Profile picture
, 13 tweets, 3 min read
My Authors
Read all threads
I don't understand a CISO resigning over differences over how to manage information security. My definition of a CISO is somebody who isn't so childish as to get upset when the organization is insecure.
I mean, there's lots of reasons a CISO might resign. If a company's insecurity is harming its customers, then of course that's a reason to resign. But if a company's insecurity is only harming itself, then it's not a good reason.
Infosec workers are usually disgruntled because the organization hires them to secure things, then prevents them from securing things. It's not just that, it's how truly silly their resistance to security becomes.
You: "There's an obvious SQL bug that any teenager can exploit"
Them: "It's purely theoretical, we won't fix it"
You: "It's not theoretical, it's obvious and easy to exploit, let me show you"
Them: "No"

...time passes...
...the bug gets hacked by a teenager...
Them: "Why didn't you prevent this?"
You: "...grrrr...."
So it's not that they won't listen to you, it's the absurdity of this resistance that causes disgruntlement. That your entire security team is perennially disgruntled is just a standard part of infosec.
So for me, the most important part of being a CISO is somebody who can deal with the absurdity without getting disgruntled. I mean, there's still ethical problems I can imagine they'd have to confront that might cause them to resign, but not simple disgruntlement.
Of all the ethical issues I've had to confront in the past, none of them apply to presidential campaigns. The biggest I can imagine is exposing donor lists, but since they have to be exposed anyway in FEC filings, it's not an issue.
So this thread lists some reasons to resign. One of which is simply money. I'd love to work with any presidential campaign -- but not for the money they'd be willing to pay:
And another reason: the damage to reputation when the organization you are responsible gets hacked.
Another reason I've had to stop working with people is legal issues, when I disagree with their interpretation about their legal duties. Nobody explicitly breaks the law, but there's grey area, and if you are unsure, you are at risk and should get away.
But I wouldn't phrase it as "differences on how to manage security". That phrase implies disgruntlement. I'd simply phrase it as "I no longer wanted to work there".
The point is that when you part from your employer, you really don't want to do so in a way that makes you look "disgruntled", as it does here. This is especially true for higher levels of management.
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Rob ☃️ Graham

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ErrataRob see all

Profile picture
Rob ☃️ Graham
@ErrataRob
And yet, the FBI headquarters are named after the guy who grossly violated MLK's constitutional rights and used their spying on him to try to convince him to commit suicide.
There's no way the FBI can convince us they care about our civil liberties by continuing to honor the enormously corrupt J. Edgar Hoover who indiscriminately violated those rights.
FBI: "We need crypto backdoors. Trust us, we won't abuse them".
Also FBI: "J. Edgar Hoover was a great man who created our organization".
Read 3 tweets
Profile picture
Rob ☃️ Graham
@ErrataRob
My periodic disagreement. Yes, you shouldn't use MD5 or SHA1 in anything new. But no, I can't recommend what you should use instead. It depends.
Maybe what you actually want is authenticated encryption, like AES-GCM. Maybe what you want is random number generation. If it was using MD5 in the past, then maybe it's not just about replacing the hash function.
Things like "BLAKE2" or "Argon2" are arguably the "best" or "optimal" at what they do, but you probably don't need the "best". What you are instead looking for is probably simply "adequate". SHA-2 is probably adequate and easily dropped in as a replacement.
Read 3 tweets
Profile picture
Rob ☃️ Graham
@ErrataRob
Whelp, this about wraps it up for memcpy_s(). It looks like we need to go back to the drawing board and find a new secure function to copy memory in C.
The C programming language that run almost all of the world's compute infrastructure has both the feature and the flaw that it doesn't double-check memory. Thus, bugs in one part of the code can overwrite memory used in other parts.
It's a necessary feature for some "systems" programming, but is also dangerous for other tasks. Language like Rust solve this by being inherently "safe" for most accesses, allowing "unsafe" access only when needed.
Read 7 tweets

Related threads

Profile picture
Vianesa Vargas
@vianesavargas
@Patrick_TAA BLM, as well as other socio-political movements of the past were brought down because they thinned themselves out and lost focus. They put their capital into helping everyone, instead of the organization they proclaimed to be about—black lives. 1/
@Patrick_TAA The movement seemed to be co-opted. Transitioning from a group focused on justice for black people harmed by law enforcement, to one that fights for Transgender rights, and issues at the southern border. Why? 2/
@Patrick_TAA Tariq is entertainment. Always has been. I like that he uses his platform to highlight issues of injustice, but he shouldn’t be confused with a SJW, or someone who goes hard in the paint for reparations. His followers have been with him a long time and aren’t going anywhere 3/
Read 8 tweets
Profile picture
Lulu Friesdat
@LuluFriesdat
#Security for #Election2020 is at stake right now.
1) #ElectionSecurity is for our national defense. It is worth investing in.
2) If we do not have security REQUIREMENTS w/funding some states will spend poorly. That is bad for tax payers & bad for voters. #SMARTelections
At our #Senate briefing on #ElectionSecurity we brought national experts on #computer systems, #security and #audits together to demonstrate why it's critically important that congressional funding for election security includes REQUIREMENTS for security.
smartelections.us/congressional-…
3/ How EASY is it to change election results? #Princeton Prof of #Computer Science AndrewApppel says it's basic. Voting machines are computers. Computers can be programmed to run malware. It could be done w/ a USB stick & via modem.
Read 9 tweets
Profile picture
TheBridge
@TheBridgeWork
Ahead of @DEFCON, we're highlighting professionals from our Leaders Directory who work in #security & #cybersecurity. And check out our full Leaders Directory for who to know in #tech, #policy, & #politics. #thebridgeleaders thebridgework.com/profiles
@defcon .@CISAManfra, Assistant Director for Cybersecurity @CISAgov says, "Cybersecurity is a significant challenge that requires innovation not just in technical solutions but also in our policies." #thebridgeleaders bit.ly/2YMsoMJ
U.S. Congressman @HurdOnTheHill told us, "I think it’s important for innovators to understand some of the concerns that regulators are going to have further on down the line." #thebridgeleaders bit.ly/2LW4w39
Read 12 tweets

Trending hashtags

#TrumpShutdown #राममंदिर #terrorist #GoebbelsGhafoora #US #SyrianAirForce #SAA #FISA #Aleppo #terrorism #any #Syria_News #RegimeChange #without #Christians #Palestinian #alHawl #UK #ecosystem #Azaz #genocide #international #fakewatchdogs #FLOTUS #forces
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!