Eric Alexander

March 3, 2018

Dishes in the Sink

Have you ever witnessed a broken process that was obviously broken and doomed to fail? Not because it couldn’t work. The process would never work simply because the owner of the process was blind to why it didn’t work: the human factor. I’ve seen this in security all too often. We often want to ignore how our brains work and blame the training or blame human nature. Proposed fixes are often more training or threats of termination. ...

January 27, 2018

Security Awareness Training - What Works?

Need to be PCI, CJIS, or NIST 800-53 compliant? If so, Security Awareness Training (SAT) isn’t optional. What if you’re not bound by those security requirements? What if you could take a pragmatic approach and do it not because you have to, but because your only motivation is to reduce risk? Let’s say you’re launching a new cryptocurrency exchange. You’re not bound by any compliance requirement, but you’re also a major target. ...

January 10, 2018

Make Change Happen

“Look at email, go to meetings, discuss designs, have my head explode because people are retarded, look at vuln reports on production servers, head explodes because people haven’t patched shit in 2 fuckin years, send emails, write power point presentations telling management how bad their people suck, talk to some lawyers, respond to an incident then go the fuck home to do it all over again the next day.” ...

November 24, 2017

Uptime Is the Evil of Secure

Who hates uptime? If we’re talking system uptime, then yeah, this guy hates uptime. Service uptime? Love it. Metrics? Love those also. My favorite metrics are aggregates. I love single values that can tell a story. Uptime is one of the best aggregates. Uptime tells us the obvious: how long has it been up? It also tells us the not so obvious: how good are we at patching systems, and how good are we at designing resilient services? ...

November 12, 2017

Can They Code?

We have a coding skill set requirement for engineering candidates at The Trade Desk. It’s a requirement for everyone from our DBAs to our Information Security Engineers. I can probably guess what you may be thinking. Let’s get some common arguments out of the way. “Software Engineers should focus on writing code. Let me focus on my discipline.” “There’s a shortage of InfoSec candidates. Why further limit the talent pool?” ...

November 8, 2017

Infosec Hierarchy of Needs

Ever pondered the natural order of reducing risk in InfoSec, or the natural order of working towards compliance? It’s something I’ve been thinking about lately. Maybe it’s related to the recurring conversation my wife and I have on the topic of Maslow’s hierarchy of needs. Maslow’s hierarchy helps us understand the essential nature of needs and why some needs are only achieved when we’ve built the right foundation by solving needs in lower tiers. ...

November 5, 2017

Getting the Blog Back Together

I used to have a blog. My old blog content is probably still hiding somewhere on The death of my last blog was the culmination of a fading interest in blogging and a desire to simplify by reducing the number of things that needed my attention and time. I eventually came to the realization that I wanted to do other things, and maintaining a blog wasn’t one of them. ...

© Eric Alexander 2017