If you are doing vendor security assessments for your employer, it is your job to assess the risk associated with vendors so that your leadership can make decisions.

It is not your place to bully the vendor.

Thank you for coming to my Ted Talk.

@accidentalciso Sorry, but that is a large-org-ist PoV. In the SMB world, "the computer guy" is the only one with the chops to do it, and the IDGAF attitude required to hold them accountable, and hopefully humiliate them during their lie-fests (sometimes called "sales pitches").
@jack_daniel @accidentalciso What percentage of US enterprises are SMBs?
(We often forget)
@boblord @accidentalciso let's see...
And yes, "only" ~47% of US employees work for small businesses.
@jack_daniel @accidentalciso My analysis from the Census Bureau shows about the same numbers. _But_ when you get rid of all the mom-and-pop shops and focus on employers with at least 20 staff, the number drops way, way down to...<re-checks spreadsheet> 97%.
It's almost like you're saying we've been paying attention to the wrong parts of the landscape for years. 😜
@boblord @jack_daniel @accidentalciso It’s true that the loudest, most visible representatives of #infosec at conferences are military, financial institutions, and tech companies (along with security vendors, duh). It’s especially important in #policy to give a voice to everyone else, which is why I keep harping on the #SecurityPovertyLine. Nobody’s going to step on a stage and say “Our security sucks,” but these stories need to be told.
@wendynather @boblord @jack_daniel @accidentalciso It’s absolutely a numbers game. As a large software company, you need to hire tens of thousands of sales teams and consultants to understand the nuances and engage with the 99% of businesses, or you can hire hundreds of people to focus on the 1% of very large businesses and increase your profit margin exponentially. There’s also “trickle down security”, where you don’t engage the SMBs directly, but engage the software companies and services that they use. That sets up the same lower sales and consultation staff at the large software companies. And all of that starves the person in the SMB who is the “IT department” of needed security knowledge.
@mechele @wendynather @boblord @jack_daniel This is why my business strategy is to focus on small businesses only. They are completely underserved and there is no real competition.