StrategyMix Insights Forum - Every Question Gets a Great Answer

Insight Questions

About Insights

The StrategyMix Insights Online Forum operates in much the same way as our roundtables: it uses a Q&A format and is run under the Chatham House Rule. The group is also tightly moderated, so there will be no spam, just quality content.

The group is only open to Senior IT Executives and to carefully screened Trusted Advisors who we believe will add value by providing well-informed answers to the forum questions.

How to Join Insights

Note: If you are already an Insights member, the link to log on is: https://insights.strategymix.com/

Some context: I’m working with our head of DevOps on securing the global DevOps program. So, I’m focused on creating a custom framework for securing the “production line” of software developed in-house. I’m looking at OWASP’s DevSecOps maturity framework plus Gartner’s content (I have a sub). Both aren’t exactly what I’m looking for. My question: I’m interested to know which frameworks and controls companies are considering for securing repositories for source code, artifacts and containers, commits and CI/CD pipelines. We’re standardising on GitHub, including GH Advanced Security, and are looking at tools like Cycode and Legit Security.

Last Update: 19 Sep 2023 - (Cyber Leaders)
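As an added illustration of one concrete pipeline control for the question above (this is editorial example code, not a forum answer and not from GitHub, Cycode or Legit Security), the script below audits a GitHub Actions workflow for two points that every framework on this topic ends up requiring: third-party actions pinned to an immutable commit SHA rather than a mutable tag or branch, and an explicit top-level permissions block so the job token is least-privilege. The workflow text, the owner names and the 40-hex SHAs are constructed placeholders; the scan is line-based so it needs only the standard library.

```python
"""Audit a GitHub Actions workflow for two supply-chain hygiene controls.

Added example, not code from the forum or from any vendor. Checks:
  1. Every non-local `uses:` reference is pinned to a full 40-hex commit SHA.
     A tag such as @v4 or a branch such as @main can be moved to point at
     different code; a commit SHA cannot.
  2. The workflow declares a top-level `permissions:` block, so GITHUB_TOKEN
     gets explicit scopes instead of the repository default.
The YAML is scanned line by line (no PyYAML dependency), which is enough
for the `uses:` and top-level `permissions:` keys this audit cares about.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: owner/repo@ref" or "uses: owner/repo/path@ref"; stops at
# whitespace, quotes or a trailing "# comment".
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
PERMISSIONS = re.compile(r"^permissions:")  # column 0 means top level


@dataclass
class Finding:
    line: int      # 0 means "whole workflow"
    ref: str
    reason: str


def audit_workflow(text: str, trusted_owners: Tuple[str, ...] = ("actions",)) -> List[Finding]:
    """Return one Finding per unpinned action plus one if permissions are missing.

    `trusted_owners` only changes the wording: first-party actions are still
    flagged, because a mutable tag is mutable regardless of who owns it.
    """
    findings: List[Finding] = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PERMISSIONS.match(line):
            has_permissions = True
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local composite actions and docker:// images are out of scope here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "no version reference at all"))
            continue
        action, version = ref.rsplit("@", 1)
        if SHA40.match(version):
            continue  # immutable pin, nothing to report
        owner = action.split("/")[0]
        who = "first-party" if owner in trusted_owners else "third-party"
        findings.append(Finding(
            lineno, ref,
            f"{who} action pinned to mutable ref '{version}'; pin to a 40-hex commit SHA",
        ))
    if not has_permissions:
        findings.append(Finding(
            0, "<workflow>",
            "no top-level permissions block; GITHUB_TOKEN gets repository default scopes",
        ))
    return findings


# Constructed sample workflow; the SHA and vendor name are placeholders.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: some-vendor/publish-artifact@main
      - uses: ./.github/actions/local-step
      - run: npm ci && npm test
"""


def main() -> None:
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")


if __name__ == "__main__":
    main()
```

On the sample this reports the checkout step (tag), the vendor step (branch) and the missing permissions block, while the SHA-pinned step and the local action pass; wire the same check into a required status check or a pre-merge hook so a workflow change cannot reintroduce a mutable reference.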


We have been PCI compliant for a decade now and we have used PCI as a de facto cyber framework despite its limitations (it is very prescriptive and very narrow in scope). We want to adopt one of the broader frameworks (NIST, Essential 8 etc.) while avoiding too much duplication and added work – does anyone have any recommendations or experiences to share in this area? We looked at this in a panel discussion and there were some suggestions that NIST works best as a basis but the best answer may be a tailored mix. I like that (and I think it is always inevitable to some extent) but I do also like the certainty, when interacting with partners, insurers and the board, of being able to state compliance to a particular framework. Any further thoughts?

Last Update: 19 Sep 2023 - (Cyber for CIOs)


How are others handling threats like juice-jacking, or staff plugging in random USB drive/disk? What combination of approaches do you use?

Last Update: 13 Sep 2023 - (Cyber for CIOs)


With all the leakage of personally identifying data happening around the globe, will we ever see a digital or other ID that can’t be faked?

Last Update: 11 Sep 2023 - (Cyber for CIOs)


In the privileged access management (PAM) world, how do you best remediate the risk when service accounts are being automatically managed? i.e. credentials changed (or not changed)

Last Update: 06 Sep 2023 - (Cyber Leaders)


Ransomware Payments - Should you pay, if so in what circumstances?

Last Update: 27 Jul 2023 - (Cyber Leaders)


Quotes and Cliches - love, hate, overused, fresh? Are there quotes you rely on to support your message that you think really resonate, or you now realise are terrible distractions from your message?

Last Update: 27 Jul 2023 - (Cyber Leaders)


CASB - cloud access security broker - advice? Currently assisting an org that doesn’t have a CASB solution, but has an audit finding recommending it be implemented. I have not heard “CASB” discussed recently or seen any big marketing campaigns but I might have been looking the other way. Perhaps everyone has bought one and the advertising has moved on. Do you have one, and if so, can you share any feedback on the capability, effectiveness and operating overhead needed?

Last Update: 27 Jul 2023 - (Cyber Leaders)


What tools are people using for container security to secure container storage, runtime and environment? We have limited on-premises infrastructure these days and use mainly AWS, Azure and GCP. We currently use Wiz; this is currently agentless and can scan both container storage as well as container environment (e.g. AWS Fargate) and will soon have an agent that can scan a container’s runtime. We are looking at Crowdstrike and SentinelOne for general endpoint protection and EDR, and these also have the facility to scan containers. Does anyone have any recommendations or information based on comparisons?

Last Update: 27 Jul 2023 - (Cyber Leaders)


Is anyone looking at tools for application security orchestration and correlation (ASOC), application security posture mgt. (ASPM) and software supply chain security? Any recommendations? We are looking at ArmorCode, CyCode, Dazz, Legit Security, and Ox Security.

Last Update: 20 Jul 2023 - (Cyber Leaders)