If you are doing vendor security assessments for your employer, it is your job to assess the risk associated with vendors so that your leadership can make decisions.

It is not your place to bully the vendor.

Thank you for coming to my Ted Talk.

The number of people in the replies here that think bullying is OK is alarming. Comments over on the bird site weren’t even that bad. 🤷‍♂️
@accidentalciso I think we need to define "bullying" because I feel that's very subjective
@storyteller I think people know what bullying is.
@accidentalciso is it bullying to tell the vendor the SOC 2 report they provided is actually from their data center provider and doesn’t mean they themselves are SOC 2 compliant. Also insert HIPAA or PCI interchangeably.
@accidentalciso what if the vendor never answers questions properly? Or is full of "5th gen cyber dark Blochain protects us from any threat present and future" kind of bullshit?
@WowSuchCyber @accidentalciso time to create/enact an exit plan, and seek an alternative provider!
@accidentalciso and here are 247 questions in an xls with our own naming that can't be mapped to ISO or other standards; btw we need the answer on Monday for this 500 euro order we are about to place
@accidentalciso It's also the vendor's job to answer your questions, not engage in cat-and-mouse games with you, and not lobby your internal business partner to short-circuit the assessment. Generally speaking, the incentives for vendor security assessments are misaligned and the odd person out is the assessor, who gets mostly complaints and little support or encouragement.
@accidentalciso it is then the business's job to flatly ignore your recommendations and use the vendor anyway, despite you finding all the data from your account exposed on an open S3 bucket, telling them, and them downplaying it as not a problem
@accidentalciso Sorry, but that is a large-org-ist PoV. In the SMB world, "the computer guy" is the only one with the chops to do it, and the IDGAF attitude required to hold them accountable, and hopefully humiliate them during their lie-fests (sometimes called "sales pitches").
@jack_daniel @accidentalciso Having been the "IT Guy" in a number of these situations, I totally agree. If you're a vendor and I have to interact with you because you're providing me services, you're damned right I'll be going after the vendor if there are issues. As far as I'm concerned, you work for me at that point and I have expectations.
@jack_daniel @accidentalciso What percentage of US enterprises are SMBs?
(We often forget)
@boblord @accidentalciso let's see...
And yes, "only" ~47% of US employees work for small businesses.
@jack_daniel @accidentalciso My analysis from the Census Bureau shows about the same numbers. _But_ when you get rid of all the mom-and-pop shops and focus on employers with at least 20 staff, the number drops way, way down to...<re-checks spreadsheet> 97%.
It's almost like you're saying we've been paying attention to the wrong parts of the landscape for years. 😜​
@boblord I am somewhat biased, having never worked for a company employing over 500 employees until a few years ago when Tenable grew past that point.
@boblord @jack_daniel @accidentalciso It’s true that the loudest, most visible representatives of #infosec at conferences are military, financial institutions, and tech companies (along with security vendors, duh). It’s especially important in #policy to give a voice to everyone else, which is why I keep harping on the #SecurityPovertyLine. Nobody’s going to step on a stage and say “Our security sucks,” but these stories need to be told.

@wendynather @jack_daniel @accidentalciso And the 97% don't know about the conferences, or can't afford to go, or can't understand us when we talk, or can't afford to do what we tell them. They don't know about hardening guides, or can't figure out how to implement them, or don't have time.

But when they fail to patch a product that has yet another memory safety vuln (2/3 of CVEs for decades 😂​) and get popped, you can count on us to blame them, revictimizing them. In infosec, "tsk tsk" is a renewable resource! We're great!

@boblord @jack_daniel @accidentalciso Not only that, but their breaches affect us too — even the big companies with robust security programs. We cannot afford to leave every org to fend for itself. We are an ecosystem. https://youtu.be/7c-HrJmPj2Q
Keynote: What Do We Owe One Another In Cybersecurity?

@wendynather @boblord @jack_daniel @accidentalciso Just gonna drop in a stat relevant to this conversation because that’s what I do…

Explanation: “Gartner defines a small business as one having less than $50M in annual revenue. So, that’s the distinction that appears here in red. It’s clear that the majority of loss events involving midsize and large firms (in blue) fall below 1% of their income, while the higher ratios on the right side of the spectrum are almost entirely populated by small businesses. Here’s a sobering stat: SMBs were the primary victim in 89% of all cyber loss events that exceeded 10% of revenue.” Source: https://www.cyentia.com/wp-content/uploads/IRIS-2022_Cyentia.pdf

@wade @wendynather @boblord @jack_daniel @accidentalciso Ugh. Practical security for the "have nots" is probably our field's most challenging problem.
@wade @jack_daniel @wendynather @accidentalciso @DaveMWilburn How do we get safety built-in and on by default? Products can be much safer, possibly eliminating the need for security expertise.
@DaveMWilburn @wade @boblord @jack_daniel @accidentalciso It’s right up there with climate change.

@wendynather @DaveMWilburn @wade @boblord @jack_daniel @accidentalciso

I fear that the problem is only exacerbated as the "haves" move further and further away from the "have nots". We pay a premium for Data Science, Data Engineers, and a score of MBAs to explain why we should pay them all so much. In InfoSec, it's seen as 'savings' or 'risk aversion', with the primary goal being to shift the cost to anyone else.

How many billions are claimed yearly on the projects that could only exist because of the work y'all do? Funny, I only see InfoSec projects as cost drivers.

@DaveMWilburn @wade @jack_daniel @wendynather @boblord @accidentalciso what happens when we compare this to another important business function like accounting, which should be more mature, having been standardized for longer? (And is that a valid comparison?)

@DaveMWilburn @wade @wendynather @boblord @jack_daniel @accidentalciso Exactly why I started my own shop.

Now, to *find* these folks and convince them they need some basics ...

@wade @wendynather @boblord @jack_daniel @accidentalciso I would love to see published advice for things a single individual running IT for a small company can do. I am that "IT guy", but let's be clear that isn't even half my job. All advice I see online is targeted towards companies who have a department of people already. I make jokes that I am the department.
CisoHelen: I've been thinking about what companies can do if they are under resourced in cybersecurity, and how they can improve security if they don't have a security team. https://hpatton.medium.com/improving-security-without-a-security-team-26b57cd9e801
@Aranjedeath @wade @wendynather @boblord @jack_daniel I’d love to have you be a “caller” on my podcast at some point to ask a question or two on this topic.
@accidentalciso @wade @wendynather @boblord @jack_daniel That would be very cool. I have many questions. I am a generalist, so I am doing everything from data collection minimization, standardized "OS Update recommendations", firewalling and access limitation... and we just had a friendly hacker report a clickjacking issue with our site, resulting in me rolling CSP headers out on all our sites, etc. And our clients ask us about this stuff as well.
@wade @wendynather @boblord @jack_daniel @accidentalciso one small adjustment: there are literally millions of companies under $50m in revenue and only a few thousand with more than that.

@wendynather @boblord @jack_daniel @accidentalciso

Wendy, what a great talk! I'd missed it at the time. Your arguments are so on point you almost made me cry!

I've been giving some thought to the idea of 'neighbourhood watch' as a structure through which to organize a community-oriented response to cyber threats for ecosystems. Let me know if you'd like me to share.

Also, I'm not sure if you're aware of the work the Cyber Peace Institute does in terms of your notion of a cyber 'peace corps'?

@charlvdwalt @wendynather @boblord @jack_daniel @accidentalciso I'm planning to finally make time to watch this video this Christmas. I assume, unfortunately, that all of the arguments will still apply, and that the situation hasn't changed in the last twelve months?

@SonOfSunTzu @wendynather @boblord @jack_daniel @accidentalciso

Hey Nick. Apologies for the late reply; I've been offline for a while.

Sadly, yes, I think the arguments are all still the same...

@boblord then we need to do more to support grass roots work which is often something performatively done. The ones on the stages and the news yelling infosec stuff and being paid are never the ones we see in the public sector or non profit world. People doing that work are too busy to be on stage. They also bring real talk and that bruises egos. Often because the advice that gets sent out is so inaccessible. I also politely challenge “poverty line” as it implies $$ will fix it
@wendynather @boblord @jack_daniel @accidentalciso Amen! We really need to hear the mid-market security story (across multiple verticals) that is simultaneously messy and valiant. But those of us in the trenches have no time to speak at said conferences where thought leaders reign supreme.
@wendynather @boblord @jack_daniel @accidentalciso It’s absolutely a numbers game. As a large software company, you need to hire tens of thousands of sales teams and consultants to understand the nuances and engage with the 99% of businesses, or you can hire hundreds of people to focus on the 1% of very large businesses and increase your profit margin exponentially. There’s also “trickle down security”, where you don’t engage the SMBs directly, but engage the software companies and services that they use. That sets up the same lower sales and consultation staff at the large software companies. And all of that starves the person in the SMB who is the “IT department” of needed security knowledge.
@mechele @wendynather @boblord @jack_daniel this is why my business strategy is to focus on small businesses only. They are completely underserved and there is no real competition.
@boblord @jack_daniel @accidentalciso I've worked at over a dozen employers in my career, from IBM to a partnership with one other person. Sometimes my cubicle is at Johnson Controls and my payroll is handled through a recruiter with seven people on staff. I've worked for undigested acquisitions, small companies working onsite at large clients, been a subcontractor of a subcontractor... I believe my personal matryoshka record is four nested companies at once.
@jack_daniel Jack - unrelated - but may I ask where you found that quote? I’ve been looking for good data on business sizes. Thanks!
@charlvdwalt that was just a quick Google result, it comes from the US Small Business Administration
@jack_daniel @accidentalciso Idk, I don't know that I've ever seen an interaction where someone is deliberately trying to humiliate a vendor and it came across as appropriate or professional. It never looks as good as the person doing it imagines it does. Anything other than a clinical approach signals trouble to a third-party observer (does this person lack experience with these evaluations, are they trying to cover up a failure, etc.), despite having to apply 'heat' sometimes in these SMB IT vendor relationships.
@jack_daniel Jack, bullying is not ok.
@accidentalciso @jack_daniel what constitutes bullying here? If my organization is paying the vendor to do something and they do not do it, I will be polite about demanding it, but I'm not going to hold the punch on 3rd party audit, escalations to account managers, or terminating contracts if that's the only way to get what I need.
@accidentalciso If you come to our house and lie to our face I’m gonna make you look like an idiot and it won’t be on me.

@accidentalciso Disagree.

It is your place. Your employer specifically put you in that place when they tasked you with the assessment. Your job is to "get the vendor to tell you the truth".

How much bullying that's going to require is determined by the vendor. If they're upfront and honest, we can keep it to a minimum... but, thanks to all the vendors who aren't, we still have to do the dance. The best vendors know the dance and lead.

@Name_Too_Long This is a load of crap. Sorry.
@accidentalciso Why would someone bully a vendor ?

@accidentalciso I regularly find myself either being the one setting the security questions for our vendors or being the one answering them for our customers. A few thoughts I've ended up with:

- ISO 27001, SOC 2 and CSA CAIQ give us "common language", and help shorten many processes. If the VRM process isn't shortened by us as a vendor having those, it's usually a sign it's going to be a painful one. Compliance != security, but it should get rid of some questions about security basics.
- As a vendor, if we experience a particularly painful VRM process, we try to learn what was painful and make sure we're not inflicting the same on our own vendors.
- Vendors who respond "our Cloud provider is ISO27001 certified, so we're secure" need educating, not yelling at.
- If a customer asks us yes/no questions about whether we've got a specific technology deployed, it's often a sign that they are concerned about risk X and believe technology Y is the only way to mitigate it. If they can describe what risks they are most concerned about, we can describe to them how we mitigate those risks.
- Pragmatic, risk-based processes tend to be positive experiences that lead to good partnerships.
- Bullying and obstructive behaviour is likely a symptom of process or culture dysfunction.