As a fellow #infosec practitioner I enjoy maturing the Cyber Security capabilities of the organization I work for. And as we make progress almost every day, I keep thinking about what the perfect state will be like and whether a state of perfection can ever be reached.

So, what does a perfect state of Cyber Security Operations look like?


On my Mastodon profile the following is written:

Cyber blue team leader by day, tinkerer/hacker at night. Architecting secure systems and traveling the world is what I like. Unfair, harsh, inconsiderate behavior is what I don't like.

I work in #infosec, have a history with #opensource, and am passionate about #decentralization. I especially dislike business models that rely on sales of personal information. When I was studying the impact of computer science and the Internet on societies in college back in the early 2000's, I was doubting that anyone will want to give away their info in return for free services. History has taught me otherwise.

One of my hobbies is soccer – I play in the meat space as well as in cyberspace. if you'd like to challenge my team, please send me a message.

As a way of giving back to the OSS community, I run two Mastodon instances:

How to contact me?

Mastodon: SSB: @FF0i8Xz++yzW7N8HFsKFc0cwPZMchYuKQDeGzceqzA0=.ed25519


It probably is a good time to share books worth reading – Below you can find my favorite #infosec books.

Sandworm (Andy Greenberg)

Sandworm (Amazon) is currently my favorite because it gives you an understanding of nation-state actor capabilities. It gives you good reasons for making excellence in cybersecurity a habit and not an act.

The Cuckoo's Egg (Cliff Stoll)

The Cuckoo’s Egg (Amazon) I like because it plays in a time that is so long ago with inferior tech and is a good reminder that things used to take forever. Today we do so many amazing things in a matter of minutes or hours (our adversaries do too) that we forget about all the little details that have been automated by tech.

Cult of the Dead Cow (Joseph Menn)

The cult of the dead cow (Amazon) is a book that explains a lot about the hacker culture in the US. This one might be a little nerdy but also gives some insight on how the US government came to understand cybercrime.


Key Performance Indicators (KPI) are what people in business generally use to measure the performance of a business function or team. In the Cybersecurity world we are blessed (or cursed) with plenty of KPIs. And even in the cyber sub-section of phishing we still have a lot of metrics that email security vendors force on us – Here are some examples:

  • Number of hard spoof emails blocked
  • Number of soft spoof emails blocked
  • Number of phishing emails quarantined
  • Number of malicious attachments quarantined
  • Number of phishing URLs blocked
  • Number of phishing emails reported by users
  • Number of phishing test failures

Now, let's take a step back! Does any of the above metrics make any sense to a normal (non cyber) person? And who is giving you your cyber budget again..?



Over the last couple of years there have been numerous debates on whether it is a good idea to get rid of password expiration. The arguments against password expiration are usually variations of the below:

Forcing users to change their passwords on a regular basis leads to widespread use of weak passwords. Frequent password changes in many systems lead to password re-use (aka user is using the same password everywhere) Putting the burden of security on the user is wrong, technology should do the heavy lifting. What is interesting about most of the conversations I read, is that they seem to ignore all the other password improvements that the advocates for getting rid of password expiration usually cite – When you get rid of password expiration, you are supposed to also do the following:

A. Improve password length significantly (switch from passwords to pass phrases)

B. Get rid of some password complexity requirements (Special characters are really hard to remember!)

C. Introduce a Password Blacklist (e.g. block the word 'password' or its variations like 'p4ssw0rd')

D. Monitor your user accounts for leaked credentials and force password changes once you detect a leaked credential!

Now, A,B,C are really easy to deliver – You can just install and configure some tech, which will do the job for you. It is pretty much a set and forget kind of thing to implement. However, D is a completely different beast – See the paragraphs below.