Thankfully I managed to keep up the pace of 1 post every 2 weeks throughout 2023. Just when I think I might be running out of ideas, and the backlog of topics is running low, then something always manages to come up to illustrate the need to cover a range of topics. I’m grateful I continue to be in a position at the nexus of various fields (technology, a range of customer sectors, government, academia and investing), of various disciplines (risk, resilience, security, privacy, compliance and trust), all while being somewhat in a front row seat for the vast changes that keep occurring in and around various innovations (AI, hardware, operating systems, cryptography, risk management).
So, in closing the year let’s take a look at the top 10 posts of 2023 in order of most read.
1. Caricatures of Security People
It seems everyone recognized someone in this post, and there was some self-reflection from many as well. I guess it’s a sign of our growing collection of roles that we can even assemble this cast of characters.
2. Ceremonial Security and Cargo Cults
From compliance and password rules to audits and security awareness training, there are many ceremonies in our profession. This post examined a collection of these, drawing out the subtle difference between ceremonial security and the previously well-trodden discussions on “security theater”.
3. Work / Life Balance
Judging by the huge amount of feedback and broader engagement I got from this post, it seems most of us struggle to keep this balance. So, the central idea here, that you have to think of balance not as some continuous goal but rather as a goal for the long run, resonated with the reality of our roles. It’s also essential to work at achieving balance and to make some difficult trade-offs to realize it. Often we’re our own worst enemy. Easy choices, hard life. Hard choices, easy life.
4. You Only Get 3 Metrics - Which Ones Would You Pick?
This attracted some interesting feedback. The theme of moving from lagging to leading indicators, coupled with stepping back and looking at some more fundamental approaches to drive progress, is an idea that is becoming more widely accepted. But for some this idea of “Pareto metrics” wasn’t appealing - it seems mainly because it omitted their particular favorite metrics. Fair enough. But I still think this 80/20 approach of finding the 20% of leading indicators that, if done well, can drive an 80% risk reduction in your environment is as close to a “Holy Grail” as we’ll ever likely get. The three metrics I selected were:
High Assurance Software Reproducibility.
Cold Start Recovery Time.
Data Governance Coverage.
5. Confessions of a Public Speaker - Tips for Security Practitioners
The popularity of this surprised me. In hindsight, though, it’s understandable that this is a subject more people study and want to develop in themselves. Not just because of the occasional conference speaking gig but also because, as for any executive, a big part of the security role is speaking in front of groups. Doing this in effective, authentic, and hopefully inspiring ways is a force multiplier for your program and for your career.
6. Delivering Security at Scale: From Artisanal to Industrial
This is something I am ever more fixated on. The need to take innovation and individual superlative practice (from our security artisans) to a level of scale and reliability through a process of industrialization is essential for most large security programs. It’s vital to do this in a way that does not diminish the capability of individually excellent people. In other words, you want your industrialization to amplify individuals to a highest common factor and make their actions scale rather than commoditize performance to a lowest common denominator.
7. The 6 Fundamental Forces of Information Security Risk
What started off as 4 forces has become 6 over the years. At one level, thinking about this can be a bit academic. But it’s nevertheless true in my observation that every issue we have stems from one or more of these fundamental “forces”. Recognizing this lets you develop mitigations that reduce the risk from whole classes of issues and events - handling the macro, not the myriad of the micro. I still don’t know if this list is actually complete:
Information wants to be free.
Code wants to be wrong.
Services want to be on (unless you really want them to be on and then they often fail).
Entropy is King.
Complex systems break in unpredictable ways.
People, organizations and AI respond to incentives (and inherent biases) but not always the ones we think are rational.
If I were to add a 7th force it would be: At sufficient scale you are guaranteed that something bad (a threat manifested, a failure or issue) will happen constantly - so plan accordingly. But, perhaps this is simply a consequence of forces 4 and 5.
8. Security Budgets - Supply and Demand
The annual, perhaps quarterly or more frequent, cycle of trying to get the resources you need to achieve your goals is never easy. On the one hand you hear security leaders thinking they’ve never got enough resources to get the job done. On the other, you hear other executives perpetually wondering how much will ever be enough. In reality it’s more complex than this, and all sides are often more reasonable than it appears. This post further explored an approach of viewing this as a supply and demand problem (of security resources available vs. demand generated by risks to consume those resources) and in doing so revealed a wider range of options, as opposed to only a “please sir, can I have some more” approach. These include resource efficiency, inherent risk reduction and a means of managing accumulated risk and technical debt.
9. The Illusion of Choice: A Review
One of several book reviews this year. This one proved popular, I think, because behavioral approaches learnt from the sales, marketing and psychology worlds can be so useful for enterprise security and risk programs - from gentle nudges to more wide-ranging ways of representing and measuring risk.
10. Attack Surface Management
The most popular of the set of blog posts that explored in more detail the approaches to counter each of the 6 fundamental forces that drive security issues. In this specific case, attack surface management as a means to counter the force that more and more services, features and functions are forever added to or otherwise inflicted on you by the world. So, attack surface management should be more about reducing your attack surface at source rather than a never-ending cycle of discovery, embrace or kill. But as you continue to do discovery, make sure it is fast, holistic and relentlessly feeds back into your architectural secure-by-default work to truly get to the root cause of drift.
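One way to make discovery feed back into secure-by-default work rather than into an endless ticket queue is to attribute every drift item to the provisioning template that produced the host, so the fix lands in the template. The following is an added illustration, not code from the original post; the baseline, discovery output, host names and template names are all constructed for the example.

```python
"""Attack-surface drift check: compare discovered exposures against the
intended baseline and attribute each drift item to the provisioning
template that built the host, so the remediation goes to the template
(secure by default) rather than to a one-off per-host fix.
Added example with constructed data; nothing here is from the post."""
from collections import defaultdict

# Constructed baseline: what each (hypothetical) template is *meant* to expose.
# "internal-api-v2" is intended to expose nothing to the outside.
BASELINE = {
    "web-frontend-v3": {"ports": {443}, "hosts": {"web-01", "web-02", "web-03"}},
    "internal-api-v2": {"ports": set(), "hosts": {"api-01"}},
    "bastion-v1":      {"ports": {22}, "hosts": {"bastion-01"}},
}

# Constructed discovery output: one "host port service" line per observation.
DISCOVERY = """\
web-01 443 https
web-02 443 https
web-02 8080 http-alt
api-01 443 https
bastion-01 22 ssh
legacy-01 3389 rdp
"""


def parse_discovery(text):
    """Parse 'host port service' lines into a set of (host, port, service)."""
    found = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port, service = line.split()
        found.add((host, int(port), service))
    return found


def host_template(host):
    """Map a host back to the template that built it; None if no template claims it."""
    for name, spec in BASELINE.items():
        if host in spec["hosts"]:
            return name
    return None


def drift_report(found):
    """Classify each discovered exposure and group drift by its root cause.

    Returns a dict with three views:
      by_template: undeclared exposures, keyed by the template to fix at source
      unmanaged:   exposures on hosts no template claims (inventory gap)
      missing:     declared exposures discovery did not see (scan coverage gap)
    """
    by_template = defaultdict(list)
    unmanaged = []
    for host, port, service in sorted(found):
        tmpl = host_template(host)
        if tmpl is None:
            unmanaged.append((host, port, service))
        elif port not in BASELINE[tmpl]["ports"]:
            by_template[tmpl].append((host, port, service))
    expected = {(h, p) for spec in BASELINE.values()
                for h in spec["hosts"] for p in spec["ports"]}
    seen = {(h, p) for h, p, _ in found}
    missing = sorted(expected - seen)
    return {"by_template": dict(by_template), "unmanaged": unmanaged, "missing": missing}


if __name__ == "__main__":
    report = drift_report(parse_discovery(DISCOVERY))
    for tmpl, items in report["by_template"].items():
        print(f"fix at source in template {tmpl}: {items}")
    print(f"unmanaged hosts exposing services: {report['unmanaged']}")
    print(f"declared but not observed (check scan coverage): {report['missing']}")
```

The grouping is the point: two hosts drifting under the same template are one template defect, not two host tickets, and a host that no template claims is an inventory problem to solve before any port-level discussion. The `missing` view is the reverse check, catching cases where discovery itself has gone blind.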
Now, looking ahead at the posts to come in 2024. It’s hard to be too predictive: a lot of 2023’s posts were developed not according to a laid-out plan but according to what seemed right to cover at the moment. But I do want to spend some time on, or revisit, the following in 2024:
Security implications and opportunities from developer operations research.
Security awareness training approaches.
Exploration of the coming second order risks of AI.
Hard problems and grand challenges in cybersecurity.
Getting involved in the various cybersecurity communities.
A two part post on acing the security job interview and conducting the job interview.
and much more…
As ever, feel free to suggest some topics via the social channels.