Podcast: Talking about CAASM and Community


Christian Buckley from the CollabTalk Podcast reached out to me to discuss building communities, given my involvement in supporting massive initiatives within multiple industry communities. We talked about the process and the ideas behind building large communities and how to build communities from scratch.

Our discussion led us to the concept of CAASM (Cyber Asset Attack Surface Management) and how to build a community around that concept. Listen to the full podcast (below), or jump directly to our talk about CAASM.

Two types of communities

There are two types of communities at a basic level: those that supply a collaborative platform to an underlying group of people with similar interests and those that start from scratch with a new concept and no organized user base.

I've been involved with three large communities: SharePoint, DevOps, and DevSecOps. These communities had massive uptake in engagement because there was already an underlying group of people looking for a central location to exchange ideas. These types of communities are relatively easy to build because the audience already exists.

How to build a community... from scratch

The main issue Christian and I tackle is, "How do you build a community around a topic that doesn't have traction yet? How do you build a community from scratch?" Our discussion focused on a community approach to CAASM (Cyber Asset Attack Surface Management).

Asset visibility, especially as it pertains to attack surface management, will play a major role in building and maintaining software security. CAASM is positioned to be a critical concept, acting as the unifying factor between various communities of practice that are concerned with cyber asset management. In a larger context, the assets themselves are just the start. A much larger concern to CAASM advocates is evaluating and understanding the unintended consequences created by the relationships between those assets.

The start of a CAASM community 

DevOps and DevSecOps principles were in use years before communities were built around them… they just didn’t have a name. So, just as Patrick Debois did with DevOps in 2009 and Shannon Lietz did with DevSecOps in 2015, we need to find a core group of people who are already using the principles of CAASM to create a community of recognition and support.

As Christian and I talked about how communities form, using CAASM as an example, we concluded that we need to invest time in finding CAASM advocates. We at JupiterOne are looking for like-minded voices working with the principles of CAASM, who want to collaborate in the exchange of ideas and work towards establishing the foundation of a CAASM community.

An invitation to talk

I'd like to hear from you and talk about what you’re working on. Let’s begin the dialog by discovering who is using the concepts of CAASM and giving their work wider exposure to the general security community. Is that you? If so, let's talk.

You can reach me personally at champions@jupiterone.com.  



Posted By Mark Miller

Mark Miller speaks and writes extensively on DevOps and Security, hosting panel discussions on tools and processes within the DevOps Software Supply Chain.

Mark actively participates in the DevOps/DevSecOps community by building DevSecOps tracks at security conferences such as RSA Conference, InfoSec Europe, CD Summit, AppSec USA and AppSec EU. He is the Senior Storyteller and Senior Director of Community and Content at JupiterOne.

As well, Mark is Executive Producer of the DevSecOps Podcast Series (300K+ listens), and the Executive Editor of the LinkedIn DevOps Group (124K+ members).
