Security FOMO

The Pursuit of Bright, Shiny Security Things

Helen Patton
Jan 16, 2023

“I have all the resources I need, doing all the right work” — said no security leader, ever.

[Image: Glass beads, reflecting a rainbow of different colors. Photo by Nechama Lock on Unsplash]

For most leaders running a security program, there is an ever-present sense that whatever they are doing isn’t enough, there is always more to do, there is some weakness that needs mitigating. It’s not surprising, really.

Start by taking a look at all the security frameworks and guides that suggest (or require) Things To Be Done. Even if you’re in one industry, in one geography, you are subject to a myriad of rules, regulations and guidelines. ISO, NIST, C5, IRAP, ISMAP, etc., etc., etc. Heaven forbid you support a multi-national organization, or a conglomerate of industries.

Then, go take a look at all the guidelines based on technology. Cloud Security Frameworks, OWASP, IoT Security. You could spend your entire security budget on Active Directory alone, and still not address all the vulnerabilities there. Every time your CIO decides to use a New Thing (cough, Artificial Intelligence, cough) it’s back to the drawing board to learn its threat surface, risk profile, attack sequence.

For giggles, go attend a few security conferences. Particularly ones which allow security researchers to demonstrate new findings. There you will find amazingly smart people…

Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange