Fine, fine. I'll do this year's training my damned self.

Hello, and welcome to your company's oh-so-very-shitty Security Awareness Training. I'm Chief Cloud Economist Corey Quinn of the Duckbill Group, today I'm your Acting CISO while your actual CISO is out finding which bars are open at 9:30 in the morning, and I'll be delivering this training for you because I was absolutely NOT the lowest bidder.

Thread begins here...

The whole point of security awareness is to protect company information. That's what they say, anyway.

Here in reality we're going to reference back to the things I spew at you rapid fire and blame you for our institutional shortcomings once we get breached. As your company's CISO, the most unkind yet accurate adjective people will ever apply to me is "ablative."

Confidentiality is important. Assume that people will read what you write. I know, it's a heavy lift for some of you who haven't figured out that the failure mode of "being clever on the internet" is "being a huge asshole," but pretend it'll be read.

In open court.

By a sobbing child.

Who's somehow on your Board of Directors.

Don't share private information.

Information should be presumed private until demonstrated otherwise. Don't assume that someone emailing you is who they claim to be. And don't insist on GPG signed email unless you never want to receive email again--wait.

WAIT.

brb generating a GPG key.

You probably also don't want to install a bunch of sketchy apps, browser extensions, or weird trinkets from dodgy vendors. If you're unsure, ask someone steeped in that area.

If they're rude dicks to you ("I work in infosec" being an unfortunately accurate early warning sign), pivot immediately to plotting their downfall instead and find a better trusted source.

You'll deal with a lot of information. Some of it is confidential. Some of it is public. If you're unsure, default to assuming confidential; it's less unfortunate for you that way.

The truth is, it's nearly impossible to listen your way into trouble, whereas running your big dumb mouth is going to end in tears before bedtime.

Be wary of phishing emails. Why's that? Because we collectively suck at computers to the point where you clicking the wrong link can take down Maersk for months, but somehow we're going to act like that's your fault.

If it's important and urgent, it shouldn't be an email out of hours.

Unusual senses of urgency, a CEO suddenly unclear how to spell their own name, and instructions to do things out of the ordinary are red flags unless your company is owned by Elon Musk.

Ask the requestor for confirmation on Slack, Teams, or some other side channel before doing something ill-considered. Delays are always better than mistakes.

If your boss texts you to buy some iTunes gift cards or whatnot to deal with a client emergency, it's either a phishing attack or you work for some kind of moron and you should find another place to be immediately.

The one time I had to have someone buy a whole mess of Amazon gift codes (for re:Invent swag) I told them to do it in person and explained my logic. Next year I'll do Google Cloud credits if AWS doesn't want to play ball...

There's usually a sense of urgency behind phishing attacks (frequently out of hours), because they don't want you thinking clearly. You will not be threatened in an email by your colleagues at any reasonable workplace. If you are, you have better options. Begin plotting their downfall and your next career move.

Physical security is important. You're an accountant who's 5'4" and 105 lbs soaking wet, but you're somehow expected to stop and aggressively interrogate anyone who attempts to follow you into a secured area since the company can't afford security guards after paying my usurious fee for this presentation?

This is fantasyland horseshit that will not happen here in reality.

Some companies require staff to wear badges. This is where the terribleness of scale starts in many places. My choice is usually to leave before companies get that big. If you make different choices, don't share badges with colleagues.

Oh, and I don't care that you work at Google; nobody thinks you're cool for wearing your badge in public. It's not a fashion accessory, it's a cry for help.

That said, many of us are remote these days, so "physical security" takes on a different context. It's your home, I'm not fool enough to tell you how to live your life there.

If someone is, begin plotting their downfall while making plans to destroy their home life instead. Boundary issues can absolutely cut both ways.

@Quinnypig my physical security in my home office is focused on keeping my cats away from my keyboard.

It’s a real thing. #Space #Cats

https://www.theatlantic.com/science/archive/2020/04/nasa-cats-spacecraft-european-space-agency/610438/ (The Atlantic: "Spacecraft Engineers Have to Worry About Cats Now")
@DataChick @Quinnypig glad I only have avians

@zippy1981 @Quinnypig Like they can’t type.

@DataChick @Quinnypig I don't have time to socialize them to the point I'm comfortable taking them out of the cage, and they have no interest in escaping, probably due to the Labrador that made the previous owner give them away for free.

@zippy1981 @Quinnypig you also have spawn to protect keyboards from, right?

@DataChick @Quinnypig they generally prefer their own ThinkPads or my wife's surface.

They absolutely love to camera bomb my meetings, but they seem to have zero interest in touching anything on my desk besides my tchotchkes.