It’s a fuzzy feeling. That of anticipation, creativity and doing something new. When you find that one thing that no-one has done before that grants you new privileges and possibilities. Here we are, one week before the launch of my new company, ready to teach and learn. Bringing 0day vulnerabilities into the world, you have to maintain a strategy that causes the least harm and yet makes enough impact for vendors to fix and users to patch. With me it’s the same. I’m eager to make an impact and yet strive to remain focused enough to help users towards a safer journey. To achieve this purpose my concept is simple: I need to do two things, identify risks and support mitigation.
Identify and mitigate
Too often has the security industry worked towards identifying risks and assigning blame, but withheld the support towards fixing the issue and its root cause. We can do better. Risk mitigation solutions have no silver bullets. There is not one solution for all security risks. Risk mitigation always requires risk awareness and situational awareness. Commonly, risk identification is achieved by penetration testing and sometimes “threat hunting”. These tasks are performed by security specialists who share information and language within the CISO group of a company, where risk awareness is already higher than average. I want to increase risk awareness in the entire organisation (where the situational awareness is already high) by employing pedagogics, community building, information sharing, creative workshops and a process to lift risk awareness in R&D.
I can’t make any grand promises, but I really want to stay in touch with you through this newsletter. I’ll share some of my personal highlights and some research findings. I have a few unpublished “research nuggets” I’d like to share with you that I hope you will find interesting.