Mark Simos

@markasimos

Simplify and clarify • Cybersecurity architecture and strategy • Business + Security Alignment • Make the world better

Joined 08.11.2024

Latest posts by Mark Simos @markasimos

Nice!

I love to hear that you turned that energy into positive outcomes! (it doesn't always happen :-)

10.03.2026 12:39 👍 1 🔁 0 💬 1 📌 0

100% agree!

Part of our job is to advise and educate our professional colleagues. I made this graphic for business leaders, but it also applies to practitioners supporting other folks

From Part 2 of publications.opengroup.org/s252

10.03.2026 12:37 👍 1 🔁 0 💬 0 📌 0

We must respect other professions and professionals the way we want to be respected as cybersecurity professionals. We are just people trying to do our jobs and so are they.

end 🧵

10.03.2026 12:24 👍 1 🔁 0 💬 0 📌 0

We need to explain things by making analogies to similar common things they already know (fire prevention, kids' safety, etc.) or professional things they already know (safety briefings in petroleum industry, liability in legal industry, etc.) so it's clear and easy to them.

10.03.2026 12:24 👍 1 🔁 0 💬 1 📌 0

If we think people should have basic cybersecurity knowledge (and we need them to!), we must take the time to talk to them in _their_ language.

10.03.2026 12:24 👍 1 🔁 0 💬 2 📌 0

I know a lot about cybersecurity, but you don't want me to do 'basic' medical tasks like finding a vein in your arm to inject medicine, designing a 'simple' bridge for people to drive over, mixing a 'simple' chemical formula, or other 'basic' tasks in a different profession.

10.03.2026 12:24 👍 1 🔁 0 💬 1 📌 0

We need to respect the skills and knowledge of other professionals and remember that their basic skills and our basic skills are very different.

10.03.2026 12:24 👍 1 🔁 0 💬 1 📌 0

Ever been tempted to call people "stupid users" because they make a basic security or technology mistake?

I would advise against saying this and encourage you to change your thinking patterns.

A short 🧵

10.03.2026 12:24 👍 1 🔁 0 💬 1 📌 0

▪️ The 'autonomous' sounds intellectual or technical, like it's been thought through or validated
▪️ We technologists have seen tech replace some legacy jobs over time, seen how repetitive some SOC work is, and wonder 'could it really happen?'

What are your thoughts?

end 🧵

07.03.2026 13:16 👍 0 🔁 0 💬 0 📌 0

I have been trying to think about why people may believe the myth of the autonomous SOC (and why it took me so long to see it myself).

So far, my best guesses are:
▪️ It appeals to the hope that we may finally 'win' the security battle against the attackers

07.03.2026 13:16 👍 0 🔁 0 💬 1 📌 0

No matter how well we automate what we do today, the attackers are paid to find some way around it by finding biases, oversights, seams, etc. in our preventions, detections, and response/recovery automation.

07.03.2026 13:16 👍 1 🔁 0 💬 1 📌 0

AI will change how people do their job, but it won't replace a human or automate the whole job. SecOps/SOC jobs are some of the least likely to be fully automated because they face the full brunt of creative intelligent human attackers finding ways to get around any defense.

07.03.2026 13:16 👍 0 🔁 0 💬 1 📌 0

I understand that people are excited by AI technology because it is very powerful and has a lot more ongoing potential to automate wasted repetitive human effort (just like SOAR and previous generations of automation tech did).

07.03.2026 13:16 👍 1 🔁 0 💬 1 📌 0

People that believe this are also effectively saying that leaders can replace security people/salaries with a one-time purchase of tooling (a common misperception many already have).

07.03.2026 13:16 👍 0 🔁 0 💬 1 📌 0

If a security team believes this, they have to believe that attackers do exactly the same attacks every time and will miraculously give up (and open a fruit stand?) if defenders just buy and implement the right tool(s).

07.03.2026 13:16 👍 0 🔁 0 💬 1 📌 0

(The term has bothered me since I first heard it, but I hadn't thought about it deeply enough to see this until I was writing up this antipattern for the Zero Trust SecOps playbook).

07.03.2026 13:16 👍 0 🔁 0 💬 1 📌 0

I recently realized that the 'autonomous SOC' idea is the same old snake oil packaged up with a fancier and more intellectual-sounding name

The 'technology can prevent attacks / stop breaches' claim that has been disproven over and over (similar to compliance claims)

a 🧵

07.03.2026 13:16 👍 1 🔁 0 💬 1 📌 0
Security Roles and Glossary Part 1 - Introduction and Definitions: This document provides an overview of the structure of the Security Roles and Glossary Standard, and the common terms and definitions used. Part 2 - Roles Imple...

This will show you how to use the Security Roles and Glossary standards from The Open Group to overcome these challenges and get some wins on the board!
publications.opengroup.org/s252

26.02.2026 16:18 👍 1 🔁 0 💬 0 📌 0

This leads to ineffective defenses and internal conflict that threat actors regularly exploit. This session will talk about how we got here and how to get the whole team playing together.

26.02.2026 16:18 👍 0 🔁 0 💬 1 📌 0

Unfortunately, most of those players don't know their positions, roles, or goals - very few people know what they are supposed to do for security, why it's important, or how to do it.

26.02.2026 16:18 👍 0 🔁 0 💬 1 📌 0

Security will never be fully effective until everyone does their security job including boards of directors and CEOs, CISOs and CIOs, SOC analysts, everyday users, architects, IT engineers and operations, and more.

26.02.2026 16:18 👍 0 🔁 0 💬 1 📌 0

Security is like a sports team where very few players actually know they are on the team, only a few of them actually show up for games, and half of those are fighting with each other or playing like they are on the opposing team.

26.02.2026 16:18 👍 0 🔁 0 💬 1 📌 0

I am excited to talk about one of my favorite topics at BSides Tampa on May 16!

*Security is a team sport (and we are NOT playing like a team)*

26.02.2026 16:18 👍 1 🔁 0 💬 1 📌 0

No single solution will ever keep business assets safe from every creative attacker and their learnings/evolution.

end 🧵

09.02.2026 12:53 👍 0 🔁 0 💬 0 📌 0

Building security resilience is a journey of many steps and learnings, not a single plane flight to a predetermined destination. While we all wish there was a simple shortcut for security, the businesses and technical estates we defend are complex.

09.02.2026 12:53 👍 0 🔁 0 💬 1 📌 0

Regulatory standards can’t keep up with attackers, network security perimeters aren’t enough, and no single tool or technology can stop determined human adversaries.

09.02.2026 12:53 👍 0 🔁 0 💬 1 📌 0

Classic security approaches often focus on a perfect end state of compliance, a perfect network configuration, or a “perfect new tool” that fixes everything as their ideal end state.

09.02.2026 12:53 👍 0 🔁 0 💬 1 📌 0

There is no such thing as a single “silver bullet” solution that solves everything in security (despite what any security vendors may claim 🙂)

09.02.2026 12:53 👍 0 🔁 0 💬 1 📌 0

Pursuing perfect solutions is a perfect waste

From Chapter 6 - How to Scope, Size, and Start Zero Trust (Page 78) of www.amazon.com/Zero-Trust-O...

🧵

09.02.2026 12:53 👍 0 🔁 0 💬 1 📌 0

We documented security fiduciary duty and accountabilities in the Security Roles and Glossary Standard Part 2 and Part 3.1 - publications.opengroup.org/s252 (draft standard, feedback welcome). Some more description of this standard is at www.linkedin.com/pulse/securi...

end 🧵

08.02.2026 15:48 👍 1 🔁 0 💬 0 📌 0