Security, Risk, Privacy, Leadership & More...

Information security is a broad area touching various fields, cultures, organizations and the business as a whole. In order to maintain a healthy and security-focused organization, the following aspects should be taken into consideration:


Tell me who the leader is and I will tell you how his/her team performs
Vision - Every leader should have a vision on how information security shall work for the organization
Strategy - Should be clearly communicated and understandable to everyone
Decisions - Shall be made independently and sometimes in a matter of seconds


If it is not written, it does not exist
Policies - Foundation of all procedures, high-level combination of vision and strategy
Guidelines - Precise, short and clear step-by-step guide
Instructions - Extension of policies, provides more detailed view on issues laid out by policies


Every leader needs a team, a team is people and people are strength
Morale - If people are not motivated their morale falls; morale depends on victories and victories depend on leadership
Dedication - Pushes teams to the limits, boosts morale and lays a foundation for growth
Awareness - Not everyone is dedicated to information security, but everyone can learn something new to boost the organization's security posture


There is no need for information security if there are no risks, but fortunately risks are everywhere
Assets - Shall be assessed against sensitivity to risk, to understand how important they are for an organization
Projects - There is a project every day, carrying various risks along the way; it can be software, cloud solutions, applications, hardware and anything else that can affect the risk stance
Vendors - Show me how secure your friends are and I’ll tell you what risks you have


Politics is great, let's talk about cyber
Incidents - Detect, triage, contain, learn ... Repeat!
Threats - Exploit vulnerabilities and realize risk; don't let the threat know your weakness
Attack Vectors - Search for the route, find the source, close the route, intimidate the source


Know what you are defending and why
Inventory - Always up-to-date with every piece of information needed, including: IPs, hostnames, racks, locations, owners and more... Maybe some day!
Ownership - Everything has an owner and owner is responsible for securing their assets
Patches - It's not easy to have everything up-to-date at a given time, but having a proper change management process can facilitate achievement of this goal


That's why you got hacked last time
Pen. Tests - Provide a vision of how an organization can be compromised through something that seems so irrelevant. Internal for everything before the DMZ, external for everything in the DMZ and beyond
Assessments - Scan regularly and translate findings into risks
Fixes - It does not make sense to conduct penetration tests or vulnerability assessments for something that has been popping up for the past 2 years. Eliminate the threat by fixing those vulnerabilities


If you find this content useful, feel free to share it with your friends and family. Owls love humans, so if you want to keep in touch make sure to sign up for CypherOwl Newsletter. Let me know what you think from the comments section below.
