So, information security finally has a seat at the same table as the other executives. That seat is at the metaphorical adult’s table, and the invitation has been opened at many organizations now. We, as infosec practitioners, asked for that seat and, in many ways, the potential reputational and regulatory consequences of operating in today’s threat landscape demanded that a seat be opened. But are we ready?

That seat at the adult’s table represents recognition that we are ready to join a set of other executives that, like us, also have really hard problems to solve. Perhaps not security problems, but still…


Long the domain of ex-developers, application security as its own discipline is maturing and beginning to gain interest from traditional information security practitioners and information security leaders. These more recent converts to the appsec world, and security leaders with these new responsibilities, often lack application development backgrounds but are still enthusiastic about expanding their experience and influence into the shiny new appsec space.

The current thought leadership often omits or glosses over the complications and pitfalls that can make the journey to a successful application security program perilous. Not only do vendors drive much of the…


As information security professionals, we love the easy answers when easy is available. We should because, well, there is so little that is easy about our career path. That said, the easy path may help us but often doesn’t help to accomplish our goals of protecting the organization that we serve.

We can take a path that seems right at the expense of putting the process work in place to better serve our organization. …


Application security is finally getting the visibility the discipline deserves. Multiple blog posts and new books are bringing the craft of application security to the infosec masses. That’s a good thing.

What might not be clear to aspiring application security practitioners or to CISOs and other senior cyber security practitioners wanting to grow an application security program are the very real challenges to being successful at both the individual contributor level and at the program level.

Looking into the developer community from the outside might give the false sense that securing the software development lifecycle is the same as securing…


Servant leadership seems to be a growing buzzword in cyber security.

Robert K. Greenleaf coined the words “servant-leader” and “servant leadership” in 1970 with the publication of his classic essay, The Servant as Leader.

Greenleaf wrote: “The servant-leader is servant first… It begins with the natural feeling that one wants to serve, to serve first. ….That person is sharply different from one who is leader first, perhaps because of the need to assuage an unusual power drive or to acquire material possessions…The leader-first and the servant-first are two extreme types……The difference manifests itself in the care taken by the servant-first…


As cyber practitioners, we are often keen on activity. The problem is that activity doesn’t always move our cyber program if the activity isn’t measurable. This post discusses how non-measurable activities, no matter how cool or fun, are antithetical to the success of a healthy or improving cyber security program. By stuff and things, I mean activities within the cyber program that can’t be measured and described as to their value or are so non-specific in nature that the value isn’t clear.

I took to using the term, stuff & things, because I once knew of a second, or more…


The internet makes finding examples of sound leadership principles easy. Finding examples of great leadership and world-class program development within the cyber security community is a bit harder. This blog post explores whether this is the case because so much thinking and movement within the cyber security industry is generated by vendors and consultants.

If we assume that a sound cyber leadership principle is that cyber leaders must own, define, and communicate the goals, resourcing, gaps, and roadmap for their cyber security program, then the counter example to doing these things would be the complete abdication of…


Presenting complex programs such as 24x7 monitoring is often a multi-slide exercise that does little to help executives or the Board understand your level of maturity or progress. You can’t just dump a bunch of log data in front of executives and expect them to understand what it means. There has to be a better way.

NIST provides guidance around a set of tactical reports, so that might be a starting point for many organizations…

Trend analyses can include, for example, examining recent threat information regarding the types of threat events that have occurred within the organization or across the…


Is the cyber security team performing its duty if, without further action, it accepts any cyber risk that could potentially put the company at significant risk, including potentially a position that may be considered negligent? There has to be a more reasonable answer to the increasing trend of allowing any risk to be accepted in the name of “enabling” the business.

Cyber teams are often between a rock and a hard place. Cyber teams can’t abdicate their responsibility to inform the company about cyber risks in the name of enabling the business. …


In the bosom of one of those spacious second-tier digitally transformed technology tax zones that dot the coast, you can find the small newly gentrified section of the city in which resides Blue Team Pat.

Blue Team Pat had always been considered an odd lot by friends — never having worked a shift in a SOC and with no desire to be a red teamer. The doctor that birthed Blue Team Pat still to this day swears that Pat mouthed the word, “syslog”, at birth.

Blue Team Pat had joined the security team out of college about 10 months ago…

Opinionated Security

Tony Grey * CISO for an insurance company * grew team from 3 to 22 * led large software teams at Microsoft * blogs about cyber leadership & program development
