One thing that surprises me more than it probably should when I speak with people about their security programs is how much “The Cloud” freaks them out. And, after speaking with them for a while, it’s clear they should be worried. But their habitual response to that worry is…you guessed it: “We brought in vendor/solution/tool […]
How to make your own security luck
In response to a previous email, a reader raised the challenges of actually practicing proper security architecture in organizations where the title says “Enterprise Security Architect” and yet they expect you to “roll up your sleeves” and do everything from incident RCA to security strategy to organizing the company piss up. And he’s right: it […]
Are you drinking the “Zero Trust” Kool-Aid from a poisoned chalice?
I subscribe to a lot of lists. All kinds of lists, actually, but of course, I subscribe to a lot of the “security” lists out there to see what people are talking about and keep up to date with things—just like you do. However, I’m seeing an uptick in the “Zero Trust” phrase in the […]
Hey, don’t feel bad…even the “experts” don’t understand security architecture
I truly don’t know where to begin. No, really. I don’t. In the last 3 weeks, I’ve heard so many well-meaning but violently misguided takes on security architecture by otherwise intelligent people that, well…it actually left me a little stunned. Let’s get the definition out of the way first. If “architecture” is “the complex or […]
5 things your security architecture MUST do
What do you really know about security architecture and what it should do for you? I’ve mentioned it a couple of times over the last few weeks, but I haven’t yet given it the attention it deserves. So today, we’re going to start fixing that problem. Tomorrow, we’ll do a slightly deeper dive on the […]
