2018-07-11

IT (and InfoSec) titles and descriptions are mostly BS



What's in a word?

The following is a true story. Only the names have been changed to protect the guilty.



So this morning (GMT+2) I perused LinkedIn [1] ;) and stumbled upon a few titles and headlines that immediately gave food for thought, not least when combined with (some) knowledge of the suspects.

(Disclaimer: there are some genuinely good people using the word salads discussed below, so please be nice to them. Or, actually, be nice to everyone.)

General offenders

Anyone using the terms innovation or disruption appears to have never done any innovation or disruption themselves, but merely talks about it. If you're copying (or repeating) what others have done, you're not innovating, and certainly not disrupting. While we all stand on the shoulders of giants and build on previous knowledge (as we should), there's nothing worse than listening to "Motivational Quotes" from someone you know as a mediocre developer and/or manager. Just stop it and spend your time on becoming a good leader, or on whatever else makes you happy.
But that is likely too hard when you've spent your career being a sycophant?

Digitalization: if you're in IT, maybe you should think hard about your career if you missed the digitalization part of IT.

But more about that below.

Other headlines/titles

During the self-flagellation (remember: perusing LinkedIn) I stumbled upon this gem:

"Collaborative strategy enabler by means of IT and Digitalization"

What does this even mean?

IT is needed for digitalization, so that part is redundant. Some (most?) companies have a collaborative strategy [2], but it is likely to differ depending on the organization's business strategy and vision, so how does that ensure you can enable company X's specific strategy?
So basically it means "I'm in IT, maybe a leader"?

Last, but not least

Calling yourself a Rock Star or Thought Leader...

Who the f... do you think you are, calling yourself a "Cyber Security Architect"?
Well, what's wrong with being a hypocrite! [3]

2018-07-08

How to get above the Security Poverty line


The Security Poverty Line

Failing miserably trying to communicate the basics of security?
Does everyone else believe the stories told on the vendor floor of RSA/BlackHat/Whatever?
Do you feel like no-one listens (as depicted by @EFFINBIRDS below)?



Fear no more.

You just need to get above the Security Poverty Line.
And what is that, you may ask?
Well, as with most things in Information Security this is pretty hard to quantify, but what if we used the CIS Critical Security Controls [4] as a baseline?

Would it be fair to say that if you don't implement the Critical Security Controls at a CMMI level of at least 3, then your organization is below the Security Poverty Line?
To assess the maturity of your implementation of the 20 Critical Security Controls I find the assessment tools from AuditScripts very useful [1] & [2].

But what do you think?
Is this a valuable way of expressing security maturity?
How do we communicate Security better to management?
Please comment :)


Please note that I have no affiliation with AuditScripts; I just happen to like this free resource of theirs.