Sign up to save your podcasts
Or
Share Welcome and Why Does Security Matter?
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Welcome and Why Does Security Matter?
Links:
- https://simonsinek.com/product/start-with-why/
- https://www.ted.com/talks/simon_sinek_how_great_leaders_inspire_action?language=en
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor authentication, list and see all SSH servers, Kubernetes clusters, or databases available to you, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport doesn’t get in the way. Download Teleport at goteleport.com. That’s goteleport.com.
Jesse: Welcome to Meanwhile in Security. I think we all need a personal assistant to sift through the flood of security news and innovations coming at us. But even if each of us had a PA—and who am I kidding, almost none of us do—our assistants would need their own assistants just to handle the flood of information. I think most of us agree that information overload poses a significant challenge to many of us. And with that challenge comes risk.
When I talk to people about security, most of them say they need a guide and translator to sort out the deluge of information they receive. More importantly, I've learned that missing key information related to security can jeopardize your organization's mission success, and security breaches are costly, both financially and in lost reputation. When my friends Corey and Mike at The Duckbill Group asked me to create Meanwhile in Security, I remembered my own struggle to stay on top of security news in addition to staying current with the IT operations I managed. I designed this newsletter and podcast with a goal of serving as your personal translator and guide. Each week, you can count on me to explain a security-related topic, whether it's a core security concept, a breakdown of the latest big security breach in the news, or a guide for implementing an operational security methodology.
Of course, you might wonder why me? Why Jesse Trucks? What do I bring to this discussion? For more than 20 years, I've been in the trenches, managing operations and security for networks, systems, and applications, and working with public and private organizations of all sizes and types. I've done system forensics, managed defensive security and audits, and more.
As both an individual contributor and in management, I've written documentation and reporting for users, system admins, and management, designed and implemented training, risk mitigation, and security programs, and helped companies, schools, hospitals, and government agencies in the US and elsewhere improve security operations and compliance, respond to breaches and develop and implement risk analysis and mitigation strategies. I've lived through the industry transformation from bare metal, to virtualization, to containerization, and to cloud. This breadth and depth of experience gives me a unique understanding of systems on micro and macro scales. I know how to manage business needs and people. And I've learned that security is as much about conception of risk and risk mitigation as it is about the technology used to manage risk.
Connecting business IT and security together is what I love doing. For me, translating security for all these audiences is one of my core personal missions. I've learned that having open dialogue and inviting questions is a powerful tool for creating meaningful change. So, here are my questions for you: what security concepts or topics confuse you? Be honest.
What keeps you up at night about security? How can I help you better understand the importance of security? How can I help you translate security topics for your peers and managers? Where in your cloud journey do you need to better understand security issues and potential risks? Please send me your questions, concerns, and feedback. I can't wait to hear from you.
Find your why, or how to convince people that security matters. As I mentioned earlier, one thing I've learned during my career is that security is as much about people's conception of risks and risk mitigation as it is about the technology used to manage risk. In this first episode of Meanwhile in Security, I want to establish the foundation for an effective security approach. Driven by management and budgetary concerns, it's easy to get caught up in choosing the tools to manage security without understanding the why of what you are managing. This often leads to financial waste, frustration, and organization-wide resistance to security-related changes. In addition, it usually leads to poor security practices due to misalignment with the risk mitigation needs of the business.
The first important lesson in managing security is to realize that security is a mindset, not a tool. We often hear security is a process, but this skips straight to implementation. I suggest that implementing and managing security is a process which encompasses people's actions with technical tools. Not every tool is a perfect fit for the job we need to complete. You wouldn't bring a hammer to a laundry pile any more than you would bring a washing machine to a building site.
We can't know the tools we need if we don't have a roadmap for the protection we're seeking. Thus, it's important to understand that security and compliance aren't your primary goals. Protecting something is the goal. Designing and implementing security programs is a painstaking and time-intensive task, and organizations often go through many iterations before finding a program that works. That's because they lose sight of the fact that your security plan is not your actual goal.
Protecting data or services, the infrastructure for those data or services, and the data integrity and services availability are the goals. We're all protecting something valuable, but if we lose sight of why we're protecting the things we're protecting, we lose the narrative on how to protect it. In other words, a security program is nothing without a why or a reason.
Corey: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the Cloud: low effort, high visibility and detection. To learn more, visit
View all episodes
By Jesse Trucks
3.7
33 ratings
Links:
- https://simonsinek.com/product/start-with-why/
- https://www.ted.com/talks/simon_sinek_how_great_leaders_inspire_action?language=en
Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.
Announcer: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor authentication, list and see all SSH servers, Kubernetes clusters, or databases available to you, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport doesn’t get in the way. Download Teleport at goteleport.com. That’s goteleport.com.
Jesse: Welcome to Meanwhile in Security. I think we all need a personal assistant to sift through the flood of security news and innovations coming at us. But even if each of us had a PA—and who am I kidding, almost none of us do—our assistants would need their own assistants just to handle the flood of information. I think most of us agree that information overload poses a significant challenge to many of us. And with that challenge comes risk.
When I talk to people about security, most of them say they need a guide and translator to sort out the deluge of information they receive. More importantly, I've learned that missing key information related to security can jeopardize your organization's mission success, and security breaches are costly, both financially and in lost reputation. When my friends Corey and Mike at The Duckbill Group asked me to create Meanwhile in Security, I remembered my own struggle to stay on top of security news in addition to staying current with the IT operations I managed. I designed this newsletter and podcast with a goal of serving as your personal translator and guide. Each week, you can count on me to explain a security-related topic, whether it's a core security concept, a breakdown of the latest big security breach in the news, or a guide for implementing an operational security methodology.
Of course, you might wonder why me? Why Jesse Trucks? What do I bring to this discussion? For more than 20 years, I've been in the trenches, managing operations and security for networks, systems, and applications, and working with public and private organizations of all sizes and types. I've done system forensics, managed defensive security and audits, and more.
As both an individual contributor and in management, I've written documentation and reporting for users, system admins, and management, designed and implemented training, risk mitigation, and security programs, and helped companies, schools, hospitals, and government agencies in the US and elsewhere improve security operations and compliance, respond to breaches and develop and implement risk analysis and mitigation strategies. I've lived through the industry transformation from bare metal, to virtualization, to containerization, and to cloud. This breadth and depth of experience gives me a unique understanding of systems on micro and macro scales. I know how to manage business needs and people. And I've learned that security is as much about conception of risk and risk mitigation as it is about the technology used to manage risk.
Connecting business IT and security together is what I love doing. For me, translating security for all these audiences is one of my core personal missions. I've learned that having open dialogue and inviting questions is a powerful tool for creating meaningful change. So, here are my questions for you: what security concepts or topics confuse you? Be honest.
What keeps you up at night about security? How can I help you better understand the importance of security? How can I help you translate security topics for your peers and managers? Where in your cloud journey do you need to better understand security issues and potential risks? Please send me your questions, concerns, and feedback. I can't wait to hear from you.
Find your why, or how to convince people that security matters. As I mentioned earlier, one thing I've learned during my career is that security is as much about people's conception of risks and risk mitigation as it is about the technology used to manage risk. In this first episode of Meanwhile in Security, I want to establish the foundation for an effective security approach. Driven by management and budgetary concerns, it's easy to get caught up in choosing the tools to manage security without understanding the why of what you are managing. This often leads to financial waste, frustration, and organization-wide resistance to security-related changes. In addition, it usually leads to poor security practices due to misalignment with the risk mitigation needs of the business.
The first important lesson in managing security is to realize that security is a mindset, not a tool. We often hear security is a process, but this skips straight to implementation. I suggest that implementing and managing security is a process which encompasses people's actions with technical tools. Not every tool is a perfect fit for the job we need to complete. You wouldn't bring a hammer to a laundry pile any more than you would bring a washing machine to a building site.
We can't know the tools we need if we don't have a roadmap for the protection we're seeking. Thus, it's important to understand that security and compliance aren't your primary goals. Protecting something is the goal. Designing and implementing security programs is a painstaking and time-intensive task, and organizations often go through many iterations before finding a program that works. That's because they lose sight of the fact that your security plan is not your actual goal.
Protecting data or services, the infrastructure for those data or services, and the data integrity and services availability are the goals. We're all protecting something valuable, but if we lose sight of why we're protecting the things we're protecting, we lose the narrative on how to protect it. In other words, a security program is nothing without a why or a reason.
Corey: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the Cloud: low effort, high visibility and detection. To learn more, visit