The Southern Fried Security Podcast
Join Andy Willingham, Martin Fisher,Steve Ragan, Yvette Johnson, and Joseph Sokoly as they discuss information security, news, and interview interesting people. Get in the discussion at

Episode 198 – Building a Security Strategy – Part 1


Strategy is the hardest thing a CISO will do in their career...except if they have to explain a massive breach…


  1. What is a Strategy?
    1. What’s the difference between a strategy and a policy?
      1. A policy is binding statements
      2. A strategy is thought out planning
      1. A list of tech you want to buy
      2. A remediation plan that follows an audit/assessment
      3. A continued justification for the way you’ve always done things
      4. The stuff your favorite vendor told you needs doing
    2. What a strategy isn’t…
      1. Based on the needs and desires of the org and its senior leaders
      2. Culturally relevant
      3. A guide to where investment (money and people) need to be made
      4. Balanced between boldness and reassurance
      5. Built on a set of capabilities that map to business success criteria
    3. A strategy is…
    1. Creates a consistent frame of reference for talking about the program
    2. Helps senior leaders understand the where/why of the investments
    3. Lays out a connected story for CFOrg to make budget less hard
    4. Provides a decision-making framework that enables effective choices
  2. Why do you want one?
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village
  3. How do I make one?


In our next episodes we’ll break down each of the steps and talk more about strategy…

Direct download: SFS_Podcast_Ep_-_198.mp3
Category:podcasts -- posted at: 8:53pm EDT

Episode 197 - After the Penetration Test 

We've kind of talked about how to choose your vendors, and we’ll get more into services soon, but we wanted to take some time to talk about penetration tests and especially what to do as they wrap up, how they affect the organization, and how you can manage your penetration tests to make sure they're actually effective.

  • Receiving the report
    • First and foremost, you are the customer. The report is not done until you say it is done.
      • That doesn't mean to massage the data, but you need to be sure that the penetration testers actually provided value.
    • If there isn't a solid executive summary, send it back. Period. Your testers should be able to summarize what they did, what they found, and what they think for your executives.
    • A Nessus or Burp scan is not a report. Ever.
    • Always ask “how did we do for this application/organization size” etc. You’re not just paying for someone to run Nessus on your network, you’re paying for their analysis. Ask for that.
  • Triaging the Results
    • Results rarely go to the same place in the organization. You might have findings for different teams, or entirely different parts of your org. Make sure they get to the right people.
    • Results may be inaccurate for your organization. A penetration tester isn't necessarily familiar with your organization’s risk profile, priorities, or anything else. What they mark as a medium may be a high or critical for you, or vice versa.
      • Example: Information disclosure in Healthcare is often rated much higher when triaging than in other types of businesses.
  • Working with the stakeholders
    • Work in systems that make sense to people that need to do the work. Rally, Jira, etc.
      • This can also give you traceability for when things are actually fixed.
    • Don’t dump on people in big group meetings, take the findings to the specific teams
      • That will give them time to develop a plan for the findings that are affecting them
  • Managing upwards
    • No matter how well or poorly the report is written, it’s still going to end up being your job to explain “how bad is this thing you handed me?”
    • Have to manage the findings and their perception upwards
      • Remediate, mitigate, or accept
      • That's an upper management call
  • Dealing with the Re-test
    • Most penetration tests have a clause in there for re-testing findings. Make sure you actually take advantage of that.
      • This looks good from both an actual security posture position and a management position
    • Some penetration testers will let you remediate quickly and have them re-test, which can be reflected in the final report
      • Especially if your report might going to customers, this is incredibly useful. Take advantage of this if at all possible.
Direct download: SFS_Podcast_Ep_-_197.mp3
Category:podcasts -- posted at: 10:46pm EDT