CISO at @sardineai. Treasurer of @OWASP Board of Directors. (he/him) qatta' mIghtaHghach.

Phoenix, AZ
Joined July 2009
Replying to @dcuthbert @vanderaj
Banks in the EU are solving a different problem: they want to ensure only the account holder can get through the auth process, and if an attacker makes it through, liability is on the account holder, not the bank. Frictionless means more transactions to offset the loss from fraud borne by the bank.
When your threat model includes nation-state adversaries.
New from me: An in-depth look at how the DNC has overhauled its cybersecurity operations since 2016. politico.com/story/2018/10/1… Under @raffi's leadership, the DNC is sharing more info with more people than ever before. In an interview at DNC HQ, he walked me through the changes.
Agree! BTW, is that the Wi-Fi password in the background?
For those handling Security Culture work, this report is interesting... 2018 State of Privacy and Security Awareness mediapro.com/wp-content/uplo…
If you go anywhere remote in AZ, Verizon is the carrier you want.
Replying to @ZenOneSec @mattjay
I got my break into security at @whitehatsec too. Small world for sure...
New: “Joint report on publicly available hacking tools” ncsc.gov.uk/joint-report
Replying to @manicode
Here ya go, one mani code for ya!
The CIPP/US study guide from @PrivacyPros has the following example question that even I know is outdated. Makes me wonder how inaccurate the actual test is...
Replying to @alexstamos
I was so angry when my kids couldn’t, and triggered a reset on my phone.
You know it’s bad when cities are allowing exchanges within the police lobby. E.g. mesaaz.gov/residents/police/…
It’s a real risk, this happened near me. azcentral.com/story/news/loc…
Heartbleed affected ~500k websites and countless other services; if the litmus test is “exposed” then that’s a lot of breach notifications. And depending on required timelines, it could force disclosure of embargoed vuln details, which endangers users rather than protecting them.
When you give an organization your data, and then it gets exposed or stolen, you probably want to know about it. Seems simple enough. But a seemingly endless parade of massive data exposures reveals just how complicated that practice of disclosure can be. wired.trib.al/xmHWgk1
Replying to @JanelleCShane
Not an umbrella, as this other painting shows: goo.gl/images/aBkwsL
Replying to @AnnCavoukian
Depends on the industry, but companies that don’t focus enough on security aren’t that way because the CISO failed to raise the red flag; it’s because financial incentives lie elsewhere. The other issue is that the CISO almost never reports to the CEO, so messaging from the security team goes through a CTO/CIO lens.
Replying to @AnnCavoukian
I suggest replacing “demanding” in your tweet with “enabling” - I’ve never seen a CEO want more security than what the security team already wants; the problem is almost always the reverse, not enough resources allocated to the security team.
Great party! That’s me second from the left...
@owasp party at the San Jose Tech Museum of Innovation. I ❤️my tribe. #AppSecUSA18
Lunch with friends!
I’m at @appsecusa - say hi and ask any questions about my running for the Board or anything about @owasp in general!