On a webcast today, I contradicted that there were "two types" of companies, those who have been breached, and those who haven't been breached YET, was wrong.
We have to think about those companies that are being breached, and they don't know it YET.
We really need to think about bad controls, poor detection of control failure, insiders who know how to avoid internal controls... The breach didn't start when the ransom notice appeared on the screen.
Pals, I don’t know who needs to hear this but one of the most offensive things you can say to somebody who has bought something new - especially a big purchase - and is sharing the news with you is, “here is why you should have bought this alternative instead”, like they’ve fucked up or they should have spent 5x as much on something else. They already gave someone money. They’re invested.
Some people just don’t get this nuance when they want to share knowledge about something they’re really excited about, but I really have to warn you that’s an incredibly hurtful thing to say that folks don’t forget. They probably were working within a budget, or within specific constraints or needs you are not fully aware of.
They probably do know what they’re doing. You are talking down to them and basically implying they’re stupid. You’re not helping and you don’t look smart.
This month is the 30th anniversary of the announcement of the Clipper Chip, the first of many bad ideas for weakening cryptography with "key escrow" backdoors. Clipper is long dead, but its ghost continues to haunt us from time to time.
https://gizmodo.com/life-and-death-of-clipper-chip-encryption-backdoors-att-1850177832
Join us THURSDAY @ 12:30pm CT for THURSDAY DEFENSIVE! A 30min fireside chat with defensive people around the industry.
This week's guest: @likethecoins talking about threats to watch.
Lesley Carhart 
Matt Blaze
InfoSecSherpa
Recon InfoSec
Matthew Green