Q&A with Jennifer (JJ) Minella on Enhancing Security through Human-Centric Practices

Jennifer (JJ) Minella, Founder and Principal Advisor at Viszen Security
Enhancing Security through Human-Centric Practices

In this week's edition of Cloud Control, cybersecurity meets mindfulness 🧘 And now it's time for you to meet Jennifer (JJ) Minella, Founder and Principal Advisor at Viszen Security. From decoding the puzzle of network security architecture to exploring the mindful side of cybersecurity, JJ brings a fresh perspective to the table.

Read on for where zen and firewalls collide, exclusive insights, and expert commentary that goes beyond the conventional—because in the world of cybersecurity, JJ Minella is not just an advisor; she's a disruptor of the status quo 👇

Question 1 💭

You have a diverse background as an author, international speaker, and advisor to Fortune 50 companies. In your own words, what challenges and pivotal moments have had a lasting impact on your career? How have these experiences influenced your approach to cybersecurity?

Answer 1 🎯

I've had many pivot points in my career, from being a technical individual contributor, to a manager, to an advisor/coach. But the biggest moment of enlightenment for me was when I realized this truth -- that more than 90% of what I thought were technical issues were really just the ripened fruits of very fundamental human issues.

Specifically, I came to understand that to be successful in cybersecurity meant better communication, giving and earning trust, and approaching work life with a mindfulness that would foster open-mindedness.

Question 2 💭

As the creator of mindfulness-based leadership workshops for CXOs, you advocate for a unique skill set obtained through mindfulness. How do you see mindfulness playing a role in addressing the evolving challenges in network security, especially in the context of emerging technologies like AI, or evolving solutions in cloud security?

Answer 2 🎯

First, I think it's important to get on the same page about how we define mindfulness. For example, "meditation" is often the first word people correlate when they hear "mindfulness", and that's not the goal here. 

Instead, I like to talk about mindfulness as a habit -- a way of thinking and being, versus something we're doing. 

In cybersecurity, the habit of mindfulness serves us at many levels. Engineers and architects can think outside the box with ease, solving problems in innovative ways. Managers and leaders can build strong relationships within and between teams. Mindful habits let us separate our personal preferences and feelings from fact, and offer a way to approach new challenges without the baggage of emotion. It's freeing in so many ways. 

And perhaps most importantly -- building mindful habits keeps everything in perspective and protects us from the overwhelm and stress this industry brings.

Question 3 💭

Beyond conventional approaches, how does mindfulness-driven leadership contribute to shaping solutions for the dynamic challenges often faced by cybersecurity leaders?

Answer 3 🎯

In the first workshop exercise, I always ask the room, "What makes a good leader?" or "What do good leaders do?" They say things like "build trust", "don't blame their team", "don't hide from criticism". They say good leaders are "authentic and approachable." There's always a long list. We write down the lists of what good leaders do and don't do. And then we talk about how each of those is connected to a way of thinking -- a habit.

Here's a funny secret about mindfulness and leadership skills. Every leadership skill -- every feature or behavior of a "good leader" as described by team members -- they're all rooted in mindfulness. 

I've been reading Andy Ellis' new book "1% Leadership" and I really love everything in it. It aligns so well with what I teach in the workshops and bring to my work with clients. It’s a blueprint for being present and leading with authenticity.

Question 4 💭

Having served on the (ISC)2 Board of Directors and various program committees, you've played a critical role in shaping industry standards. Looking ahead, what initiatives or changes do you believe are important to improve cybersecurity certifications and standards?

Answer 4 🎯

Oh boy, that's a loaded question! There are two balls of yarn to unravel here -- professional credentials (like the CISSP and certifications), and industry standards, which typically serve an organization's security practice.

Professional certifications will move down the path of more micro-learning, with the possibility of stacking discrete mini-certificates as part of a larger credential. Take the CISSP for example. It's a whopper. Imagine if instead of one giant body of knowledge, there were eight or ten bite-sized pieces, each aligned with a domain perhaps. 

In full transparency, the CISSP is a bad example because it (like most of ISC2's credentials) is ANSI accredited, which imposes strict guidelines around building and issuing the cert. But you get the point. 

Today's professionals are overwhelmed. We need "just in time" information, not "just in case" information. A series of 20-minute videos or whitepapers about a specific topic is just-in-time. A week-long course composed primarily of knowledge you'll never use again is just-in-case.

Question 5 💭

In your experience working with Fortune 50 companies and as a security advisor, can you share instances of how regulation and compliance have shaped security, or vice versa? Have there been moments of conflict or misaligned incentives?

Answer 5 🎯

Pause one moment while I grab the soapbox. 

Many of my peers in cybersecurity have a wealth of knowledge but have developed that in a vacuum of privilege. They've spent their entire careers in Fortune-sized and/or publicly-traded companies with a history of structure and maturity. They have teams for infosec. Most often, they have teams of teams within infosec. Some clients I work with have five people just to run the security awareness program. Many have an entire team to manage OT/ICS cybersecurity. 

But that's not normal. Well over 99.9% of the world's companies don't have those resources. Almost as many also don't have the time, support, or knowledge required to build a cybersecurity program.

Compliance does not equal security. 

But here's the jagged little pill -- compliance does force many companies (and professionals) to pay attention to cybersecurity in ways they would have never pursued on their own.  

So for that, I love compliance and regulations. 

The flip side of that is that those compliance requirements need to be helpful. They need to be actionable, reasonable, educational, and they need to reduce risk. Otherwise it's a waste of time, and it puts our limited attention on the wrong things. 

I'll pick on OT/ICS for a moment. Much of the guidance put out there is simply ignorant. "Remove all remote access" and "replace legacy products" is asinine advice and proves that, while well-intended, the authors have never worked in those environments.

Read the Full Q&A on Gomboc.ai

What’s New at Gomboc

In the magical land of Silicon Valley, where dreams and code converge, a tale is about to unfold… Imagine a sunny day in the Valley, with Kubernetes on the horizon, ready to set sail into production waters. But, as fate would have it, chaos ensues, and our beloved character, Streamline Willie, finds himself in the midst of a cloud conundrum 🚢💻

Watch Mickey as he goes on a rollercoaster of tech shenanigans, only to be saved by Gomboc 💪

Top Articles and Resources of the Week

Resources

  1. Major Cloud Security Events and Conferences

     Opt in to this resource to receive updates on events and conferences in cloud security. Meet like-minded cloud security professionals from around the globe to learn, exchange ideas, network, and more.

  2. Top 50 InfoSec Networking Groups to Join

     Join these top 50 associations, LinkedIn groups, and meetups to stay ahead of the curve on all things InfoSec.

  3. CIS Benchmarks

     The Center for Internet Security (CIS) is a fantastic resource for initiating, implementing, and upholding a robust cloud security strategy. Access their detailed benchmarks tailored for AWS, GCP, Azure, and more. For a deeper understanding, explore the CIS Controls Cloud Companion Guide.

  4. SANS Practical Guide to Security in the AWS Cloud

     In collaboration with AWS Marketplace, SANS introduces an in-depth guide tailored for AWS enthusiasts. Whether you're a novice or an expert, this extensive resource delves into the intricacies of AWS security.

  5. Security Best Practices for Azure Solutions

     Learn key security practices tailored for Azure solutions and understand their significance. This comprehensive guide offers insights into developing and deploying a secure Azure environment.