Accidental CISOIf you are doing vendor security assessments for your employer, it is your job to assess the risk associated with vendors so that your leadership can make decisions.
It is not your place to bully the vendor.
Thank you for coming to my Ted Talk.
Jack Daniel (often offline)@accidentalciso Sorry, but that is a large-org-ist PoV. In the SMB world, "the computer guy" is the only one with the chops to do it, and the IDGAF attitude required to hold them accountable, and hopefully humiliate them during their lie-fests (sometimes called "sales pitches").
Bob Lord 🔐 
@boblord @accidentalciso let's see...
And yes, "only" ~47% of US employees work for small businesses.
And yes, "only" ~47% of US employees work for small businesses.
@jack_daniel @accidentalciso My analysis from the Census Bureau shows about the same numbers. _But_ when you get rid of all the mom-and-pop shops and focus on employers with at least 20 staff, the number drops way, way down to...<re-checks spreadsheet> 97%.
It's almost like you're saying we've been paying attention to the wrong parts of the landscape for years. 😜
It's almost like you're saying we've been paying attention to the wrong parts of the landscape for years. 😜
Wendy Nather@boblord @jack_daniel @accidentalciso It’s true that the loudest, most visible representatives of #infosec at conferences are military, financial institutions, and tech companies (along with security vendors, duh). It’s especially important in #policy to give a voice to everyone else, which is why I keep harping on the #SecurityPovertyLine. Nobody’s going to step on a stage and say “Our security sucks,” but these stories need to be told.
@wendynather @jack_daniel @accidentalciso And the 97% don't know about the conferences, or can't afford to go, or can't understand us when we talk, or can't afford to do what we tell them. They don't know about hardening guides, or can't figure out how to implement them, or don't have time.
But when they fail to patch a product that has yet another memory safety vuln (2/3 of CVEs for decades 😂) and get popped, you can count on us to blame them, revictimizing them. In infosec, "tsk tsk" is a renewable resource! We're great!
Stacey Holleran@boblord @jack_daniel @accidentalciso Not only that, but their breaches affect us too — even the big companies with robust security programs. We cannot afford to leave every org to fend for itself. We are an ecosystem. https://youtu.be/7c-HrJmPj2Q
Keynote: What Do We Owe One Another In Cybersecurity?
Wade Baker@wendynather @boblord @jack_daniel @accidentalciso Just gonna drop in a stat relevant to this conversation because that’s what I do…
Explanation: “Gartner defines a small business as one having less than $50M in annual revenue. So, that’s the distinction that appears here in red. It’s clear that the majority of loss events involving midsize and large firms (in blue) fall below 1% of their income, while the higher ratios on the right side of the spectrum are almost entirely populated by small businesses. Here’s a sobering stat: SMBs were the primary victim in 89% of all cyber loss events that exceeded 10% of revenue.” Source: https://www.cyentia.com/wp-content/uploads/IRIS-2022_Cyentia.pdf
Dave Wilburn @wade @wendynather @boblord @jack_daniel @accidentalciso Ugh. Practical security for the "have nots" is probably our field's most challenging problem.
@wade @jack_daniel @wendynather @accidentalciso @DaveMWilburn How do we get safety built-in and on by default? Products can be much safer, possibly eliminating the need for security expertise.
Alex@wendynather @DaveMWilburn @wade @boblord @jack_daniel @accidentalciso
I fear that the problem is only exacerbated as the "haves" move further and further away from the "have nots". We pay a premium for Data Science, Data Engineers, and a score of MBAs to explain why we should pay them all so much. In InfoSec, its seen as 'savings' or a 'risk aversion' with the primary goal to be shift the cost to anyone else.
How many billions are claimed yearly on the projects that could only exist because of the work ya'll do? Funny I only see InfoSec projects as cost drivers.
Scott 
@DaveMWilburn @wade @jack_daniel @wendynather @boblord @accidentalciso what happens when we compare this to another important business function like accounting, which should be a more mature, having been standardized for longer? (And is that a valid comparison?)
storyteller@DaveMWilburn @wade @wendynather @boblord @jack_daniel @accidentalciso Exactly why I started my own shop.
Now, to *find* these folks and convince them they need some basics ...
Aranjedeath@wade @wendynather @boblord @jack_daniel @accidentalciso I would love to see published advice for things a single individual running IT for a small company can do. I am that "IT guy", but let's be clear that isn't even half my job. All advice I see online is targeted towards companies who have a department of people already. I make jokes that I am the department.
@Aranjedeath @wade @boblord @jack_daniel @accidentalciso Start here: https://infosec.exchange/@cisohelen/109511188348488685
CisoHelen (@[email protected])
I've been thinking about what companies can do if they are under resourced in cybersecurity, and how they can improve security if they don't have a security team. https://hpatton.medium.com/improving-security-without-a-security-team-26b57cd9e801
@wendynather oh wonderful, thank you!
@Aranjedeath @wade @wendynather @boblord @jack_daniel I’d love to have you be a “caller” on my podcast at some point to ask a question or two on this topic.
@accidentalciso @wade @wendynather @boblord @jack_daniel That would be very cool. I have many questions. I am a generalist so I am doing everything from data collection minimization, standardized "OS Update recommendations", firewalling and access limitation... and we just had a friendly hacker report clickjacking issue with our site resulting in me rolling CSP headers out on all our sites. etc. and our clients ask us about this stuff as well.
Gunnar Peterson@wade @wendynather @boblord @jack_daniel @accidentalciso one small adjustment- there are literally millions of companies under $50m in revenue and only a few thousand w more than that.
Charl van der Walt 🌻🇵🇸@wendynather @boblord @jack_daniel @accidentalciso
Wendy what a great talk! I’d missed it at the time. You’re arguments are so on point you almost made me cry!
I’ve been giving some thought the idea of ‘neighbourhood watch’ as a structure through which to organize a community-oriented response to cyber threats for ecosystems. Let me know if you’d like me to share.
Also - im not sure if you’re aware of the work the Cyber Peace Institute does in terms of your notion of a cyber ‘peace corps’?
Nick Drage@charlvdwalt @wendynather @boblord @jack_daniel @accidentalciso I'm planning to finally making time to watch this video this Christmas, I assume - unfortunately - that all of the arguments will still apply, and that the situation hasn't changed in the last twelve months?
@SonOfSunTzu @wendynather @boblord @jack_daniel @accidentalciso
Hey Nick. Apologies for the late reply - I've been offline for while.
Sadly, yes, I think the arguments are all still the same...