Want to Talk to a Cybersecurity Expert?
How to schedule a call with Teri Radichel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.
🔒 Related Stories: Cybersecurity Careers | Pentesting
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

One of the things I do for a living is answer a call on any cybersecurity topic within my realm of expertise. You can learn more about those services here:
https://2ndsightlab.com/cybersecurity-phone-consulting.html
Cybersecurity and Cloud Security Questions
What kind of security questions can I answer on a call?
You can start with things I’ve written about on this blog:
Here are the types of questions I answer:
- Questions about application security
- How do you architect a secure CI/CD pipeline?
- How can you implement cloud governance within your organization?
- How do you bring your developers up to speed on cybersecurity?
- Where does DAST fit into your deployment model?
- Are there any gaps in our cloud security architecture design?
- Differences between cloud providers
- Container security
- Kubernetes security
- API Security
- Source Control
- Secrets in Code
- Cloud Compliance
- Cybersecurity for Executives
- Speaking to Executives About Cybersecurity
- Cybersecurity Metrics
- How secure is our application design?
- Questions about specific cloud services on AWS, Azure, or Google
- Cloud networking
- How do I build secure software?
- How can I improve cybersecurity for development teams?
- Where should a pentest fit into my development lifecycle?
- Cloud IAM
- Secure development environments
- I’m currently working through setting up and testing Okta and can speak to various issues related to SSO/IDP systems I’ve used and SSO architectures.
- Top problems I find on penetration tests that you’ll want to make sure your organization prevents.
- Issues I find on security assessments that your organization will want to address.
- How to prevent what happened in a recent cloud-related data breach in your organization.
- How to get started in cloud security if you are brand new to the topic.
I have answered many other kinds of security questions as well. Whether I can answer yours depends on whether I feel I know enough about the topic to answer it adequately. Just ask IANS: they will pass the question along, I will take a look, and I will tell them whether I can answer it. If I can’t (in most cases because it’s not related to cloud or application security), someone else on the staff likely can, and I will try to recommend someone I know who might answer it.
Sharing Security Documents
Sometimes people want me to review their policies, plans, system designs, bug bounty findings, penetration test results, or cloud security architecture. If you want to send me any documents, send them in advance of the call:
You can send them encrypted or unencrypted, depending on the nature of the document and how you feel about email security.
I especially do not want to click on links in chats. Unfortunately, there are sometimes a lot of people on calls and I don’t know who they all are. If you want to send me something to look at, please do so in advance.
About Video
Note that I do not use Zoom for video or chat; I dial in. I’m not going into all my reasons for that here. It’s odd that before the pandemic no one expected you to be on video. Now they do. So to set proper expectations, know that you’ll be hearing my voice on a call. You can use video if you like, and the moderator likely will too. If you want to see my face, come to one of my presentations. I’ll be doing another one for IANS in Atlanta later this year.
Also, are you aware of the network requirements for Microsoft Teams? Not everyone trying to implement zero-trust networking will have these ports open:
Surveys — what product should I buy?
IANS also has surveys of faculty on particular topics. I don’t participate in those. If you want to speak to me or get my input, please schedule a call. But surveys are good for questions I don’t answer, like “what tool is everybody else using?” That’s the type of question I don’t answer, and you’re likely better off getting a range of answers to it. No one person has used every tool out there. Forums also exist for CISOs within IANS where you can ask those kinds of questions and see what tools are and are not working for other people.
I’m not sure that doing what everyone else is doing is the best approach, but that input may be helpful as part of an overall strategy. For me, the most useful part would be understanding which tools absolutely are not working. But keep in mind that just because everyone uses a tool doesn’t mean you should too.
Tools are important, but as I have written before, a tool won’t save you. They are a starting point, not an end goal. But sometimes tools are all a security team can do in an organization. If you can, push for more.
Cybersecurity Lists and Resources
Lists are helpful, but lists alone won’t make you “secure.” They don’t replace a solid cybersecurity architecture.
Some lists may need revision over time to align with new threats and updated information. I have a request to update the CIS Controls here:
Although I don’t think lists solve all your problems, I can provide helpful resources, including some I have written myself on various topics. These resources are for the use of the organization I share them with only.
Alternative research-based and forward-looking viewpoints
If you are looking for an independent voice, not sponsored or paid by any company to promote their product, that’s me.*
If you want a viewpoint focused on research rather than the most common talking points, you might also choose me to answer a question. I don’t always think or say what everyone else is saying; my views are based on experience, analysis, and a point of view that is sometimes ahead of the industry.
That’s why SANS gave me an award for innovation in cybersecurity, the SANS Difference Makers Award, in 2017. A lot of the things I’ve taught in classes, written about, or spoken about have turned out to be true over the years. I wrote about the importance of secure deployment pipelines in my book (linked at the bottom of this post) in 2020 and announced it at RSA that year. Then SolarWinds happened.
I’m always researching what is causing breaches and trying to recommend ways to stop them. If you want to prevent a breach, I might have a viewpoint based on that research which may or may not align with industry-standard thought processes.
I have noticed that what I write about often gets picked up and promoted by other people.
I have a new idea I’m working through related to AWS governance in this blog post. It’s a way to segregate your critical assets and apply stronger governance to them. I’ve partially implemented this approach in the past and am now doing a deep-dive implementation to find any gaps; I’ll be looking at the pros and cons of this approach in more detail in upcoming blog posts. If you see this topic anywhere else and this page is not referenced, now you know the source. I haven’t seen anyone else write or speak about this particular approach, and I am researching cloud security all the time.
Here’s my take on a few topics that I am commonly or have recently been asked about.
CSPM and SSPM are popular topics in cloud security. I wrote about those topics here. They are helpful, and sometimes your only option depending on your organization. I also use tools like this when performing cloud assessments, but with additional analysis of architecture, processes, and policies. I cannot tell you which CSPM or SSPM to buy. Check out this post for more information.
Better than simply purchasing tools is implementing proper cloud governance, a secure deployment pipeline, and a security architecture (including networking, IAM, and encryption controls). That’s something I’ve been writing about in this blog series, and something I’ve been talking about since I started speaking on cloud security years ago.
I’m ultimately going to implement something to track cybersecurity metrics, which will likely include a CSPM and other tools, possibly open source tools, unless someone wants to donate tools for me to write about and pay me to do it. I may or may not accept such an offer and use the particular tool in my posts, and I will be honest in my assessment, which is why companies may be hesitant to do that.
Call me about governance! Call me about cybersecurity metrics. Call me about any of the services listed in this blog post if I haven’t answered all your questions here:
You can also call me with any software security related questions. I’m writing a book on software security here — ask me questions about this:
One particular post that I hope you will read is about thoughtful error handling. That post was based on my experiences and ideas that I have not seen anyone talking or writing about from that particular angle. I really hope that people who use those ideas refer others back to that blog post as the original source.
Call me about how to protect your organization from the attacks that have affected other organizations in data breaches like the ones I wrote about here (and I have a few more coming soon, including CircleCI and LastPass):
Someone recently wanted to interview me about TikTok. If you really want me to answer that question, let IANS know that you want me specifically to answer it and I’ll give you my opinion on the topic. However, I don’t work in the government and am not privy to what US intelligence has shared about TikTok that is making governments around the world start to ban it. That topic is a bit out of my area of focus, but I have written about geopolitical risks in your supply chain. Feel free to call me about this, but you’d probably be better off speaking to a lawyer in regards to any legal questions. Ask your vendors how they address this risk:
Another group wanted me to speak to them about cybersecurity investments. Once they got my opinion on an initial phone call they never called back, because I couldn’t tell them which security product to buy that would make them rich. Or perhaps because I don’t invest in security products. I’m not saying you shouldn’t. It’s just not what I do. I invest in things that pay dividends for the most part with a few minor exceptions. (Show me the money.)
It is interesting that a lot of security products are currently going private via private equity firms. I wrote about that above in my post on supply chain risks. I don’t have a crystal ball to tell you how that is going to work out. It’s something to watch.
I’m not the person you want to call for investment advice, with one exception. If you want to hire me to analyze a specific product and provide an assessment in relation to M&A or venture capital, which I have done in the past, I can tell you the pros and cons of a particular solution and where it fits in the market. That is not a phone call; that’s a project.
I’m currently working through a black box assessment of Okta here:
Hopefully that provides some insight into the types of topics and questions I can answer on calls. Again, you can learn more about options for scheduling a call with me here:
https://2ndsightlab.com/cybersecurity-phone-consulting.html
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2023
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign up for my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab