Welcome to a few thoughts on cybersecurity, and some occasional photography.
We’re becoming immune to the news about the latest data breach, and yet folks don’t change their own security practices. Often that’s because they don’t know where to start. Other times it’s because they’re focused on hitting the checkboxes for a compliance audit.
Cybersecurity tries to solve age-old problems using high tech solutions in a repeatable way (hence the clockwork in the logo). But the real power comes when we change how people think, and that means showing the way through the darkness (the lantern).
So that’s the purpose of this blog: to go through the smoke and past the mirrors and get beyond the FUD*.
Please note, all of the comments, opinions, and content on this site are my own and do not necessarily reflect the views of my employer.
* FUD – Fear, Uncertainty, and Doubt
State of Security
We’re in an era of industrialized threats that are increasing in size, scope, and sophistication. Hackers are your organization’s strongest competitive threat. To protect your business, we must begin with a fundamental question: do you fully understand how you get from customer to cash?
From that, how do you establish an effective security program aligned to business risk? Understanding the relevance of an event or threat in the context of your business is more valuable than being able to run an asset compliance report. Metrics are meaningless unless prioritized by threats and vulnerabilities – risk – to your business. Security workflow – instrumenting, collecting, analyzing, understanding, and responding to events, all relies on having the right information at the right time.
Unfortunately, security teams often play second fiddle to audit and compliance and focused on just meeting contractual or regulatory requirements, or are hidden within IT and only consider technical risk. That simply is no longer adequate, and your board knows it. When your breach goes public, you have liability to your victims, your business stakeholders, the government and ultimately your investors.
So what’s driving your security decisions: audit and compliance or real-world business risk?
I can help move your CyberSecurity program from yesterday’s reactive, compliance-oriented model to a forward-looking, risk-focused approach. My driver is your security need – it’s not about the latest and greatest tool or service, it’s about protecting your business reputation and cash flow.
Your brand and your career are on the line. We need to move through the smoke, past the mirrors, get beyond the FUD, and address security as an industrialized problem that needs tailored holistic solutions to reduce business – not just IT – risk.
My team and I can help – please reach out and connect.
Doug Lhotka, CISSP-ISSAP
Senior Security Strategist
Doug is a Senior Security Specialist team at Splunk, part of a diverse, high-performing team focused on helping security and business executives manage risk and secure strategic initiatives.
He has authored patents, articles, and books on subjects including cybersecurity, enterprise architecture, IT governance, human factors, photographic lighting and 3D printing for fine art. An accomplished technical storyteller, he regularly speaks on cybersecurity to executive, business, practitioner and end-user audiences.
Doug earned his Bachelor’s in Computer Science, Anthropology, and Psychology, and Master’s in Engineering Management from CU Boulder, and continues to support educational programs. He lives in the Colorado forest with his wife and their four-footed children, spending as much time as he can in the Rocky Mountains not doing cybersecurity.