Recipe for a CISO

Karl Semich 0xloem at gmail.com
Mon Mar 4 07:36:06 PST 2024


yeah, and i’m crazy now

of course whether that reverse engineering is done by hand by individuals,
or entirely automated, or done by huge groups of people, has a big impact
on what kinds of threats are encountered, and how to effectively handle them

i think our current situations are hopefully temporary, where there is at
least for me a lot of obscurity around specifics of information power
layout. when conflicts find winners maybe that can change.

if instead the role of the vulnerability researcher goes away (i don’t
know, i’m not involved), this would of course also be a temporary situation
as things become more and more open to problems arising

something i didn’t mention in my email is the interception and mutation of
communications, which intertwines the digital and the human.

hope you find good work if you are needing it

i guess what i’m saying is there was big potential building around
automation of analysis.

On Mon, Mar 4, 2024 at 08:08 J.M. Porup <jm at porup.com> wrote:

> If you will permit me to zoom out, the overall trend you have identified
> is that security has moved up the stack to higher and higher layers of
> abstraction. Since it is impossible to know all the systems, security
> has specialized. And since security issues lurk at greater quantities
> at higher layers of abstraction, it makes sense for someone in a CISO
> role to focus on higher layers of abstraction (as opposed to, say,
> focusing on reverse engineering a small cross-section of binaries
> of interest.)
>
> jmp
>
> * Karl Semich <0xloem at gmail.com> [2024-03-04 13:52:04 +0000]:
>
> > it used to be knowing systems meant learning to look inside obscure
> > binaries and figuring out how to turn them to your ends like an
> > anthropologist decoding ancient tablets (breaking into systems by hand),
> > and doing this so well that you could defend against others doing it
> > effectively. basically, nobody else had any idea how anything worked, it
> > seemed they were all living in fantasy worlds based on marketing
> > materials.
> >
> > it’s been a decade or two now for me, and i don’t know how it is in the
> > present day. since the era of the dedicated hacker there are public tools
> > maybe starting with metasploit that magnify power immensely. various
> > actors have stimulated serious reduction in the quality of new code while
> > other groups have secured some systems very strongly, such as blockchains.
> >
> > phones and routers still languish without updates while vulnerabilities
> > sit in public databases to be used. things like this likely shift the
> > power away from the researcher.
> >
> > i took one brief intro in cybersecurity and it was all AI, training
> > models to detect and respond to anomalies.
> >
> > and those same powerful entities put backdoors straight in the hardware,
> > contributing to frustration of complete review.
> >
> > my personal experiences lend me to think that AI has been used on the
> > offensive for quite some time now. it seems things may have also shifted
> > a ton toward social influence, which may even simply be more familiar to
> > most people.
> >
> > On Mon, Mar 4, 2024 at 06:24 Cyber Cyber Cyber Cyber <
> > cybercybercybercyber at substack.com> wrote:
> >
> > > Recipe for a CISO
> > > eye of newt and toe of frog
> > >
> > > J.M. Porup
> > > Mar 4
> > >
> > > this won’t hurt at all, promise
> > >
> > > What exactly is a CISO, anyway?
> > >
> > > I see CISO job ads asking for people’s GitHub handles, but you’re not
> > > hiring a developer, and you're not hiring an engineering manager,
> > > you're hiring a CISO.
> > >
> > > Security engineering is not about writing code, so even if you were
> > > hiring a Security Engineering Manager you still wouldn’t want to be
> > > measuring candidates based on the code they write.
> > >
> > > So if a CISO isn’t just a weird form of security engineering manager,
> > > then what exactly do we do all day long, anyway?
> > >
> > > What’s the recipe for a CISO?
> > >
> > > One bushel of technical systems knowledge
> > >
> > > How do things work? You can’t secure a system if you don’t understand
> > > the system at least as well as attackers. From my point of view, that
> > > means a good CISO is much more likely to come out of traditional IT or
> > > even a DevSecOps role than from a developer role. Developers are
> > > generally laser-focused on a specific tech stack—deep and narrow—but a
> > > CISO needs to spread themselves thin across everyone and everything in
> > > their org—shallow but broad.
> > >
> > > a demijohn of people, people, people
> > >
> > > Not just technology, but also process and people. Because the human
> > > systems you are defending are not technical. CISOs are focused on risk
> > > management, and the way you manage risk—since risk mitigation is almost
> > > always part of risk management—is to change things. To change the way
> > > people do things. In other words, change management. But people hate
> > > change! Oh my lord do people hate change. So exercising diplomacy and
> > > influence across an org is key to securing an org. That’s not a 133t
> > > supercoder job.
> > >
> > > a peck of security mindset
> > >
> > > No one can be successful in any security role without the security
> > > mindset. This is the adversarial thinking that distinguishes a builder
> > > from a breaker, and it’s the raw material I look for when interviewing
> > > candidates. You can teach technical skills, but you can’t teach
> > > adversarial thinking to someone who lacks the knack. It’s a raw talent
> > > that I’ve discovered in people both technical and non-technical. A CISO
> > > unable to think creatively about adversaries—whether the North Korean
> > > military, a ransomware gang, or the Irish Data Protection Authority—is
> > > not going to be effective in their role.
> > >
> > > two liters of leadership ability
> > >
> > > A one-man CISO is just a phony title. Ultimately a company of any size
> > > that needs a CISO is going to need a security team for the CISO to
> > > lead. But that means the CISO needs to be an effective team leader who
> > > knows how to delegate, to motivate, to discipline—to get the most out
> > > of their team for the benefit of their employer. This includes leading
> > > on both security engineering (managing real security risk) as well as
> > > security compliance (working with Legal to meet regulatory risk
> > > appetite, acquiring security certifications like ISO 27001 to enable
> > > the business to close deals, etc).
> > >
> > > a barrel of business mindset
> > >
> > > It is a tempting but fatal rookie error in security to be an absolutist
> > > about security. This is unhelpful and makes you a bad CISO. A CISO is
> > > not just a technical engineering manager—a CISO is a business executive
> > > whose job is to work closely with the CEO and Board of Directors to
> > > balance risk and opportunity to meet business goals. A CISO is not a
> > > high priest of security trying to achieve perfection or a Cassandra
> > > warning of doom. Risk is part of doing business, and security risk is
> > > part of doing business. Making sure the business understands that risk,
> > > and helping the business to choose between accepting risk or spending
> > > money to mitigate that risk, is the fundamental service the CISO
> > > provides.
> > >
> > > a heaping tablespoonful of lawyer
> > >
> > > I am not a lawyer and I don’t play one on TV. But I need a solid grasp
> > > of the law in order to do my job. As I explained to a disbelieving
> > > colleague—a software engineering manager—security straddles the fence
> > > between Engineering and Legal. Legal and regulatory risk are a major
> > > part of my job as a CISO. When my adversaries aren’t just criminal
> > > hackers but government regulators, I’d better understand the regulations
> > > that we aim to either comply with (or, as an executive decision
> > > involving the General Counsel, to not comply with because the risk of a
> > > regulatory fine is so low).
> > >
> > > a pinch of accountant
> > >
> > > You can either accept risk or spend money to mitigate risk. That means
> > > you need a solid beancounter mentality to be effective as a CISO. How
> > > much money should we spend? What's the cost/benefit analysis of that
> > > spend? (What's your Security ROI?) Are you spending money wisely, and
> > > being a good steward of company funds?
> > >
> > > a megaphone of hostage negotiator
> > >
> > > Negotiating contracts with security vendors sometimes feels like a
> > > hostage negotiation. "Pay us this crazy money for a substandard
> > > product, or the hostage gets it." In this case my employer is the
> > > hostage. It’s not racketeering but it sometimes feels like it! Being
> > > able to go to the mat with vendors and tear into their offering to get
> > > a better price is a crucial skill for a CISO. It’s not enough to just
> > > mitigate security risk, you should be optimizing for cost as well.
> > >
> > > Recipe
> > >
> > > Throw all the ingredients into a blender. Puree on low for twenty
> > > years or so. Pour into a suit hoodie (half suit, half hoodie) and serve
> > > with a heaping side order of ambiguity.
> > >
> > > © 2024 J.M. Porup
>