Hailing from Australia, I’ve been working in tech for 30 years, from the humble beginnings of a Netware 3.x CNA. In Australia I worked in healthcare, banking & finance, and since relocating to the United States I’ve spent time at Microsoft, Facebook, Wealthfront and Cyral.
While configuration management has been iterating through the years: from handcrafted config.sys, INF files, and IaC, I’ve always been biased towards automation. As tooling has improved, and source control has become more mainstream (trying to get software engineers working in VSS 6 was a challenge 20 years ago), I’m a big believer in pushing a self-service security model within organizations.
About a decade ago, I started feeling the war of escalation between attackers and defenders seemed to be both endless and pointless. Attack surface will continue to increase as we adopt new tools, technologies, and enable new team members to be more self-sufficient and autonomous. Rather than trying to pursue every new endpoint or attack vector, my paradigm changed to just focusing on protecting data at the source – this way I can sleep a little easier assuming that an employee’s laptop will be compromised at some point, but the organization’s sensitive data will still be protected.
Ross Haleliuk’s recent analysis of there being as many security vendors as buyers, made me reflect on the type of challenges I’ve previously worked through and not needed a vendor … but now there’s 4 different vendor solutions … so figured it’s worth publishing my thoughts and tips on reducing data security risks without listening to another 20 vendor pitches.
Any opinions expressed here are my own, and any examples I reference are from personal experience: in my day to day work, or while working with friends & colleagues on tackling security issues.
You can find me on LinkedIn @ https://www.linkedin.com/in/mononymous
Mononymous? Yes, it’s a thing 🤷♂️