For those who think I'm too hung up over ISC2. I don't care about the org, or the people currently leading it. I care about our profession (information security), and about my fellow professionals. There are people all over the world that invested their time ... and effort into ISC2, to be recognized as a professional in our field. In many geographies, this meant not doing other things with their money. That was a serious investment. In and around DC alone, 60-70k people depend ...

So here's a summary of what ISC2 is changing in its Bylaws and why you should vote NO in the upcoming Bylaws vote. Hold on to your wigs: 1/ The board will no longer have elections. Instead they will propose a slate of candidates equal to the number of open seats. They still call it an election, but it is officially a coronation. #VoteNo

I have no opinion about the veracity of LAPSUS claims but I feel I need to reiterate the importance of communication during breaches, large and small. As a vendor, your most important asset is not tangible. It is your customers’ trust. You can try to rank your customers by revenue, by size, by any metric you desire but as a SaaS provider, you’re a black box. The only thing that really matters is maintaining trust.

You should change the way you buy pentests. A thread.

Your adversary has time, and resources. Your pentest gives you limited time, and 1-2 people (with overlapping skill sets) at best. Now let's look where your pentest team spends their time, primarily.
1) Building tradecraft. This is not done during the engagement but it is something that adds to the cost of your engagement.
2) (Assuming a black box scenario) reconnaissance and intel gathering.

We always say that the most important part of delivering security services is reporting. I agree. If you can't get your message across, the value of your service drops immensely. A thread. (1) In essence, you're telling a story. Your report has a beginning, a middle, and an end. Let's call it the exec summary, the findings, and the conclusions. Pro-tip 1 : don't lose that structure. Stick to it like glue. Anything that doesn't fit in "the story" -> appendix.

Once upon a time I found myself in a London pub with a good friend of mine. Assisted by a steady flow of beer, we discussed our profession : "infosec". Now I must add that this friend is also incredibly smart, and a great person too. They're also amazingly versatile. Apart from being a great hacker and researcher, they were also a magician, and well acquainted with the circus community. I'm drawing from memory here and I'm not as smart, great, or versatile but bear with me.

Let me explore this without joking. Ending up in jail is no fun, after all. theregister.co.uk/2019/09/13/pen… (1) We all like to joke around "scope" all the time. Red teamers hate "scoped" engagements. This is *exactly* why you need a CLEAR scope for your engagements. If this existed, the guys would already be free.

(thread) time to unload. Newsflash : if you are managing people in infosec it is highly likely that you are managing people more proficient in that field than you. Here's what to do and what not to do. DO : remove every possible red tape you can. For the red tape that remains, attempt to understand where you can help make it easier.