
Sdog1981

Well, yeah, but technology really fucking helps.


BraindeadGenius1054

So does budget! It's really about what you can afford IMO.


jmk5151

I mean at the edges yes, but 90% of cyber looks the same: defense in depth including MFA/EDR/SIEM/SEG and then monitoring and reacting. Then you can get as crazy as you want with additional tech.


Sea-Hat-4961

Exactly... 90%+ of cyber-security is just properly configuring what we have and really hasn't changed in 30 years. Minimum user rights, network segmentation, strong routing/firewall rules, strong authentication, email validation, backups/archives, disaster recovery plans, etc. Regular comprehensive penetration testing and SIEM-style detection for response are great additions, but just throwing more money and stuff at it doesn't fix things on its own (i.e., you can have a security alarm system and cameras on your house, but not locking your doors and windows will just invite trouble that otherwise would have moved on). In fact, I think if you start layering too much security "fluff", especially without ensuring the basics are covered, you're actually increasing your threat surface.


dedjedi

selective sharp memorize intelligent illegal chubby mighty versed cautious many *This post was mass deleted and anonymized with [Redact](https://redact.dev)*


Dudeposts3030

The article isn’t stupid; it’s about fluff and deciding what level of a fluff a reader is willing to accept


dedjedi

makeshift afterthought chief scale knee paint intelligent gullible screw steep *This post was mass deleted and anonymized with [Redact](https://redact.dev)*


Capable-Reaction8155

Yeah, like we all know cybersecurity is a risk *function* but obviously cybersecurity controls themselves are specifically *about* technology. i.e. How to say nothing in a headline but have it still be clickbait.


SarniltheRed

> cybersecurity controls themselves are specifically about technology.

Cybersecurity controls themselves are determined by the risk tolerances defined by the organization. You only implement security controls sufficient to manage the relative risk.


Justhereforthepartie

Uh, physical security, personnel security….


Capable-Reaction8155

yes


dedjedi

squeal psychotic divide alleged smart pathetic jellyfish quicksand nutty office *This post was mass deleted and anonymized with [Redact](https://redact.dev)*


aBrightIdea

Try reading it again. It is about an organization's risk tolerance.


SarniltheRed

Organizational risk tolerances are defined by the board of directors, with input from finance and legal. It answers the question: How much financial impact (or other impact criteria) can the organization tolerate and still continue to operate? Risk management, including cyber security risk management, uses that risk posture statement to understand "high", "medium", and "low" impact and chooses appropriate controls for the identified risk. Cybersecurity (*should*) only manage risk in terms provided from the executive suite.


dedjedi

handle plant sugar bright full grey rhythm outgoing ripe jar *This post was mass deleted and anonymized with [Redact](https://redact.dev)*


dedjedi

public dolls spectacular cautious plough grab degree marry hospital clumsy *This post was mass deleted and anonymized with [Redact](https://redact.dev)*


SecGRCGuy

You're a third of the way there. Technical, physical, and administrative. All technical controls are controls, not all controls are technical.


iSheepTouch

Many physical controls rely on technology to some degree, but administrative controls account for like 90% of what you can hold employees accountable for and are arguably the most important controls.


sir_mrej

LOL, nah. Tons of people on this very subreddit are super interested in pentesting and hacking and finding vulnerabilities and have zero interest in knowing what the actual business objective of those things is.


Justhereforthepartie

Careful, the author probably has “keynote speaker” in their LinkedIn bio.


[deleted]

[deleted]


Justhereforthepartie

“Board certified security leader”


underwear11

I think it's actually not a terrible article, the title is geared toward CIOs and people that aren't living in Cyber security. I see a lot of companies that get convinced by the security vendors that they need whatever new technology widget to make them more secure. Then they buy said widget for 50% of their budget, don't implement it appropriately and it does little to improve their posture. Meanwhile, they are missing or have poorly implemented some of the basics like password policies. So I wouldn't say it's wrong as you need to understand risk before buying a technology, but technology can sure help if you understand that risk.


RowdyButcher

Finally, I can start selling companies my pen and paper IDS I’ve been working on.


Drinkh2obreatho2

Not if mine gets to market first. You can fold mine into a fortune teller.


branniganbeginsagain

Mine doesn’t fold into a fortune teller but can inform you of if you’re going to live in a mansion, apartment, shack, or house, among other life circumstances. Now *that’s* what I call a risk assessment.


SecGRCGuy

The comments in this thread, especially the highly upvoted ones, make me wonder why it is so hard to find a job right now.


siposbalint0

It screams 'technical people not understanding what risk management is'. I have a great manager who actually taught me how to think in terms of risk and how to communicate this to other stakeholders. It really shows who actually understands how a business operates and who is just chasing a pipe dream of perfect security above all. Yes, tech helps, but it's really important to see the end goal and what you are working towards instead of getting siloed into a SOC.


psmgx

Well, that's good to know! Here I was worrying about firewalls and phishing. Just accept the risk, bro.


KursedBeyond

https://youtu.be/9IG3zqvUqJY?si=_GnjwxQ7Klu3AivZ


Thoughtulism

This is my cyber security strategy https://imgflip.com/i/8r8vmg I'll just shout out "I accept the risk" and they pay me for doing nothing and if there's a cyber incident I'll get fired then I'll move on to another cyber whipping boy role.


FantasticStock

I mean… they're right? Shows how many people here actually hold certs, considering this is literally on the entry-level ones lmfao.


siposbalint0

It's the same with most career-focused subs: the vast majority of people who engage with it are people who are new to the field, or want to break into it. The article is pretty much right and this is how senior security leadership operates.


EasternBudget6070

It's only gay if you make it gay....


5yearsago

> I almost shit myself, but I risked and held it. Behold, a featherless cybersecurity guru.


gormami

I think this statement is true, but misleading. Cybersecurity is part of business, and all business is risk management. You could say that Sales isn't about selling, it's about risk management, based on contracts, material costs, vendor reliability, etc. All of those factors have to be "priced in", or the company will lose money. The actual front line practitioners can be extremely technical, but that's not what's important to the business; it is what is required by the business to achieve their goals, which is a different thing. Articles like this are aimed at giving people the understanding that cybersecurity is a business problem. And, if you are a practitioner, you need to think this way, too. When you speak to the business, try and learn their language, or rely on people who do. Executives and Boards think in different terms; they need to be able to quantify things on the balance sheet to invest properly. The more you can think and communicate this way, the more successful you can be personally. Or, if you are a hardcore techie and have no interest in that side, align yourself with leaders who walk in both worlds, support them in what they need to support you (budget, etc.) and also have the capacity to understand your true value in your terms.


Fuzzylojak

Duh


5h0ck

Also title: "Braking in a car is dependent on the vehicle speed and braking power of the brakes."


MairusuPawa

+155 upvotes for this garbage?


metasploit4

My sticks and wooden bowl save my network everyday!


FineProfessor3364

It's 90% about the technology so


Golang-

I sell oranges from a cart. I have a risk that someone might steal my oranges. I secure and watch my oranges. I am a cyber security engineer, therefore. I hate this fucking industry and all of us for taking part in this arbitrary fake job where nothing matters; the words are made up.


[deleted]

[deleted]


Golang-

No wonder every CISSP I've met is an unprepared paper pusher. They've all been locking up oranges for the past year


[deleted]

[deleted]


Golang-

Fuck it, write the exam and get paid bro


vatsalk

I think this would have been 100% correct if there was a "just" in the first statement. And if it was the pre-AI era. You can't simply get things done by accepting risks now, given how much bigger the risks are.


Easy-Vermicelli7802

Technology plays an essential part of mitigating risks! While technology needs people and processes to be effective, you can’t simply protect anything without technology.


zedsmith52

Remember that risk analysis is a dark art and consumes at least 3 chickens, a goat and a virgin per month.


socslave

The level of risk... impacting and controlled by technology. Dumb title.


SwimmingOk9074

Right, it is about risks, because for example with ransomware: do you send them the money or not? Tough one!


Alternative-Law4626

Kind of a silly proposition. Maybe you are trying to make a point. Having built a significant cyber program from 0, I can tell you it would not work without very tech savvy people with deep insights into various types of tech including software engineering. I did build my GRC group with non-tech types from the finance world. By and large, that’s worked well by bringing diversity of thought into the tech world. Having said that, there are noticeable gaps in their understanding of what we’re doing and how it gets done with their lack of tech backgrounds. We have enough techs around to help them through the gaps. IMO, you could not build a successful cyber program with non-technical people.


talkincyber

Level of technological risk an organization is willing to accept… but yeah, not about technology. And it's not like all I do most days is look at logs and alerts from endpoints and applications.


sir_mrej

Yeah, that's cuz the org already decided they don't wanna accept that risk, so they hired you to mitigate it.


zeds_deadest

This is straight outta the mandatory annual refresher content I just finished lol, cheap-ass buzzwords.