Alexandre Sieira

234 Followers
415 Following
1,091 Posts
Information security entrepreneur and early stage investor. Co-Founder @TenchiSecurity. Cloud Security Posture Chiropractor.
Blog: https://www.infoseczanshin.com/
Company: https://www.tenchisecurity.com
LinkedIn: https://www.linkedin.com/in/sieira/
Gravatar: https://gravatar.com/asieira

TFW I realized I'll miss the @riskybusiness @riskybiz live podcast recording at RSAC because it is EXACTLY at the same time as I'm on stage presenting.

I mean, anything else I could have tried to move around. This is THE ONE THING I can't reschedule... 😢

If you are attending #RSAC this year, Alex Pinto and I are presenting session CLS-W09 "The Impact of Security Usability Challenges in Cloud Environments".

We will present research that reviews 500+ organizations and 5,000+ distinct #cloud environments, demonstrates how the available secure configuration options are being used, and reveals how usability and standardization choices in UI / #UX can shape #security outcomes.

Learn more and register now at https://path.rsaconference.com/flow/rsac/us26/FullAgenda/page/catalog/session/1755192044047001WRoa

To be clear, I don't have direct evidence or public reporting to corroborate what Troy is saying. I'll keep an eye out and share if and when more information comes to light.

But if you listened to this podcast episode @sawaba and I did on the subject 5 months ago with AJ Yawn, you won't be surprised that what Troy describes has probably been happening to various degrees for a while now: https://www.tenchisecurity.com/en/alice-in-supply-chains/episode-7-hoxz2

It is worth understanding that "independent" audit reports like SOC 2, even more so than security certifications, have very important economic incentive issues. They give auditees too much control over the process, and are most likely severely overrepresenting how secure third-parties are.

The auditors are chosen and paid for by the third-party, so their economic incentive is not to be thorough, truthful and provide those companies with tough love that leads them to be transparent about (and hopefully improve) their security posture.

The selling pitch and criteria for the auditor and compliance automation vendor selection by a third-party is, overwhelmingly, "we'll make you look good with your customers and close more deals, faster". As the podcast episode makes clear, there are little to no effective processes to disincentivize or punish those providers for misbehaving by giving their customers an undeserved clean bill of health.

First parties I talk to give less and less weight to self-assessment questionnaires, trust centers and "independent" audits paid for by the third-party because of that. So the compliance automation and security audit and certification industry is destroying the very value it is promising to provide.

Original LinkedIn post: https://www.linkedin.com/posts/sieira_details-have-emerged-regarding-a-widespread-activity-7415394996184424449-CSzO

UPDATE: https://www.reddit.com/r/soc2/comments/1q7u90o/real_or_fake_the_delve_scandal_or_conspiracy/

I am no @jerry… but I’ll try my best to take nice pics of some of my wife’s orchids!

Updated #view

What about this view for breakfast? #beach #vacation

Seems like @alexcpsec and I will actually have to write the presentation now that we got the confirmation that our talk submission for RSA Conference 2026 was accepted!

We'll discuss the intersection of UX, licensing and architecture choices by cloud providers with security outcomes, combining Verizon DBIR and Tenchi Security datasets to bring data-driven insights, debunk fallacies and confirm wise intuitions of the security practitioners around this aspect of #cloud #security.

Add session CLS-W09, "The Impact of Security Usability Challenges in Cloud Environments", to your conference schedule now! See you all on March 25th, 2026 at 2:25 PM.

#RSAC #RSAC2026

Wish you all a peaceful Sunday! #cat #catsofmastodon #catstodon

@securitytrails (acquired by @recordedfuture, acquired by Mastercard) is effectively down for hours now.

Their billing and license enforcement systems went haywire and it's blocking legitimate customer API calls.

Our credit card on file is gone (it was there last Friday) and they converted us back to the free plan. All with no warning. Trying to reconfigure the credit card, or even creating a completely new paid account, is not working.

Sent urgent request to support, no reply yet.

Status page shows all clean, not a peep.

#epic #fail

Had the great pleasure to meet @cigitalgem for the first time and to see good old friend Trey Ford being an MC at the Mind The Sec security conference in Brazil last week. Good times!