BSW #276 – Karl Triebes

TL;DR - folks at the top of their game in all field need coaches. Why not yours? Much thanks to Ryan Naraine for bringing this one to my attention. One of the most profound pieces of wisdom I've learned in my years in security is that, though everything we deal with _seems_ unique and new, most of our problems are old ones. I think we're often guilty of thinking our work problems and personal problems all need new solutions. With all the money, marketing, and ink spent on new research and technologies, it's easy to see how we can fall into this trap. For example, this article was published in 2011. If I send this article to 100 people, I wouldn't be surprised if a third refused to read it because it's over a decade old. In fact, one of my favorite pieces I've ever written, an op-ed for Vice Motherboard, is now adorned with a large "THIS ARTICLE IS OVER FIVE YEARS OLD" warning, though nothing in it was time sensitive at all. In fact, in that article, I point to 20+ year old learnings from the quality assurance world. The moment we stop looking for new things to learn, I believe our skills and our value to those around us, begins to erode. A personal or executive coach doesn't need to know the first thing about security to be able to help you solve most of your problems. Some of my biggest epiphanies occur when I'm exercising with my personal trainer, bouncing thoughts and ideas off them.

This might be a polarizing one, but here's the synopsis of the article. Interviewing for CISO gigs, the author kept hearing the same answer: "I want my next CISO to be more like a General Manager" 1. Need the CISO to align with our mission, culture, and values, not try to change them 2. Need a CISO that understands how they can contribute 3. Need a CISO that's a good communicator - communicate with leadership in business terms The author's recommendations: We all need to take a step back and actively seek feedback on: - Are we fitting into the company’s culture and vision that was established before we got there? - How are we perceived as supporting the business? - How are we perceived as adding friction to it? Are we the Office of “No”, or the Office of “Yes, but…”? - Is the friction we may be adding rooted in data and risk, or is it just a HiPPO’s opinion? - What is it that our audiences need to hear about our security program? - How do we convey that in a way that isn’t security-speak? Each level of the organization requires a different level of communication. We need to adjust this for them, not the other way around. - How can we convey where our program is at today and where we’re taking it in the future? - How can we convey a level of conviction and high integrity commitments? - How can we seek to gain efficiencies in operations and budget?

Evergreen advice for handling breaches and security incidents: 1. control the narrative 2. update often, even if there's nothing new 3. be transparent It's good general business advice when it comes to public relations, not really something specific to security-related crisis communications. Not only did Patreon lose the narrative from the start... https://www.linkedin.com/feed/update/urn:li:activity:6973709234702032896/ ...their response was insufficient and felt false: "Patreon said that the layoffs will have no impact on its security program" My immediate response is "bullshit - there's no way you can dump your entire security team and claim no impact." Even if true, you need to _convince_ your customers of that - they're not just going to take your word for it. This statement effectively had the same impact as the classic "We care about your security and the privacy of your data" page on every Fortune 500 website. The backlash was deep and immediate. Just google "Patreon Security Team" and you'll see how comprehensively negative the reception of this news was. Every outlet covered it. It blew up on Reddit and Twitter. Experts were in agreement, saying, "I wouldn't trust my data with Patreon." What was Patreon thinking? How should they have handled this? Can they recover? What are they potentially replacing their team with? A crappy MSSP and some annual pen tests?

The investors on the latest All In podcast were talking about how traditional brands could be going away, replaced by personal brands. Talking about how influencers are quickly building the strongest and most valuable brands today. Kim Kardashian is a prominent example, but the discussion is more about the trend - how does security change when a multi-billion dollar brand is attached to a single individual executive? Some folks are still dismissive, but this is already happening - folks like Mr. Beast, Rihanna, and KimK, who were once merely 'influencers', are all already running $1B+ corporate empires.