When Can Cybersecurity Professionals “Wing It”?

In my career, I’ve experienced all levels of process maturity, ranging from “process for process’ sake” to “winging it.”

  • Many, many years before Marie Kondo popularized the term “spark joy,” one of my former employers shut down the entire office for the afternoon so that we could spend that time cleaning up. Thankfully this was not instituted (institutionalized?) as a weekly occurrence.
  • On the other extreme, some organizations resist process and just wing it. To the point that I literally hide when I use a process.

Now the ability to “wing it” can be used in some circumstances but not in others. Obviously improvisational comedians “wing it” by definition. But Ike (pre-matrix) couldn’t have used the “wing it” approach on D-Day.

What about cybersecurity? Can you “wing it” when you’re attacked?

Jack Freund says no:

“The evolving threat landscape demands robust governance architectures and well-defined board duties to ensure resilience against cyberthreats. Effective cybergovernance not only protects an organization’s digital assets but also reinforces trust among stakeholders.”

Governance is a critical component of cybersecurity, if for no other reason than to prove that your organization actually HAS cybersecurity. Ideally an organization will govern its cybersecurity by some type of “maturity model.”

And that’s more than refraining from calling someone a poopy head.


Secretly Using WOMBAT for Positive Impact

We create things for maximum impact. But is the impact positive or negative?

Move fast and break things

In 2019, Hemant Taneja wrote the following in a Harvard Business Review article, “The Era of ‘Move Fast and Break Things’ Is Over”:

“The technologies of tomorrow—genomics, blockchain, drones, AR/VR, 3D printing—will impact lives to an extent that will dwarf that of the technologies of the past ten years.”

Although not mentioned in the sentence above, Taneja subsequently references artificial intelligence—not as a technology, but as an underpinning of the others.

And the overall theme of the piece is a questioning of what all these things DO—and that it may not be good to break things. Destroying society may have an impact, but it’s a negative one. Can anyone think of any recent examples?

Which leads to keeping processes secret. But not all of them.

Bredemarket’s not-so-secret process

If you’ve ever read my CPA page, you may have noticed the phrase “before I write a word.”

Perhaps that’s the point where some people stopped reading the page. After all, Bredemarket provides writing services. Write stuff! Don’t wait.

And I do write stuff, creating a draft 0.5, sleeping on it, and only then creating a draft 1.

But there’s something that I do even before my draft 0.5.

“Before I write a word, I work with you to make sure that I understand your needs. I start by asking seven important questions. This ensures the best possible deliverable.”

In case you’re curious about those seven questions, you can read about them here. These questions certainly aren’t so secret, since I’ve talked about them for a long time. (There used to be six.)

But there’s something I’ve learned not to talk about.

Bredemarket’s secret process

I don’t want to reveal Bredemarket’s secret process, so I’m just going to call it WOMBAT. Not that WOMBAT is unique to Bredemarket; far from it. Many companies use WOMBAT.

And many companies don’t use WOMBAT. In fact, they abhor WOMBAT and call it stifling. (Emotion words. Geddit?)

But I’ve found over the years that if you don’t use WOMBAT, there’s a very good chance that you’ll break things.

And who catches hell? The consultant. “Why did you do what we asked you to do? Now look at the mess you made!”

So out of a sense of fear and self-preservation (geddit?), there are times that I’ve secretly used WOMBAT and not told my clients I’m doing it.

Because it helps my clients make an impact.

A positive one.


21 Days of Bredemarket “CPA” Services

What in the heck does Bredemarket do?

Content, proposal, and analysis (“CPA”) marketing and writing services.

But what in the heck does Bredemarket DO?

During the first 21 days of March, my biometric, identity, and technology clients received blog posts, an ebook, emails, a landing page, slides, a press release, a Request for Information (RFI) response, a process, and other things.

Can I help your firm? Let me know on my “CPA” page.


Want to know how many blog posts and emails I wrote? Watch the video.


This Week’s Acronym is ASOCMM: the MM part should be a giveaway


I just read a post by SentinelOne, but it’s too early to tell if this is just a string of buzzwords or a legitimate endeavor.

The post about a proposed “Autonomous SOC Maturity Model” (ASOCMM?) includes buzzwords such as “autonomous,” “SOC” (system and organizational controls, or security operations center – take your pick), “agentic AI,” and of course “maturity model.”

Having done my maturity model time during my days at Motorola Solutions predecessor Motorola (although our group stuck with CMM rather than moving on to CMMI), I’ve certainly seen the benefits and drawbacks of maturity models for organizations large and small. Or rather, for organizations large: I shudder at the thought of implementing a maturity model at a startup; the learning curve at the Printrak part of Motorola was bad enough. You need to hit the target between no process and process for process’ sake.

So what of this autonomous SOC maturity model? Perhaps it can be real.

“At SentinelOne, we see the Autonomous SOC through the lens of a maturity model. We welcome debate on where we, as an industry, are on this evolutionary revolution. We hope most will agree that this is a better way to look at Autonomous SOC innovation and adoption – far better than the binary, all-or-nothing debates that have long fueled analyst, vendor, and industry watcher blogs and keynotes.”

If nothing else, a maturity model approach lends (or can lend) itself to continuous improvement, rather than just checking off a box and saying you’re done. A Level 5 (or Level 4 on a 0-4 scale) organization, if it believes what it’s saying, is ALWAYS going to improve.

Something to watch…and not just with SentinelOne.

(Adapted from original posts on LinkedIn and Facebook)