The author of this is ex-Board of Goldman Sachs Infosec, current GCP CISO, and is about the only security thought leader who puts up LI content that is not total garbage (Ron Ross of NIST is the other I can think of).
Yet, in the comments, people are explaining Phil’s view of the job to Phil, because Phil is apparently not an “actual technical security expert.” … what?
People like PV build and lead very competent security programs because they see nuance, and focus on biz value. Sec engs, aka “actual technical security experts,” who burn out or whose companies burn out on them usually don’t.
Edit: I just double checked his resume, forgot to add board of h1, BISO/CISO of a few other banks, former SWE, so on. Security culture is its own worst enemy sometimes when evaluating content like this.
I think one of my actually business oriented colleagues put it best, "I've read through 20,000 pages of NIST security material, and there is no sense of business prioritization, or cogent strategy between all of it."
Truth be told, some of this came out much later. As in, 5 - 7 years later. In the interim a huge amount of abstract security controls that significantly lag actual defensive industry, and the paper A&A / NIST 800-37 process.
Read about two sections that I thought were relevant, the rest was fluff.
LI is not normally a place for security thought leadership.
Ron puts out decent views on system security in his smaller formats, and pretty interestingly - if you have his cell phone, you can call and he’ll chat for advice.
Given the central points he sits on for his work, that level of access is at a minimum a great way to get some intel into “govt’s” view on this world. This increasingly matters as they step into the blue team fray vs FEYE leading it. More importantly, security world needs more of that open door policy from senior leaders.
LinkedIn. If you ever hear "thought leader" in a sentence you should default to "virtue signaling gas bag", the majority of which congregate on LinkedIn, trying to attain a weird sort of guru status and build a following. Sometimes you get people with a good point of view, like this guy. Most times not.