Not Paid To Think

“You’re not paid to think.” I’m sure this phrase will spark fond memories if you’re ex-military. It was a joke… or was it? I would hear this said as ‘banter’ after a baffling decision had come down the chain of command, from some lofty heights. Or traded as a knowing joke between people who knew better but didn’t dare say so. Sometimes it wasn’t a joke at all, but an excuse not to override an order they knew was sub-optimal or downright wrong, through fear of discipline… or simply because leadership was weak. ...

May 28, 2026 · 8 min · Ben Griffiths

Your SOC Metrics Aren't Measuring Security

Keeping the status quo was a mistake. I was building a SOC, in-housing all the outsourced capabilities from a Managed Security Services Provider (MSSP), and I had been asked to provide some specific metrics for an internal governance board. The same metrics the MSSP had been reporting. I provided them without questioning whether they were still appropriate, or whether they’d be the right ones for us going forward. They were not. ...

March 30, 2026 · 9 min · Ben Griffiths