Following the Wh1t3 Rabbit - Practical Enterprise Security
Enterprise Security organizations often find themselves caught between the ever-changing needs of the agile business and the ever-present, ever-evolving threats to that business. At the same time, all too often we security professionals get caught up in "shiny object syndrome", which leads us to spend poorly, allocate resources unwisely, and generally de-couple from the organization we're chartered to defend. Knowing how to defend begins with knowing what you'll be defending, why it is worth defending, and who you'll be defending it from... and therein lies the trick. This blog takes the issue of enterprise security head-on, challenging outdated thinking and bringing a pragmatic, business-aligned, beyond-the-tools perspective... so follow the Wh1t3 Rabbit and remember that tools alone don't solve problems; strategic thinkers are the key.
Rafal (Principal, Strategic Security Services)
Prioritizing People, Process, Technology in Enterprise Security
A group of all-star players doesn't necessarily make a winning team. Taking that into the Enterprise Security world, today I tackle a long-standing debate over the prioritization of people, process and technology as it relates to an enterprise security program.
Enterprise Software Security - The Fake Choice Between Fast and Secure
"What do you say to organizations considering software security, but struggling with adoption due to the inevitable, additional drag on release cycles?" -- I say read this, because there is a discussion to be had, still...
Mobile Apps, and Authenticators – Sane Security for Mobile
Lots is going on in the enterprise space right now, including the rush to push out mobile apps. They're springing up like weeds, replacing websites, and are gaining multi-factor authentication for security... but wait, does any of this added security make sense, especially on the mobile platform? Let's investigate.
Tall Tales Vacuum Salesmen Tell
Have you ever had a vacuum salesperson come to your door and offer a free demo on why their vacuum is 10x better than your existing unit? I have, and a recent pitch from a vendor I saw reminded me of this little trick...
Deconstructing Defensible — The What, Why, From Whom, How and When
Wrapping up the 5-part series "Deconstructing Defensible" we need to talk about the what, why, from whom, how and when of defensibility. These are key questions that need to be asked - and answered - while shifting your mindset from 'security' to 'defensibility'.
Working With Absurd Amounts of Data in Information Security
Every time someone says "Big Data" a collective cringe travels across the information security industry, like a disturbance in the Force. Some security professionals simply shrug off the term as a fad, or marketing buzzword. While the hype around big data has absolutely been marketing-driven lately, there is a very real need for Big Data style analysis in security...
Deconstructing 'Defensible' - Understand What You're Defending
As we deconstruct 'defensible' further we dive into 'understanding what you're defending'. Altogether too many CISOs and their organizations plunge head-long into defending without having a solid idea of the assets that they're charged with protecting - and the end result isn't pretty...
Deconstructing 'Defensible' - When Your Defenses Become Weaknesses
In this third post in the "Deconstructing Defensible" series I build upon my first post, in which I cover why defensible is not necessarily the same thing as secure, and how there are more assets to defend than you have resources. Today's post focuses on how, unfortunately in a large number of enterprises, the security resources themselves can become weaknesses.
Deconstructing 'Defensible' - Too many assets, not enough resources
Continuing with part 2 of "Deconstructing Defensible", this blog post is dedicated to those who attempt to secure the entirety of their enterprise assets with security widgets, and are struggling. One of the fundamental laws of the new way of thinking is that you can't defend everything equally, or you'll fail at defense completely...
The Dawn of a New Day - Starting Something Amazing
It's time to move on, and if you're interested in what I'll be doing next, read this post...
Technical Debt vs. Managed Technical Debt [guest-post]
This post is from a guest-blogger, Dan Houser, who read one of my previous posts and decided to expand on the point and add his own viewpoint on managed versus unmanaged technical debt ... it's a very interesting read I encourage you to take a minute to consume...
Deconstructing Defensible - Defensible is not the Same as Secure
If you tell your CEO or board that there is no amount of money or resources to make your enterprise secure and that instead you want to work towards making your enterprise defensible you may be in for a strange conversation. This is a critical conversation to have, and a critical concept to understand - 'defensible' is not the same as 'secure'...
The Castle Has No Walls - Introducing Defensibility as an Enterprise Security Goal
What's the difference between secure and defensible?
It becomes clearer when we revisit the old, tired analogy of the castle model of security: tough outer defenses meant to keep the 'bad guys' out, but once you're inside you've got full access to everything as if you belong. This thinking just doesn't work in today's modern enterprise... Let's talk about why, and what we should be doing about it.
Technical Debt vs. Time-to-Market (using the Evernote breach as an example)
It's hard to find someone who will argue that technical debt isn't a valid reason to fix security defects (or really, any type of defect) early and often. The further you get from the point of origin, the more expensive the fix becomes. This is definitely a valid argument, except when it comes to a few edge cases... and then technical debt is gladly paid.
Defending the Corporate Domain: Strategy and Tactics
Strategy. Tactics.
These are two very different things, but in the enterprise security context neither can exist without the other. While speaking on these two issues, I've found it important to write a post that explains how I think about these terms, to help level-set the conversation...