Mackenize Morris
Mackenize Morris is a Senior Industrial Consultant at the industrial cybersecurity company Dragos, Inc., where he assists the professional services teams in conducting network and vulnerability assessments.
Prior to joining Dragos, Mackenize worked as a process controls engineer and system architect for a DOE contractor. In addition to his responsibilities, he became the system administrator of the DCS until fully switching over to an ICS cybersecurity position within the DOE complex.
Mackenize received his B.S. in Chemical Engineering and MBA from the University of South Carolina and his Master’s in Information Security Engineering from the SANS Technology Institute. He currently holds the following certifications: GCPM, GCIP, GSEC, GDSA, GREM, GCCC, GRID, GCIA, GISCP, GPEN, GMON, GCIH, GWAPT and CISSP.
Mackenize lives in Aiken, South Carolina, down the street from his brother’s horse farm, where he keeps his horse, Riley. Besides riding horses, Mackenize fences as part of the Augusta Fencers Club and coaches the University of South Carolina Aiken’s League of Legends and Overwatch teams.
Mackenize’s name is pronounced like Mackenzie; the IZE spelling was a result of a spelling error on his birth certificate.
Session
A common theme from the lessons learned while consulting on ICS cybersecurity for dozens of organizations is that better practices beat best-practice recommendations on feasibility, cost, likelihood of implementation and improvement in security posture. Recommending best practices year over year is met with reevaluating unchanged environments, because lofty ambitions can lead to decision paralysis. This is a flaw in best practices: while they are theoretically the community-agreed baseline for security, they leave something to be desired in the roadmap of an organization’s maturity. We have tried to remedy this with maturity roadmaps like C2M2 or CMMC, but these too leave something to be desired, as they offer abstract qualifications about practices that can be self-diagnosed into a maturity class. In the meantime, all discrete and published security controls surround best-practice implementation. Instead, let’s focus on the better practices. This session is a showcase of lessons learned from a few instances where a practice better than the current one was a superior recommendation to a more often quoted best practice.