So here's a summary of what ISC2 is changing in its Bylaws and why you should vote NO in the upcoming Bylaws vote. Hold on to your wigs:
1/ The board will no longer have elections. Instead, they will propose a slate of candidates equal to the number of open seats. They still call it an election, but it is officially a coronation. #VoteNo
2/ The board drops the Ethics Committee as a standing committee of the board. Rumor has it that the board will offload Ethics to management. I can't summarize how bad this is. #VoteNo
3/ The board is increasing the number of endorsements needed for a petition from 500 to 1% of the membership. It's already impossible to get to 500. It's unthinkable anybody would make it to 1600-2000. #VoteNo
4/ There are a lot of other small tweaks and changes that are detrimental to the association and the profession. I don't want to bore you all, but if you're still a member of ISC2, this is your cue to #VoteNo
5/ It looks like this will be one vote for all changes. Not a vote per change. Given the three items listed here, there is no reason to vote yes.
6/ They’re making the chair an officer of the company. That gives them all rights to act individually in the name of the company. Imagine someone with a 4-year tenure allowed to make any and all decisions for almost 200,000 members. It’s redonkulous.
For those who think I'm too hung up over ISC2. I don't care about the org, or the people currently leading it. I care about our profession (information security), and about my fellow professionals. There are people all over the world that invested their time ...
and effort into ISC2, to be recognized as a professional in our field. In many geographies, this meant not doing other things with their money. That was a serious investment. In and around DC alone, 60-70k people depend ...
on their cert for employment. Is that right? No. But it is still the case. As long as I am a member, and thus a fellow professional, to these people, I will do everything I can to stop the stupidity the ISC2 board and management are doing.
I have no opinion about the veracity of LAPSUS claims but I feel I need to reiterate the importance of communication during breaches, large and small.
As a vendor, your most important asset is not tangible. It is your customers’ trust. You can try to rank your customers by revenue, by size, by any metric you desire but as a SaaS provider, you’re a black box. The only thing that really matters is maintaining trust.
Herein lies an opportunity though: you can leverage small incidents to hone your communication skills. Unfortunately, the perception is that this is bad. Why?
You should change the way you buy pentests. A thread.
Your adversary has time, and resources. Your pentest gives you limited time, and 1-2 people (with overlapping skill sets) at best.
Now let's look at where your pentest team spends their time, primarily. 1) Building tradecraft. This is not done during the engagement, but it is something that adds to the cost of your engagement. 2) (Assuming a black box scenario) reconnaissance and intel gathering.
1 is a given. A default question for your vendor should be how much time their teams spend, on average, building tradecraft. 2 is why your pentest isn't an adversary simulation.
We always say that the most important part of delivering security services is reporting. I agree. If you can't get your message across, the value of your service drops immensely. A thread.
(1) In essence, you're telling a story. Your report has a beginning, a middle, and an end. Let's call it the exec summary, the findings, and the conclusions. Pro-tip 1: don't lose that structure. Stick to it like glue. Anything that doesn't fit in "the story" -> appendix.
(2) Exec Summary: target audience = non-technical. They likely won't read the rest of the report. Be succinct, be direct, be authoritative. (Give kudos where kudos are due.) Use graphs, but ask yourself if your audience can "get them" at a glance.
Once upon a time I found myself in a London pub with a good friend of mine. Assisted by a steady flow of beer, we discussed our profession: "infosec". Now I must add that this friend is also incredibly smart, and a great person too.
They're also amazingly versatile. Apart from being a great hacker and researcher, they were also a magician, and well acquainted with the circus community. I'm drawing from memory here and I'm not as smart, great, or versatile but bear with me.
It was there and then that my friend drew the parallel between infosec and circus. Some of you may laugh, but it makes sense. Imagine you're a new person on the trapeze. It's freaking scary, right? Why would you?
(1) We all like to joke around "scope" all the time. Red teamers hate "scoped" engagements. This is *exactly* why you need a CLEAR scope for your engagements. If this existed, the guys would already be free.
(2) We can joke about the client not understanding. That's not their fault. If the client had known/understood, these guys would not be in jail.