Re: Sage advise
A firesale perhaps?
6 publicly visible posts • joined 18 Sep 2017
I've 13+ years working in InfoSec for all manner of organisations.
In my experience there used to be a 50/50 split on InfoSec peeps who trust password managers of any stripe. Some of the most impressive people I've ever worked with just point blank refuse to use password managers.
I can see both sides of the argument but in the last couple of years InfoSec people, in my experience, are trending towards password managers now...
Personally...I'll use my brain and continue to get pissed off every time I have to reset a password I've forgotten...
And yes I wear a tinfoil hat but only when I sleep.
So the advice from the NCSC above does have a point...however it also misses a lot.
I get it....strong passwords changed frequently is a pain, causes disruption etc etc. But there is a school of thought that writing complex and hard to remember passwords down can be a good thing in certain circumstances. https://www.schneier.com/blog/archives/2005/06/write_down_your.html
I know of one very large company now advocating the writing down of passwords.
Also moving away from a preventative to a detective control is a risky business and always makes me feel uncomfortable. Is your organisation capable of reacting to such detected anomalies? I'll bet it's not nearly as good as you'd like to think it is.
This advice does add something to the conversation but will likely be abused as there are so many other considerations that people won't take into account when deciding to bin their password reset policy.
Like all security controls...it's a pick and mix to overlap controls that are workable for the user, get the organisation into a compliant state and within its risk appetite.
Poor show NCSC that shows a lack of real world experience.
Probably the most sensible comment I've read on this thread. Get the basics sorted - could not agree more...but without management support then you really are on a hiding to nothing.
I once did a consultancy gig with an ex-NHS CISO who was about as impressive as Jeremy Corbyn but with less vision.
Congratulations Equifax......You blame the very people who have, in all likelihood, been pressuring for more frequent security patching as well as other changes. This is why being a CISO is truly a terrible job. If you do it well nothing happens and it's BAU. But you are viewed as not making any money for the company, or bringing in more customers...in fact all you do is spend money and slow up project delivery. A CISO is always seen as a major thorn BUT the minute something goes bang all the eyes turn to the CISO....he or she is then screwed, and the most laughable part is that they are often not on the board (despite the C tag) and they are certainly earning far less than other C-Level execs.