Accidental CISOIf you are doing vendor security assessments for your employer, it is your job to assess the risk associated with vendors so that your leadership can make decisions.
It is not your place to bully the vendor.
Thank you for coming to my Ted Talk.
Jack Daniel (often offline)@accidentalciso Sorry, but that is a large-org-ist PoV. In the SMB world, "the computer guy" is the only one with the chops to do it, and the IDGAF attitude required to hold them accountable, and hopefully humiliate them during their lie-fests (sometimes called "sales pitches").
Bob Lord 🔐 
@boblord @accidentalciso let's see...
And yes, "only" ~47% of US employees work for small businesses.
And yes, "only" ~47% of US employees work for small businesses.
@jack_daniel @accidentalciso My analysis from the Census Bureau shows about the same numbers. _But_ when you get rid of all the mom-and-pop shops and focus on employers with at least 20 staff, the number drops way, way down to...<re-checks spreadsheet> 97%.
It's almost like you're saying we've been paying attention to the wrong parts of the landscape for years. 😜
It's almost like you're saying we've been paying attention to the wrong parts of the landscape for years. 😜
Wendy Nather@boblord @jack_daniel @accidentalciso It’s true that the loudest, most visible representatives of #infosec at conferences are military, financial institutions, and tech companies (along with security vendors, duh). It’s especially important in #policy to give a voice to everyone else, which is why I keep harping on the #SecurityPovertyLine. Nobody’s going to step on a stage and say “Our security sucks,” but these stories need to be told.
@wendynather @jack_daniel @accidentalciso And the 97% don't know about the conferences, or can't afford to go, or can't understand us when we talk, or can't afford to do what we tell them. They don't know about hardening guides, or can't figure out how to implement them, or don't have time.
But when they fail to patch a product that has yet another memory safety vuln (2/3 of CVEs for decades 😂) and get popped, you can count on us to blame them, revictimizing them. In infosec, "tsk tsk" is a renewable resource! We're great!
@boblord @jack_daniel @accidentalciso Not only that, but their breaches affect us too — even the big companies with robust security programs. We cannot afford to leave every org to fend for itself. We are an ecosystem. https://youtu.be/7c-HrJmPj2Q
Keynote: What Do We Owe One Another In Cybersecurity?
Wade Baker@wendynather @boblord @jack_daniel @accidentalciso Just gonna drop in a stat relevant to this conversation because that’s what I do…
Explanation: “Gartner defines a small business as one having less than $50M in annual revenue. So, that’s the distinction that appears here in red. It’s clear that the majority of loss events involving midsize and large firms (in blue) fall below 1% of their income, while the higher ratios on the right side of the spectrum are almost entirely populated by small businesses. Here’s a sobering stat: SMBs were the primary victim in 89% of all cyber loss events that exceeded 10% of revenue.” Source: https://www.cyentia.com/wp-content/uploads/IRIS-2022_Cyentia.pdf
Dave Wilburn @wade @wendynather @boblord @jack_daniel @accidentalciso Ugh. Practical security for the "have nots" is probably our field's most challenging problem.
Alex@wendynather @DaveMWilburn @wade @boblord @jack_daniel @accidentalciso
I fear that the problem is only exacerbated as the "haves" move further and further away from the "have nots". We pay a premium for Data Science, Data Engineers, and a score of MBAs to explain why we should pay them all so much. In InfoSec, its seen as 'savings' or a 'risk aversion' with the primary goal to be shift the cost to anyone else.
How many billions are claimed yearly on the projects that could only exist because of the work ya'll do? Funny I only see InfoSec projects as cost drivers.