Practical Risk Tolerance

Excellent article on security risk management from Black Swan Security:

“…but I don’t hear any formalisation of measuring and assessing controls that are beyond the Control Tolerance of an organisation. We care about risk tolerances and exceptions, the risk owners care about these but the risk owners and the business managers also care about the ‘Control Tolerance’ or at least they care about controls beyond it.”

“If the practical risk tolerance that the security teams are working to is below the control tolerance then such a reset is inevitable. If the control implementations are below the Control Tolerance but the Risk Tolerance would practically have allowed for less stifling control environments then such a reset will likely not only reduce the impact of stifling controls but also unnecessarily increase the overall risk tolerance and associated exposure to security risk. Ironically over-zealous security controls lead to a less well-secured environment.”

The Cult of Passion in Infosec

Recently I read an interesting analysis (by the talented Chris Sanders) reflecting on passion: how we use it to screen infosec candidates, and asking whether what we really mean (or should mean) is ‘curiosity’.

“Passion is very difficult to attribute to a source. In fact, most people aren’t good at identifying the things they are passionate about themselves. The vast majority of security practitioners are not passionate about information security itself. Instead, they’re passionate about problem-solving, being an agent of justice, being intelligent, being seen as intelligent, actually being intelligence, solving mysteries, making a lot of money, or simply providing for their families.”

One particularly interesting observation which caused me to pause and reflect was the line:

“Not everyone is extraordinary and that’s okay. There is this myth that we all must be the best. As Ricky Bobby famously said, “If you ain’t first, you’re last!”. But, by constantly trying to be the best it breeds things like imposter syndrome, self-doubt, and depression.”

It is sometimes difficult not to fixate on the ‘next step’, measuring yourself against other members of the infosec community. Staying grounded is important: use self-awareness and reflection to identify areas for steady development, but not to the detriment of your own well-being or of the people around you.

Sending out a thank you to Chris for drawing further attention both to the misplaced search for ‘passion’ and to the dangers of trying to be in that 5% of practitioners who truly are exceptional, but who also often sacrifice other areas of their lives to fuel that passion.

