Doing the Security Thing

In a very refreshing article, Brendan Williams talks about the fallacies of securing systems based on compliance models, with an army of clerical staff working through checklists to determine the security architecture for a new system. For a lot of my cyber-security-related activities, I have been trying to implement a risk management approach instead, where the security architecture is firmly rooted in the evaluated threats, their likelihood and impact, and the most cost-effective mitigations against them.

NIST has covered this ground for some time with SP 800-30, its guide for conducting risk assessments: identify threat sources and threat events, estimate the likelihood of each and the impact if it occurs, and combine the two into a risk level that drives the choice of controls. High-level threats are very application specific, so that part stays manual. The low-level picture is better catalogued: the National Vulnerability Database lists known vulnerabilities (CVE entries) together with their CVSS scores, the affected products (CPE) and the weakness type (CWE), which gives a concrete starting point for what a threat actor could attempt to exploit in the components a system depends on.
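As an added example (not code from this post, from NIST or from NVD), here is a small Python script that carries an SP 800-30-style qualitative assessment through from NVD data to a ranked list of mitigations. Its assumptions: the CVE records are constructed sample data in the shape of NVD's JSON (a `cvssMetricV31` entry carrying `exploitabilityScore` and `impactScore`) with placeholder identifiers; the cut-offs that map those sub-scores onto the five-level likelihood and impact scales are my own heuristic; the likelihood-by-impact matrix follows the shape of the table in SP 800-30 Rev. 1 Appendix I but is reproduced from memory and should be checked against the published table before use; and the mitigations and their costs are hypothetical.

```python
"""Qualitative risk scoring in the style of NIST SP 800-30 Rev. 1.

Added example for this post, not NIST's or the post author's code.
Assumptions:
  * RISK_MATRIX follows the shape of the likelihood x impact table in
    SP 800-30 Rev. 1 Appendix I, reproduced from memory: verify it against
    the published table before relying on it.
  * The CVSS cut-offs below are a heuristic of mine, not part of SP 800-30.
  * SAMPLE_RECORDS are constructed data in the shape of NVD JSON; the CVE
    IDs are placeholders, not real entries. MITIGATIONS are hypothetical.
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows are likelihood, columns are impact, both in LEVELS order.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a likelihood level and an impact level into a risk level."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def _bucket(score: float, cutoffs: tuple) -> str:
    """Map a score to a level: the level index is the number of ascending cut-offs met."""
    return LEVELS[sum(score >= c for c in cutoffs)]


def likelihood_from_cvss(exploitability_score: float) -> str:
    """CVSS v3.x exploitability sub-score (0 to 3.9) as a proxy for likelihood."""
    return _bucket(exploitability_score, (0.8, 1.5, 2.5, 3.5))


def impact_from_cvss(impact_score: float) -> str:
    """CVSS v3.x impact sub-score (0 to 6.0) as a proxy for impact."""
    return _bucket(impact_score, (1.0, 2.5, 4.0, 5.5))


def score_cve(record: dict) -> dict:
    """Assess one NVD-shaped CVE record using its first CVSS v3.1 metric entry."""
    cve = record["cve"]
    metric = cve["metrics"]["cvssMetricV31"][0]
    likelihood = likelihood_from_cvss(metric["exploitabilityScore"])
    impact = impact_from_cvss(metric["impactScore"])
    return {"id": cve["id"], "likelihood": likelihood, "impact": impact,
            "risk": risk_level(likelihood, impact)}


@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: float            # relative cost units (hypothetical)
    likelihood_steps: int  # levels of likelihood the control removes
    impact_steps: int      # levels of impact the control removes


def _lower(level: str, steps: int) -> str:
    return LEVELS[max(0, LEVELS.index(level) - steps)]


def residual_risk(assessment: dict, m: Mitigation) -> str:
    """Risk level remaining after applying one mitigation to an assessment."""
    return risk_level(_lower(assessment["likelihood"], m.likelihood_steps),
                      _lower(assessment["impact"], m.impact_steps))


def rank_mitigations(assessment: dict, mitigations) -> list:
    """Order mitigations by risk levels removed per unit cost, best first."""
    before = LEVELS.index(assessment["risk"])
    ranked = []
    for m in mitigations:
        after = residual_risk(assessment, m)
        ranked.append((m.name, after, (before - LEVELS.index(after)) / m.cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed sample data in NVD JSON shape; the IDs are placeholders.
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-0000-0001", "metrics": {"cvssMetricV31": [
        {"cvssData": {"baseScore": 9.8}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}}},
    {"cve": {"id": "CVE-0000-0002", "metrics": {"cvssMetricV31": [
        {"cvssData": {"baseScore": 5.5}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}}},
    {"cve": {"id": "CVE-0000-0003", "metrics": {"cvssMetricV31": [
        {"cvssData": {"baseScore": 6.2}, "exploitabilityScore": 0.5, "impactScore": 5.9}]}}},
]

# Hypothetical controls with made-up relative costs.
MITIGATIONS = [
    Mitigation("apply vendor patch", cost=1.0, likelihood_steps=4, impact_steps=0),
    Mitigation("network segmentation", cost=3.0, likelihood_steps=2, impact_steps=0),
    Mitigation("offline backups", cost=2.0, likelihood_steps=0, impact_steps=2),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(score_cve(rec))
    for name, after, value in rank_mitigations(score_cve(SAMPLE_RECORDS[0]), MITIGATIONS):
        print(f"{name:22s} residual={after:10s} levels removed per cost unit={value:.2f}")
```

The third constructed record is the point of the exercise: a vulnerability with maximal impact but near-zero exploitability lands at "Low" in the matrix, which is why a raw CVSS base score should feed the assessment rather than replace it. For real NVD data the cut-offs and the cost figures are the two places to revisit, since both encode judgement rather than anything the database can supply.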

