Here’s my first piece of advice for tech teams trying to build secure technology. Specifically, for the execs and business owners out there. If you can’t afford it, don’t do it. Instead of writing a long boring document, I thought I’d try a comic narrative for this post 🙂
While ranting about shit IT security is a little cathartic and raises awareness, it doesn’t solve any immediate issues. And let’s face it, nobody likes hearing about problems. So to be more positive, I’m going to share some solutions you won’t like instead. I want to focus on advice for tech teams and execs, but there is one thing that everyone can do to improve cybersecurity, across every aspect of the tech industry. It’s even free.
Absolutists are annoying, smug pains in the ass. They piss everybody off and make them uncomfortable. I should know, I’m an absolutist. I got feedback from someone I respect about one of my recent posts. It was along the lines of: “I get what you’re saying, but…”. Then they explained how I am describing/proposing things that can’t always be done in the real world. Practical limitations, politics, personalities etc. get in the way of the goal. While I’ve heard it before, and it made me cringe with an “ah fuck, I’ve done that thing again…”
With the number of data breaches in the news of late, many people keep asking why companies are not doing more to secure customer data. The public tends to assume that companies have people trained to look after cybersecurity and an obligation to secure customer data. At the top of the “who” list is typically the Chief Information Security Officer (CISO). Unfortunately, the CISO’s primary job is not protecting customer data or IT systems.
If you have worked in tech for more than ten minutes, you’ve heard of DevOps. You can’t scratch your ass without someone preaching its benefits or talking about a tool that will deliver DevOps nirvana. You know it’s a real thing because anybody who’s anybody has a DevOps solution to sell you. There’s an excellent chance that DevOps has been implemented in your organisation, and you are actively fucking it up right now.
OK, so the Office of the Australian Information Commissioner has put out the latest Notifiable Data Breaches report, and they are very cross.
I am always amazed at just how many people don’t take even basic steps to secure their AWS root account. From large organisations to individuals. That includes all those “DevSecOps Professionals” that know better.
I came back from a holiday in Italy with a case of pneumonia recently, which means I had some spare time on my hands. What else is there to do but create a website?