Fine, fine. I'll do this year's training my damned self.

Hello, and welcome to your company's oh-so-very-shitty Security Awareness Training. I'm Chief Cloud Economist Corey Quinn of the Duckbill Group. Today I'm your Acting CISO while your actual CISO is out finding which bars are open at 9:30 in the morning, and I'll be delivering this training for you because I was absolutely NOT the lowest bidder.

Thread begins here...

The whole point of security awareness is to protect company information. That's what they say, anyway.

Here in reality we're going to reference back to the things I spew at you rapid fire and blame you for our institutional shortcomings once we get breached. As your company's CISO, the most unkind yet accurate adjective people will ever apply to me is "ablative."

Confidentiality is important. Assume that people will read what you write. I know, it's a heavy lift for some of you who haven't figured out that the failure mode of "being clever on the internet" is "being a huge asshole," but pretend it'll be read.

In open court.

By a sobbing child.

Who's somehow on your Board of Directors.

Don't share private information.

Information should be presumed private until demonstrated otherwise. Don't assume that someone emailing you is who they claim to be. And don't insist on GPG signed email unless you never want to receive email again--wait.

WAIT.

brb generating a GPG key.

You probably also don't want to install a bunch of sketchy apps, browser extensions, or weird trinkets from dodgy vendors. If you're unsure, ask someone steeped in that area.

If they're rude dicks to you ("I work in infosec" being an unfortunately accurate early warning sign), pivot immediately to plotting their downfall instead and find a better trusted source.

You'll deal with a lot of information. Some of it is confidential. Some of it is public. If you're unsure, default to assuming confidential; it's less unfortunate for you that way.

The truth is, it's nearly impossible to listen your way into trouble, whereas running your big dumb mouth is going to end in tears before bedtime.

Be wary of phishing emails. Why's that? Because we collectively suck at computers to the point where you clicking the wrong link can take down Maersk for months, but somehow we're going to act like that's your fault.

If it's important and urgent, it shouldn't be an email out of hours.

Unusual senses of urgency, a CEO suddenly unclear how to spell their own name, and instructions to do things out of the ordinary are red flags unless your company is owned by Elon Musk.

Ask the requestor for confirmation on Slack, Teams, or some other side channel before doing something ill-considered. Delays are always better than mistakes.

If your boss texts you to buy some iTunes gift cards or whatnot to deal with a client emergency, it's either a phishing attack or you work for some kind of moron and you should find another place to be immediately.

The one time I had to have someone buy a whole mess of Amazon gift codes (for re:Invent swag) I told them to do it in person and explained my logic. Next year I'll do Google Cloud credits if AWS doesn't want to play ball...

There's usually a sense of urgency behind phishing attacks (frequently out of hours), because they don't want you thinking clearly. You will not be threatened in an email by your colleagues at any reasonable workplace. If you are, you have better options. Begin plotting their downfall and your next career move.

Physical security is important. You're an accountant who's 5'4" and 105 lbs soaking wet, but you're somehow expected to stop and aggressively interrogate anyone who attempts to follow you into a secured area since the company can't afford security guards after paying my usurious fee for this presentation?

This is fantasyland horseshit that will not happen here in reality.

Some companies require staff to wear badges. This is where the terribleness of scale starts in many places. My choice is usually to leave before companies get that big. If you make different choices, don't share badges with colleagues.

Oh, and I don't care that you work at Google; nobody thinks you're cool for wearing your badge in public. It's not a fashion accessory, it's a cry for help.

That said, many of us are remote these days, so "physical security" takes on a different context. It's your home, I'm not fool enough to tell you how to live your life there.

If someone is, begin plotting their downfall while making plans to destroy their home life instead. Boundary issues can absolutely cut both ways.

Data privacy is super important. Maybe keep the sensitive customer data contained to a small place, and if you don't need it, don't collect it?

People get upset when you leak their info--particularly if they didn't choose to give it to you in the first place, Facebook.

Some places tell you not to use "unapproved software." And you're never to do any personal work on company machines.

Be certain to raise your hand and ask permission before going to the bathroom if that's your workplace.

I spent too long in IT seeing pictures of employees that I wish I could burn out of my brain to believe that anyone obeys this rule, so let's stop pretending otherwise.

If your company asks you to install their corporate spyware on your personal device, the correct answer is "LOL no." If it's that important that they reach you at all times (spoiler, it is not or they'd staff multiple shifts), they can give you a corporate phone, laptop, and car.

Forget to charge all of these should you want a moment of peace.

If you find random USB sticks, don't plug them into a computer. Holy hell, are you new here or something? You should also be sure not to jam a fork into a power outlet, or eat Surprise Snacks you find on the city bus.

No one is going to email you to give you money, sell you reputable pharmaceuticals, or blackmail you. No, they didn't watch you flog your dolphin via your webcam, and no they will not send video of it to your friends and family unless you pay them. (If someone ever gets a video of me flogging my metaphorical dolphin, my greatest fear will be them releasing it to the public without letting me narrate it first.)

If someone somehow does get compromising video of you, narrate it.

Seriously; this is the kind of email that shows up. If it were real they'd include a screencap, or at least an incriminating detail ("you scream your own name at orgasm?!") to prove it's real.

These scams invariably involve cryptocurrency, the trusted nightmare scam currencies of grifters everywhere. Just like the VISA logo demonstrates security and convenience, cryptocurrency demonstrates you're about to be bamboozled out of a bunch of money.

It's 2023; the grift is obvious by now.

Make sure that your computer hard drives have full disk encryption turned on; it's the difference between "your company has to replace a $2K laptop" and "your company is now in the headlines."

Increasingly you have to go out of your way to NOT do this.

Encryption at rest inside of a cloud provider's environment is dumb but it's easier to click the button than fight about it. Click the button and let the auditor go back to building their sandcastles below the tide line.

Some places will insist you rotate passwords every 60-90 days. Some places also make you pee in bottles. These places both need to understand their place in the toilet lifecycle.

Use multi-factor authentication, like a YubiKey. When pressed for time, you can whack the button on the device to let it name an AWS service right before it launches.

Failing that, an email code, an Authy or similar time-based code app, or at last resort an SMS or phone call will suffice.

Use a password manager because you're bad at passwords. Trust me on this one. I like 1Password but there are lots of others that are absolutely not LastPass that are well respected.

If your password manager is reluctant to fill in your password on a site, believe it. Similarly, it's very hard to be conned out of a password you don't actually know.

You should know fewer than three to five passwords yourself.

"My data is sensitive so it shouldn't live in a cloud provider" is naive in the extreme. They are better at protecting data than you are, unless we're talking about Azure, in which case all bets are off; those people apparently do not give a SHIT about cloud security.

The rest are great at it, whereas your datacenter's nighttime security guard is out drinking with your usual CISO and forgot to lock the door on their way out.

Follow @SwiftOnSecurity for real-world infosec tips, delightful banter, and for some reason periodic pictures of airplanes that make me uncomfortable in my pants. You'll learn a lot about security, and on some darker, more disturbing days a little bit more about yourself.

Understand that nobody is going to devote massive computing resources to breaking into your system; at most they'll devote ten minutes to hitting you with some jumper cables until you sobbingly tell them the password. Any corporate policy that says otherwise was drafted by someone who's gone too long without feeling the sweet sting of a battery clamp across their jawline.

Don't share credentials with other people. They can get their own account. If your supervisor demands your credentials, be sure to get the request in writing first; the odds are terrific that a bunch of money is going to go missing and you're about to be the prime suspect.

Protect corporate money so it can instead be lost to a scam that starts with a "Contact Us" button on a pricing page, and ends with an enterprise sales team and a PowerPoint presentation.

This is the part where many companies will start emailing you fake phishing tests. This leads to just wonderful relationships between colleagues; I don't recommend doing it unless you're looking to nurture a culture of backstabbing and character assassination.

Personally I find it easier to just go work for some shithead founder's first startup.

@Quinnypig phishing tests are no fun now that YouTube has taken down Rick Astley
@Quinnypig if you think I'm clicking a random link in /this/ conversation :)