Activity - Systems Lifecycle Management (Part 1)
1. Did you know?
In the context of formal security management frameworks, an "Associate" is strictly defined as an individual who is directly under the Security Management Professional's chain of command.
Examples: Security analysts, security engineers, shift guards, or IAM administrators reporting to the CISO or Security Director.
2. The Power Dynamic: Authority vs. Influence
The term "associate" is intentionally used to draw a hard line between who you command and who you influence.
Managing Associates (Formal Authority): You possess administrative and directive control. You are responsible for their performance reviews, budget, task allocation, and daily accountability. You can issue direct orders (e.g., "Analyse this log file today").
Working with Others (Informal Influence): You do not manage stakeholders (the Board), asset owners (Business Unit Leaders), or functional managers (the Head of HR or IT). For these groups, you must rely on expert power (your knowledge) and referent power (your relationship-building skills) to negotiate and integrate security into their workflows.
📚 Concept Breakdown
1. DevSecOps & Software Security (AppSec)
SBOM (Software Bill of Materials): A comprehensive inventory of all third-party and open-source components used in an application. It is crucial for supply chain security; if a zero-day drops (like Log4j), your SBOM tells you instantly if you are vulnerable.
DevSecOps & "Shift Left": Moving security checks to the earliest possible phases of the Software Development Life Cycle (SDLC). It relies heavily on automation to avoid slowing down developers.
SAST vs. DAST:
SAST (Static Application Security Testing): Analyses the raw source code (white-box) before the app runs to identify coding flaws.
DAST (Dynamic Application Security Testing): Interacts with the running application (black-box) from the outside to identify runtime vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection.
Break the Build: A DevSecOps automated control where the continuous integration (CI) pipeline automatically halts and refuses to deploy code if a critical vulnerability is detected by SAST/DAST tools.
Injection Attacks & Input Validation: Injection occurs when an application is tricked into executing user input as code (e.g., dropping a database table). Input validation ensures the system strictly treats input as harmless data.
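An added example (not code from the original notes) for the injection entry above: the same user lookup written with string concatenation, which the database parses as part of the statement, beside the parameterised version, plus an allow-list validator as a second layer. The in-memory users table and the crafted input are constructed for illustration.

```python
import sqlite3
from typing import List

def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "analyst"), ("carol", "guard")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    # The user-supplied value is spliced into the SQL text, so the database
    # treats it as part of the statement rather than as data: a value such as
    # x' OR '1'='1 turns the WHERE clause into one that matches every row.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_hardened(conn: sqlite3.Connection, name: str) -> List[str]:
    # Bound parameter: the driver sends the value separately from the SQL,
    # so it can only ever be compared as a string and never changes the query.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def validate_username(name: str) -> str:
    # Allow-list input validation: reject anything that is not a short
    # alphanumeric identifier before it reaches any query at all.
    if not name.isalnum() or len(name) > 32:
        raise ValueError("invalid username")
    return name
```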
2. Security Architecture & Engineering
NIST SP 800-160: A standard that treats security not as an IT checklist, but as a fundamental, engineered quality of a system (like durability or safety in building a bridge).
Zero Trust & Policy Decision Point (PDP): Zero Trust abandons the idea of a "trusted internal network." The PDP is the engine that evaluates every request (checking identity, device health, and context) before granting access, effectively serving as a new micro-perimeter around each resource.
Golden Image vs. Snowflakes: A Golden Image is a perfectly configured, hardened template used to deploy all new servers. Snowflakes are servers that have been manually tweaked over time, creating a nightmare for configuration management and security baselining.
Immutable Infrastructure: The practice of never modifying or patching a running server. Instead of patching a live server (which could allow malware to persist), you build a newly patched Golden Image, destroy the old server, and spin up the new one.
Security by Obscurity vs. Kerckhoffs's Principle: Hiding the login page URL is "obscurity." Kerckhoffs's Principle dictates that a system should remain secure even if the attacker knows everything about how it works, except for the key/password.
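An added example (not code from the original notes) of a minimal Policy Decision Point for the Zero Trust entry above: every request is checked on identity, device health and context, and anything not explicitly allowed is denied. The Request fields, policy table and allowed-country list are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass
class Request:
    user: str
    groups: Set[str]       # group membership from the identity provider
    mfa: bool              # session was authenticated with a second factor
    device_managed: bool   # device is enrolled in device management
    device_patched: bool   # endpoint agent reports a current patch level
    resource: str          # e.g. "hr-db", "wiki"
    action: str            # e.g. "read", "write"
    country: str           # geo-IP of the request source

# Constructed policy table (hypothetical): per resource, who may access it,
# whether MFA and a managed device are required, and who may write.
POLICY = {
    "wiki":  {"groups": {"staff"}, "mfa": False, "managed": False, "write_groups": {"staff"}},
    "hr-db": {"groups": {"hr"}, "mfa": True, "managed": True, "write_groups": {"hr-admins"}},
}
ALLOWED_COUNTRIES = {"GB", "IE"}  # constructed context rule

def decide(req: Request) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny", reasons). Default deny: unknown resources are refused."""
    policy = POLICY.get(req.resource)
    if policy is None:
        return "deny", ["unknown resource"]
    reasons: List[str] = []
    # Identity checks
    if not req.groups & policy["groups"]:
        reasons.append("identity: not in an authorised group")
    if policy["mfa"] and not req.mfa:
        reasons.append("identity: MFA required")
    # Device health checks
    if policy["managed"] and not req.device_managed:
        reasons.append("device: unmanaged device")
    if not req.device_patched:
        reasons.append("device: patch level out of date")
    # Context checks
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("context: request from unexpected location")
    if req.action == "write" and not req.groups & policy["write_groups"]:
        reasons.append("identity: write requires elevated group")
    return ("allow", ["all checks passed"]) if not reasons else ("deny", reasons)
```

Every failed check is recorded rather than stopping at the first, so the denial reasons can be logged for detection and for tuning the policy.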
3. Risk Management & Governance
Authorizing Official (AO): The senior executive (often a business leader, not IT) who accepts the residual risk of a system and formally grants the ATO (Authority to Operate). The CISO only advises; the AO owns the risk.
Verification vs. Validation:
Verification: "Did we build the app exactly as the blueprint stated?"
Validation: "Does the app actually solve the business problem we needed it to solve?"
Technical Debt & Cost of Defect: Putting off security fixes (like using End-of-Life/EOL libraries) creates "debt." Fixing a security flaw in the design phase is cheap; fixing it after the software is in production is exponentially more expensive and disruptive.
Context-Aware Prioritisation (Reachability): Not all critical vulnerabilities need immediate fixing. If a system has a critical flaw, but the vulnerable code is utterly impossible to reach or trigger from the outside, the actual risk is lower.
Security Impact Analysis (SIA): A formal change management step. Before a change is approved, you analyse how it will affect the organisation's overall security posture.
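An added example (not code from the original notes) that ties together the SBOM lookup and break-the-build gate from section 1 with the reachability-based prioritisation above: components in a CycloneDX-style SBOM are matched against an advisory feed, findings the application cannot reach are downgraded, and the build is broken only for what is still critical. The SBOM, the advisory feed (placeholder IDs, not real CVE records) and the reachability results are constructed for illustration.

```python
import json
from typing import Dict, List

# Constructed sample SBOM (CycloneDX-like JSON, trimmed to the fields used here).
SBOM_JSON = """{
  "components": [
    {"name": "log4j-core", "version": "2.14.1"},
    {"name": "jackson-databind", "version": "2.13.4"},
    {"name": "commons-text", "version": "1.9"}
  ]
}"""

# Constructed advisory feed with placeholder IDs (not real CVE records).
ADVISORIES = [
    {"id": "ADV-0001", "component": "log4j-core", "fixed_in": "2.17.1", "severity": "critical"},
    {"id": "ADV-0002", "component": "commons-text", "fixed_in": "1.10.0", "severity": "critical"},
    {"id": "ADV-0003", "component": "jackson-databind", "fixed_in": "2.13.3", "severity": "high"},
]

# Hypothetical output of a call-graph reachability analysis: can application
# code actually reach the vulnerable component at runtime?
REACHABLE = {"log4j-core": True, "commons-text": False}

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def sbom_findings(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Match each SBOM component against the advisories; return the affected ones."""
    components = {c["name"]: c["version"] for c in json.loads(sbom_json)["components"]}
    findings = []
    for adv in advisories:
        installed = components.get(adv["component"])
        if installed and version_tuple(installed) < version_tuple(adv["fixed_in"]):
            findings.append({**adv, "installed": installed})
    return findings

def prioritise(findings: List[Dict], reachable: Dict[str, bool]) -> List[Dict]:
    """Context-aware prioritisation: unreachable code lowers the effective severity."""
    out = []
    for f in findings:
        is_reachable = reachable.get(f["component"], True)  # unknown: assume reachable
        effective = f["severity"] if is_reachable else "low"
        out.append({**f, "reachable": is_reachable, "effective_severity": effective})
    return out

def break_the_build(prioritised: List[Dict]) -> bool:
    """Break the build only for findings that are still critical after prioritisation."""
    return any(f["effective_severity"] == "critical" for f in prioritised)
```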
4. Operations & Physical Security
Degaussing vs. SSD Shredding: Degaussing uses a powerful magnet to erase data from traditional Hard Disk Drives (HDDs) and tapes. Solid State Drives (SSDs) store data in flash memory chips rather than on magnetic media, so degaussing an SSD does nothing. SSDs must be physically shredded or cryptographically erased.
Hot Site Synchronisation (Configuration Management): A hot site is a fully operational backup data centre. If you patch your main production servers but forget to patch the hot site, your disaster recovery plan is fundamentally broken and vulnerable.
Compensating Controls (Mitigation): If you cannot apply a permanent fix (like a vendor patch), you apply a temporary workaround—like writing a rule on a Web Application Firewall (WAF) to block the specific attack—until the patch is released.
Administrative Controls: Security controls are generally Technical (firewalls), Physical (locks), or Administrative. Training is an administrative/directive control because it dictates human behaviour through policy and education.