Sunday Musings Your First 90 Days
Happy Sunday Friend!
Welcome back to another musing! I’m glad you’re here. Here are your Sunday Musings, a quick dose of what I’m exploring and thinking about. If you find it useful, please feel free to forward this along to friends!
Know Your Role (the first 90 days)
As Cyber Security (and Information Security) leaders, we are members of a group of leaders; each with specific roles to fulfill and expertise to give. We have financial officers, legal officers, administrative officers, operations, you get the picture. If we start spouting off legal or financial advice (as examples), regardless of our intentions, at best, we create friction with our partners around the table. At worst, we introduce undue risk and posture the board for poor decisions.
So, we’ve just landed a great leadership role; it doesn’t matter whether it is technical or not. How do we begin? It’s important that we set the right tone, direction, and expectations. Remember, security is there to help the organization achieve its goals (make money, reduce costs and risks). You might need to apply the brakes, but those should be brakes that let you go faster (like an F1 car), not brakes that kill momentum.
I like to start my first 90 days with the same strategy.
Conduct organizational analysis.
What are the strategic objectives, future forecast/goals, what are the issues, what is the risk climate?
Understand the future state.
Through honest and direct talks with stakeholders, ask questions to understand the system, application, network, infrastructure, and organizational architecture. Based on the forecast, where is the organization headed, and where along that path will we need to work with legal and compliance?
Assess the current state (Ask what’s working, what’s not working, how can I help).
This includes systems, processes, policies, personnel, and relationships within the organization. Where are the fires (failures)? Who are the power brokers (official and unofficial), and who are the shadow brokers? Where is the shadow IT (there is always shadow IT)?
Gap Analysis.
This is the future state minus the current state, given the resources and capabilities available (Future - Current). Through your analysis and discussions with peers, subordinates, and stakeholders in the company, and by consulting outside the organization, identify a wide range of possible solutions. This is a critical step!
Come up with a list of possible solutions and alternatives for leadership. Talk in terms of risk, controls, and costs (consult the CFO).
Program Objectives and Milestones
(Here’s where we are, where we want to be, and how we’re going to get there).
Present the leadership with what you’ve observed. Provide multiple approaches to the change management required for your next 12-18 months. Think like the CEO. Speak in business terms and highlight the ways that align with organizational objectives (what are the aspects that support revenue growth). In terms of Cyber Security, we can ensure our internet facing nodes (apps, websites) are compliant and meet regulatory requirements.
Inculcate the understanding that the Cyber (Info) Security element of the organization is there to help the organization meet its goals. Yes, we’re going to look at the organization. Yes, we’re going to ask questions over the first 90 days. Once that happens, we’re going to focus on making changes where appropriate to knock down the obstacles that prevent us from being as successful as our people can make us.
Example: Availability from the CIA Triad equates to mainstream business. Making sure we have no operational disruptions to our core banking applications when it’s time to complete the books each month.
Interesting and In the News
IT security employee attempts to exploit ransomware attack.
Imagine your organization becomes the victim of a ransomware attack, terrible right? Now imagine you find out that one of your own employees is trying to steal the ransom money for themselves.
That’s exactly what happened to Oxford BioMedica back in 2018.
A member of the organization’s internal staff assigned to investigate the attack broke into a board member’s email account, modified the ransom email so that the potential payout would go to their own Bitcoin wallet, and sent false emails pressuring the board to pay the ransom.
This is one of those cases that makes you stop and think as a leader. How do you mitigate the risk of a security specialist going rogue? They’re there to have escalated privileges in order to conduct forensics. Logs, audits, and access controls, even on the ones meant to protect, are my thoughts.
Ashley Liles just pled guilty after years of denials. He’ll head to sentencing on 11 July.
OpenAI + Worldcoin + Iris Scanning = Tools For Humanity raises $115 million in Series C.
Why is this interesting? Well, it’s a company co-founded by Sam Altman (of OpenAI) working on the Worldcoin project. Chasing the rabbit down the hole, Worldcoin’s stated mission is three-fold.
Create a global ID
Create a global currency
Create an app that lets you use the currency in an agile way
Altman and team are doing this all out in the open, publicly working to be first to AGI and at the front of the projected massive disruption of human work. The interesting thing here is that the Worldcoin app uses “the orb” to scan the randomness of the user’s iris and generate a unique encoding based on the scan (not storing the biometrics).
I’m an advocate of advanced biometrics as part of multi-factor authentication, and this is a nice push. Being able to distinguish humans from A.I. (Global ID) and make sure it’s the correct human is going to become more important as we move forward.
The global crypto currency element has an interesting theme coming from Worldcoin CEO, Alex Blania. They intend to see Worldcoin as the mechanism for distribution of capital creation and the framework for Universal Basic Income. With the last several years of crypto instability, they have their work cut out for them; I’m always interested in big goals with targeted vision.
With OpenAI dominating the internet and the partnership with Microsoft to drive Bing’s searches, I’m willing to bet Worldcoin will see more people willing to stare into the orb and keep their eyes on the future.
Neuralink Approved for in-human clinical trial.
In a recent tweet, Neuralink claimed FDA approval for clinical trials. Is this the real answer to how Full Self Driving in Teslas will work? Will we get our Twitter feeds direct to the brain housing group? Ancient Alien Theorists say maybe.
On the more serious side, this is a quick turn from the early 2022 rejection. I imagine this is more an approval for safety testing the combination of surgical robots to implant devices than testing the actual devices yet; but that’s just my assessment. Regardless, I’m interested to see what developments come next.
Quote I’m Musing
“It’s not because things are difficult that we dare not venture. It’s because we dare not venture that they are difficult.”
-Seneca
More times than I like to admit, I’ve put off doing something because it was going to be hard. Then, when I had finally done the task, it had only seemed hard because I didn’t want to do it.
Things that are new and unfamiliar are the things that become difficult because our imaginations trend towards exaggerated risk severity and likelihood. Doing things because they are difficult builds our character, our ability to learn from experience, and our skills to accomplish the task. Any of the three developments are reason enough to do the hard thing, so gaining all three makes it mandatory in my mind.
I would love your feedback!
Which musing is your favorite? What else do you want to see or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or, eric@erichaupt.com for long form email.
Have a wonderful week, I’ll see you Sunday.
-e
End of transmission.