Read on Twitter
🧙♀️ CISO Story Time
This is not exaggeration.
I have a good friend. He's a CISO of a multinational organization in the technology sector. We talk often.
Market trends, sales, and business regulations had the business decide to open an facility in China.
a 🧵 👇
This is not exaggeration.
I have a good friend. He's a CISO of a multinational organization in the technology sector. We talk often.
Market trends, sales, and business regulations had the business decide to open an facility in China.
a 🧵 👇
👩🏭 Construction was commissioned and completed within 4 years for the new site.
Everything was going pretty well. They had finished HVAC, and most furnishing.
Under suggestion from a CISO friend in a CISO Slack we are in, he commissions a bug sweep of the new office.
Everything was going pretty well. They had finished HVAC, and most furnishing.
Under suggestion from a CISO friend in a CISO Slack we are in, he commissions a bug sweep of the new office.
🐝🐞🐛 The bug sweep found 6 listening devices. Several in electrical, some in HVAC.
I'm not an *expert* in corporate espionage so I don't know if these were short or long range.
He never told me exact cost, but I know the team he flew in to do the sweeps was not cheap.
I'm not an *expert* in corporate espionage so I don't know if these were short or long range.
He never told me exact cost, but I know the team he flew in to do the sweeps was not cheap.
After removal, he felt relatively safe.
Staff began to come in and work, the rest of the furnishings were done. Operations were going well.
For extra safety, he commissioned the bug sweep service again, one month after they were up and running.
Staff began to come in and work, the rest of the furnishings were done. Operations were going well.
For extra safety, he commissioned the bug sweep service again, one month after they were up and running.
The team found an additional 7 listening devices. In signage, conference tables, and hardware.
We talked at length about his threat scenario on phone calls. We brainstormed a plan that included a lot of risk due to corporate espionage.
We talked at length about his threat scenario on phone calls. We brainstormed a plan that included a lot of risk due to corporate espionage.
In addition, since this was somewhat recently, new regulations like MLPS 2.0 gave the ability for local authorities to audit and take control of the site at-will.
We chatted and design the infrastructure and services with "kill switches" in case.
We chatted and design the infrastructure and services with "kill switches" in case.
To meet auditing standards, a separate network is maintained where relevant logs are copied, but the network is isolated. It has its OWN CONFERENCE ROOM.
No one uses this network or room, except when auditors come.
In some cases he PRINTS audit information for them.
No one uses this network or room, except when auditors come.
In some cases he PRINTS audit information for them.
There's no golden rules here. Many we have talked to say this is just part of business in China.
My calls with him are some of the most interesting CISO discussions I've been a part of.
My calls with him are some of the most interesting CISO discussions I've been a part of.
I'm sure there's a lot of intricacies and additional planning running a cutting edge tech company warrants in this situation...
Not many CISOs I know get exposed to this though. I thought the story might be useful to at least one person.
We just out here trying to our best 🤓
Not many CISOs I know get exposed to this though. I thought the story might be useful to at least one person.
We just out here trying to our best 🤓
Top of the thread =) 👇
https://twitter.com/21445961/status/1708868006325915752
• • •
Missing some Tweet in this thread? You can try to
force a refresh
