Must have more data…

So, I wrote the first book, Unsecurity, based more on experience and less on research. It was easy (well, not “easy”) because the audience for the book was the people in my own tribe (information security people). It was like writing a book to myself.

Now I’m writing the second book, and the audience has changed. It’s a book written to and for non-information security people whom I’ve affectionately called “normal” people. This doesn’t mean that a normal person isn’t awesome or exceptional; they are. It’s just the word I chose to reference people who aren’t information security folks. Maybe “the masses” is a better reference. We’ll see what makes it into the book.

Anyway, I have a problem. Sort of.

The Problem

I had a revelation while I was writing this book. It came to me while I was writing about how we (security people) make the mistake of assuming we know what the masses think. Even worse, we sometimes tell the masses what the masses think. It’s wrong!

Well, I was about to make the same mistake that I was rebuking other security people about.


Don’t you think it makes better sense to ask the masses what they think about information security rather than to assume I know what they think? This book will make a lot more sense and be much more helpful if it uses the same language that the masses use and addresses their concerns!

The Solution

The best way I know to get answers to the questions I have is to create a simple survey, one that can be completed in five minutes or less. So, I did.

So far I’ve received more than 500 responses to the thirty-question survey, and the data is awesome! As I’ve mulled over some of the preliminary data, it’s amazing to see what people think! Who’d a thunk?

500 results give the survey a lot of credibility. The margin of error is ~5%, which is great! Wouldn’t it be great to get a margin of error of <=3%? I think so, and the only way to get there is to ask for more responses. This is where I’m asking for your help.

Would you be so kind as to take this survey (it’s a safe link) and send it to as many of your contacts as you feel comfortable? The survey link is here:

The better the data, the better the book. That’s the theory at least.

I’ll be writing more about the upcoming book in future articles. I think it’s going to be fun, and it’s going to help a lot of people!


P.S. The word map you see as the “featured image” in the title is mapped from the raw input (answers without any filters or changes) to the question “What could information security experts do to help people better?” (in the survey).

Are Information Security People Arrogant?

I hate speaking in generalities, even though I do so often, but I’ve been thinking about something lately.

Are information security people arrogant?

This thought came to a head a while back while I was visiting my mother. We were talking about life, and I was sharing some of my frustration in my line of work (information security). I was telling her that it frustrates me when people can’t seem to grasp the obvious.

She replied, “You’re arrogant. Plain and simple. You actually believe that people think the same way you do?”

My reaction to being called arrogant was a childish one (in hindsight), so it’s fitting that my own mother called me out. I was offended. How dare she call me arrogant?! I’m frustrated that people can’t follow simple directions and basic logic. I’m not frustrated that they can’t figure out finite mathematics or anything!

Wait. Calm down. She’s right.

After five minutes or so of trying to defend myself against her attack (which wasn’t even an attack), I realized that I had no defense. She was right, I was being arrogant. I am arrogant. Actually, I have plenty of arrogance to go around. Not only do I have enough for myself, I have enough to share with my peers too, as we laugh together at the dumb things people do.

Thanks Mom!

Here’s the deal, though: I’m not alone. Truth be told, there’s an abundance of arrogance in our industry. It seems as though some of the most esteemed information security people in our industry, or at least some of the ones in some high places, are full of arrogance.

Do we, as an industry, place a premium on being arrogant and full of ourselves? Good question. Scary thought, but I think there’s some truth here.

What is Arrogance?

Before I just start throwing words and accusations around any more than I already have, I should make sure I’m using them correctly. God knows, in our society we like to call people names and attach labels, regardless of accuracy or true meaning.

Let’s go to the dictionary and see.

The dictionary definition of arrogance: an attitude of superiority manifested in an overbearing manner or in presumptuous claims or assumptions.

Yep, I think I’m using the right word. Do you know of any information security people who have an attitude of superiority? Do you have an attitude of superiority, especially when referring to less skilled information security people or non-information security people (“normal people”)?

Is it manifested in any of these ways?

  • An overbearing manner
  • In presumptuous claims
  • In assumptions

If you’re honest, you can probably think of times when you’ve been arrogant. How often you are arrogant is another question. It’s something we all need to keep in check. We can all stand a little more introspection, like looking at ourselves in the mirror.

Common examples of arrogance

Here are five examples of arrogance that I’ve either been a part of or heard in the last week alone:

  • Believing that you think what someone else thinks without asking.
  • Getting frustrated when someone else doesn’t understand what you’re saying, and maybe even believing that they’re less intelligent.
  • Telling someone what they think.
  • Griping about some “stupid” thing someone else did.
  • Calling or thinking someone is “stupid” for doing something that seems obvious to you.

None of these thoughts or actions are productive in our mission: making information security better (I hope).

Not All and Not Always

The downside in speaking or writing in generalities is the fact that I lump everyone together, even though I know there are exceptions.

  • Not all information security people are arrogant, but too many are.
  • Not all highly esteemed information security people (industry influencers) are arrogant, but some are.
  • Even the arrogant information security people are rarely arrogant all the time.

I won’t call out the industry influencers that I think are arrogant. That wouldn’t help the cause at all.

I will call out some of the humble and less arrogant people in our industry. These are information security industry leaders that I respect, and that I feel are more humble and modest. This is based on my observations, and you may know them differently than I do.

Here are (only) ten of my favorites (in no particular order) along with links to their Twitter feeds if you want to follow:

  1. Richard Bejtlich @taosecurity
  2. Aloria @aloria
  3. Tony Cole @NoHackn
  4. Roger Grimes @rogeragrimes
  5. Jane Frankland @JaneFrankland
  6. Dave Kennedy @HackingDave
  7. Dejan Kosutic @Dejan_Kosutic
  8. Chris Roberts @Sidragon1
  9. Eleanor Dallaway @InfosecEditor
  10. Mikko Hypponen @mikko

NOTE: This list is based on opinion. My opinion. Not fact, but my opinion. I stated that this is my opinion three times (now four) because you are welcome to disagree with me! If you’d like to add to my list, please do!

There are many, many more that can be added to this list, but back to our problem, assuming there is one.

Humble Yourself

Arrogance is bad, and there’s no place for it in our industry. When we see it in others, we should respectfully call it out. When we see it in ourselves, we should change our attitude. If we can’t change our attitude, maybe we should get some help.

Are you honest with yourself? Ask yourself the question, “Am I arrogant?” Get in the habit of doing this regularly, and things will certainly go better for you and those around you.

That’s all for now. Thanks!

UNSECURITY Podcast Episode 25 Show Notes

Yes! Made it to another Friday. I didn’t get enough stuff done this week, but whatever. It’s always good to make it to another Friday!

We have a special guest this week! Read on…

If you’re new to this thing, these are our show notes for the Unsecurity Podcast. This is episode 25 already, can you believe it? If you missed episode 24, you can find the shows in a bunch of places:

There are a few other places, but these are the most common ones.

So, I hope you all had a good week! Mine, well, it was busy. Work highlights had to be the CISSP Mentor Program class on Wednesday and the great time I spent with the only client I work with on a recurring basis, Flight Centre.

I attended the Mentor Program remotely from New York, while Brad Nigh led the class in person from Minnesota. I had some fun chiming in with random crap during class. Brad, being the pro that he is, took it all in stride.

We held the Spring 2019 Flight Centre Americas Security Summit on Wednesday. They’re a very large global company, and they’re really rocking it. I won’t bore you with the details, but it was really fun. Great people, great conversation, great collaboration, great progress, etc., etc. See the pic.


I’m sure Brad had a week too. He mentioned something to me about three incident response (IR) calls. We’ll find out on the show.

Episode 25

Date: Monday, April 29th, 2019

Today’s Topic(s):

  • Introduction and Discussion with Christophe Foulon
  • More Password Guidance
  • News

[Evan] It’s another Monday morning here at FRSecure/SecurityStudio world headquarters, and you know what that means? It’s time for another episode of the Unsecurity podcast. It’s Monday, April 29th, 2019 and this is episode 25. I’m Evan Francen and I’m your host this week. Brad’s here. You know he’s my guy. Say “Hi” Brad.

[Brad] Hi.

[Evan] I’m pumped today Brad! We have a special guest today. Joining us today is Christophe Foulon! Welcome Christophe.

[Christophe] Probably says something here.


We’re excited to have Christophe join us today. He’s one of the good guys that I’ve grown to admire.

Christophe’s LinkedIn Profile


Things to talk about with Christophe:

  • What got you into information security?
  • What part of information security gets you excited?
  • Do you have a personal mission or purpose in the field?
  • I noticed that you do a lot of volunteer work; tell us about it.
  • You’re the co-host of the Breaking into Cybersecurity podcast; let’s talk about that for a bit.
  • In episode 20 we covered the topic of staying healthy in the information security industry. How do you keep a good balance between personal time, work, volunteering, social media (LinkedIn), etc.?
  • What sorts of things are you working on now?
  • You appear to be very active on LinkedIn, posting articles regularly and commenting often. I find you posting good content all the time. How important is LinkedIn to an information security professional’s career?

Segue into More Password Guidance

One of the posts you (Christophe) made this last week in particular caught my eye. You posted a reference to a Microsoft Security Guidance blog article titled “Security baseline (DRAFT) for Windows 10 v1903 and Windows Server v1903”. In the article, written by Aaron Margosis, he writes about Microsoft’s plans about “Dropping the password expiration policies.”

We’re going to discuss this revelation and the recent(ish) NIST guidance in SP 800-63-3. Interesting changes to the NIST guidance included:

  • Focus on Making Passwords Easy to Remember and Hard to Guess
  • The Use of Special Characters Is No Longer a Requirement
  • Character Allowances Increase and a Minimum Number Required
  • No Longer Requiring Password Time Periods or Expirations
  • Copy and Paste Functionality in Password Fields Is Enabled

Open Discussion

We talk about the new guidance, whether we agree or not, what it means for us, what it means for users, and how it differs so much from what we grew up with.

I’m sure it will be a good discussion. 🙂

[Evan] OK. Thanks guys. Now some quick news stories from the past week.


Facebook is facing a big fine, but…

How a Nigerian ISP Accidentally Hijacked the Internet

Cybersecurity Job Openings Boom, Pool of U.S. Job Seekers Shrinks

One last thing. Some drama last week as Brian Krebs doxxed a couple of good security folks, causing quite a stir on Twitter. Here’s a screenshot of the since-deleted tweet.



[Evan] Man, that was a full show! A special thanks to Christophe for visiting with us today! Thank you.

Don’t forget, you can follow me or Brad on Twitter; @evanfrancen and @BradNigh. Email us on the show at

Christophe, how do you like people finding you?

[Christophe] Gives some info.

[Evan] Awesome. Thanks again! That’s it for episode 25. Have a great week everyone! Until next week, eh?

UNSECURITY Podcast Episode 24 Show Notes

Happy Friday! It’s Good Friday.

If you missed episode 23 of the Unsecurity Podcast, you can still check it out here.

Brad’s hosting episode 24. He sent me his notes to post. So, these are his notes, but I might have put a little of my own flavor to ‘em.

We had another great week here at FRSecure and SecurityStudio. Our quarterly meeting was held on Monday. I love the weeks when we have our quarterly meetings because we fly everyone in from all over the country to our headquarters in Minnesota. We all get together, collaborate on cool stuff, hang out after work, play games, etc. The week is full of fun; sort of like a week-long FRSecure/SecurityStudio party.


The only people who aren’t able to attend in person are the great Bulgarians! Shout out to those guys because they’re fricken amazing!

Anyway, like I stated earlier, it’s Brad’s week. Let’s see what he has in store…

Episode 24

Date: Monday, April 22nd, 2019

Today’s Topic(s): Compliant vs Secure

[Brad] Hello listeners! Here we are, today is Monday, April 22nd, 2019 and this is episode 24 of the Unsecurity podcast. I’m Brad Nigh, and I’m your host for today’s show. Joining me is Evan Francen. Hello Evan.

[Evan] Evan says “Hi” and other things

[Brad] We also have a special guest this week. As you may know, FRSecure participates in several mentorship opportunities, including some in our own backyard. As part of one mentorship program in particular, we have to do a real-world experience exercise with the student. So, here we are, we’ve invited one of our students to sit in with us today. He may just sit and listen, but he’s more than welcome to join in and ask questions.

[Evan] Says stuff to the guest, probably…

(may be some open discussion here but maybe not… tune in to find out!)

[Brad] Anything exciting you want to talk about from last week? How’s the survey going?

[Evan] Gives a recap of his week…

[Brad] Alright, we’ve got some good topics for today’s show. I chose today’s topic after responses from a couple of calls this week. It’s something that I think we are both passionate about and honestly gets me fired up. So let’s talk “Compliant vs Secure”. The one comment that triggered this was a potential client seeing our proposed services to address several issues responding with “what is the absolute minimum I have to do to be compliant with (insert regulation here)?”

[Evan] Goes off on rant, just as I planned. 😉

[Brad] This isn’t something new either, but we are still seeing it.

Krebs wrote an article in 2016 around it.

The sad truth is that far too many organizations spend only what they have to on security, which is often to meet some kind of compliance obligation such as HIPAA to protect healthcare records, or PCI certification to be able to handle credit card data, for example. However, real and effective security is about going beyond compliance — by focusing on rapidly detecting and responding to intrusions, and constantly doing that gap analysis to identify and shore up your organization’s weak spots before the bad guys can exploit them.

Forbes mentioned it in 2014.

But here’s the kicker: being compliant won’t necessarily save you from being hacked.

We know that is rough to hear, but requirements are not the same as best practices. Basic prescriptive requirements are often the bare necessities of information security. To truly defend against all-purpose attacks, full information security programs and best practices must be implemented.

Open discussion around the differences and how we, as InfoSec professionals, can help change this mindset.

[Brad] Okay, we should probably talk about a couple of news stories; there are some big ones out there.


Easter Attack Affects Half a Billion Apple iOS Users via Chrome Bug

Wipro breach

Facebook: we logged 100x more Instagram plaintext passwords than we thought


[Brad] Don’t forget, you can follow me or Evan on Twitter; @evanfrancen and @BradNigh. Email us on the show at

That’s it for episode 24. Have a great week everyone! Thank you and see you next week!

#100DaysofTruth – Week One

If you follow me on Twitter or LinkedIn, you may have noticed that I started a new campaign. The name of the campaign is #100DaysofTruth, and it’s a pretty simple concept. Each day at 8:00am CDT I’ll post a new truth about information security, one per day. See?! Simple.

I have two reasons for doing the campaign:

  1. I want to educate. Over the years, it’s been a tremendous blessing to see the ways people do things, and the ways they solve problems. I take it for granted some days that I get to steal the cool things that extremely talented people do and make them my own. This is a HUGE benefit to being a consultant! Every single client I meet, every single CISO, is another opportunity to put a cool tool in my bag of tricks. I want to share the wisdom I’ve learned with others.
  2. I want to engage. You will either agree or disagree with what I say. If you agree, let’s reinforce each other’s view and encourage each other. Lord knows, this industry could use more reinforcement of good practice and encouragement. If you disagree, let’s respectfully challenge each other’s views, thoughts, and opinions. I am a believer in diverse perspectives. They lead to the best solutions.

I’m doing the campaign this way because it doesn’t take more than a few minutes each day. Who can’t donate a few minutes each day? Don’t answer that.


Truths From Last Week

The slideshow (below) contains each of the truths from last week as depicted in my Twitter feed.


Do you agree with the truths or disagree? Follow me and comment to let the world know.

Next week’s truths are already queued up. Have a great week!

UNSECURITY Podcast Episode 23 Show Notes

[My Notes (Evan)] <— tuple nested within a list, but my syntax sucks. 😉

Happy Saturday! Friday came and went before I could get this update done. It was good to spend the entire week at home (finally). Reconnecting with the people I love is refreshing for my soul. Had a great week! Hope you did too.

My happy place (see pic).


This was a crazy week. What week isn’t for someone who works in security?

The highlight in last week’s show (episode 22) was our discussion about dealing with toxic co-workers. I can’t tell you how grateful I am for the people I get to work with every day. You may think I’m exaggerating, but we have amazing people where I work; from top to bottom. 100% awesome.

It wasn’t always this way though. We’ve had some toxic employees and co-workers in our past. Today, we’re better off for having dealt with our issues head-on.

If you didn’t catch episode 22, check it out here.

We have a jam packed show planned today, so let’s get to it.

Episode 23

Date: Monday, April 15th, 2019

These are the notes we use to guide the discussion. These notes were written by me (Evan) this week.

Today’s Topic(s): The FRSecure CISSP Mentor Program, Security Podcasting, and #100DaysofTruth

[Evan]: Hello listeners! Here we are, today is Monday, April 15th, 2019 and this is episode 23 of the Unsecurity podcast. I’m Evan Francen, and I’m your host for today’s show. Joining me is my favorite security pal, Brad Nigh. Say “Hi” Brad.

[Brad] Hi.

[Evan] How was your week last week? Give me at least two highlights and something you learned.

[Brad] He’ll say cool stuff because he’s Brad!

[Evan] Man, it was a great week. I worked a lot, probably a lot more than I should have, but I had a blast! Some of the highlights were:

  • The CISSP Mentor Program (more on this later)
  • Lunch with a CISO that I really respect.
  • Launched the #100DaysofTruth campaign (more on this later)
  • Made 5 out of 6 coffee meetings this week (explain quick)
  • Wrote and sent my research survey (explain quick)

[Brad] More cool stuff because he’s still Brad!

[Evan] Alright, we’ve got some good topics for today’s show. So many things to choose from, but today I chose The FRSecure CISSP Mentor Program, Security Podcasting, and #100DaysofTruth. Let’s start with the FRSecure CISSP Mentor Program.

Open Discussion, the FRSecure CISSP Mentor Program

Notes: Kicked off, no technical issues, registrations, support, best one yet, I talk too much, etc.

Open Discussion, Security Podcasting

Hard to believe that this is already episode 23. We have made 23 consecutive weeks without missing one! That’s almost six months. Our listeners are rewarding us with their loyalty, and we’re VERY grateful. The show has grown steadily since our 1st recording, and we’ve both learned so much.



Notes: The start, the progression to today, where we go next (studio improvements, video, more guests, etc.), advice, what’s good/what’s not so good, etc.

Open Discussion, #100DaysofTruth

[Evan] Last Monday, I started a new campaign called #100DaysofTruth. Each day at 8:00am (Central), I post a new truth about information security. I post them on my Twitter and LinkedIn accounts.

Some of them are obvious, some of them aren’t. I hope to spur some good discussions and thought sharing. We’ll see. This past week’s truths were:

  • Day One – Information security isn’t about information or security as much as it is about people.
  • Day Two – Information security is a business issue, not an IT issue.
  • Day Three – Data breaches are inevitable, no matter how good you are.
  • Day Four – One of the best tells of a novice (or poor) security professional is their inability to put risk into context.
  • Day Five – You don’t need a degree to be awesome at information security.
  • Day Six – Cybersecurity and information security are different things. – if you’re reading this before Saturday at 8am, you get the scoop.
  • Day Seven – There’s a lot of snake oil for sale in the information security industry. – if you’re reading this before Saturday at 8am, you get the scoop.

Let’s talk about the #truth quick.

Now for some news… 


[Evan] You know I always appreciate your take on things Brad. Thank you.

[Brad] Words from the mouth of Brad.

[Evan] OK, news stuff. I want to start us off with something positive.

We have plenty more news we could talk about, but you and I have some work to do today. We’re billable assets for crying out loud!


[Evan] What say you Brad? Give us wisdom.

[Brad] Brad imparts wisdom here.

[Evan] Don’t forget, you can follow me or Brad on Twitter; @evanfrancen and @BradNigh. Email us on the show at

That’s it for episode 23. Have a great week everyone! Thank you and see you next week!

UNSECURITY Podcast Episode 22 Show Notes

Happy Friday from the road (again)!

Sitting in a Buffalo, NY Starbucks writing these notes. I guess it beats Brighton Beach (SC) or Hackensack (NJ).

Some of these notes are Brad’s and some are mine. Brad took a 5:45am flight out of Rochester this morning, and I have a later flight. He started these notes on his flight, sent them to me, and I’m finishing them up while I wait for my flight at 5:45pm. Wait! Crap. Just got word that my flight is now delayed to 6:30pm. Hope it doesn’t get worse. The joys of business travel, eh?


As you know, Brad and I recorded episode 21 from my hotel room in Rochester, New York. He and I were working on a couple of projects together with the same client in Rochester. I arrived last Sunday, and here I am now (Friday) in Buffalo. In between was a whole bunch of really good security work and good memories.

If you didn’t catch episode 21, check it out here.

In episode 21 we had a candid talk about dealing with bully customers. Sometimes our customers are internal to our organization, and sometimes they’re external. Bullies are bullies and they suck, but there are ways to deal with them. As you know, security people don’t always have positive news. One way to bring the bully out of someone, assuming it’s there in some people, is to tell them something they don’t like.

We also talked about third-party security risk management. Might not be the most exciting topic in the world, but it is critical to any successful security program.

Had a great week! Hope you did too.

Episode 21

Date: Monday, April 1st, 2019

These are the notes we use to guide the discussion. These notes were written by both me (Evan) and Brad (see above).

Today’s Topic(s): Toxic Coworkers

[Brad]: Welcome to episode 22 of the Unsecurity podcast. I’m Brad Nigh, your host for this week’s show, and with me as (almost) always is Evan Francen. Here we are Evan, it’s April 8th, and we are back home!

[Evan] Yes! Man, I’m feeling a little traveled-out. Good to be home!

[Brad] We spent the last week in New York working on some projects together. That was a great experience, doing a lot of security stuff and a lot of BBQ. What, we had BBQ all five nights, from four different places, didn’t we?

[Evan] Oh yeah.


[Brad] OK, the work though. We did work too, remember? One thing that really stood out to me is how passionate the client was about improving their information security program, and how proud they were to show their progress. We did work for them a few years ago, gave them a bunch of recommendations, and they really knocked it out of the park! It was inspiring to see an organization doing things right. They get buy-in from the top, take recommendations seriously, and the result was big improvements. That isn’t to say they don’t have more work to do and don’t still have gaps, though. Just impressed with their progress.

[Evan] I’ll say something here. Seems I’m not usually at a loss for words.

More discussion about the week. Seriously good stuff this week!

[Brad] One more thing before we get started, the CISSP Mentor Program starts tonight! We got word from our Marketing Team on Thursday that we hit a new record for students! We have more than 400 registered. That’s incredible, and we’re within range for maxing out our current solution for the live broadcast.

[Evan] Yeah man! This is one of the most valuable and rewarding things I’ve been a part of in my career. To think that we started with just six students in 2010. Love it!

[Brad] Last week we talked about bully customers, and we got some great feedback from listeners. One recommendation stood out: “You talked about bully customers, which is a good topic on its own. An interesting lead on could be dealing with a toxic coworker, someone you cannot escape so easily.” It’s my week to lead the show, so I figured why not talk about dealing with toxic coworkers?

[Evan] Yeah, that’s a good topic. I think we’ve all dealt with a toxic coworker at some point in our career.

Open Discussion, dealing with toxic coworkers.

Brad says, “Evan says Evan things and we discuss how to deal with toxic coworkers.”

NOTE: Quick question for Brad, what are “Evan things”?!

Pretty sure that we both have lots of experience and examples around this.


[Brad] Good discussion, but enough of our idle chit chat. Time for some news now.

[Evan] Yeah.

[Brad] Evan was featured in an article on CSO Online by Roger Grimes. Evan isn’t comfortable self-promoting; luckily, I don’t have any issues bragging about the cool stuff he does.

[Evan] Thanks Brad. I have the utmost respect for Roger Grimes. Knowing that the article came from him means that much more to me.

[Brad] In other news…

[Brad] So much news, so many threats, so little time. Remember, you can’t do it all. Be careful, and do your best to keep your head above water.

[Evan] Good advice.


[Brad] Any parting words of wisdom Evan?

[Evan] I read somewhere, “If you think there is good in everybody, you haven’t met everybody.” Not sure who said this first, but it’s wise.

OK, well that just about wraps things up. It’s good to be home.

Don’t forget, you can follow me or Brad on Twitter; @evanfrancen and @BradNigh.

Email us on the show at

Thank you and see you next week!