1/6 A thread 🧡 on the intersection of #Cybernetics #SystemsThinking #Leadership and #CyberSecurity:

For context, first read this blog by @harish_josev: harishsnotebook.wordpress.com/2021/10/03/tow…

It is AMAZINGLY well-articulated and a MUST read for security practitioners & leaders in general!
2/6 Quote: "... we should stop setting targets and instead, provide a direction to move towards."

Wait, don't manage by goals?

Is a goal-less company/org possible? Yes 🙂
E.g. @basecamp led by @jasonfried
3/6 If you focus on the goals, you'll compromise your means. E.g.: Today's education #system makes kids focus on grades, not on learning.

Basically what is being advocated for is "Management by Means":
4/6 Related Quote: "... we should see safety in terms of resilience and not as absence of something (accidents, missed days etc.) but rather as the presence of something."

Here is a proposal to operationalize this for #cybersecurity (in an Amazonian fashion 🙂):
cc: @jeffawilke
5/6 Focus on *input variables* (E.g.: Do we have automated XSS & CSRF prevention controls in all of our WebApp Frameworks so that developers don't have to worry about those vulnerabilities?) instead of *output variables* (E.g.: Zero XSS & CSRF findings in a PenTest or Scan).
6/6 And move the terminology from security controls to control *mechanisms*. A mechanism is a tool or process where you achieve adoption and more importantly is periodically reviewed to see if it is doing its intended job given what's changed over time & if it can be improved.
