I get to speak to a masters in cyber security class at a major university on Monday.
-
@da_667 @jerry Yes, indeed. Especially the bean counters need to have an NPV waved at them!
But the rest of the board should also care about reputational risk.
So the lesson is that while CxO should care about data security and operational integrity - and the tech and training that that implies - it may need to be translated into money and shame to be salient...
-
I get to speak to a masters in cyber security class at a major university on Monday. They are learning about interacting with senior leadership/BoD on topics of cyber risk. I have many stories to share with them, but curious if y’all have any ideas on what you thank that group should know
@jerry ask if they are on this instance! 🤭
-
@jerry relating any recommendations to financial impact is all they care about. How much it will cost to implement, vs. how much it'll cost if we don't implement it.
@jerry this also relates to budgeting for new tools, and head count. Learn to create proposals for head count and/or tooling. Including cost figures in those figures. I worked tech support at Sourcefire for a number of years, and had team leads who were bitching that we didn't have all the tools we need to do the job. One of them would put a draft together, submit it, the boss would ask "where are the costs?" and it would NEVER progress. It all comes down to cost. If you don't mention cost, they don't care.
-
@Viss @DamonHD @jerry I had a music major as my datacenter ops manager.
I want you to understand, I know that sometimes, someone changing majors and/or professions sometimes happens and that these people can be quite good in a totally difference space (edit:clarification), but this dude paid for a cleaning service that does datacenters to come and clean the datacenter. It didn't really need it, and was genuinely a waste.
Now, us replacing all of our network fabric, and re-doing our cable management, which was another huge endeavor, was a big win.
-
I get to speak to a masters in cyber security class at a major university on Monday. They are learning about interacting with senior leadership/BoD on topics of cyber risk. I have many stories to share with them, but curious if y’all have any ideas on what you thank that group should know
@jerry I'd suggest two things: a) Ethics - should you do something, or should you say something when you discover a problem?
b) A couple of stories about why security researchers/sysadmins can be like magicians - because we will spend an inordinate amount of time on doing some tiny thing to absolute perfection in order to find out something that is bugging us:
1/ Clifford Stoll found an unauthorized user who had apparently used nine seconds/75cents of computer time and not paid for it. It was a KGB Hacker. Oh, and "The Cuckoos Egg" had a nice cookie recipe too.
2/ The XZ Backdoor was found by a user, testing SSH, who saw that logins were taking too long.....
-
I get to speak to a masters in cyber security class at a major university on Monday. They are learning about interacting with senior leadership/BoD on topics of cyber risk. I have many stories to share with them, but curious if y’all have any ideas on what you thank that group should know
@jerry Understand what the personal risks are for the board. Usually it is tied to shareholder value and/or profit loss.
Play on that. In for-profits, nothing else will work.
Sorry to sound so cynical.
-
I get to speak to a masters in cyber security class at a major university on Monday. They are learning about interacting with senior leadership/BoD on topics of cyber risk. I have many stories to share with them, but curious if y’all have any ideas on what you thank that group should know
@jerry Let them know that despite there being plenty of anti-AI sentiment out in the world, it is not only NOT going away but it is up to the security community to fix it. Just like we did with PHP when that came out spawning hundreds of vulnerable websites from non-HTML programmers. Just like we did when we moved from server rooms to the cloud. Before HTTPS. And on and on. Whether we like it or not, security pros have to fix things.
-
I get to speak to a masters in cyber security class at a major university on Monday. They are learning about interacting with senior leadership/BoD on topics of cyber risk. I have many stories to share with them, but curious if y’all have any ideas on what you thank that group should know
-
I get to speak to a masters in cyber security class at a major university on Monday. They are learning about interacting with senior leadership/BoD on topics of cyber risk. I have many stories to share with them, but curious if y’all have any ideas on what you thank that group should know
@jerry relaying how their org is doing when compared with their peers. I get asked that on the weekly. Understanding the risk completely and how that impacts the org is really important too, and being able to explain that risk. Don't misspeak either, especially in consulting roles.
Don't be that nervous. They're just people at the end of the day who (hopefully) want to see their org mitigating future attacks. This one I notice a large difference between internal and consulting roles.
-
@jerry Let them know that despite there being plenty of anti-AI sentiment out in the world, it is not only NOT going away but it is up to the security community to fix it. Just like we did with PHP when that came out spawning hundreds of vulnerable websites from non-HTML programmers. Just like we did when we moved from server rooms to the cloud. Before HTTPS. And on and on. Whether we like it or not, security pros have to fix things.
GIVE THIS PERSON AN AWARD!!!
️
-
@Viss @DamonHD @jerry I had a music major as my datacenter ops manager.
I want you to understand, I know that sometimes, someone changing majors and/or professions sometimes happens and that these people can be quite good in a totally difference space (edit:clarification), but this dude paid for a cleaning service that does datacenters to come and clean the datacenter. It didn't really need it, and was genuinely a waste.
Now, us replacing all of our network fabric, and re-doing our cable management, which was another huge endeavor, was a big win.
-
@jerry Let them know that despite there being plenty of anti-AI sentiment out in the world, it is not only NOT going away but it is up to the security community to fix it. Just like we did with PHP when that came out spawning hundreds of vulnerable websites from non-HTML programmers. Just like we did when we moved from server rooms to the cloud. Before HTTPS. And on and on. Whether we like it or not, security pros have to fix things.
@simplenomad @jerry I just make all my prompts end with “and be sure you make it secure” and everything is fine
-
I get to speak to a masters in cyber security class at a major university on Monday. They are learning about interacting with senior leadership/BoD on topics of cyber risk. I have many stories to share with them, but curious if y’all have any ideas on what you thank that group should know
@jerry For high-level Corp. mgmt., communication governance in an incident is key. They may have to manage confidentiality while allowing the investigation to proceed, and they shouldn't allow info to propagate, even though high-ranked officials will demand access to the info. The story could get out before they could control this, which (obvs) will be detrimental to the stock price.
-
I get to speak to a masters in cyber security class at a major university on Monday. They are learning about interacting with senior leadership/BoD on topics of cyber risk. I have many stories to share with them, but curious if y’all have any ideas on what you thank that group should know
I should probably figure out what cyber security means before I go speak to a masters class about cyber security.
-
I get to speak to a masters in cyber security class at a major university on Monday. They are learning about interacting with senior leadership/BoD on topics of cyber risk. I have many stories to share with them, but curious if y’all have any ideas on what you thank that group should know
@jerry ROI , risk management, and throw in whaling examples. Have them think of a DFIR budget as insurance.
-
R relay@relay.an.exchange shared this topic
-
I should probably figure out what cyber security means before I go speak to a masters class about cyber security.
@jerry cybersecurity means being both the problem and the solution. ducks
-
I should probably figure out what cyber security means before I go speak to a masters class about cyber security.
@jerry Nah. I didn’t, and it went fine.
-
I should probably figure out what cyber security means before I go speak to a masters class about cyber security.
@jerry Call it Super Security.
-
I get to speak to a masters in cyber security class at a major university on Monday. They are learning about interacting with senior leadership/BoD on topics of cyber risk. I have many stories to share with them, but curious if y’all have any ideas on what you thank that group should know
@jerry This is broader than just risk, but my advice on talking to top leadership is to pay very close attention to the questions they ask. They are trying to make decisions about what the company should do, and if you are talking to them, it's likely because someone thinks you have information that could help them make that decision.
Have understandable answers and plan for the follow-up questions. Identify the key points you think the leaders need to know but may not know to ask.
-
I get to speak to a masters in cyber security class at a major university on Monday. They are learning about interacting with senior leadership/BoD on topics of cyber risk. I have many stories to share with them, but curious if y’all have any ideas on what you thank that group should know
@jerry Also, it absolutely has to be established that Infosec runs the investigation, and can be allowed to turn things off. I once ran an incident communications workshop where the PR dept. said flatly: we will be running the investigation, as if they knew anything about systems. They wanted to govern the story completely.
