Some IT shit, oh. Proper answer pending…

I guess the initial part of this endeavour is going to primarily revolve around an initial discovery phase; building relationships, understanding the business, existing security architecture if any, and figuring out what is reasonably within my control to work on. I’d probably implement a basic working incident response plan that provides some structure to responding to any security incidents should any fuckery occur whilst in post and building out the initial security architecture. Once the dust settles I’d work on figuring out which high-level risk scenarios the business and CEO has the most concern about as they are already “security aware” and work on building a policy framework which influences any undesirable behaviour identified from the risk scenarios earlier that I could practically contribute towards or help mitigate. This would also present a good opportunity to understand the risk capacity of the organisation which could reflect the IR plan built earlier though I guess you might want to do this bit earlier. At this point I might be drowning and need some more staff, assuming I make it this far haha. Mad ramblings…probably need a holiday now and lots of drugs.

@Phillipe McCracken “so what?” is such a powerful question, I often think about it whenever delivering or communicating about things and whether I’m hitting the nail on the head, especially with different audiences.

@Michael Fontner absolutely this! I have my specialisms but there are people who are much better than me at many other things, recognising this humility is crucial, you can’t know everything, but your team can have a good go!

From a tech heavy background I’d say; Business, governance and security, fundamentally it’s tying those pillars together and thinking critically about each of them and how they should work together. I don’t have all the answers, but I’ve been sending my brain into a spin each day trying to really challenge my thinking and shift my perspective 😂

I’ll go first. The book really made me think about how to better approach and converse with senior stakeholders and low level teams and appreciate how that conversation will change depending on the audience and concerns of the business during an incident. It isn’t about simply racing to try and resolve the IT security problems and key considerations have to be given regarding the business, people and wider security of an organisation.

@Dan Fellows I agree with your assessment, the point about communicating clearly is great, if you can’t translate word spaghetti then good advice wont contribute as well as it could have or not at all. What are your thoughts around the limitations of the scope of the advice you would provide? In essence I’m thinking whether there are things we should really consider talking about when factoring incident response or if it’s a case of “that’s not your job to worry about” Where is the line drawn if any, if our goal is to ultimately protect an organisation around various mechanisms that help it create value, whether that be IT systems, reputation, people or legal requirements etc. Ultimately I’ve been thinking about how things are normally done and whether the ball is being dropped with certain things not being considered at least in the context of general incident management/response.

Yup, its all just smoke and mirrors I guess and everyone is doing it, whatever it takes to feed the machine. I’ve heard many horror stories of exorbitant costs for training and exams taken by colleagues for entry level stuff which they didn’t actually learn much from or due to the way knowledge was taught it couldn’t then be applied in a practical sense within industry.

@Mark Boyson I think this is compounded by certain frameworks and partnership programs that require specific credentials. “Just do the course and pass the exam” Which ends up being redundant at some point.