Operationally Cumbersome?

The leading cause of death in the workplace is falls. 36.5% of all fatalities are due to falls, followed by 10.1% caused by being struck with an object. Recognizing the problem, OSHA created requirements to protect workers from falls, including:

  • guardrail systems
  • safety net systems
  • personal fall arrest systems
  • covers
  • positioning device systems
  • fences
  • barricades
  • controlled access zones

All these controls, when used properly, save lives.

Hypothetical Scenario

A successful construction company is working on a 30-story office building. Timelines were already tight, but a series of material delivery delays has put them way behind schedule. In a rush to complete the project, it’s easy overlook certain things. In this case, a properly configured personal fall arrest system was overlooked. They bought the system, the system was onsite, but the system wasn’t installed correctly. Nobody noticed until one day a worker, twenty stories up, slipped and fell to his death.

As you can imagine, there was a serious investigation. In the end, the company admitted their oversight, received a fine, settled a lawsuit with the worker’s family, and continued operations.

A few weeks later, same thing happens. Another investigation, another slap on the wrist, another settled lawsuit, and back to business as usual.

A few months go by, and there’s another incident! The investigation cited the same cause as the others, a poorly configured/installed personal fall arrest system. This time, OSHA wants a public hearing and invites company representatives to answer questions before their panel. At the hearing, company representatives were asked the following question:

If a properly deployed personal fall arrest system had been used, would these lives have been saved?

A company representative responds:

It depends. In theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.

Seems reasonable, right?. We certainly don’t want to get in the way of company production!

Or, wait a second. This doesn’t seem right. Poor safety because good safety is “operationally cumbersome” doesn’t sit well with you. Good, it shouldn’t!

Sadly, a similar analogy plays out all over the information security industry every day.

Hearing on the Hack of U.S. Networks by a Foreign Adversary

The construction analogy hit home while watching recent testimony in front of the U.S. Select Committee on Intelligence.

On February 23rd, 2021, Kevin Mandia (FireEye CEO), Sudhakar Ramakrishna (SolarWinds CEO), Brad Smith (Microsoft President), and George Kurtz (CrowdStrike President and CEO) were invited to give their testimony about the attacks on SolarWinds Orion last year (and ongoing). These are four very powerful men in our industry, and I appreciate what they’ve accomplished. In general, I have a great amount of respect for these men, but I’m not comfortable in their representation of our industry without also considering (many) others. Some of the reasons I’m not comfortable, include these facts:

  • They run billion and multi-billion dollar companies that sell products and services to protect things.
    • If people were already protected, they’d have nothing to sell. There is incentive to keep people insecure.
    • Companies must continue to produce new products (See: product life cycle diagram below). Without new products, sales decline. As long as people keep buying (regardless of need), they’ll keep making.

  • They have significant personal financial interests in the performance (sales, profit, etc.) of their companies.
  • They represent shareholders who have significant financial interests in the performance of their companies.
  • They may lack clear perspective of what most Americans and American companies are struggling with due to where they sit.

A hearing such as this is a fantastic opportunity for people to tout their accomplishments (which they do), tout their companies accomplishments (which they do),  and sell more stuff as a result. I DO NOT fault the witnesses for doing these things. It’s their job!

Let’s just hope our Senators take the hearing and witnesses in proper context and seek many more perspectives before attempting to draft new policy.

IMPORTANT NOTE: It may appear in this article that I’m critical of the people in this Senate hearing, but this is NOT the point. The people participating in the hearing have done tremendous things for our industry and our country. For all we know, if we were in one of their seats, we would respond in much the same way they did. If anything, I’m critical of us, our industry. We have tools sitting right under our noses that we don’t use correctly. Instead of learning to use our tools correctly, and actually using our tools correctly, we go looking for more tools. This is ILLOGICAL, and might should be negligent.

The point.

At one point during the hearing (1:22:08, if you’re watching the video), Senator Wyden (D-OR) begins a logical and enlightening line of questioning.

Senator Wyden:

The impression that the American people might get from this hearing is that the hackers are such formidable adversaries that there was nothing that the American government or our biggest tech companies could have done to protect themselves. My view is that message leads to privacy violating laws and billions of more taxpayer funds for cybersecurity. Now it might be embarrassing, but the first order of business has to be identifying where well-know cybersecurity measures could have mitigated the damage caused by the breach. For example, there are concrete ways for the government to improve its ability to identify hackers without resorting to warrantless monitoring of the domestic internet. So, my first question is about properly configured firewalls. Now the initial malware in SolarWinds Orion software was basically harmless. It was only after that malware called home that the hackers took control, and this is consistent with what the Internal Revenue Service told me. Which is while the IRS installed Orion, their server was not connected to the Internet, and so the malware couldn’t communicate with the hackers. So, this raises the question of why other agencies didn’t take steps to stop the malware from calling home. So, my question will be for Mr. Ramakrishna, and I indicated to your folks I was going to ask this. You stated that the back door only worked if Orion had access to the internet, which was not required for Orion to operate. In your view, shouldn’t government agencies using Orion have installed it on servers that were either completely disconnected from the internet, or were behind firewalls that blocked access to the outside world?”

To which Mr. Ramakrishna (SolarWinds) responds:

Thanks for the question Senator Wyden. It is true that the Orion platform software does not need connectivity to the internet for it to perform its regular duties, which could be network monitoring, system monitoring, application monitoring on premises of our customers.”

Key points:

  1. SolarWinds Orion did not require Internet connectivity to function.
  2. The IRS had Orion.
  3. The IRS did not permit Orion to communicate with the Internet.
  4. Attackers were not able to control the IRS Orion server (because it couldn’t communicate home).
  5. The attack against the IRS was mitigated.

Senator Wyden continues:

Yeah, it just seems to me what I’m asking about is network security 101, and any responsible organization wouldn’t allow software with this level of access to internal systems to connect to the outside world, and you basically said almost the same thing. My question then, for all of you is, the idea that organizations should use firewalls to control what parts of their networks are connected to the outside world is not exactly brand new. NSA recommends that organizations only allow traffic that is required for operational tasks, all other traffic ought to be denied. And NIST, the standards and technology group recommends that firewall policies should be based on blocking all inbound and outbound traffic with exceptions made for desired traffic. So, I would like to go down the row and ask each one of you for a “yes” or “no” answer whether you agree with the firewall advice that would really offer a measure of protection from the NSA and NIST. Just yes or no, and ah, if I don’t have my glasses on maybe I can’t see all the name tags, but let’s just go down the row.”

Points made by Senator Wyden:

  1. Network security 101 includes blocking high-risk applications from connecting to the Internet when it’s not specifically required for functionality.
  2. Firewalls are designed to block unwanted and unnecessary network traffic.
  3. There is good authoritative guidance for using firewalls properly, including from the NSA and NIST.
  4. None of this is new.
  5. Organizations that don’t follow “network security 101” are irresponsible.

Kevin Mandia responds first:

And I’m gonna give you the “it depends”. The bottom line is this, we do over 6oo red teams a year, firewalls have never stopped one of them. A firewall is like having a gate guard outside a New York City apartment building, and they can recognize if you live there or not, and some attackers are perfectly disguised as someone who lives in the building and walks right by the gate guard. It’s ah, in theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.

OK, here the logic falls apart. The answer “it depends”, followed by “firewalls never stopped” a FireEye red team exercise, did NOT answer Senator Wyden’s question. Logically, this (non) answer would only be valid if (at a minimum):

  • The FireEye red team exercises were run against a “network security 101” firewall configuration.
  • The FireEye red team exercises were a variant or emulation of the SolarWinds attack.

The question was whether a “network security 101” (or a properly configured) firewall would have mitigated the SolarWinds attack (meaning a firewall configured to only permit necessary traffic, as per NSA and NIST guidance). The non-answer justification continues by mentioning “in theory, it’s a sound thing, but it’s academic”. Since it’s been brought up, this IS NOT theoretical, it’s factual. If an attacker cannot communicate with a system (either directly or by proxy), the attacker cannot attack or control the system.

The last part of this statement brings us (finally) to our original point. Using a firewall, the way it’s supposed to be used (“network security 101”) is “operationally cumbersome”.

Responses from the others:

  • Mr. RamakrishnaSo my answer Senator is “yes”. Do standards such as NIST 800-53 and others that define specific guidelines and rules. (THE BEST ANSWER)
  • Mr. SmithI’m squarely in the “it depends” camp. (Um, OK. So, a non-answer.)
  • Mr. KurtzYes, and I would say firewalls help, but are insufficient, and as Kevin said, and I would agree with him. There isn’t a breach that we’ve investigated that the company didn’t have a firewall or even legacy antivirus. So, when you look at the capabilities of a firewall, they’re needed, but certainly they’re not be all end goal, and generally they’re a speed bump on the information super highway for the bad guys. (Basically the same statement as the first. DID NOT answer the question.).

So the score is 3 to 1, “it depends” (without answering the question) versus “yes” (the correct answer).

Operationally Cumbersome

If a firewall (or any tool) is effective in preventing harm when it’s used correctly, why aren’t we using it correctly? The reason “because it’s operationally cumbersome” is NOT a valid argument.

It’s like saying “I don’t do things correctly because it’s hard” or “I don’t have time to do things right, so I don’t” or (as in our construction example) “We don’t have time to use a personal fall arrest system correctly, so people die”? Truth is, our infrastructures are so interconnected today, a failure to configure a firewall properly could/will eventually result in someone’s death.

So what do we do today? We do the illogical:

  • Since we don’t have time (or skill or operational bandwidth or whatever) to use an effective tool effectively, we purchase another tool.
  • We won’t have the time (or skill or operational bandwidth or whatever) to use this new tool effectively either, so we purchase another tool.
  • We won’t have time (or skill or operational bandwidth or whatever) to use the new tool and this newer tool effectively, so we purchase yet another tool.
  • The insanity continues…

What we must do (sooner or later):

  • inventory the tools we already have
  • learn how to use the tools we already have properly (knowledge/skill)
  • use the tools we already have properly (in practice)
  • then (and ONLY then) seek additional (or different) tools to address the remaining gaps

As an industry, we must (sooner or later):

  • make this “network security 101” (it’s not new, so we can’t call it the “new network security 101”)
  • hold organizations responsible for “network security 101” (the opposite being, the “new irresponsible” or negligent)

Other facts

Firewalls are NOT the end all, but they are an important part of security strategy. Here we are, many years down the road and we’re still fighting the same fight: the basics.

  • Firewalls have been around for more than 35 years.
  • Firewalls block unwanted and unnecessary network traffic (inbound/ingress and outbound/egress).
  • A properly configured, “network security 101”, “responsible”, “best practice” implementation of a firewall would have mitigated the SolarWinds (or similar) attack.
  • Many (maybe most) U.S. organizations have a firewall that is capable to mitigating the SolarWinds (or similar) attack.
  • There are still ways to bypass a firewall, but if you don’t have your firewall configured properly, what are the chances you’d stop a bypass anyway?
    • application vulnerabilities
    • SQL injection
    • social engineering
    • physical access
    • man-in-the-middle

Operationally cumbersome is not a valid excuse for our failures to understand and follow the basics.

The Burn(out)

If you work in this field (information security) long enough, burn out is something you’re sure to encounter. You will fight against burn out yourself, meet somebody who is on the verge of burn out, or sadly, meet someone who has already burned out.

We work our asses off. The hours are long. The stress is real. Isolation comes with the territory.

If you are on the verge of burning out, please seek help (from me, a colleague, a friend, a counselor, etc.). We need you. We need you to fight beside us. We need your ideas. We need your perspectives. We need your wisdom. We need your support. We need your passion. We need your skill. We have serious information security problems in society. In fact, we’ve created more problems than we’ve solved.

WE NEED YOU FOR THE CREATION AND IMPLEMENTATION OF SOLUTIONS TO SOCIETY’S INFORMATION SECURITY PROBLEMS.

The letter below is hypothetical. It’s not written to anyone in particular or with anyone in mind (except the information security professional). It’s a raw dump of frustrations I’ve heard over the years from my brothers and sisters in arms.


Dear <INSERT NAME OR TITLE>,

I’m tired.

You may not care, but you should. I’m holding shit together while you focus on life. Some of my frustration stems from your view that information security (or “cybersecurity”) isn’t part of life. The truth is, information security IS part of life. It’s a damn life skill!

Before you ask why I’m tired, I’ll tell you. I’m tired because:

  • I work 80+ hours a week to protect you and all that you are responsible for.
  • I’m fighting a fight I cannot win, especially without your help.
  • I’m asking you to help, but you aren’t listening.
  • We’re under relentless attack, but you don’t see it, so you don’t care.
  • You think “it won’t happen to me” and I’m afraid it already has.
  • I’m losing support from my family because they’re sacrificing their time with me while I protect you (and worse, they don’t understand why I’m doing it).
  • You won’t step up and take responsibility for what’s yours.
  • I need you to help me solve problems, but I can’t get you to participate.
  • You think this is my responsibility, but it’s not, it’s yours.
  • I tell you things with honesty and transparency, but I don’t think you trust me.
  • We’re understaffed and underfunded, but you keep telling me to do more with less.
  • I need you to champion this cause, but you do nothing more than tolerate it.
  • I want to teach you about information security, but you are too smart or too busy for education.
  • You don’t see the value in me because I’m nothing more than a cost center to you.
  • You will blame me when things go wrong, but you don’t notice when things seem OK.
  • Your demands for more technology and gadgetry makes protecting you harder than it already was.
  • I sit behind a screen all day and my physical health is declining.
  • I deal with the dark shit of this world, mostly alone, and my mental health is at risk too.

Despite all this, believe it or not, I LOVE what I do. I love what I do because I love doing good, fighting against evil, and protecting people like you. It scares me to think of doing anything else for a living. You pay me well, so I’m not complaining about money.

You know this isn’t about money, right?!

My work and passion runs deeper than money. Money provides the means to my cause, but it’s not the cause. I do what I do because I want to make a positive difference in your life and I want you to be healthy. I do this because I care about you, obviously more than I care about myself sometimes. I’m here to serve. I am here to help. I answer the phone when you call. I’m here to respond when things go wrong, even if it means I take the blame.

This is my duty and my promise to you.

Sometimes I ask myself if it’s worth it. Is the frustration worth the reward? Is this all worth it, knowing that I’m destined to fail?

You might be inclined to ask “what do you mean, destined to fail?!”

I’m destined to fail because you ask me (directly or indirectly) to do the impossible, you won’t enable me to succeed even it were possible, and you have expectations of me that can’t be met

You ask me to keep you “out of the news,” but I can’t promise you that. No matter what I do, I can’t protect you from all the bad things that can/will happen. I’ve always told you the goal is risk management, and not risk elimination. Risk elimination just isn’t possible.

I don’t want you to take pity on me, and I don’t want any outward acknowledgement. I want you to own what’s yours! I want you to get in this game and play ball. You can delegate all sorts of things to me and others, but you will never be able to absolve yourself of your ultimate responsibility. The wolves in our industry will fool you into thinking they can solve all your problems without your attention or worry, just your money. They can’t. It’s a lie. They prey on your ignorance to mislead you and steal your money, not unlike the attackers we’re trying to fight against in the first place!

All of us need you to step up. We need you to own what’s yours. We need you to lead. Ultimately, the security and safety of all things and people under your control is your responsibility. It’s time to step up before I give up. I’m your best hope, but we’re hopeless without each other.

-Information Security Professional (on the verge of burnout)

Good People Didn’t Vote For Your Guy

The truth:

There were hundreds of thousands, maybe millions, of worthy people who didn’t vote for “your guy”.

Demonize as you will, but here’s a reminder of some things.

People who voted for the other guy are NOT bad people. Sure, there are bad apples in any large group, but the vast majority of Americans are not bad people.

These people are NOT:

  • “ill”
  • “sick”
  • “dumb”
  • “stupid”
  • “racist”
  • “bigoted”
  • “idiots”
  • “Socialists”
  • “Fascists”
  • or any other demonizing word you want to throw at them.

These people ARE:

  • human beings with basic needs
  • human beings with basic desires
  • human beings with dreams
  • human beings who want to be loved
  • human beings who want to feel grace
  • human beings who have families
  • human beings who have different perspectives (a good thing)
  • human beings who have different beliefs (also a good thing)
  • human beings who have different backgrounds (also a good thing)
  • human beings with many additional things that are beautiful about them.

A failure to recognize these things about other people, especially those who don’t see eye to eye with you, makes you the same thing you rail against (intolerant, bigoted, etc.).

It doesn’t matter who “your guy” is or who “my guy” is. We both (Democrats and Republicans) have players on our team who demonize players on the other team. The lie is that there are two teams to begin with.

There is only ONE team. We are ALL Americans.

The other teams play for China, Russia, Iran, etc. You’d be remiss if you thought otherwise.

The sooner we learn to embrace the good things about us and shed the bad things, the better off our team will be. A team full of players who constantly fight each other doesn’t win (or accomplishing anything meaningful).

So, what are the good things? Go back to the list (above). The greatest of the “good things” is love. Choose and show love. It’s the best thing we’ve got.

 

 

Information Security Isn’t About Information or Security

NOTE: Throughout this article, I’ll refer to “we” and “us”. This collective is defined as me, FRSecure employees, SecurityStudio employees, our families, our customers, our partners, and everyone else who thinks in similar ways.

We have a strong belief that:

Information security isn’t about information or security as much as it is about people.

The fact is, if people didn’t suffer when things go wrong (cybersecurity incident, data breach, etc.), then nobody would (or should) care. Obviously, people do suffer, and we DO care.

There’s a second point related to our belief, it’s the fact that people (NOT technology) pose the greatest risk (to themselves and to each other). Technology only does what we tell it to do, but it’s people who tell technology to do the things that are risky (click links, download files, misconfigure settings, etc.).

We’ve held fast to this belief for years, and it’s not just a catchy saying. This is a deep belief we apply every day, in all that we do. For example, our sales team only sells what people need*, our analysts pour their heart and soul into every project, we’re committed to being product agnostic, and we always sleep well knowing we did right by the people who count on us.

*A rumor has been circulating for years at FRSecure; if you sell something that a customer doesn’t need (i.e. money-motivated BS solutions) I’ll run you over with my truck. I want to dispel this rumor. I will NOT run you over with my F250 (officially). Unofficially, this is a good rumor. For the record, I’ve never run anyone over (yet).

Why am I bringing this up again, and why now? Simple, I think it’s relevant.

People who love other people make the best information security people.

When making information security decisions, it’s important to feel the weight of those decisions. Especially when the information you’re protecting isn’t yours, meaning you’re not the one who suffers when it’s lost or stolen.

Relevance to Current Events

We’ve lived our belief (about people) for years, and it’s as relevant today as it’s ever been. People are suffering, directly and/or indirectly from the results of information security incidents. These are people from all walks, regardless of race, religious beliefs, economic backgrounds, political affiliations, or sexual or gender preferences.

Risk doesn’t discriminate, and neither do threats (attackers).

This is true in general terms. There are always specific threats targeting specific groups; however, in general, risk by itself doesn’t discriminate. Even if you’re not specifically targeted, you’ll still encounter some degree of consequence. In today’s world, most of us are digitally connected. In fact, most of us are digitally connected through a mesh of associations; networks, applications (SaaS platforms, social media, online shopping, and other shared services), etc.

The truth is we are all at risk, and people DO suffer. When people suffer, we shouldn’t roll over an take it. We all should get a little (or a lot) pissed off! People taking advantage of others should raise an ire in all of us. Playing the victim helps no one.

Beyond the non-discriminatory nature of information security, there’s additional relevance related to focus, emotions and lack of personal accountability.

Focus

While we’re focusing on VERY legitimate racial injustices in our society, the attackers are still attacking. Attackers know that we’re not paying as much attention to them, and they’re crafting attacks that are more likely to succeed given our emotional state.

Attackers are taking down (DDoS) local and state government websites and services, using language like “Black Lives Matter”, “Peaceful Protest”, and “Support Racial Injustice” as click bait (opposed to legitimate causes), and setting up fake fundraising sites to lure people into giving money for fake causes.

Attackers always use current, well-known, and emotion-laden events to take advantage of panic, fear, and compassion. The attacks happen every time these types of events, and it’s because they work. The attacks work so well that attackers don’t even bother changing their tactics.

Do your best to maintain (at least some) focus on information security. Easier said than done for some of us, but you can do it if you try!

Emotions

When emotions run high, we are quicker to react, and more likely to find ourselves in bad situations. This is due to the way our brain works. Our left brain is more pragmatic and tells us to act logically, while our right brain tells us to follow our heart. In a “normal” state, the left brain and right brain wrestle for control of a decision and the result is a compromise between the two. In highly emotional states, the right brain tends to dominate our decisions and logic takes a back seat. We think less and react more.

People are beautiful. Human beings are delicate and intricate systems, yet we come with this magnificent resilience that seems to defy logic. Most (or maybe it’s many, I don’t know) of us posses empathy, compassion, and love that are interwoven perfectly together. While these things are true, sometimes our emotions get the best of us, and we do things we wouldn’t normally do. It almost seems like things get a little jumbled when we’re in a highly emotional state.

There are at least two important tendencies that are more common for us when we’re in a highly emotional state:

  1. We make more mistakes. In our rush to act, we’re more likely to act before thinking things through to a logical conclusion. The right brain sorta kicks our left brain’s ass.
  2. We open ourselves more to manipulation. If an attacker knows you’re in a highly emotional state, it’s easier to use these emotions against you. Let’s say that you’re torn up about racial injustice. You feel the need to do something about it, driven by your deep compassion for others. If an attacker makes up a compelling story about how you can help right some of the wrongs in our society, don’t you think you’d be more likely to act on it? In a less heightened emotional state, you might be more logical about it the decision to help, be skeptical, and even do some research first.

If you can learn to recognize where your decisions are coming from, you’ll be better prepared to make good decisions. This takes self-discipline and honest introspection. For the time being, it might make sense to put off important decisions until after you’ve had time to process your emotions. Maybe take some time off.

Personal Accountability

During tense and emotional times, there is a much stronger desire to hold people accountable (for something or anything). We’re quicker to assign blame, point fingers, and lash out at anyone we perceive to be going against our personal version of right. This is true in societal issues like racial inequality and to some extent it’s also true with information security. In our rush to hold someone externally accountable, we lessen (even more) our own personal accountability.

Sadly, a great number of people think that their information security is somebody else’s responsibility. The truth is, you’re the one who’s primarily responsible for your own information security, privacy, and safety. Nobody cares about (or should care about) your information security more than you. If information security doesn’t motivate you, maybe your privacy will. If that still doesn’t work, maybe your own safety, and the safety of your loved ones will motivate you to act. In today’s world, safety, privacy, and information security can’t be separated.

Sure, there are others who play a role too, but you are responsible for all parts of information security for which you can control. You can control what your children are accessing online. You can control patching of your home network equipment. You can control which passwords you choose, what applications you run, and which websites you visit for entertainment.

What to Do

So, I covered a lot of stuff. Mostly educational stuff. Now, the practical stuff (hopefully).

The best thing you and I can work on is our habits. If we take the time to learn and form good information security habits, we’ll be in a much better spot to protect ourselves from attackers, especially in light of world-shaking events. Habits form a mindset of default actions, and default actions form a baseline that’s less likely to change, even in response to high stress situations.

In Organizations

Develop an information security program that fits with your culture and master the fundamentals. A good security program is built around risk management and risk management starts with:

  1. An intimate understanding of what “risk” is.
  2. Management commitment, not just endorsement.
  3. An objective and measurable risk assessment.
  4. A roadmap built from the unacceptable risks discovered in the risk assessment.
  5. Execution of the roadmap using creative solutions and processes that fit your culture.
  6. Re-assessment and repetition. This builds the habits.

If your information security program is counter-culture it won’t result in good habit forming. If you can’t secure management commitment, you’re just going through the motions.

At Home

You are the CEO at home, you make the calls, and you are ultimately responsible. The same process outlined above for businesses applies at home. You will need management commitment (you), an objective and measurable risk assessment (see below), a roadmap for improvements, action to implement the improvements, and repetition.

At SecurityStudio we’ve built all of these steps into a simple and FREE tool called S2Me. The only thing we couldn’t build into the tool is your commitment. That’s on you.

Quick Conclusion

There’s too much hate in the world, and we don’t want to make problems worse. I can only think of one thing I hate, and it’s people taking advantage of other people. For me, it’s the lowest of the low. Today, we’re witnessing riots all across the country (and world). They’re not about information security, but they’re about people taking advantage of other people. It’s all bullshit, and it needs to stop! Learn and play your role in information security, and don’t let yourself be a helpless victim.

You Don’t Know Me

Let’s cut through the bullshit. You don’t know me, and I don’t know you.

Here’s why this is important; despite us not knowing each other, I will judge you and you will judge me. This is human nature. We make our judgements based on information we have available and our own historical perspective (or world view). Judgement might not be overt, but you and I are always engaging in making judgements. You might think this is a bad thing, but it’s not. Judgement, by itself, is nothing more than:

  • the process of forming an opinion or evaluation by discerning and comparing
  • an opinion or estimate so formed
  • the capacity for judging: discernment
  • a proposition stating something believed or asserted

Judgement is good. When you judge me or I you, this could be a good thing; however, it’s only good without bias (unlikely).

Bias is a one-sided, closed-minded, and destructive mindset. Bias doesn’t discriminate, but it leads to discrimination. Look at the definitions of “bias”, “racism”, and “discrimination” for a second.

We can conclude that judgement is good, bias (and racism and discrimination) is bad.

The point

You don’t know me; therefore, if you were to judge me, what would your judgment be based on? If you don’t get to know me, you’d have to judge based on superficial things like how I look, the vehicle(s) I drive, how I dress, etc.

What if I told you these things about me?

  • I’m white/Caucasian.
  • I’m a man.
  • I have a long beard.
  • I drive an F250 pickup truck.
  • I drive a Harley Davidson motorcycle.
  • I live in a small town.
  • I have a good job.
  • I am licensed to carry a firearm.
  • I go to church every Sunday.

Would you think that I’m some sort of right-wing nut job? Would you treat me like one?

How about you? Let’s say:

  • You’re black/African American.
  • You’re a man.
  • You look “normal”, but you’re not clean shaven.
  • You’re middle-aged.
  • You’ve never been married.
  • You have plenty of money.
  • You wear nice clothes.
  • You drive nice sports cars.
  • You didn’t graduate high school.
  • You grew up in New Orleans

Would I think you’re a drug dealer, a thug, or involved in some sort of criminal activity? Would I treat you like you were?

God, I hope not!

In both cases, these judgements are 100% wrong! Like not even close. The judgements are wrong because they are biased.

Me, I am not some right-wing whacko. I despise most of what they stand for and I would never consider doing some of the things they do. Despite this, I can see how someone would mistake me for one. I look the way I look and like the things I like because I do. That’s it, nothing more and nothing less. I hate hatred in all its forms and have a genuinely deep love for people. I don’t just love people like me either, I love people from all walks, all backgrounds, and all beliefs. People who aren’t like me fascinate me.

About the only time I don’t love people is when I must share the road with them, but I’m told that’s sort of normal(ish).

The second person I referenced is Tyler Perry. He is an amazing man with an incredibly inspiring story. Rising from where he did to where he is now is a miraculous journey. He’s impacted thousands (maybe millions) of people across the globe with his works and his story. If you don’t know his story, I’d suggest you read up on him. He grew from a very troubled youth (shitty father figure, attempted suicide, child molestation, etc.) to become a tremendously successful actor, writer, producer, comedian, and director. In my opinion, he’s one of the most inspiring men alive today.

So, again, bias is bad. Put your bias to death as much as you are able.

What to work on

Here are some of the things I will work on to kill my own bias. I can’t change the world, but I can work on me. Here’s my pledge (to myself as much as anyone else):

  1. I will give people the benefit of the doubt. If I don’t know something to be true, instead or going the shitty route, I’ll take the good path in my thoughts and feelings toward others.
  2. I will seek other people’s perspectives. I don’t know what it’s like to be someone else. A person’s perspective is their reality. Understanding their reality and validating it where possible will go a long way towards killing my own biases.
  3. I will listen to people more. We’re all quick to offer advice and stories about the things we’re passionate about. I’ll do better at hearing these things from other people. Who knows, maybe I’ll learn a bunch.
  4. I will embrace the uniqueness in people. We all belong to people groups, either by birth or by choice. Despite whatever people group we belong to, there are beautifully unique things about each one of us. I want to discover the unique gifts in people and embrace them.
  5. I seek to change people and/or their minds less. You have your beliefs and I have mine. We can each be us.
  6. I’ll be a friend to anyone. This doesn’t mean there aren’t boundaries. All relationships have them, even friendships.
  7. I’ll work to find common ground. You’re not me and I’m not you. You believe certain things and so do I. We’re both human beings and if we can’t find anything more common than that, so be it. We’ll start there.

These are seven things that I’ll work on. I said it earlier, I don’t know you, so I can’t suggest the things you should work on. Only you can determine these things, and (probably) only after deep, honest introspection.

I truly love people, and it saddens me to see us hurt each other like we do.

The UNSECURITY Podcast – Episode 60 Show Notes – 2019 Year End Review

Goodbye 2019. It’s been real.

Where did the time go?

A common question, we ask ourselves. This year I decided to take a stab at answering it.

Here’s where my time went, for what it’s worth (roughly):

  • 38.58% (or 3,380 hours) working
  • 27.09% (or 2,373 hours) sleeping
  • 23.90% (or 2,094 hours) personal (family, friends, etc.) quality time
  • 10.42% (or 913 hours) other

I spent ~15% more time working than I did making memories with my family in 2019. Some priority adjustments are overdue for me in 2020.

Thank God for the gift of reflection.

The end of the year is a good time to reflect. Reflection is healthy. As I reflect on 2019, I can think of many good things about us like improved industry diversity, great personal growth, business accomplishments, and amazing people working round the clock for our collective benefit.

Unfortunately, there are also bad things. Since we’ve got plenty to cover, both good and bad, we’ll use this episode (#60) to discuss the bad. We won’t want to leave a sour taste in your mouth for too long, so we’ll cover the good things, and the things to look forward to in 2020, in next week’s episode (#61).

Now, the bad.

I already mentioned one of the bad things I discovered from 2019, that my priorities are out of whack, but I also learned things about the sad state of our industry. I learned that we’re (still) losing the war, and we’re losing it on multiple fronts.

Are you wondering what war?

The war where the bad people take advantage of the good people. The war where the immoral ones take advantage of the decent ones. Where the informed and corrupt beat the ignorant and noble every single time.

Let me preface the rest of this by saying I’m not a doomsayer. I’m a realist. I’m a realist with a deep desire to share the truth. If you’ve been paying attention, and can be objective, you’ll find it easier to predict our future. Predicting where a path leads is easier when there’s no (or little) change of course.

Our discussion points for episode 60’s year-end review:

  • Front #1 – Breaches are more common than ever, but we seem to care less than ever.
  • Front #2 – Our local governments and schools are losing their battles.
  • Front #3 – Our homes are part of the battleground and we’re not prepared.

All is not lost, and there’s hope. There’s good news too. We’ll cover good news next week. 2020 is the year for you, me, and our industry to get real. It’s time for us to tackle our most significant issues head-on, together!

I am (Evan) leading the show this week, and these are my notes.


SHOW NOTES – Episode 60

Date: Monday, December 30th, 2019

Show Topics:

Our topics this week:

  • Opening
  • The year (2019) in review.
    • Priorities and life adjustments
    • Front #1 – Breaches are more common than ever, but we seem to care less than ever.
    • Front #2 – Our local governments and schools are losing their battles.
    • Front #3 – Our homes are part of the battleground and we’re not prepared.
  • Closing
Opening

[Evan] Welcome to the last UNSECURITY Podcast episode of 2019! We’ve got a great show planned for you. The date is December 30th, and this is episode number 60. Joining me as (almost) always is my guy Brad Nigh. Hi Brad.

[Brad] Early morning version of Brad…

[Evan] No guest today. It’s just me and you. How you doing?

[Brad] More early morning version Brad things…

[Evan] When I put together today’s show notes, I felt like I was a little harsh, maybe even depressing. It’s not like I was depressed when I wrote the notes, but when I take an objective look at what took place this year, it’s sort of depressing to me. 2019 brought with it a record number of breaches, a record number of records disclosed/stolen, ransomware everywhere, etc. Crap man. Do I seem depressed to you?

[Brad] He’s got something to say.

[Evan] Maybe I take this too personal, but I HATE seeing people get taken advantage of. There were too many times this year that we read about people being taken advantage of, and it sucks. Ugh. Maybe I am depressed.

[Brad] More things…

[Evan] Alright, let’s get to it. The 2019 year-end review…

The year (2019) in review discussion
  • Priorities and life adjustments
  • Front #1 – Breaches are more common than ever, and we seem to care less than ever.
    • Another record year for breaches, do we care?
    • Sources; https://www.cnet.com/news/2019-data-breach-hall-of-shame-these-were-the-biggest-data-breaches-of-the-year/ and https://lifehacker.com/the-worst-data-breaches-of-2019-1840616463
    • “total number of breaches was up 33% over last year”
    • “medical services, retailers and public entities most affected”
    • “5,183 data breaches for a total of 7.9 billion exposed records”
    • Risk Based Security stated that 2019 is/was the “worst year on record” for breaches
      • January – Marriott breach (383 million)
      • February – 617 million accounts, from 16 websites and for sale on the dark web
      • March – 100s of millions of Facebook and Instagram accounts
      • April – 540 million Facebook records
      • May – 885 million First American Financial records
      • June – 20 million patients, bill collector American Medical Collection Association
      • July – Capital One and 100 million credit card applications
      • August – MoviePass and 160 million unencrypted/unauthenticated records
      • September – 218 million Words with Friends accounts
      • October – 4 billion social media profile records (???)
      • November – Facebook again…
      • December – we’re still waiting…
    • Breach fatigue.
    • Are we getting better at finding/reporting breaches? Are breaches happening more often? Are we getting worse?
  • Front #2 – Our local governments and schools are losing their battles.
    • Ransomware nails our local governments and schools.
    • A great article by Michael Mayes at CPO Magazine; the Top 10 Ransomware Stories of 2019.
      • “As the year ends, it’s time to declare 2019 the Year of Ransomware Escalation.”
      • Baltimore was “just one of 82 cities and municipalities to publicly report being struck by ransomware” in 2019.
      • “By December 1, a total of 72 US school districts have fallen victim to ransomware, impacting 867 individual schools and over 10,000 students.”
      • Nine “school districts representing 98 individual schools have been attacked by ransomware just in November. They include:
        • Wood County Schools, Parkersburg, West VA
        • Port-Neches Grove Independent School District, Port Neches, TX
        • Penn-Harris-Madison School Corporation, Mishawaka, IN
        • Livingston New Jersey School District, Livingston, NJ
        • Chicopee Public Schools, Chicopee, MA
        • Claremont Unified School District, Claremont, CA
        • Sycamore School District 427, DeKalb, IL
        • Sunapee Middle High School, Sunapee, NH
        • Main School Administrative District #6, Buxton, ME”
      • Louisiana declared a state of emergency twice in 2019
    • Do we just accept it?
    • We started a civic duty push in 2019, calling for citizens to inquire about ransomware protections from their local government officials. We’ll need to pick this up again this year, and include schools too.
  • Front #3 – Our homes are part of the battleground and we seem ignorant about it.
    • Security, privacy, and safety at home.
    • We still don’t emphasize information security, privacy, and safety enough at home.
    • Did this problem get worse in 2019?
    • Will this get worse before it gets better?

[Evan] That wasn’t too depressing, was it?

[Brad] Gives his honest opinion.

[Evan] We’ve got a lot of work to do, and there are no easy answers. No easy buttons. I think the answer is found in learning and applying information security fundamentals. We spent 2019 working hard at SecurityStudio and FRSecure to reach people with simple, but practical information security solutions like our vCISO, S2Org (information security risk assessment for all organizations), S2Vendor, S2Me (information security risk assessment for all people) and others. We even made some of our tools free! We’ll continue our quest to reach people and help wherever we can!

Got anything to add Mr. Nigh?

[Brad] Adds if he wants to add.

Closing

[Evan] That’s a wrap for another show. Heck, not just another show, but another year!

Thank you and Happy New Year to our listeners! Be sure to tune in next week, when we’ll cover some positive developments from 2019 and maybe a prediction or two. We love recording these shows for you, and we hope you enjoy them. Send us your questions and feedback at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and this other guy is @BradNigh.

That’s it! Talk to you all again next week!

#S2Roadshow Recap – Week Nine

This week on the SecurityStudio Roadshow, we made the trip down to Scottsdale, Arizona to visit the people attending the ISSA Phoenix Q4 2019 Chapter Meeting. Of course, we got our fill of good BBQ too!

SecurityStudio Roadshow Summary

If you’re new, or you’re confused about this #S2Roadshow thing, start here (maybe).

Previous Week’s Recaps:

The purpose of the SecurityStudio Roadshow (#S2Roadhow) is to meet people and make partners. We want to meet people, understand their businesses, and help them grow using simple, fundamental, and compliant solutions (S2Score, S2Org, S2Vendor, and S2Team/S2Me).

Our mission is to fix the broken information security industry. Success requires collaboration, partnership, and transparency.

BBQ Reviews

In the spirit of transparency, we have a secondary mission on the #S2Roadshow. We eat as much BBQ as we can. After stuffing ourselves, I summarize our BBQ reviews at the end of each recap article (see below).

Scottsdale, Arizona

We arrived in Phoenix/Scottsdale on Wednesday (12/4), the day before the ISSA chapter meeting. After getting our sweet rental, a 2019 Dodge Charger Hemi, we drove straight to our first BBQ joint, NakedQ BBQ in Scottsdale.

This slideshow requires JavaScript.

When you’re from Minnesota, a December trip to Scottsdale doesn’t suck. The weather was great. After BBQ, we were off to the hotel for some meetings and to catch up with work.

 

This slideshow requires JavaScript.

Next was a dinner meeting with a good friend and partner from the area, and afterwards day one was complete. Four or five great meetings, some good work completed, and two BBQ visits. Not bad.

Day two started with, you guessed it, more BBQ, before we headed off to the ISSA chapter meeting. Three BBQ visits in less than 24 hours. Think maybe we’re overdoing this? I think not!

ISSA Phoenix Q4 2019 Chapter Meeting

We’ve been to more than a couple ISSA chapter meetings, and this was one of the best! Lorna Kertész, the chapter President does a great job running things. She was running all over the place making sure things went off without a hitch. Huge shout out to Lorna!

Overall, this was a fantastic meeting! The venue was top notch, the speakers were great, and the happy hour was very well attended. On a scale of 1 – 10 for chapter meetings, this one was a 10!

When John and I arrived, it was cool to know that there were some people who were expecting me. A couple people came up to tell me that they’d read my book, and a few mentioned that they’d attended the FRSecure CISSP Mentor Program. Feels like we’re making a difference.

The first speaker of the day was Rachel Harpley from Recruit Bit Security. She gave a very good talk titled “Yule be Sorry without Security Researchers”. Rachel is cool. She’s got some great things to share and her perspectives about information security are spot on (in my opinion). If you haven’t met her, or attended one of her talks before, you should! It was fun to visit with her for after her talk.

The next speaker was Dr. Paulo Shakarian CEO and co-founder of CYR3CON. This dude is smart! He gave a legit talk titled “Artificial Intelligence Research for Forecasting Exploit Usage”. We caught up after his talk and scheduled a meeting (week after) to discuss how his research can make the SecurityStudio platform better. The prospects of tying legit AI into SecurityStudio’s S2Org technical vulnerability scoring are very exciting!

My talk followed the talks of these two esteemed speakers.

This slideshow requires JavaScript.

I gave a similar talk that I’ve given across the country now. Want the deck? Four topics in the agenda, housekeeping, meat, the dream, and call to action. The talk was well received, and the interaction with the attendees was super! Gave away three books, and had some wonderful discussions with people afterwards.Like I said earlier, this meeting was a 10 on a scale of 1 – 10. The only thing that would have made it better is if the guy next to me wouldn’t have gotten up and left his laptop unlocked.

I talked to him about it afterwards. We’re cool.

BBQ Reviews

You know how we roll, right?! BBQ man! As much as we can get, and yes, we (well I am) are gaining a few pounds along the way.

Three BBQ reviews this week; all three in Scottsdale. We expected good BBQ in Kansas City, but Scottsdale, Arizona?! Believe it or not, Scottsdale has some awesome BBQ joints! Here’s our take on the three we visited.

NakedQ BBQ – https://www.thenakedbbq.com/ – Overall: 8.25

  • Atmosphere – 7, the atmosphere for this place was OK. It was another one of those strip mall feeling sort of places.
  • Service – 9, Everyone was very pleasant and went out of their way to make sure you were satisfied. It’s great when people come out from behind the counter to see how you’re doing.
  • Portion/Value – 8, the price was better than I expected and the portions were generous.
  • Taste – 9, the food tasted great and you could tell it was made by people who know what they’re doing. The best brisket we’ve had in a while.

This slideshow requires JavaScript.

This was really, really good BBQ. I had a 1/4 pound of brisket, jalapeno sausage, turkey, and pulled pork, and they were all great. It’s a tie between the brisket and sausage for my favorite.

The Thumb – https://www.thethumb.com/ – Overall: 8.5

  • Atmosphere – 10, the atmosphere for this place was one of the best yet. The restaurant is part of a gas station and a gift shop. Totally comfortable and cozy. My kind of BBQ joint to just chill and visit with friends.
  • Service – 10, Seriously, these people know how to serve and make you feel like you’re a king (or queen, as the case may be)! One of the few places where they offer you a sample before you order. Once we ordered, they brought the food out to us, grabbed an assortment of sauces, gave us some free goodies, and constantly made sure we were happy.
  • Portion/Value – 7, the portions were hefty, but the price reflected it. Better than average, I’d say.
  • Taste – Maybe my expectations were set too high after experiencing the super cool atmosphere and getting service reserved for royalty, but the food tasted OK. Not great, but good maybe.

This slideshow requires JavaScript.

We met a good friend and business partner for dinner here. Overall, we had a great time and I’d visit this place again. Oh yeah, one more thing. This place was featured by Guy Fieri too. Some people think that’s pretty cool.

Little Miss BBQ – https://www.littlemissbbq.com/ – Overall: 8.75

  • Atmosphere – 9, this was a cool joint. It sort of felt like I was down south in the 70s. This is a order your food, grab your food, and sit sort of BBQ joint.
  • Service – 9, certainly above average. We arrived before the place was open and there was already a line around the corner. While we waited, a waitress walked the line offering samples of their home made sausage. While we ordered, the cook gave us a small cut sample of the pastrami brisket. After we ordered, we were assured that we had everything we needed to be happy.
  • Portion/Value – 8, very reasonable and worth every penny.
  • Taste – 9, We would have said “10”, but we use that number very sparingly. The brisket might have been the best we’ve had so far on the SecurityStudio Roadshow. It might be a toss-up between this place and Pecan Lodge (Dallas, TX in week #3). The taste of the meats here was incredible.

This slideshow requires JavaScript.

This was the best BBQ we’ve had for a long time, if ever, on the SecurityStudio Roadshow. If you like BBQ and you are in the Scottsdale area, you have to visit this place. It’s amazing!

BBQ Summary

Three new BBQ joints to add to our list, and this makes 28 we’ve visit so far. This was a VERY good BBQ week for us, with all three BBQ joints easily making the top 10. The winner this week was Little Miss BBQ, but it was close. Pecan Lodge is still on top as the overall #S2Roadshow leader with a score of 9 (but we need to go back an validate this now), and Little Miss joins Bowlegged BBQ in the #2 spot. The current overall standings are listed below.

Overall Standings (at the end of #S2Roadshow Week Eight):

  • Pecan Lodge – 9
  • Little Miss BBQ – 8.75
  • Bowlegged BBQ – 8.75
  • The Thumb – 8.5
  • Divine Swine – 8.5
  • Naked Q BBQ – 8.25
  • Dinosaur BBQ – 8.25
  • Big Ed’s BBQ – 8.25
  • Mission BBQ – 8
  • Slaps BBQ – 8
  • Q39 BBQ – 7.75
  • Cousin’s BBQ – 7.75
  • Blackwood BBQ – 7.5
  • Broad Street BBQ – 7.5
  • Hard Eight – 7.25
  • Spring Creek Barbeque – 7.25
  • Redd’s BBQ – 7.25
  • RIBBRO BBQ – 7.25
  • Iron Horse – 7
  • Lucille’s Smokehouse BBQ – 7
  • Texas Bar-B-Q Joint – 7
  • Fire Breather BBQ – 7
  • Smoque – 6.75
  • Sweet Lucy’s Smokehouse – 6.75
  • Red Coal BBQ – 6.75
  • Bad to the Bone BBQ – 6.75
  • Unkl Moe’s – 6.5
  • Hambone’s Smokehouse – 6.25
  • Shakedown BBQ – N/A (wasn’t open when it was supposed to be, wasted trip)

Next Week’s #S2Roadshow

A couple of talks this week, one in St. Paul, MN and another visit to Dallas, TX. We’re visiting the Minnesota Government IT Symposium on Wednesday and we’re visiting the Dallas/Fort Worth ISC2 chapter on Friday. Looking forward to meeting a bunch of great people this week, and we’re looking forward to revisiting Pecan Lodge.

Stay tuned for next week’s #S2Roadshow updates. You can follow us on Twitter (@evanfrancen, @HarmonJohn, @StudioSecurity, and the #S2Roadshow hashtag) and on LinkedIn.

See you next week! If you want to collaborate with us, get in touch!

#S2Roadshow Recap – Week Eight

Kansas City (MO) and Irvine (CA)

Monday was spent catching up in the office before heading off to Kansas City early Tuesday morning.

A day in Kansas City and three days in Orange County, California this week. Not bad!

SecurityStudio Roadshow Summary

If you’re new, or you’re confused about this #S2Roadshow thing, start here (maybe).

Previous Week’s Recaps:

The purpose of the SecurityStudio Roadshow (#S2Roadhow) is to meet people and make partners. We want to meet people, understand their businesses, and help them grow using simple, fundamental, and compliant solutions (S2Score, S2Org, S2Vendor, and S2Team/S2Me).

Our mission is to fix the broken information security industry. Success requires collaboration, partnership, and transparency.

BBQ Reviews

In full transparency, we have a secondary mission on the #S2Roadshow. We eat as much BBQ as we can. After stuffing ourselves, I summarize our BBQ reviews at the end of each recap article (see below).

Kansas City, Missouri

The Roadshow officially started on early Tuesday morning with a five something AM flight to Kansas City. The primary purpose for making the trip back to Kansas City was an important meeting with Lockton, our awesome partner. We had four people visiting from our office; myself, John Harmon, Alex Titze, and Chris Dian. I took a earlier flight than the other guys, so my job was to get the car and come back to pick them up.

I was greeted in Kansas City by the happiest and most encouraging rental car bus driver you could imagine. Ross was great!

Got the car, grabbed a coffee (red eye) at Starbuck’s, then came back to the airport to pick up the guys. Love these guys!

This slideshow requires JavaScript.

Lockton Meeting

The meeting with Lockton went great! We gave an introductory presentation to personnel in offices throughout the United States and discussed logistics about how we work together. Before heading back to the airport, we had to make a BBQ stop. This time we drove to Slaps BBQ (review below).

At the airport, we had great meeting with Chubb, a new potential partner. Chubb is reviewing the entire SecurityStudio platform, and seems most interested in using the S2Team/S2Me for their clients.

After this meeting, I was off to Irvine/Orange County, while the others headed back to Minneapolis.

Irvine, California

California is a beautiful place, that’s for sure! I had meetings with partners and potential partners while I was here, but things were low-key for the most part. Low-key is good when I have many days worth of email to catch-up on. The primary purpose for this visit was to preach at Webster University on Thursday evening.

My rental car was nicer than usual. Enterprise upgraded me (for no cost) to a Mercedes GL 320. If you know me, you know that I’m not a flashy guy who feels the need to drive a flashy car. At home, I drive a base model F250, so this is a change. A friend  told me that it looks like I’m driving a storm trooper helmet. Take a look at the picture below, yes?

John Harmon joined me on Thursday morning. We decided to check under the hood. Looks complicated.

This slideshow requires JavaScript.

We had some extra time on Thursday afternoon, so we took in a few sights. Like I said earlier, California is a beautiful place!

This slideshow requires JavaScript.

ISSA-OC

My talk is part of the “Cybersecurity Seminar Series”, a joint effort of ISSA of Orange County and Webster University. I wasn’t scheduled to be there until 6:00(ish) PM, so we made a stop at an In-N-Out Burger on the way. On all my travels, this was my first ever experience with an In-N-Out Burger. I can’t believe what I’d been missing!

This slideshow requires JavaScript.

We arrived on time (yay us!) and were greeted by the event organizer, Dr. Brian Dozer. Brian is the Director at Webster University and the ISSA Program Director. Super cool and nice guy! The facility was great, the audience was great, and we met some great people here!

Here’s a copy of my slide deck. Use it (or not) in any manner you wish! I added a slide to the usual deck, a simple challenge for audience members to get a free copy of my book. The challenge is to solve a simple monoalphabetic substitution cipher of one of Robby Bragg’s poems. If you don’t know (or remember), Robby was a wonderful person who used to work at FRSecure before he tragically took his own life on May 17th, 2018. I keep Robby’s memory alive on the #S2Roadshow by highlighting the need to address mental health issues head-on. The slides with Robby’s tribute and the challenge are pictured below.

This slideshow requires JavaScript.

After giving the talk, it was back to the hotel. More meetings on Friday, then back to Minneapolis Friday afternoon. Another great trip!

BBQ Reviews

You know how we roll, right?! BBQ man! As much as we can get, and yes, we (well I am) are gaining a few pounds along the way.

Four BBQ reviews this week. One in Kansas City (Slaps BBQ) and three in California (Fire Breather BBQ, RIBBRO BBQ, and Bad to the Bone BBQ). Reviews below!

Slaps BBQ – https://slapsbbqkc.com/ – Overall: 8 

  • Atmosphere – 8, this was a pretty cool place, located in an industrial part of town. The all brick building featured an indoor eating area, plus there were two more eating areas outside. The eating area on top of the building featured a great view of the Kansas City skyline.
  • Service – 9, I love when the BBQ is made to order right in front of you. They cut the meat and dish it out as you order it, right in front of you. The staff was very courteous and very helpful.
  • Portion/Value – 8, definitely above average. We got filled up at a very reasonable price.
  • Taste – 7, the brisket was good and the pulled pork was good. The best part was the jalapeno cheddar sausage. All the BBQ was good, but not amazing.

This slideshow requires JavaScript.

We went to Slaps on a recommendation from a close friend. She’s a local and told us this was her favorite BBQ in all of Kansas City. It was good, but I’ve had better in this town.

Fire Breather BBQ – http://www.firebreatherbbq.com/ – Overall: 7

  • Atmosphere – 6, there wasn’t anything special about this place. It was located in a strip mall type setting and sort of felt like fast food.
  • Service – 7, average(ish). The staff was courteous and helpful, but nothing special.
  • Portion/Value – 8, definitely above average. Again, I got my fill and I didn’t have to mortgage my house for it.
  • Taste – 7, the brisket had a great fat cap on it, and it was an excellent cut of meat, but there was no smoke ring at all. It was hard to taste the smoke flavor in the other meat too (pulled pork).

This slideshow requires JavaScript.

Overall, I could take it or leave it. I’d stop here again if I was driving by, but I wouldn’t go out of my way for this place.

RIBBRO BBQ – https://www.ribbrobbq.com/ – Overall: 7.25

  • Atmosphere – 8, This BBQ joint is also located in a strip mall setting, but they did a great job making it feel homey. Classic country music playing on the sound system seemed to round out a good atmosphere.
  • Service – 6, service was less than great. There were three people working here when we arrived and they were all busy trying to fill a catering order, which made the wait longer than it should have been. They were really nice people though!
  • Portion/Value – 7, the price was OK for what you get.
  • Taste – 8, the taste was definitely above average, but not great. The brisket was nice and moist. The ribs were good, but had some sort of weird spice in the dry rub. I couldn’t put a finger on what the spice was, and I wasn’t sure if I liked it or not.

This slideshow requires JavaScript.

John was VERY hungry after he got off the plane from Minneapolis, so we got here right when they opened. The service (which was what scored the lowest) might have been better if we’d gotten there a little later in the day.

Bad to the Bone BBQ – https://www.badtothebone-bbq.com/ – Overall: 6.75

  • Atmosphere – 8, this place felt like a BBQ joint on the one hand and a little like a sports bar on the other. Overall, the atmosphere was very good.
  • Service – 7, nothing special about the service. You order at the counter, grab a number, then wait for someone to bring your food.
  • Portion/Value – 5, the worst part about this place was the price for what you get. Even by California standards, this was too costly.
  • Taste – 7, the taste was good, but they put sauce on my meat. I don’t like sauce on my meat unless I’m the one putting it on.

This slideshow requires JavaScript.

I was expecting better, but maybe that’s what I get for having expectations. I probably wouldn’t visit this place again, primarily for the value/price factor.

BBQ Summary

Four new BBQ joints to add to our list. This was an OK BBQ week. The winner this week was Slaps BBQ (Kansas City). Pecan Lodge is still on top as the overall #S2Roadshow leader with a score of 9, and Bowlegged BBQ is still in the #2 spot. The current overall standings are listed below.

NOTE: I’ll organize this list with links to the reviews next week.

Overall Standings (at the end of #S2Roadshow Week Eight):

  • Pecan Lodge – 9
  • Bowlegged BBQ – 8.75
  • Divine Swine – 8.5
  • Dinosaur BBQ – 8.25
  • Big Ed’s BBQ – 8.25
  • Mission BBQ – 8
  • Slaps BBQ – 8
  • Q39 BBQ – 7.75
  • Cousin’s BBQ – 7.75
  • Blackwood BBQ – 7.5
  • Broad Street BBQ – 7.5
  • Hard Eight – 7.25
  • Spring Creek Barbeque – 7.25
  • Redd’s BBQ – 7.25
  • RIBBRO BBQ – 7.25
  • Iron Horse – 7
  • Lucille’s Smokehouse BBQ – 7
  • Texas Bar-B-Q Joint – 7
  • Fire Breather BBQ – 7
  • Smoque – 6.75
  • Sweet Lucy’s Smokehouse – 6.75
  • Red Coal BBQ – 6.75
  • Bad to the Bone BBQ – 6.75
  • Unkl Moe’s – 6.5
  • Hambone’s Smokehouse – 6.25
  • Shakedown BBQ – N/A (wasn’t open when it was supposed to be, wasted trip)

Next Week’s #S2Roadshow

No trip planned this week. We’re taking the week off for Thanksgiving. HAPPY THANKSGIVING!

Stay tuned for next week’s #S2Roadshow updates. You can follow us on Twitter (@evanfrancen, @HarmonJohn, @StudioSecurity, and the #S2Roadshow hashtag) and on LinkedIn.

See you next week! If you want to collaborate with us, get in touch!

The UNSECURITY Podcast – Episode 45 Show Notes

Welcome back for another quick recap of the week and another dose of UNSECURITY Podcast show notes. Hope you all had a great week!

For last week’s show, Brad was in studio while I was calling in from Sofia, Bulgaria. Brad was joined by Ryan Cloutier, an awesome return guest. As far as I could tell, it was another great show. I had some connectivity issues, but who doesn’t have connectivity issues in Bulgaria? Brad did a great job holding things together while we chatted about issues such as liability and speaking information security with “humans”.

Catch episode 44 here.

I was in Bulgaria to visit members of our SecurityStudio development team, check out the new office, and spend some time planning future releases of the software. Bulgaria is eight hours ahead, so timing with U.S. resources was interesting.

This slideshow requires JavaScript.

The trip was very successful and we made significant progress on a number of fronts. While I was halfway around the world, Brad held down the fort. He’s a really good leader and I’m sure he has a bunch of things going on. I didn’t get to check in with him last week, so we’ll ask how he’s doing on the podcast.

Lots of other really cool stuff to share, but I’ll do that in another post or on the show.

Let’s do some show notes now.


SHOW NOTES – Episode 45

Date: Monday, September 16th, 2019

Show Topics:

Our topics this week:

  • Catching Up
    • More Mentor Program success
    • Civic duty example
  • vCISO Revisited
  • Book Announcement

[Evan] – Hi folks, welcome to the UNSECURITY Podcast. This is episode 45 and I’m your host, Evan Francen. Brad’s joining me as usual. Hi Brad!

[Brad] Brad politely says hello to me and by proxy all of our listeners. Good Brad.

[Evan] Man, this is two shows in a row where I’m out of studio. Today I’m stuck in Washington, D.C. for a meeting. Only one day, so that’s good. What’s up with you?

[Brad] Stuff and things.

[Evan] We haven’t recorded together in person the last couple of weeks, and I haven’t even been able to catch up with you. You cool if we catchup quick?

[Brad] Brad will probably say “yes”.

[Evan] Alright, let’s start with your week. Tell us what you’ve been up to.

Catching up

  • What Brad’s up to.
  • What I’m up to.
  • We have more Mentor Program success to talk about
  • One of our listeners is setting a great example for all of us in holding his local government accountable for security.

[Evan] Alright, lots of good things. We’re all in this together and there’s a job and place for everyone.

[Brad] Brad’s words of wisdom.

[Evan] We’re always grateful for feedback that we get from listeners. If you’d got some, email us at unsecurity@protonmail.com. One of the more popular topics in the past few months has been that of the virtual Chief Information Security Officer (or vCISO). We’ve received some great questions about how to become a vCISO. A couple of episode ago, we talked about what a good vCISO is, but we didn’t really talk about how to become one. Let’s do that.

How to become a vCISO discussion

  • If you’re new (less experience).
  • If you’re experienced (even existing CISOs)
  • What are the benefits to being a vCISO versus being a FTE CISO?

[Evan] Alright. Good perspective and good discussion. Thank you Brad.

[Brad] Brad’s gotta say something or we’ll have an uncomfortable silence here.

[Evan] OK, last topic before we get into some news. I want to announce something that I’m VERY excited about. You and I are going to write a book, right?

[Brad] Brad confirms. See if you can notice any change in the tone of his voice when he responds.

New book announcement and discussion

There’s a tie in here with vCISO too.

[Evan] I’m pumped about writing with you Brad. What better time than 4th quarter to get started?

[Brad] He’s lived through multiple 4th quarters, so he’ll laugh/cry.

[Evan] Let’s close this thing out with some news, eh?

News

Here’s our news for this week:

Closing

[Evan] There you have it. Thank you for another great show Brad!

A special thank you to our loyal listeners. We love your feedback and sincerely appreciate the fact that you join us each week. Send your feedback to us at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Talk to you all again next week!