@brianhonan @mweiss Absolutely, how can you negotiate resources or change with peers if you’re not speaking their industry-specific language, or manage risk if you don’t have some sense of the impact side of the risk equation.
AppDev, AppSec VP, FinCo CISO now Research. Spend my days talking to CISOs. Tweets and opinions are my own, a10wn. #infosec
@bks That sounds like it might be an example born of personal experience. ;)
@mweiss I concur, these 'security doesn't understand the business' arguments didn't spring from thin air, they have some grounding.
I was reading some post where the thesis was that people have to stop talking about 'security needing to understand the business', because it's insulting to suggest security professionals don't understand the business.
The suggestion is that security practitioners, especially in leadership, understand budgeting, accounting, finance, etc..
I agree a little, in the sense that this topic is treated superficially most of the time. Yes, security leaders can make a spreadsheet. It's also not what anyone is talking about when someone fails for this reason.
When someone says a security leader 'doesn't understand the business', they're suggesting a handful of things that happen when someone who is good at a sometimes hard to explain technical thing ascends into a messier 'leadership' role:
- That they choose to stay in their comfort zone, carefully polishing their SecOps tool chain while avoiding the messiness of dealing with peers and their problems in business groups. There's nothing wrong with that, but it's important to admit to yourself you didn't really want to be CISO, or whatever that leadership job is.
- That they are not playing the political game well in terms of organizational behavior, when compared to their peers. Most of executive management is talking other people into things, and having those things turn out to be the right things (some version of influence+judgement).
And to be sure, some simply don't take the time to learn the nuances, inside language, or rhythms of the business they are in, which is why they aren't 'playing the game' well.
If I could see just a few more developers post on X about the existential crisis they’re experiencing using Claude Code, what will they do with their lives now, and hey also they just happen to sell this AI thing…
@krypt3ia The guy who ripped off Johnny Long's DefCon 15 presentation, 'No-Tech Hacking' for a Ted Talk.
So...less emergent AI and more a giant API key leaking machine? (being facetious, but beware the vibe)
https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys
@euroinfosec Criminalizing victim responses to business survival, driving responses and reporting away from transparency…
“We’re from the government and we’re here to help.”
I don't usually get a laugh from auto-reply emails, but this one struck me.
Basically, "I don't do email, I'll reply when I get around to it."
Is it wrong to find this honesty strangely refreshing?
@chetwisniewski Happens enough it almost seems like a common career path in security, something about the mythos around 'it takes a thief to catch a thief'.
Maybe he's coming around to the fact that he wasn't Robin Hood ;).
@djchateau Intrinsically? Probably nothing, and fair point raising the entire quote, "but oftentimes better than a master of one". There are plenty of polymaths walking around.
The role in an organization feels problematic however, based on the prescribed responsibilities, an appropriate separation of duties and the organizational tension that should exist between governance and other roles.
For this exercise though, my concern is the way it's being presented. Rather than think, "wow, this guy's good at a lot of stuff", it hits as the kind of role confusion I mention in paragraph two. I'm trying to decide if that's just me, or there's a better way or more targeted way to present that one could do a lot of jobs for an organization (but not all at once, but call if you need any of the following).
@dangoodin Given the limited nonsensical BS I've dealt with from that profession as a small time blogger, I can't even imagine what you have to tolerate, or how much 'education' you have to dish out.
Maybe someone will develop an LLM that auto-responds to these types of inquiries (without hallucinating case law).
I received a message earlier from someone who is looking, and they stated they wanted CIO or CISO or Director of Networking roles.
While there's certainly enough overlap that a single capable person could perform in all three roles, it still hit me wrong, but I'm struggling to explain it in the context of a modern job search. It just sounds like 'jack of all trades, master of none' type stuff.
Part of it is my own internal bias against people who introduce themselves to me as 'the CIO/CISO', a bias rooted somewhere between ideas on separation of duties, about how you can't both be part of the problem and part of the solution and the Swansonesque philosophy about not half-assing two things when you can whole-ass one.
My advice is to split this up into three different posts each addressing why one would be good at each position, but I'm still not sure that's the right approach either...
@dangoodin Lawyers sure are good at wasting their client's money though, that's almost an invitation.
@hacks4pancakes Is that an actual job someone can get?
@wendynather You said you were going out for a pack of cigarettes, and it's been ten years.
@wendynather Same, when are you coming back?
📣 Help needed! For our upcoming #RSAC talk, @boblord and I are studying cyber near misses, moments where serious harm was narrowly avoided, and what we can learn from them. These near misses might apply to software development, or to network defense. (Please boost for reach! 🙏)
We are hoping to surface general patterns using some (anonymized) examples.
If you’re willing, reply with a high-level response to one or two of these prompts. Anonymize as appropriate, and/or send to us in DMs if you prefer:
* What lesson did an organization fail to learn after a near miss, even though it seemed obvious at the time?
* Describe a time when you discovered something and thought “If we didn’t catch this now, it would have been baaaaad”.
* Describe a time when you dealt with a software vulnerability in your systems that was being actively exploited elsewhere, but (as far as you could tell), not in yours. What saved the day?
* What repeated “almost failures” do you see getting normalized or waved away as acceptable risk?
* Can you recall a near miss triggered by a third party such as a researcher report, customer question, bug bounty submission, or vendor advisory that revealed a bigger issue than expected?
* Can you think of a near miss where the most important factor was not a security control, but a human action like someone double-checking, questioning an alert, or escalating a “weird feeling”?
Thanks!