I get to speak to a masters in cyber security class at a major university on Monday. They are learning about interacting with senior leadership/BoD on topics of cyber risk. I have many stories to share with them, but curious if y’all have any ideas on what you think that group should know
I should probably figure out what cyber security means before I go speak to a masters class about cyber security.
@jerry cybersecurity means being both the problem and the solution. ducks
@da_667 @jerry Computers solve the problems we didn't have without them 😎
@jerry Nah. I didn’t, and it went fine.

@paul_ipv6 @jerry
That's the great thing about the word "cyber" – it means whatever the speaker wants it to mean.

That's also the awful thing about the word "security."

@brouhaha @jerry

cyber. isn't that something you're supposed to have more of in your diet so you're "regular"? :)

@jerry It’s when you “cyber” securely, e.g. door closed, lights off, all alone.
@jerry I put on my robe and wizard hat… securely 
@hotsoup I doubt anyone there will be old enough to understand that reference
@jerry @hotsoup Damn it, that means I'm the same age as old people.
@hotsoup @jerry “I cast lvl 3 eroticism..”
@jerry going all philosophical
@jerry if it is a professional focus - maybe something along the lines of "it is about influencing people, not saying no to them"

@jerry too fastidious.

Just say "3.0" at some point.

@jerry

Go with the SANS retro-encabulator video and then ask for questions 😉

@jerry generations of school kids keep asking me this exact question and I still can't come up with an answer that could make any sense
@jerry Can you just speak about cyber insecurity and then tell them to imagine the opposite?
@zcutlip @jerry Um, what is the opposite of cyber?
@jerry just ask Ai. You will be fine 😏
@jerry
Hack all their accounts, before arriving.
@jerry cybersecurity means never having to say you’re sorry.
@jerry it's having a warm fuzzy feeling 🧸❤️ about the cyber 💻
@jerry "risk acceptance and good insurance"
@jerry yeah... I think you got this one. :)
@jerry relating any recommendations to financial impact is all they care about. How much it will cost to implement, vs. how much it'll cost if we don't implement it.

@da_667 @jerry Yes, indeed. Especially the bean counters need to have an NPV waved at them!

But the rest of the board should also care about reputational risk.

So the lesson is that while CxO should care about data security and operational integrity - and the tech and training that that implies - it may need to be translated into money and shame to be salient...

@DamonHD @da_667 @jerry i dare you to ask them how many have any technical background whatsoever

@Viss @DamonHD @jerry I had a music major as my datacenter ops manager.

I want you to understand, I know that someone changing majors and/or professions sometimes happens and that these people can be quite good in a totally different space (edit: clarification), but this dude paid for a cleaning service that does datacenters to come and clean the datacenter. It didn't really need it, and was genuinely a waste.

Now, us replacing all of our network fabric, and re-doing our cable management, which was another huge endeavor, was a big win.

@da_667 @Viss @DamonHD @jerry I have 7/8 of a music degree.
@Sempf @da_667 @DamonHD @jerry sure, it's totally possible for people to be nerds and that not match their major. I've just encountered so many people with a 'masters in cybercyber' that don't have even basic experience, like installing an OS or configuring a Linksys, that it's tainted the whole degree for me

@Sempf @da_667 @Viss @DamonHD @jerry

3+4? 4+3? 2+2+3?

jaunty meters no frighten the stakeholders?

@jerry this also relates to budgeting for new tools, and head count. Learn to create proposals for head count and/or tooling. Including cost figures in those figures. I worked tech support at Sourcefire for a number of years, and had team leads who were bitching that we didn't have all the tools we need to do the job. One of them would put a draft together, submit it, the boss would ask "where are the costs?" and it would NEVER progress. It all comes down to cost. If you don't mention cost, they don't care.

@da_667

@jerry

That's what I'm trying to do, but I generally have doubts about my estimates. When it comes to cybersecurity trends or estimated losses if security features remain unimplemented, I always feel that the figures I have are pretty random and not sufficiently backed up by facts.

@bongoknight @da_667 @jerry In my experience, that doesn’t matter as much. Just cite known examples of breached companies who had to pay damages, spend huge amounts to fix any damage, added costs for additional crisis PR management or the money spent on lawyers. Even just ballpark averages for those costs are usually enough to wake them up to the costs of disaster if things go unimplemented.
@da_667 @jerry Walk the fine line between fearmongering and allowing the BoD to snooze.

@jerry The importance of being able to marry technical jargon and precision with a layperson's understanding.

I have had so many senior leadership/Board discussions and it always boils down to being able to have a depth of understanding that allows for that ELI5 type of communication.

@jerry Knowing Corporate only gets you that far, at some point you must know the Individuals.

Risk perception and appetite is a deeply personal trait.

@jerry

just enjoying the idea of referring to senior leadership as the blue screen of death 💀

@jerry ask if they are on this instance! 🤭
@jerry "Contemporaneous notes" are admissible as evidence in court. Cover your ass.

@jerry I'd suggest two things: a) Ethics - should you do something, or should you say something when you discover a problem?

b) A couple of stories about why security researchers/sysadmins can be like magicians - because we will spend an inordinate amount of time on doing some tiny thing to absolute perfection in order to find out something that is bugging us:

1/ Clifford Stoll found an unauthorized user who had apparently used nine seconds/75 cents of computer time and not paid for it. It was a KGB hacker. Oh, and "The Cuckoo's Egg" had a nice cookie recipe too.

2/ The XZ Backdoor was found by a user, testing SSH, who saw that logins were taking too long.....

@jerry Understand what the personal risks are for the board. Usually it is tied to shareholder value and/or profit loss.

Play on that. In for-profits, nothing else will work.

Sorry to sound so cynical.

@jerry Let them know that despite there being plenty of anti-AI sentiment out in the world, it is not only NOT going away but it is up to the security community to fix it. Just like we did with PHP when that came out spawning hundreds of vulnerable websites from non-HTML programmers. Just like we did when we moved from server rooms to the cloud. Before HTTPS. And on and on. Whether we like it or not, security pros have to fix things.

@jerry @simplenomad

GIVE THIS PERSON AN AWARD!!!
🎖️🏅🥇

@simplenomad @jerry I just make all my prompts end with “and be sure you make it secure” and everything is fine
@joshbressers @jerry I take it a step further, repost the LLM’s code in a separate chat, and say “I wrote this code but strongly suspect it is insecure, please show me the flaws and give me a diff to fix things.”

@simplenomad @jerry it’s amusing to me that LLMs are better than the average security bug hunter

But they also can’t write secure code

@jerry relaying how their org is doing when compared with their peers. I get asked that on the weekly. Understanding the risk completely and how that impacts the org is really important too, and being able to explain that risk. Don't misspeak either, especially in consulting roles.

Don't be that nervous. They're just people at the end of the day who (hopefully) want to see their org mitigating future attacks. This one I notice a large difference between internal and consulting roles.

@jerry For high-level Corp. mgmt., communication governance in an incident is key. They may have to manage confidentiality while allowing the investigation to proceed, and they shouldn't allow info to propagate, even though high-ranked officials will demand access to the info. The story could get out before they could control this, which (obvs) will be detrimental to the stock price.