Posts

IoT Broke the Network Perimeter: Audit Is Still Looking for the Fence

There is something quietly outdated about how many IT audits still “walk the network”. They trace boundaries, review firewall rules, validate segmentation, and confirm that traffic flows are controlled. The exercise assumes that somewhere in the architecture, a fence still exists — and that meaningful security assurance comes from checking its strength. IoT makes that exercise increasingly symbolic. The problem is not that organisations have added more devices. It is that they have introduced entities that do not behave like traditional IT assets, yet audits continue to assess them as if they do. Sensors, cameras, smart meters, medical devices, and embedded controllers operate continuously, authenticate weakly, and often communicate directly with cloud services outside organisational visibility. They are present everywhere and owned by no one in particular. Audit, meanwhile, still looks for the fence. Fr...

When Vulnerability Scanners Define Security, We Are Already Solving the Wrong Problem!

Most organisations today feel confident about their security posture. Vulnerability scans run weekly. Penetration tests are scheduled annually. Dashboards track patch compliance. Audit reports show progress. And yet, breaches continue to tell a very different story. When major incidents are analysed, particularly in financial services and large enterprises, attackers rarely rely on sophisticated zero-day exploits. Instead, they exploit weak identity controls, excessive privileges, implicit trust between systems, and human behaviour. These are not gaps that appear clearly in a vulnerability report. They are gaps in how threats are understood. This is where threat modeling should play a central role. In practice, it is often treated as optional, theoretical, or something that belongs only in early design phases. That mindset has consequences. Threat Modeling: The Discipline We Acknowledge b...

Is Your SOC the New Internal Auditor? (And… Who’s Auditing the SOC Back?)

Let me start with a vibe you’ve probably felt. You walk into a SOC and it looks like control. Big screens. Live dashboards. Red alerts. Ticket queues. People moving fast. It gives that instant “we’re protected” feeling. Then the annoying thought arrives: If the SOC is already detecting risk in real time, documenting actions, escalating incidents, and triggering fixes… what exactly is IT audit doing months later when we say we’re “reviewing controls”? Not disrespect — just reality. The center of gravity has shifted.

1) What a SOC really is (not just “a room with screens”)

In practice, a SOC is a decision factory for security risk. It sits where signals become judgments: “Is this normal or hostile?” “Do we contain now or watch longer?” “Do we wake up management?” “Do we isolate a server and break business?” That’s not just technical work — that’s risk governance happening at operational speed. And that’s why SOCs feel like audit sometimes: they’...