Phil Venables
Tweets about cybersecurity, resilience & enterprise risk - at scale. CISO - Google Cloud + 3 x CISO (25 yrs), Board Director, Chief Risk Officer Tweets=own.
Mar 8, 2020 8 tweets 2 min read
Management 101 (+ remote working)

More detailed post here : philvenables.com/post/managemen…

I have run organizations, large & small, local & remote, for many years. I have been the beneficiary (& victim) of many management and leadership approaches. This list is some I've used.

1/8
I’m not going to write down the anti-patterns of good management, they’re pretty obvious and mostly boil down to: if you’re an egotistical, narcissistic, a-hole then no amount of HBR articles/other topics are going to stop you from creating a poor work environment.

2/8
Mar 1, 2020 16 tweets 3 min read
Cybersecurity Macro Themes for the 2020's. A thread.

Full post here : bit.ly/2vtS5Vw

There will be 5 major themes that differentiate great security products/features - not risk trends/controls, rather, these are more about the way to develop/deploy controls.

1/16

Specific control trends all center on continuity: continuous access assurance/least privilege, continuous software assurance, continuous & adaptive micro-segmentation, continuous control monitoring, continuous anomaly detection and adjustment according to threat intel.

2/16
Feb 9, 2020 13 tweets 3 min read
Risk Mega Trends. A thread.

(post here: bit.ly/2S9QAUV)

I've been thinking more about mega trends applied to risk, specifically operational risk. Planning for these immense & relentless forces that shape the world is critical. This list is likely not complete.

1/13

1. Mass Digitization – "Software Eats the World". All businesses have or are becoming digital businesses, the amount of software and infrastructure is increasing dramatically. Everything is connected and expected to work 24x7.

2/13
Feb 2, 2020 24 tweets 4 min read
Dealing with the Deluge of Vendors. A thread.

[full post here : bit.ly/2u33n2s]

Everyone is deluged by product and service vendors, small and large. Even vendors struggle to keep track of who their competitors are in an ever more crowded marketplace.

1/24

There's no way you can evaluate them all, take a meeting with many of them or even read their product white papers. You have to have some way to screen vendors. Here are some criteria you can use that might help with screening; great vendors pass many, probably not all:

2/24
Jan 24, 2020 13 tweets 3 min read
The Leading Indicators of a Great Info/Cybersecurity Program. A thread.

[see also : bit.ly/2TNgkb0]

It can be hard to effectively assess, with a suitable degree of rigor, the security of your suppliers, counter-parties or companies you are about to invest in.

1/13

It is possible to get a good view and to go really deep if you devote the time with on-site reviews, detailed examinations, security testing results, people capability assessments, governance check-ups and so on.

2/13
Dec 22, 2019 17 tweets 3 min read
Predictions and Calls to Action. A thread.

It’s that time of year for all the predictions of what to expect for the next year, and now - the next decade. I’m generally not a fan of these - they’re either too obvious or too obviously written to sell some angle.

1/17

But, there’s a set I like to look back to. It was written nearly 20 years ago at a CERIAS event where I first met Gene Spafford, Dan Geer, Whit Diffie, Howard Schmidt, Becky Bace & others. Sadly, some are no longer with us.

2/17
Dec 15, 2019 7 tweets 2 min read
Non-Technical Books. Recommended List.

For some reason, first at a @TAG_Cyber event and then coincidentally at 2 other events, the question of what books security people should read to develop their executive management and leadership skills has come up.

Here is my list.

1/7
1. Soul of a New Machine by Tracy Kidder. Story of the build of a Data General mini computer in the 1980’s. Riveting story of design choices amid intense competition.

2. High Output Management by Andy Grove. The definitive book on effective management and leadership.

2/7
Dec 7, 2019 16 tweets 4 min read
The Art of Influencing. A thread.

A critical measure of success for most security roles is the ability to influence. I’ve often found people think influence skills are innate - you have them or you don't. But, as with most “soft skills”, they can be learnt. Here are some:

1/16

1. Be very clear on the outcome you want. Write it down in a clear way. I love the Amazon (bit.ly/340TVZ2) press-release technique. If *you* cannot clearly state what it is you want then you’ve no chance of influencing others - except in a bad way.

2/16
Dec 1, 2019 16 tweets 3 min read
Insider Threat Risk - Blast Radius Perspective. A thread.

The management of insider threats is a complex and often under-thought process - people who work on it appreciate the subtlety and difficult trade-offs. Some who don’t, think it is straightforward. Let’s unpack it.

1/16

First of all, this short thread isn’t going to even come close to covering all aspects of well managed insider threat programs - instead there is excellent coverage by SIFMA (bit.ly/2OBPYWu) and CERT (bit.ly/361PS0j).

2/16
Nov 24, 2019 14 tweets 3 min read
Alternative Risk Management Strategies. A thread.

Much focus of risk mitigation is about implementing controls: preventative, detective and reactive. This is necessary in most cases, and continuous sustainment of those controls is critical, but it is not sufficient.

1/14

There are additional ways of reducing risk; much has been written on this that is dry/academic. I like to think of these more simply and practically, specifically: inherent risk reduction (risk avoidance), threat neutralization, and risk transference. Let’s take each in turn.

2/14
Nov 18, 2019 11 tweets 2 min read
Simple Rules of (InfoSec) Career Success. A thread.

Over the years I made note of what behaviors I’ve seen from successful people. By success, I mean getting results, increasing span of influence and being highly regarded as coaches for improving the lives of their teams.

1/11

Naturally, all of these behaviors are markers for success in any role, and this could be a much longer list - but, in my experience, these are the ones I’ve observed make the most difference consistently.

2/11
Nov 10, 2019 6 tweets 1 min read
Shrines of Failure. A short thread.

I was at an event recently where one participant talked passionately about a disaster they had that they have since preserved artifacts from in a physical space, among other things, to encode the lessons learnt.

1/6
They take new hires and existing teams through this at key moments - like new projects, launches and other events. They find this an immensely sobering process for leaders and teams to reflect on the priorities to uphold at the time of major design choices.

2/6
Oct 26, 2019 8 tweets 3 min read
Career longevity, setting expectations and the “don’t fire me chart”. A thread.

To fix anything sustainably requires long term action. This is especially true in technology risk and cybersecurity.

1/8
The trouble is this is also a space where there is often impatience to get results fast. Sometimes this is workable, many times it is not. The end result, in a number of organizations, is constant turnover in the C-ranks (CISO, CTO etc.). Let’s examine why.

2/8
Oct 19, 2019 11 tweets 2 min read
Risk management is not only about reducing risk. A thread.

It seems most risk and security programs, and instruction on how to run risk and security programs, focus exclusively on assessing risk, to then implement controls or take other actions to reduce that risk.

1/11

Once the risk is at an acceptable level the focus is to keep it like that - but essentially do nothing more - except for a periodic or trigger based revisiting of the assessment. However, a big part of the more successful risk & security programs is to never stop there.

2/11
Oct 4, 2019 14 tweets 2 min read
The Stress and Joy of Security Jobs. A thread.

A few months ago there was this whole thing about the stress of security roles, CISOs self-medicating, and a whole range of burn-out talk. Ok, yes, security is a tough job. A very tough job.

1/14

To do the job well requires broad and deep technical / risk skills, leadership augmented by a wide range of emotional intelligence and a whole lot of personal resilience. Despite efforts to be “never silently awesome” it can be most visible when things go wrong.

2/14
Sep 29, 2019 15 tweets 3 min read
Cybersecurity is not the only technology risk. A thread (hopefully obvious).

In fact, when you total up actual losses it is likely not even the biggest risk. Although I think it is the risk which is increasing the most and has the highest potential existential impact.

1/15

Ignoring wider business risks (process, financial, strategic, legal/regulatory) - just focusing on technology risks:

- Failed projects. Actual and opportunity costs of large-scale failed projects and the organization consequences of failed transformation.

2/15
Sep 15, 2019 15 tweets 3 min read
Security Program Tactics. A thread.

When starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained outsize effects - as well as diving into the immediate and very specific things that need improving.

1/15

Here are 5 of those I’ve found useful or have seen over the years in various companies (large and small) and various contexts (public and private). This is not an exhaustive list.

2/15
Sep 1, 2019 13 tweets 2 min read
Vulnerability Management. A thread.

I don’t see much written on vulnerability management in more holistic terms vs. patch/bug fixing. This might be ok given a lot of vuln. mgmt. should be contextualized into enterprise risk/control. But still worth a short thread.......

1/13

I’ve always found it immensely useful to think of vulnerability management as four layers - building on each other and in turn becoming more powerful as a risk mitigation approach.

1. Coverage completeness, criticality ranking and dependency mapping.

2/13
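The first layer named in the thread above (coverage completeness, criticality ranking and dependency mapping) as a small working model. This is an added example, not the thread's own material: the asset names, criticality scores, dependency edges, placeholder finding ids and the severity-times-criticality scoring are all constructed for illustration.

```python
"""Layer 1 of vulnerability management: know what you have, rank it, map what
depends on what. Added example; inventory and scan output are constructed."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int            # business-assigned, 1 (low) .. 5 (crown jewel)
    depends_on: list = field(default_factory=list)


# Constructed inventory. The database is rated 3 on its own, but the
# payments service (rated 5) cannot run without it.
INVENTORY = {
    "payments-api": Asset("payments-api", 5, ["auth-svc", "pg-primary"]),
    "auth-svc":     Asset("auth-svc", 4, ["pg-primary"]),
    "pg-primary":   Asset("pg-primary", 3),
    "build-runner": Asset("build-runner", 2),
    "lab-box":      Asset("lab-box", 1),
}

# Constructed scanner output: asset -> [(finding id, severity 0..10)].
# Placeholder ids, not real CVEs. pg-primary and lab-box never got scanned.
SCAN_RESULTS = {
    "payments-api": [("FINDING-1", 7.5)],
    "auth-svc":     [],
    "build-runner": [("FINDING-2", 9.8), ("FINDING-3", 5.0)],
}


def coverage_gaps(inventory, scan_results):
    """Coverage completeness: assets with no scan record at all.
    'No findings' and 'never scanned' must not be confused."""
    return sorted(name for name in inventory if name not in scan_results)


def dependents(inventory):
    """Reverse the dependency edges: asset -> set of assets that depend on it."""
    rev = {name: set() for name in inventory}
    for asset in inventory.values():
        for dep in asset.depends_on:
            rev.setdefault(dep, set()).add(asset.name)
    return rev


def effective_criticality(inventory, name, _rev=None, _seen=None):
    """Dependency mapping: an asset is as critical as the most critical
    thing that transitively depends on it."""
    rev = _rev if _rev is not None else dependents(inventory)
    seen = _seen if _seen is not None else set()
    if name in seen:                 # guard against dependency cycles
        return 0
    seen.add(name)
    own = inventory[name].criticality
    inherited = [effective_criticality(inventory, d, rev, seen) for d in rev.get(name, ())]
    return max([own] + inherited)


def rank_findings(inventory, scan_results):
    """Criticality ranking: severity weighted by effective criticality,
    highest first. A 9.8 on a build box ranks below a 7.5 on payments."""
    ranked = []
    for asset, findings in scan_results.items():
        weight = effective_criticality(inventory, asset)
        for fid, severity in findings:
            ranked.append((asset, fid, round(weight * severity, 1)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    print("never scanned:", coverage_gaps(INVENTORY, SCAN_RESULTS))
    for name in INVENTORY:
        print(name, "own", INVENTORY[name].criticality,
              "effective", effective_criticality(INVENTORY, name))
    for row in rank_findings(INVENTORY, SCAN_RESULTS):
        print(row)
```

The point of the dependency pass is that `pg-primary` comes out at criticality 5, not the 3 it was tagged with, because `payments-api` sits on top of it; the coverage pass reports it as unscanned, so its clean-looking absence from the findings list is a gap, not a pass.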
Aug 17, 2019 12 tweets 2 min read
Cybersecurity as a first class business risk. A thread.

I see a lot of commentary on the need to “treat cyber/info-security as a business issue not an IT issue”. The problem is it implies that this is not still also a technology issue. This is, of course, incorrect.

1/12

The reality (being generous, what I think people really mean) is that we need to treat cyber/info-security as a first class business risk. So how do we do this, as opposed to just wishing it so. In my experience there are 3 themes you need to drive.

2/12
Jul 20, 2019 9 tweets 2 min read
Fundamental Drivers of Information Security Risk. A thread.

As I get older and (hopefully) wiser it has become ever more apparent that all the issues and risks we face arise from a small number of basic “forces”.

1/9
These manifest in different ways in different contexts - strip away the detail and most issues usually stem from one of these. I don’t claim originality here - some have been said and used by others before me. I’m also not convinced this list is actually complete.

2/9
Jun 30, 2019 15 tweets 3 min read
Controls. A Thread.

Many well-known security incidents appear to have a common pattern. They are not the result of some awesome attacker capability to exploit some hitherto unknown vuln. or to realize a risk from some combination of controls weakness not contemplated.

1/15

Rather, a remarkably common pattern is that the control or controls that would have stopped the attack (or otherwise detected/contained it) were thought to be present and operational but for some reason were actually not - just when they were most needed.

2/15
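A concrete instance of the pattern in the thread above, as an added example that is not part of the original thread: a first-match packet filter contains the deny rule everyone believes blocks SSH to the admin hosts from the internet, but an earlier, broader allow rule shadows it, so the control exists on paper and never fires. The rule set, addresses and expected verdicts are constructed for illustration; the check exercises the policy against flows with known intended outcomes instead of trusting that the rule is present.

```python
"""Controls assumed present vs. controls that actually fire.
Added example with a constructed first-match firewall policy."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    ports: tuple         # inclusive (low, high) destination port range
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dport: int


def matches(rule, flow):
    return (ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.ports[0] <= flow.dport <= rule.ports[1])


def evaluate(rules, flow, default="deny"):
    """First matching rule wins, as in most packet filters. Returns (verdict, rule index)."""
    for i, rule in enumerate(rules):
        if matches(rule, flow):
            return rule.action, i
    return default, None


def covers(outer, inner):
    """True if every flow matched by `inner` is also matched by `outer`."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])


def shadowed_rules(rules):
    """Static check: indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, rule in enumerate(rules)
            if any(covers(earlier, rule) for earlier in rules[:i])]


def verify(rules, expectations):
    """Dynamic check: run known flows through the policy, return the mismatches
    as (flow, expected, actual, index of the rule that actually fired)."""
    failures = []
    for flow, expected in expectations:
        actual, idx = evaluate(rules, flow)
        if actual != expected:
            failures.append((flow, expected, actual, idx))
    return failures


# Constructed policy as deployed. Rule 1 is the control the team believes is in place.
POLICY = [
    Rule("allow", "0.0.0.0/0", "10.0.0.0/8", (1, 65535), "legacy: allow all inbound to corp"),
    Rule("deny", "0.0.0.0/0", "10.0.5.0/24", (22, 22), "block SSH to admin hosts from anywhere"),
    Rule("allow", "10.0.0.0/8", "10.0.5.0/24", (22, 22), "SSH to admin hosts from corp only"),
]

# Constructed expectations written from the policy's intent, not from its text.
EXPECTATIONS = [
    (Flow("203.0.113.9", "10.0.5.10", 22), "deny"),    # internet -> admin SSH must be blocked
    (Flow("10.0.1.7", "10.0.5.10", 22), "allow"),      # corp -> admin SSH is allowed
]

# The same intent, ordered so the narrow allow precedes the broad deny and the
# legacy rule is gone; the filter's default is deny.
FIXED_POLICY = [POLICY[2], POLICY[1]]


if __name__ == "__main__":
    print("shadowed rules in deployed policy:", shadowed_rules(POLICY))
    for flow, expected, actual, idx in verify(POLICY, EXPECTATIONS):
        print(f"{flow} expected {expected} got {actual} via rule {idx}: {POLICY[idx].comment}")
    print("shadowed rules in fixed policy:", shadowed_rules(FIXED_POLICY))
    print("fixed policy failures:", verify(FIXED_POLICY, EXPECTATIONS))
```

Both checks are worth running on a schedule rather than once: the static shadowing pass catches the rule that can never match, and the expectation pass catches everything else that would make the verdict differ from intent (a rule inserted above it next quarter, a changed default, a renumbered subnet). A control whose absence produces no failing test is exactly the kind that is "thought to be present" until the incident.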