Thursday, September 24, 2020

Episode #20 - Somebody's Got To Pay (for this)!

Alright, it’s my turn (Evan).

The issue is accountability, or (maybe) lack of accountability, in our industry.

Bad things happen and people either:

  • Sling mud.
  • Run and hide (hoping nobody will notice).
  • Defend why they didn't take accountability.

There are good examples out there too, so I don't want to paint an unnecessarily grim picture. I contend there are fewer good examples of accountability than there are bad examples.

This has been a topic that’s been dominating my thoughts again for the past couple weeks. I say “again” because this isn’t the first time we’ve talked about it.

During episode 18, a couple weeks ago, we were talking about ransomware. The talk was great, but the frustration felt by Chris, Ryan, and myself was obvious. Why do we keep doing the same things repeatedly? Why don’t people do the basics? 

My take was the lack of accountability. So, I drafted a Ransomware Recovery Contract to help.  

So, tonight I want to dig into the greater issue of accountability in general. 

  • The importance of accountability.
  • Repeating the same mistakes over and over.
  • Safe to assume people know?
  • People are dying.
  • When to define accountability.
  • Who’s ultimately accountable for what?
    • In tech – buggy software, social media (see The Social Dilemma), etc.
    • Big organizations.
    • Small organizations.
    • Public organizations.
    • School districts.
  • Examples of accountability dysfunction.
  • Examples of good accountability.
  • What to do about it.
  • Get out ahead. Better now than never (or later).
  • Will CEOs be personally liable someday?

This discussion is sure to be good! Join us LIVE tonight at 10pm (2200) CDT for our thoughts (and some entertainment too).

Thursday, September 17, 2020

Episode #19 - How did we get here?

If you're wondering where our blog post for episode 18 went, well it didn't really go anywhere. It never existed!

We recorded our show last week without a blog post, and if you missed it live, you can watch "Hands Up! Give Me All Your Money." here.

This week is Chris' week. Chris has been busy as hell this week, so the fact he got this out is a miracle!

Here's his write-up for this week's show:

“Sometimes in order to keep moving forward, not only must you take one step at a time, but you must be willing to look back occasionally and evaluate your past, no matter how painful it is. Looking back lets you know whether or not you are headed in the right direction.” (G.K. Adams)

Having just worked with the Semperis crew on delivering a lecture the other day on the historical tie-ins between how we ALL approach technology today and how the influences ON those decisions from almost 12,000 years of documented history affect us, it’s something I want to explore further.

So, this evening’s Shit Show we'll dig a little deeper with Evan Francen, Ryan Cloutier, CISSP, and Rachel Arnold.

We’ll go back to Jericho in 9600 BCE and work our way forward to see how we might better learn from some of the pitfalls that our ancestors found instead of simply continuing to jump into the bloody things each time they are presented.

For those of you who are brain diggers OR simply want to know why we continue to do the same daft things, I encourage you to join in; for the rest, grab the popcorn and watch as we try to untangle the brain and humans in general.

This evening (Thur) 21:00 Mountain, links below:

‘all for now

This is going to be a great discussion! Check in live here. If you are already asleep at 10pm CDT or if you have better things to do tonight, check back later for the recording.

Thursday, September 3, 2020

Episode #17 - Negativity is Bullshit

Ever met someone who seems negative all the time? The person who always has something negative to add to a conversation?

These people are common, so common we have a nickname for them: “Negative Nelly”.

You could be having the best day, then along comes Nelly. He/she shits on your parade and leaves you feeling gloomy. 

You don’t like Nelly, you don’t like talking to Nelly, and you certainly don’t like hanging out with Nelly.

We’re Nelly.

The information security industry is Nelly.

Don’t agree? How often do you read positive news about our industry versus negative news? Some recent headlines:

  • Online marketing company exposes 38+ million US citizen records.
  • Chinese professor on sensitive projects in US jailed for espionage.
  • Google removes Android app that was used to spy on protesters.
  • WordPress websites attacked via File Manager plugin vulnerability.
  • Vulcan Cyber study finds serious problems with vulnerability management.

We can’t help it, we're Nelly.

In our defense, this is the nature of our work. Information security is about managing risk and “risk” is always dependent on a negative outcome. What information security is and how we package it are two different things though.

How many times have we said things like these (or similar)?

  • “If the ^@&*! users would just stop clicking links!”
  • “People just don’t get it.”
  • “It’s a layer 8 problem. People are always the problem.”

The business doesn’t like Nelly.

Nobody invites Nelly to parties because dealing with Nelly is bullshit. The business doesn’t invite Nelly to their parties (meetings) because Nelly tells us why it’s not a good idea to do something or why we can’t do something.

  • No, we can’t do that.
  • It violates our security policy.
  • It’s too risky.
  • It violates regulatory requirements (GDPR, HIPAA, GLBA, etc.).
  • We can do that one thing but it’s gonna be a lot of work to secure it.

A business is in business to make money. Nelly is a cost center. Nelly is a necessary evil, so we deal with him/her. Nelly is so damn negative though, so we're going to try avoiding him/her when we can.

Business users don’t like Nelly.

These people may be warming up to us, but that’s a helluva lot different than wanting to hang with us. Mandatory training, punitive reactions, etc. are common ways we engage. 

How do business users feel when we walk into a room?

Nelly doesn’t like Nelly.

Ever felt intimidated or dumb when asking someone a question or suggesting an idea or solution? Ever felt a little beaten up? 

It’s Nelly again. Nelly is a pain in the ass and he/she is bullshit.

So, what do we do about Nelly?

We’ll discuss this on tonight’s Security Shit Show! We’ve got some cool ideas, but here’s some to get you started:

  • Be intentionally positive even when delivering negative news.
  • Be aware of how you're perceived by your audience.
  • Deliver value based on positive results not negative ones.
  • Make lives better, make businesses more money, and people will wanna hang with you (Nelly).

Chris, Evan, and Ryan will have some good shit to share!
