Starting Up Security was not written in order. In 2018 these essays were organized and structured as you see it now.

These were written for security teams of varying size and maturity that are looking for direction or opinions on how to get started, or grow.

  1. The eponymous article is a prescriptive starting point that works in the spirit of a maturity model. This section contains links to other high level guidance as well.

  2. The Risk Management section writes about more intentional, quantitative approaches to a security program. Working from scratch, you’ll organize risks into scenarios, build consensus, and roadmap your work. These are highly opinionated.

  3. Anecdotes about team structure and the role of a security team and individual are laced throughout my essays. However, the more specific writings will go into Organization.

  4. The most writing I have is around Incident Response. Often these are based on my personal experiences during or following an incident.

  5. I make it a priority to write about incidents that are public that have valuable lessons. These can be found in Post-mortem review.

  6. Abuse, Fraud, Spam relates to product issues that target consumers. Specifically, this categorically focuses on the bad things that occur when a product is working as intended, as opposed to something fixable like a vulnerability being exploited.

  7. Nearly all of my clients are on AWS or depend on it to some degree. As a result I’ve written some specific guides on AWS as well.

  8. Some readers may be here because of a compliance need or customer demand to meet a requirement. I have some essays and policies written on this area in Policy and Compliance.