G before RC
The order of the letters in "GRC" is not arbitrary. If you don't Govern your environment well, you cannot manage Risk and Compliance well.
paradigmshifts
18 posts
What Moves the Cyber Resilience Needle the Most? It’s Probably Not What You Think
It's simple, but it's not easy: if you change the tech but not the culture, none of the gains you realize in the short term will be sustainable in the long term.
Azure Has A Kerberos Problem, But It’s Not The One You Think
Blaming Azure for Kerberos exploits isn't a hot take—it's nonsense. Focus on the real root causes instead (which are different than you might think).
Who’s Threat Modeling the Threat Modelers?
When an org's security personnel carry out threat modeling exercises, they tend to make unconscious assumptions about the efficacy of their own security controls. This is dangerous.
How (not) to Waste Your Time Chasing Vulnerabilities
There is a very good chance that your vulnerability management efforts are not actually reducing your risk. The data tells us why.
3 Reasons Security Folks Roll Their Eyes When They Hear “Zero Trust”
The principles still matter, more than almost everything else in security...even if we're tired of hearing about it.
Your Expensive PIM/PAM Solution Won’t Save You—But This Might
If <that one PAM tool everyone uses> was good enough on its own, then no one in banking would get hacked, because they all use it. Clearly there's more to the story.
Boy Were We (Mostly) Wrong (aka Security Reflections on a 2010 Cloud Model)
Ground-breaking paradigms from Jericho Forum are still meaningful today, but some more than others. How have things evolved since then, and why does it matter?