Starting Up Security
Guides for the growing security team
Starting Up Security
Your startup is growing fast. Your customers are starting to ask tough security questions. Your investors and board members have asked for…
Ryan McGeehan
Feb 20, 2015
Building a Product Security Team
Ryan McGeehan
Nov 20, 2015
Red Teams
You’ve spent millions on security products that aren’t escalating incidents. You have a 24/7 SOC that hardly pays attention to their tools…
Ryan McGeehan
Mar 30, 2015
Prioritizing Detection Engineering
Detection Engineering is a concept that has emerged in the detection space. It acknowledges the complexity of a detection stack and the…
Ryan McGeehan
Sep 10, 2024
Managing a quarterly security review
I like an approach that combines my favorite quarterly review practices I’ve been exposed to. Here’s the general meeting structure:
Ryan McGeehan
Aug 14, 2024
Follow-Up: SolarWinds Response to SEC Lawsuit
SolarWinds has responded on their blog regarding the SEC’s lawsuit against them following their breach. Here is some analysis:
Ryan McGeehan
Nov 9, 2023
Lessons from the SEC’s Lawsuit against SolarWinds and Tim Brown
A few days ago, the SEC filed a lawsuit against SolarWinds and their CISO that shares some similarities with the blameless post-mortem of…
Ryan McGeehan
Nov 6, 2023
Vulnerability Management: You should know about EPSS
The Exploit Prediction Scoring System (EPSS) is great. You might like it, too, if you deal with large numbers of vulnerabilities.
Ryan McGeehan
Oct 9, 2023
Talking about risk with thresholds 🔥
Imagine you encounter a fire in the woods. You’d instinctively decide to do one of two things:
Ryan McGeehan
Mar 20, 2023
A blameless post-mortem of USA v. Joseph Sullivan
Our industry deserves a complete retrospective into the incidents behind the criminal case against Uber’s former Chief Security Officer.
Ryan McGeehan
Dec 8, 2022
Endpoint Security: Intuition around the Mudge Disclosures
The Mudge disclosures bring up specific pain points around how endpoint security is measured and communicated and what baselines are…
Ryan McGeehan
Aug 24, 2022
Classifying types of “Security Work”
Applying the types of work from The Phoenix Project to security
Ryan McGeehan
Dec 9, 2019
A key performance indicator for infosec organizations
Using probabilistic risk KPIs to direct complex risk engineering efforts.
Ryan McGeehan
Sep 16, 2019
Measuring “In the Wild” Exploitation
Exploring our security expectations across browsers.
Ryan McGeehan
Feb 5, 2019
Forecasting NPM Advisories
This forecasting essay describes the likelihood of a malicious NPM package being introduced into a JavaScript development environment.
Ryan McGeehan
Jan 3, 2019
Forecasting a headline risk: NetSpectre
Understanding short term likelihood of an in-the-wild attack.
Ryan McGeehan
Jul 28, 2018
How to measure risk with a better OKR.
I’ve become a big fan of the Objective and Key Result (OKR) at companies that take them seriously. I’ll describe an opinionated method that…
Ryan McGeehan
May 21, 2018
On Attribution: Avoiding “We Got ‘Em”
Consensus and quantitative rigor for complex intelligence efforts.
Ryan McGeehan
Mar 7, 2018
Measuring a red team or penetration test.
Quantifying “success” after an “unsuccessful” red team.
Ryan McGeehan
Jan 25, 2018
Learning from California’s Data Breaches
Trends found within every CA breach notification in 2017.
Ryan McGeehan
Dec 22, 2017
Learning From Security Breaches in 2017
Read last year’s summary here for 2016.
Ryan McGeehan
Dec 20, 2017
Killing “Chicken Little”: Measure and eliminate risk through forecasting.
View the “Risk Forecasting” presentation on GitHub.
Ryan McGeehan
Dec 6, 2017
The “five factors” used to secure systems.
Common patterns that security teams use to mitigate risk.
Ryan McGeehan
Nov 8, 2017
Communicating risk across complex teams
Using threat modeling techniques for organizational risk planning.
Ryan McGeehan
Oct 24, 2017
An Infrastructure Guide for Founders
How to avoid security debt with early AWS design patterns.
Ryan McGeehan
Oct 19, 2017
Understanding the Security Questionnaire
A customer wants to know about your startup’s security practices
Ryan McGeehan
Sep 8, 2017
Decomposing security risk into scenarios
How to express risks with well understood tabletop phrasing.
Ryan McGeehan
May 8, 2017
Tabletops for Bug Bounty
Improving a bug bounty program with fictional problems.
Ryan McGeehan
Mar 28, 2017