CISO Risk Dumpster Fires: SEC Turns Up the Heat by Liz Wharton (@LawyerLiz), Danette
Edwards, and Cyndi Gula (@cyndi_gula) at @shmoocon.

As always, “put nothing in writing that you don’t want to see in a disposition.”

🧵 Pointed out how interesting it is that the one between Caesars and MGM that had a smaller breach word vomited into their 8K while the company with a much larger cost gave 3 sentences.

Caesars:

MGM: investor.caesars.com/node/33686/html
d18rn0p25nwr6d.cloudfront.net/CIK-0000789570…

Intel is a Fallacy, But I May Be Biased by Andy Piazza (@klrgrz) at @shmoocon.

Most companies aren’t using Intel properly. Most people aren’t reading the reports.
Most aren’t using it properly.

“Words matter.” Title has irony in it. Intent and Capability is what will be focus.

Fallacy 1 - “Targeted Activity”

Spectrum:
- Target of opportunity
- Targeting an industry?
- Targeting a specific company?
- Targeting a specific user/role?

Derivative reporting changes the intent. Something based on another source.

I recently conducted a business case analysis presentation around implementing a GRC tool in our org over the current use of Excel and a few other tools to get things done. While I can't share the entire slides, I decided to share some to help those of you also trying. 1/10 Here is the overall agenda. I can show you the example use case scenarios, but I can't share the current workflows/future workflows. So make sure you show them the current way you perform actions and explain what is coming and the problem that GRC software will solve. 2/10

At a discussion today on cyber litigation and what you can do to reduce your cyber legal risks. Almost every breach today comes with a lawsuit or lawsuits. And it’s only growing.

Everything you do, you are producing evidence for when you get breached that will be used against you by prosecutors.