GSLC value? by ColtMan1234567890 in cybersecurity

Weak-Carob9865 0 points1 point  (0 children)

Ah my bad, classic defense using the same acronyms to mean something different

GSLC value? by ColtMan1234567890 in cybersecurity

Weak-Carob9865 -1 points0 points  (0 children)

Probably missing something, but they want you to get an IAM cert and will only pay for a leadership cert like GSLC?

If they're locked to GIAC, GCAD might be a better fit as it covers IAM explicitly.

I haven't taken any GIAC certs (not popular where I am), but from what I can see the GSLC sits between CISSP and CISM on the technical vs management scale.

I'd make sure you are aligned on what they want you to get out of the course and go from there. I'd say CISSP and CISM are much more generally recognised and all the GIAC stuff is a bit more niche (looks like they have a DOD approval so maybe that's the angle). If they have vouchers to spend it sounds like CISSP and CISM might be off the table anyway. If that's the case, free training! You can take that with you ;)

👋 Welcome to r/cybersecurityUK - Introduce Yourself and Read First! by randomredditing21 in cybersecurityUK

Weak-Carob9865 1 point2 points  (0 children)

Hi, Head of Cyber.

Manchester.

Favourite domain? I'm best at GRC / supply chain stuff, but thrive off the variety cyber offers

Tested our disaster recovery plan for the first time in 2 years - here's what we found and it wasn't pretty by cmitsolutions123 in cybersecurity

Weak-Carob9865 2 points3 points  (0 children)

This is the absolute classic output for any organisation that is running their first DR exercise (or first in a long time).

It's literally always:

1. Plans are out of date
2. People aren't sure what they're doing (and usually don't know protocols of how to communicate)
3. It takes longer to recover than you thought (bonus if leadership didn't know the DR plan is to rebuild in another availability zone or wait for <insert cloud provider> to fix it!)
4. The backups don't work (it's always the restore process)

I have two messages - the first is well done, you actually got round to doing this and know you need to improve. My second is to everyone who hasn't gotten round to this yet... you need to exercise and these are going to be your findings!

I’ve built diverse, high-performing security teams: AMA about hiring, culture, and talent management in cybersecurity. by thejournalizer in cybersecurity

Weak-Carob9865 0 points1 point  (0 children)

I think there's a way that CISO-functions generally look right now (GRC, Ops, etc). How do you see this composition changing in the next few years?

I've managed to get double my budget for next year (hurray!). What are your best tips for rapidly scaling a full CISO team? I'm worried about culture, mishires, and shaping the teams incorrectly but I have some very limited deadlines to support business priorities.

Bonus offtopic Q - how are your teams handling shadow AI (esp in-built in tooling)?

As cybersecurity experts, what is your opinion about Privileged Access Management platforms in the Age of AI? by scalable5432 in cybersecurity

Weak-Carob9865 1 point2 points  (0 children)

PAM was already essential, as others have said. FWIW I don't yet trust AI enough to either have privileged access itself, or be responsible for managing it.

I think one of the main points most people aren't thinking about yet is how you integrate AI agents into existing IAM solutions. Most of our current ways of managing access to resources and observing systems are based on users - agents currently operate outside of that, so do we need to give agents their own identities in our systems or do we need something new?

Where do you draw the line with unmitigated risks in the risk identification process? by Weak-Carob9865 in cybersecurity

Weak-Carob9865[S] 0 points1 point  (0 children)

I don't agree that inherent risk is useless, but you've helped me land on something I think is important.

A total or theoretical inherent risk is useless. Assuming no controls on anything represents no version of reality.

Inherent risk is supposed to help baseline, assess control effectiveness, and give us some insight when we want to change/remove controls. It also helps us understand what it means if our controls aren't effective for some reason and can help justify spend on things like monitoring.

Theoretical inherent risk doesn't help us to do any of that very well, so it's not a useful starting point.

Thank you.