Starting Up Security was not written in order. In 2018 these essays were organized and structured as you see them now.
These were written for security teams of varying size and maturity that are looking for direction or opinions on how to get started, or how to grow.
The eponymous article is a prescriptive starting point that works in the spirit of a maturity model. This section contains links to other high-level guidance as well.
The Risk Management section covers more intentional, quantitative approaches to a security program. Working from scratch, you'll organize risks into scenarios, build consensus, and roadmap your work. These are highly opinionated.
Anecdotes about team structure and the role of a security team and individual are laced throughout my essays. However, the more specific writings will go into
The most writing I have is around Incident Response. Often these are based on my personal experiences during or following an incident.
I make it a priority to write about incidents that are public that have valuable lessons. These can be found in
Abuse, Fraud, Spam relates to product issues that target consumers. Specifically, this category focuses on the bad things that occur when a product is working as intended, as opposed to something fixable like a vulnerability being exploited.
Nearly all of my clients are on AWS or depend on it to some degree. As a result I've written some specific guides on AWS as well.
Some readers may be here because of a compliance need or customer demand to meet a requirement. I have some essays and policies written on this area in Policy and Compliance.