If you are doing vendor security assessments for your employer, it is your job to assess the risk associated with vendors so that your leadership can make decisions.

It is not your place to bully the vendor.

Thank you for coming to my Ted Talk.

@accidentalciso Sorry, but that is a large-org-ist PoV. In the SMB world, "the computer guy" is the only one with the chops to do it, and the IDGAF attitude required to hold them accountable, and hopefully humiliate them during their lie-fests (sometimes called "sales pitches").
@jack_daniel @accidentalciso What percentage of US enterprises are SMBs?
(We often forget)
@boblord @accidentalciso let's see...
And yes, "only" ~47% of US employees work for small businesses.
@jack_daniel @accidentalciso My analysis from the Census Bureau shows about the same numbers. _But_ when you get rid of all the mom-and-pop shops and focus on employers with at least 20 staff, the number drops way, way down to...<re-checks spreadsheet> 97%.
It's almost like you're saying we've been paying attention to the wrong parts of the landscape for years. 😜
@boblord @jack_daniel @accidentalciso It’s true that the loudest, most visible representatives of #infosec at conferences are military, financial institutions, and tech companies (along with security vendors, duh). It’s especially important in #policy to give a voice to everyone else, which is why I keep harping on the #SecurityPovertyLine. Nobody’s going to step on a stage and say “Our security sucks,” but these stories need to be told.

@wendynather @jack_daniel @accidentalciso And the 97% don't know about the conferences, or can't afford to go, or can't understand us when we talk, or can't afford to do what we tell them. They don't know about hardening guides, or can't figure out how to implement them, or don't have time.

But when they fail to patch a product that has yet another memory safety vuln (2/3 of CVEs for decades 😂) and get popped, you can count on us to blame them, revictimizing them. In infosec, "tsk tsk" is a renewable resource! We're great!

@boblord @jack_daniel @accidentalciso Not only that, but their breaches affect us too — even the big companies with robust security programs. We cannot afford to leave every org to fend for itself. We are an ecosystem. https://youtu.be/7c-HrJmPj2Q
Keynote: What Do We Owe One Another In Cybersecurity?

@wendynather @boblord @jack_daniel @accidentalciso

Wendy, what a great talk! I'd missed it at the time. Your arguments are so on point you almost made me cry!

I've been giving some thought to the idea of 'neighbourhood watch' as a structure through which to organize a community-oriented response to cyber threats for ecosystems. Let me know if you'd like me to share.

Also - I'm not sure if you're aware of the work the Cyber Peace Institute does in terms of your notion of a cyber 'peace corps'?

@charlvdwalt @wendynather @boblord @jack_daniel @accidentalciso I'm planning to finally make time to watch this video this Christmas. I assume - unfortunately - that all of the arguments will still apply, and that the situation hasn't changed in the last twelve months?

@SonOfSunTzu @wendynather @boblord @jack_daniel @accidentalciso

Hey Nick. Apologies for the late reply - I've been offline for a while.

Sadly, yes, I think the arguments are all still the same...