The UNSECURITY Podcast – Episode 82 Show Notes – World On Fire

So, in case you missed it, the world blew up last week. Again.

This time it’s not COVID-19 that takes the headlines, it’s rioting. Rioting that was triggered by (NOT caused by) one of the most disturbing videos I’ve ever watched, that of Minneapolis Police officer Derek Chauvin kneeling on the neck of George Floyd. As I write this, riots are taking place (or have taken place) in Atlanta, Bakersfield, Boston, Chicago, Columbus, Dallas/Fort Worth, Des Moines, Denver, Detroit, District of Columbia, Houston, Los Angeles, Louisville, Memphis, Minneapolis, New York City, Phoenix, Portland, Sacramento, and San Jose, among many others. The media is reporting riots are even taking place in other countries!

Seems like the world is on fire. While this isn’t the place for us to dig into the debate about racial injustice and inequality, we’ve all got opinions (and I’ll share mine later, in another place/time). The UNSECURITY Podcast is dedicated to information security, so we’ll stay on topic. Today’s current events are hard to process, but a relevant question is, what do current events mean to/for information security? This will be our topic.

I’m not going to recap last week/weekend personal events here either. We might discuss these things a little during the time that Brad and I catch up with each other, but otherwise, we have plenty to discuss in this episode. Let’s get to it!

These are my (Evan) show notes…


SHOW NOTES – Episode 82

Date: Monday, June 1st, 2020

Episode 82 Topics

  • Opening
  • Catching Up (as per usual)
  • World On Fire
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey there! Welcome to episode 82 of the UNSECURITY Podcast. Today’s date is June 1st, 2020. Due to a lack of personal hygiene, well mostly a hair cut, I’m your information security chia pet, Evan Francen. Joining me is my good friend and co-host Brad Nigh. Good morning Brad!

[Brad] He wishes all the listeners nothing but the best of mornings!

[Evan] Some serious stuff to talk about in today’s show, but one of the most serious things, for me at least, is checking in with you. How you doing Mr. Nigh?

Catching Up

Quick discussion about last week, the weekend, family, safety etc.

[Brad] Gives us the low down on his haps.

[Evan] I give the low down on my haps. Also, I hit a deer on my motorcycle on Saturday (again). What the?!?! Who does this?

World On Fire

[Evan] It was easy to pick a topic for this week’s show. Just when you think the world couldn’t get any crazier, we encounter the events of last week. There are so many thoughts and emotions running through our heads. Everything from sorrow to anger to frustration and everything in between. We don’t ever want to shy away from tough issues, but we also need to keep things on topic (information security) for the show. What I’d like to do is discuss today’s current events and apply them to what we do. Ultimately, what do all these things mean to information security?

Whatya say Brad, you game?

[Brad] He’s a smart and competitive son of a gun. You know he’s game!

Things to discuss:

  • FRSecure’s Information Security Principle #1; a business is in business to make money.
  • Physical security implications, lessons, ideas, etc.
  • What does this mean for cyber/technical security?
  • Some organizations are targets.
  • Personnel information security implications.
  • If COVID-19 wasn’t enough to motivate better response planning, does this?
  • Whatever other pertinent thoughts come to mind.

[Evan] Great discussion and lots of good advice I think! Let’s do some newsy stuff.

News

[Evan] Even though information security may not be dominating the news, there are still plenty of information security news stories to choose from. Here are three news stories that caught my eye.

Wrapping Up – Shout outs

[Evan] Alright listeners! That’s episode 82. Brad, who you got a shout out for?

[Brad] Somebody special for sure!

[Evan] Here’s mine…

[Evan] Thank you to all our listeners! You guys are a big deal to us. PLEASE be safe out there; physically, mentally, and electronically. Let us know what you think of this episode or whatever else is on your mind. Send us things (preferably not malware, but whatever) by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and you can find this Brad guy @BradNigh. If you wanna follow our company’s stuff, you can follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for whatever cool things they’re up to.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 81 Show Notes – Hard Truths

Welcome back! Episode 81 is sure to be a good one, but before I get started, just a few thoughts…

We just went through our first Memorial Day weekend under COVID-19. I don’t know what to say about it, other than the world seems as crazy, or crazier, than ever. Seems like 1/2 the country is out and about like everything’s normal while the other 1/2 of the country stays cooped up as though the apocalypse were upon us. To complicate matters, both halves seem to look upon each other with disdain.

We’re learning more and more each day about this coronavirus we call COVID-19. One thing appears certain, we’ve had crappy data to work with since day one. Crappy data leads to crappy decisions and crappy decisions lead to crappy outcomes. I’ll just leave it at that.

Memorial Day

This is one of my favorite holidays. I wonder how many of us know what it stands for or what it means. I wonder because I was wished a Happy Memorial Day numerous times yesterday, yet there’s nothing “happy” about it. The day is set aside to remember and honor our nation’s war dead from the Civil War onwards. It’s a day to stop what you’re doing, spend (at least) a few moments remembering the sacrifices that were made by our soldiers, and be grateful.

I suppose there are happy parts too, but these are mostly the product of what somebody else gave for you and me.

Not sure if I’m in a pissier mood today or what. No matter, I’ll snap out of it soon. Let’s get to Brad’s show notes!


SHOW NOTES – Episode 81

Date: Tuesday, May 26th, 2020

Episode 81 Topics

  • Opening
  • Catching Up (as per usual)
  • Hard Truths
  • News
  • Wrapping Up – Shout outs
Opening

[Brad] Welcome back! This is episode 81 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is May 26th, and joining me this morning as usual is Evan Francen.

[Evan] Has some sort of story for us I’m sure

[Brad] We’ve got a good show planned today! Before we get going though, let’s recap our week.

Catching Up

Quick discussion about last week, Memorial Day, last weekend, COVID-19, life, and other stuff.

[Evan] Evan talks about the cool things he did.

[Brad] I talk about the cool things I did.

Hard Truths

[Brad] So interestingly, at least to me, this is the first time I struggled with what to cover in our podcast.  Maybe the monotony of quarantine, the tidal wave of news around breaches and new attack vectors, or just plain old writer’s block but even sitting down to write this I don’t know where it ended up.

Because I was stuck I decided to start with news, there have been several really interesting things that have come out lately and that’s when I found this article from CSO Online 6 hard truths security pros must learn to live with and, yeah we can talk about this.

The Hard Truths

Discussion about the hard truths outlined in the CSO Online article:

  1. Hackers are probably inside your network right now
  2. You can do everything right and a careless end user can ruin everything
  3. You face critical staffing and skills shortages
  4. IoT creates new and unforeseen security problems
  5. You sometimes feel misunderstood and underappreciated
  6. Stress, anxiety and burnout come with the territory

[Brad] Good conversation, thank you Evan.

Let’s do some news…

News

[Brad] Always plenty of things to talk about in the news, and here’s a few stories that caught my eye

Wrapping Up – Shout outs

[Brad] That’s it, Episode 81 is a wrap. Evan, you have any shout outs?

[Evan] Of course he does!

[Brad] Here’s mine…

[Brad] Huge thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan’s @evanfrancen. Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 80 Show Notes – Zero Trust

We write our show notes either at the end of the week (Friday) or at the very beginning of the next (Sunday). It’s easier to remember the things that happened during the week on Friday than Sunday, that’s for sure! Only one day away (Saturday), and it’s easy to forget all that we did.

Most weeks are crazy, for us at FRSecure and SecurityStudio, and for people in general.

Normal(ish)

Are you feeling like things are slowly returning to normal? I am, and it’s great news! Personally, I don’t like the term “new normal”. I think I don’t like it because I feel like people have twisted it to serve their own desires and/or opinions without any factual basis. Normal is normal, and the greatest abnormality (in my opinion) has been our lack of in-person contact. We’ve been built, or wired, for analog personal interaction. Digital, online interaction will never substitute for it, and the longer we go without it, the more mentally unhealthy we become.

Four Things

Last week was a great week! Four cool things stand out in particular:

  1. Last week’s podcast was awesome! I love every opportunity to chat with Brad, and it’s a blessing to hang out every Monday morning. Recording episode 79 was a great way to kick things off last week. If you missed it, we talked about information security in K12, and you should go catch it.
  2. We made great progress in helping state governments last week! Had a great conversation with Minnesota’s CISO, Rohit Tandon, on Wednesday as we discussed third-party information security risk management. This was followed by the scheduling of a similar meeting with the State of New Mexico and joining the National Association of State CIOs (NASCIO) Cybersecurity Committee on Thursday.
  3. Chris Roberts, Ryan Cloutier, and I did Episode #1 of The Security Shit Show on Thursday night. It was a ton of fun hanging out with these guys! We’re planning to do our episodes/shows live every Thursday night at 10pm CDT, record them for future playback, and use he audio for our podcast. It’s definitely entertaining for our viewers/listeners and therapeutic for us. Be sure to tune in if you can!
  4. The Daily inSANITY Check-ins are still going strong, and this past week was great! People supporting each other and helping where we can is what it’s all about. Come join us when you can.

There were many great things about last week, but these were the four that came to mind when I sat down to write these show notes.

Speaking of show notes, let’s get to it! Today we’re going to talk about Zero Trust; what it is, why it’s a hot topic today, and what you should be doing about it.


SHOW NOTES – Episode 80

Date: Monday, May 18th, 2020

Episode 80 Topics

  • Opening
  • Catching Up (as per usual)
  • Zero Trust
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey everyone! Welcome to the UNSECURITY Podcast. This is episode 80, the date is May 18th, 2020, and I’m Evan Francen. With me today is my co-host, Brad Nigh. Good morning Brad!

[Brad] We’ll see what sort of mood Brad is in this morning…

[Evan] We’ve got a good show planned today! There’s this thing called “zero trust” that people are talking about, and I thought it’d be good for you and I to discuss it. Personally, I’ve received a lot of questions about it, and I’m sure you have too Brad. Like always, before we dig in, let’s catch up. What were some highlights for you from last week and how was your weekend?

Catching Up

Quick discussion about last week, last weekend, COVID-19, life, and other stuff.

Zero Trust

[Evan] A simple Google search of Zero Trust turns up “About 691,000,000 results”. A Google search of “Zero Trust” (with quotes) turns up “About 1,940,000 results“. So, clearly there are a lot of people who know what it means, right? Here’s some returns from the first page of search results:

The fact that there are so many “what is zero trust?” search returns might be a hint that people are confused. Let’s tackle this!

Zero Trust Discussion

Let’s try to clear some of the confusion:

  • What is Zero Trust?
  • Is it really new?
  • Is Zero Trust possible?
  • If I want Zero Trust, what do I need to do?
  • What common mistakes should I look out for?

[Evan] Alright. Good talk Brad. Thanks for sharing your insight! I think our listeners have a clearer picture of Zero Trust and what it means to them. If they have additional questions or comments, they can always contact us for more!

News

[Evan] News stuff! What the heck happened in the world last week? Let’s see…

I found four articles that caught my attention. Let’s talk about them!

Wrapping Up – Shout outs

[Evan] Never a shortage of things to talk about in this industry is there? Well, episode 80 of the UNSECURITY Podcast is just about a wrap. Brad, you have any shoutouts?

[Brad] Maybe he does, maybe he doesn’t…

[Evan] Here’s mine…

[Evan] Can’t say enough thanks to our listeners! Crazy how we run into you in all sorts of places. Stay safe and let us know how we can help you. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh. Thinking about coming to hang out at the Daily inSANITY Check-in? You can follow this on Twitter too at @InSanityIn.

There you go, have a great week!

The UNSECURITY Podcast – Episode 79 Show Notes – K12 Cybersecurity

56 days.

That’s how many days have passed since we officially closed our (physical) offices at FRSecure and SecurityStudio. The date was March 16th, 2020, and it’s a common closure date for many organizations. It’s crazy, but I hardly remember the month of April or the first week and a half of May! I’ve either lost context, or I’m losing it in a big way. These are times like no other.

This thought about context got me thinking about how it applies to our work as information security professionals. I believe one of the biggest tells about good or bad information security leadership is the ability or inability to put risk into context. I think there’s a whole series of podcasts we could do on this topic focusing on how we can help people understand context better. The better we understand context, the better our information security decisions will be. Maybe we’ll start tackling this in a series of podcasts, starting with episode 80 next week.

This week, we’ve got a slightly different topic.

Today, in episode 79, we’re going to focus our attention on a recent report from the Consortium for School Networking (CoSN) titled “The State of Edtech Leadership in 2020“. There’s some really good information in this report, and kudos to CoSN for pulling it together!

Let’s just get to it, episode 79 show notes below…


SHOW NOTES – Episode 79

Date: Monday, May 11th, 2020

Episode 79 Topics

  • Opening
  • Catching Up (as per usual)
  • The State of Edtech Leadership in 2020
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey everyone! Welcome to the UNSECURITY Podcast. This is episode 79, the date is May 11th, 2020, and I’m Evan Francen. With me today is my co-host, Brad Nigh. Good morning Brad!

[Brad] Brad’ll say good morning I bet. He’s a super nice guy like that! 

[Evan] We’ve got a good show planned today! You and I both love helping people, and I think we’re covering some things in this episode that should help all our listeners. Before we get too deep though, let’s catch up. It’s what we do! How you doing and what’s new Brad?

Catching Up

Quick discussion about COVID-19, life, and other stuff.

The State of Edtech Leadership in 2020

[Evan] Like you Brad, I get asked a lot for my opinion about this or that in information security. If the question I get is focused, it’s easier to provide a quick answer, but when a question is vague or open-ended, it takes much longer. This hit home for me this weekend when I was asked to chime in on this article; K-12 Tech Leaders Prioritize Cybersecurity, But Many Underestimate Risks, Survey Says. There’s a lot to unpack here, and a good opinion takes more time.

[Brad] He probably hasn’t read the article yet, but we’ll see…

[Evan] One thought that came to mind when I was asked for my opinion was the concept of context. Anything taken out of context can be made to look anyway we want, good, bad, and/or anything in between. When I read the article, one statement stood out right away:

fewer than 20 percent marked any items on a list of cybersecurity threats as “high-risk” from their perspective

[Evan] What caught my attention were the words “from their perspective”. Questions popped into my head. How do Edtech leaders define “cybersecurity”? What’s on their list of “cybersecurity threats”? What’s “high-risk”? This is a can of worms.

The following are key quotes directly from the CoSN report.

Cybersecurity remains the number one technology priority for IT Leaders, yet the threat is generally underestimated.

For the third straight year, cybersecurity has ranked as the top priority. When it comes to maintaining network security, 69% of districts say they are proactive or very proactive – up significantly over last year’s 52%. Districts employ a variety of strategies to minimize risk, including the vast majority in which IT staff training is a top practice and a majority requiring teachers and principals to receive training as well. Despite concerns, the survey also found that less than a fifth of respondents (18%) have a dedicated full-time employee (FTE) whose sole job is cybersecurity. IT Leaders feel phishing scams pose the greatest risk to network security, with almost half (49%) rating them medium/high risk to high risk. Despite this, results also showed an overall trend to underestimate risk—less than a fifth of respondents considered any specific threat as high risk. This runs counter to the reality that school systems are being specifically targeted by cybercriminals with reported cyber incidents tripling in one year.

Artificial Intelligence (AI) holds both promise and peril for IT Leaders.

The majority (55%) of IT Leaders anticipate that of the emerging technologies, AI will play a significant or transformational role in teaching and learning over the next five years. However, AI also poses concerns, with privacy being the biggest. Before AI becomes adopted at scale and can deliver on its promise, privacy issues will need to be addressed.

The top three challenges persist: budget, professional development, and department silos.

These three areas have been vexing IT Leaders since 2017. While budget is often beyond district control and directly affects professional development, it is within districts’ abilities to address the existence of silos. As outlined in CoSN’s “Digital Leap Success Matrix,” cross-functional executive team leadership is integral to the development of a successful digital learning environment. Until the executive leadership breaks down the silos, IT Leaders will continue to face difficulty in achieving their district’s own technology goals.

Other items from the report

Page 14:

Districts without a dedicated person on staff use a variety of methods to monitor network security. The most common approach is sharing the responsibility across several jobs (46%) followed by incorporating network security monitoring as part of another job (30%). Outsourcing is used by 11% of respondents. A concerning 10% of respondents have an ad hoc approach and do not have anyone assigned to monitoring their district’s network security. A makeshift approach to addressing cybersecurity is one reason why “school districts are proving to be particularly enticing to hackers.”

Page 15:

When it comes to maintaining network security, 69% of districts say they are proactive or very proactive. This represents a significant increase over the prior year’s 52%. Only 13% describe their activity as reactive or very reactive, a decrease from 23% the prior year. These year-over-year results indicate that districts are highly aware of increased network attacks in K-12 environments and are increasing efforts to thwart them. It is likely that lack of resources, not lack of awareness, is responsible for the 13% described as reactive/very reactive. As one respondent lamented: How is our small district able to fend off a multitude of possible cyber threats with the staff we have?

When asked to rate their perception of various risks to network security, respondents did not make significant distinctions between threat types. The largest segment fell into the Medium risk range—low/medium, medium, high/medium. With 49% rating it medium/high risk or high risk, phishing was deemed the greatest risk. It is surprising more did not consider it a greater risk. Phishing attacks have reached the “highest level in three years” with more than two-thirds of all phishing sites using SSL protection. With SSL decreasing as a reliable indicator of security, risks increase for users unable to spot phishing sites. Less than a third (31%) of respondents perceive ransomware attacks as medium/high riisk or high risk. This risk level assessment is also likely lower than it should be as the FBI is reporting ransomware schemes are being specifically designed to target public schools.8 With less than a fifth of respondents rating any threat as high risk (phishing received the most with 16%), threats overall appear underrated. Only 5% assessed student data to be at high risk, yet, according the most recent data on reported K-12 cybersecurity incidents, “the most frequently experienced type of school-related cyber incident…..were data breaches, primarily involving the unauthorized disclosure of student data.” With the number of reported K-12 cybersecurity incidents rising—nearly triple from 2018 to 201910—perceptions in perceived risks should start to realign more closely with reality.

[Evan] No doubt, we have a lot of work to do in K-12. It’s our obligation to do everything we can to help. Check out SecurityStudio’s free resources and do a holistic information security risk assessment like the S2School we developed earlier this year. Put information security risk into perspective and make much better choices.

News

[Evan] Alright. Good talk. Thanks Brad! Let’s cover a couple of interesting news stories before we wrap this up. Here are a couple stories that caught my attention:

Wrapping Up – Shout outs

[Evan] Sheesh! Lots of stuff. Well, that’s it for episode 79. Brad, you have any shoutouts?

[Brad] Maybe he does, maybe he doesn’t…

[Evan] Here’s mine…

[Evan] Seriously, a huge thank you to our listeners! We love your encouragement and we don’t take your advice lightly. You’re all great! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Have a great week!

The UNSECURITY Podcast – Episode 78 Show Notes – Working From Home

Keeping the show notes short again this week. It was another crazy week at FRSecure and SecurityStudio. We make progress towards our mission each and every day, regardless of COVID-19. Our mission is to fix the broken information security industry, which can be summed up by this statement:

Information security isn’t about information or security as much as it is about people.

When we help people, we help our industry. After all, would anyone care about information security is nobody suffered when things go wrong?

We’ll keep on trucking! We’re grateful for the people who put their trust in us and our credibility.

Let’s just get to it, episode 78 show notes below…


SHOW NOTES – Episode 78

Date: Monday, May 1st, 2020

Episode 78 Topics

  • Opening
  • Catching Up (as per usual)
  • Working from home
  • S2Me/S2Team
  • Listener Mail
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey guys and gals. Welcome to the UNSECURITY Podcast. This is episode 78, the date is May 4th, 2020, and I’m Evan Francen. With me today is my co-host, Brad Nigh. Good morning Brad!

[Brad] It is a good morning and Brad’ll be in a good mood for sure. Let’s see how he responds.

[Evan] Another good show planned for today, but before we jump in, let’s catch up. It’s sort of our usual thing to do about this time.

Catching Up

Quick discussion about some of the cool things we’re doing.

[Evan] We’ve been talking a lot lately about working remote or working from home. This has been a hot topic for some time, but since the COVID-19 outbreak, this is one of the top trending topics in the information security world. Let’s discuss another take on this, more of a future looking strategic perspective.

Working from home

Discussion about:

  1. What work from home looked like before COVID-19.
  2. What happened because of COVID-19.
  3. What the future looks like after COVID-19.

There are plenty of news articles about these topics and there’s no shortage of “expert” advice. Here’s just a few:

  • Is Working From Home The Future Of Work? – https://www.forbes.com/sites/nextavenue/2020/04/10/is-working-from-home-the-future-of-work/#4260c2c846b1“An early-April 2020 MIT survey of 25,000 American workers found that 34% of those who’d been employed four weeks earlier said they’re currently working from home. Combined with the roughly 15% who said they’d been working from home pre-COVID-19, that means nearly half the U.S. workforce might now be remote workers.”
    • “The Brookings Institution’s Katherine Guyot and Isabel V. Sawhill just wrote their take on remote work and COVID-19, calling the pandemic “among other things, a massive experiment in telecommuting.”
    • ‘In a March survey of HR execs by the Gartner IT research firm, 76% said the top employee complaint during the pandemic has been “concerns from managers about the productivity or engagement of their teams when remote.”’
    • “In Buffer.com’s9 State of Remote Report, 19% of remote workers called loneliness their biggest struggle with working from home and 17% cited collaborating and/or communication.”
  • Some May Work From Home Permanently After COVID-19: Gartner – https://www.crn.com/news/running-your-business/some-may-work-from-home-permanently-after-covid-19-gartner“Gartner last week released results from a March 30 survey of 317 CFOs and business finance leaders that found 74 percent of those surveyed expect at least 5 percent of their workforce who previously worked in company offices will become permanent work-from-home employees after the pandemic ends.”
    • “According to Gartner, about 25 percent of those surveyed expect 10 percent of their employees will remain remote, 17 percent expect 20 percent will remain remote, 4 percent expect 50 percent will remain remote, and 2 percent expect over 50 percent of employees now working from home to permanently work from home after the pandemic subsides.”
  • Working from home has a troubled history. Coronavirus is exposing its flaws again – https://www.theguardian.com/commentisfree/2020/apr/12/working-from-home-history-coronavirus-uk-lockdown“According to the Office for National Statistics, only 5% of the UK labour force worked mainly from home in 2019, but well over a quarter had some experience of home-working.”
    • “With all but key workers confined to their homes, the virtual office is now the new norm – a development that could prove to have far-reaching consequences.”
  • As working from home becomes more widespread, many say they don’t want to go back – https://www.cnbc.com/2020/04/24/as-working-from-home-becomes-more-widespread-many-say-they-dont-want-to-go-back.html“States of Play, a joint CNBC/Change Research survey of swing states, finds 42% of respondents nationwide saying they are working from home.”
    • “Once the economy reopens, 24% say they’d like to work either entirely or more from home compared to how they worked before, while 55% plan to head back to the office.”
    • “Some 60% report being either as productive or even more productive than they were working from the office.”

But what about information security?

There is no shortage of information security tips for people working from home. Just a small sampling:

A different approach – S2Me and S2Team

[Evan] In early 2019, SecurityStudio release its first version of S2Me. The S2Me was released (well ahead of COVID-19) to gauge people’s information security habits at home and S2Team was a way to share the results with an employer without violating privacy at home. Last week, SecurityStudio released version two of S2Me and I’d like to talk about all this.

  • What is S2Me?
  • What is S2Team?
  • How do S2Me and S2Team work together?
    • S2Me is a simple, personal information security risk analysis tool for use at home. S2Me helps people understand their risk related to security, privacy, and safety. Once these risks are understood, S2Me attempts to motivate people to build better information security habits at home.
    • S2Team is a collection of S2Me aggregated results to help organizations understand their employees information security habits. Organizations use S2Team to develop better, more personal information security training programs.
    • A couple of quotes from the “Introduction to S2Team and S2Me Topic Descriptions” draft document:
      • “The problem isn’t people. The problem is managing risk related to people.”
      • “People are creatures of habit. People will occasionally deviate from their habits, but habits are their default. Habits create peoples’ baseline and become nearly (or in some cases completely) involuntary.”
      • “People choose to form new habits because if they desire the positive outcome or because they fear a negative one.”
  • A quick peek into S2Me.
  • A quick peek into S2Team

[Evan] I think we’re on the right track, trying to help people build better information security habits at home where everyone ultimately benefits.

Listener Mail

[Evan] A loyal listener, one who got a shout out from me last week, Jason Dance, sent us this article that I thought was interesting and worthy of a brief discussion; It’s Not Just Zoom. Google Meet, Microsoft Teams, and Webex Have Privacy Issues, Too. – https://www.consumerreports.org/video-conferencing-services/videoconferencing-privacy-issues-google-microsoft-webex/

Brief discussion

[Evan] Alright, now some newsy things quick.

News

[Evan] It’s easy to find interesting things to talk about in our industry! Here’s a few that caught my attention:

Wrapping Up – Shout outs

[Evan] Wow. Lots of things. Well, episode 78 is almost in the can. Brad, got a shout out or two?

[Brad] Maybe he does, maybe he doesn’t…

[Evan] Here’s mine…

[Evan] Seriously, a huge thank you to our listeners! We love your encouragement and we don’t take your advice lightly. You’re all great! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Have a great week!

The UNSECURITY Podcast – Episode 72 Show Notes – COVID-19

Hi everyone. We’re hoping and praying for everyone’s health and mental well-being right now. Take care of what really matters, yourself and your loved ones.

Episode 72 of the UNSECURITY Podcast will be dedicated to continued discussion about COVID-19 and what the pandemic means, in our daily lives and in our vocation as information security people. It’s the topic on everyone’s mind, so to not talk about it seems a little tone deaf.

Before we get to the show notes (below), I’d like to highlight a few things going on around here.

One Word

What one word would you use to describe your past week? If you’re a Twitterer, let us know by tweeting your word with the hashtag #UNSECURITYoneword. Be sure to include us (@evanfrancen and @bradnigh) in the conversation.

Not Adjusted Yet

Not sure about you, but I haven’t adjusted yet. I’m an introvert, so I was expecting to thrive in isolation. I was wrong (for now). I was surprised to learn how much personal interaction really means to me.

Everything seemed different this past week and I was definitely a little off my game. I had trouble focusing on tasks and struggled with processing events occurring all around me. Nothing made sense at times.

On Tuesday (3/17) we (FRSecure and SecurityStudio) closed the offices, and by the next day, almost everyone was online and functionally working from home. Since there was nobody at the office, I decided to work from there.

The empty office was quiet. Too quiet. The quiet forced me to realize how social we are in our office. Every (normal) day is like a family get together. A family get together where everybody actually likes each other.

In a quiet office there are no dumb office jokes. No laughter. No smiles. No fist bumps. A quiet office is just filled with empty. Our office was filled with empty and me. It was a eerie and it was lonely.

I’m assuming the adjustment will just take time. Between now and then, let’s all keep our head up and look for ways to help others. Helping others can be a great coping mechanism!

The Pledge

Also on Tuesday, I wrote a pledge and posted it on LinkedIn. This pledge is one that I plan to live by, especially now.

My pledge:

  • I will NOT panic.
  • I will NOT give in to fear.
  • I WILL think things through.
  • I WILL make prudent decisions based upon the best (non-biased) information available.
  • I WILL be the person I’ve always been and learn to be better.
  • I WILL help my fellow humans whenever and however I can, putting my family first.
  • I will NOT use this (or anything else) to take advantage of people, and
  • I will NEVER put someone in danger if I can help it.

coronavirus panic fear think prudence decisions learning helpingpeople

What Else

We did a lot this past week.

The Impact of COVID-19 on Information Security Webinar(s)

In the midst of the chaos, we decided to put together a last minute webinar for Wednesday (3/18) afternoon.  Our motivation for the webinar was to help people and bring calm to the storm. Despite last minute arrangements and everything else going on, we had ~250 people come to the first session. Participation and interaction was more than we expected! There were many unanswered questions after the first session, so we decided to do a second session on Friday (3/20).

The topics we discussed were:

  • Introductions.
  • Before we get started.
    • #1 – The current state of affairs.
    • #2 – My pledge.
    • #3 – FRSecure Open Letter.
    • #4 – Ideas we’re kicking around.
  • Topics:
    • What is the impact of COVID-19 on information security?
    • How to securely shift employees to remote work during social distancing.
    • Some of the current social engineering scams around COVID-19 and how to avoid them.
    • How to create or adjust your business’s disaster recovery plan.
  • Where to go if/when you need help.

I’ve posted a copy of the presentation online for everyone.

Virtual Happy Hours

Our team started doing virtual happy hours on Thursday. Every organization should do these! We all get into an online Zoom meeting and hangout for a while. We share. We laugh. We joke. We smile. We love. These are amazing experiences that are healthy and good for the soul.

I prefer to sit and listen most of the time. Just taking it in. The sounds of my team laughing, their smiles, their dumb jokes (like really dumb), and sharing our day together are beyond magical. The joy these guys bring to my day is the best way to end it!

The Daily inSANITY Check-in

Nobody has this thing figured out and nobody has it all together.

We want to help, so we’re starting the Daily inSANITY Check-in webinar series. The purpose of the Daily inSANITY Check-in is to provide a safe place for people to discuss current events, information security things, challenges we’re facing, or whatever else comes to mind. The check-ins are short (30- to- 60-minute) daily meetings with discussion. People are always free to come and go as they please.

This is new, and we’re just getting started. Don’t expect all the kinks to be worked out day one. Visit the registration page for the full description and to signup.

K12 Cybersecurity Podcast

Good news! Our buddy Ryan Cloutier just released the first episode of the K12 Cybersecurity Podcast. His first episode is awesome! It’s so much better than our first UNSECURITY Podcast. In this episode, Ryan’s special guest is Amy McLaughlin. Amy is the Information Services Director at Oregon State University and cybersecurity project director for the Consortium for School Networking (CoSN).

This was a timely and well done episode. I recommend you subscribe to Ryan’s K12 Cybersecurity Podcast and get ready for more great content!

Pretty sure I forgot something, but that’s all for now. Let’s do a podcast (or something)!


SHOW NOTES – Episode 72

Date: Monday, March 23rd, 2020

Show Topics:

  • Opening
    • The week that was.
    • The week that is to come.
  • COVID-19
    • Priorities, and where does information security fit?
      • Mental and Physical Health
      • Yourself and Your Loved Ones
      • Business – Survival
    • The Bass and The Barracuda
      • Don’t be a bass. Be a barracuda.

This slideshow requires JavaScript.

Opening

[Evan] Hello listeners, this is another episode of the UNSECURITY Podcast. My name is Evan Francen, this is episode 72, and the date is March 23rd, 2020. Joining me in studio is my buddy Brad Nigh. Good morning Brad!

[Brad] If it’s a good morning for Brad, we’ll know by how he responds.

[Evan] Last week was nuts. You and I hardly had a chance to connect with all that’s going on, so we’re a little out of sorts. This would normally be your week to lead the podcast, but since we didn’t really connect, I’m hosting again. Hope that’s OK.

[Brad] He’s one of the nicest guys you’ll ever meet. He’s probably OK with this.

[Evan] We’ve got a lot to talk about this week. Top of mind or course is COVID-19 and what the pandemic is doing to our daily lives. Sort of hard to talk about much else right now, right?

[Brad] He might agree.

[Evan] Last week was crazy. Let’s talk about the week that was and then talk a little about what’s coming this week.

Catching Up Discussion

Discussing last week’s events and what we’re expecting this week.

[Evan] Alright, there has never been anything in my lifetime that’s been as disruptive as the COVID-19 pandemic. I sort of feel like we’d be tone deaf if we didn’t keep up the conversation.

COVID-19 Discussion

Our topics this week include:

  • Priorities, and where does information security fit?
    • Mental and Physical Health
    • Protecting Yourself and Your Loved Ones
    • Business – Survival
  • The Bass and The Barracuda
  • Another plug for S2Me.
  • Next Week:
    • Maybe a guest; it’s been a while.
    • What happens on the other side?
    • Daily inSANITY Check-in Update
    • What we’re doing to help.

[Evan] The world has hardly seemed any crazier than it is today. Do all you can to maintain (or restore) your health. Good talk. Now let’s get to some non-COVID-19-related news.

News

[Evan] Alright, let’s talk about a non-coronavirus story (or two or three). Remember, attacks aren’t going to stop. In fact, they are increasing and are expected to continue to increase. Don’t ever put anything past or too low for the lowest among us.

Here’s two news stories to consider this week:

Closing

[Evan] There you have it. Episode 72. Thank you for listening. We’re wishing everything health and sanity! Remember, we love hearing from you. If you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet like that. I’m @evanfrancen, and Brad’s @BradNigh. Check out @studiosecurity and @FRSecure frequently. They’re always posting good things!

Be safe. That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 71 Show Notes – Coronavirus

My good friends Brad and Ryan recorded episode 70 last week, and the topic was voting machine security. If you missed it, go check it out. Kudos to those guys, the show was great!

The Twilight Zone

Crazy. Life over the course of the last week was like an episode right out of Twilight Zone.

I was on vacation last week, taking a planned seven day cruise out of Long Beach, California. Cruises are a great vacation option for anyone who wants to disconnect from the world for a while. Connectivity on a boat is terrible, so why bother trying?

Never in my life has the world changed so much in a week.

When we flew out of Minneapolis on Friday (3/6) morning, the world seemed sort of normal. Sure, there was an increased awareness of the Coronavirus disease (COVID-19), but fear and panic appeared to be in check. Our collective awareness led to more people washing their hands, more people covering their mouths when they coughed or sneezed, and more use of various sanitizers. Occasionally, I’d run into someone wearing a surgical mask, but it wasn’t alarming or all that unusual.

The Cruise

We left the hotel for the cruise terminal on Saturday (3/7) around noon. As we got closer, we got our first glimpse of Carnival’s newest ship, the Panorama, and the excitement started to build. Seven days of sun and much needed rest. Something seemed off though. When we pulled up, we noticed there were hundreds of people just standing around with their bags. Nobody from the previous cruise was being allowed off the ship for some reason. Rumors were spreading and things were getting weird. After an hour or so, Carnival sent this message:

Thank you for your patience. Debarkation remains suspended pending medical test results for a guest who was on board last weeks cruise. Results are expected sometime after 6PM. Please do not proceed to the cruise terminal as the parking garage is full. We apologize for this delay and will provide an update in two hours.

Next, the news media started arriving in troves. Within minutes, news stories were already been published.

Carnival didn’t cancel our cruise, so we spent the night at the Long Beach Airport Hampton Inn, and went back to the cruise terminal on Sunday (3/8) morning. All the cruisers from the previous cruise had left, and we were permitted to board. Embarkation went off without a hitch, and before we knew it, we had arrived!

Our cruise was cut from seven days to six, and our originally planned visit to Mazatlan was cancelled. No matter, we were (and are) grateful for everything! Some people were mad, but what the hell?! One day in the sun is better than none! Even if they would have cancelled the cruise altogether, we would have been grateful.

This started the six days of limited (or no) connectivity for us. Almost like we were cut off from the world for a while.

Back on Land

On Saturday (3/14), we arrived back in Long Beach. The hot topic on the ship was all the chaos that the coronavirus (and media) had caused. We got connectivity again, and whoa! You’d think the world had lost its mind. Every news channel was dominated by the coronavirus. Seemed like bad news was everywhere and we’d stepped into an apocalyptic Twilight Zone episode.

What happened over the past six days?! Is the world ending? No, it’s not, despite what you might think from reading the news.

Store shelves are bare, there’s no toilet paper to be found, people are standing in long lines to buy everyday goods, people are physically assaulting each other over innocent items like sanitizing wipes, the NCAA cancelled the men’s and women’s national basketball tournaments, the NBA season is postponed (or cancelled), the NHL season is postponed (or cancelled), schools are closed, Disneyland and Disneyworld are closed, flights are cancelled between the United States and dozens of other countries, conferences and concerts are being cancelled, etc., etc.

Reality

Did thousands, or God-forbid, millions of people die while we were away on this six-day cruise? No, not really.

By the end of the day on Saturday (3/14), there were 3,043 confirmed infections in the United States and 60 deaths. Every single illness and every single death is significant, especially to loved ones, but are these numbers that should cause panic? There are some 329,000,000 people in the United States. Using rough math, the infection rate in the United States has grown to .000925% and the mortality rate for those who are infected (meaning those who were infected and died) is 1.9%. This means that one in every 108,000 people has become infected, and even if you were infected, you stand a 98.1% chance of surviving.

The math is good, but the inputs are extremely variable. These numbers are going to change, I know. If we don’t take action now, the numbers will be much worse than they should/could be, I know this too.

I’m not making any sort of case against taking proper precautions. Things like social distancing, cancelling group gatherings, and all of the (common sense, or should be common sense) sanitary measures like hand washing, mouth covering, etc., are prudent things to do. What’s wrong is the panic! People need to think and stop the panic.

We deal with panic on a much smaller and less significant scale every time we help a client through a troubling event or incident. In these cases, we always confront panic with facts. Panic is always bad. Panic makes things worse. Panic is NOT good for you. Panic makes you more susceptible to harm and opens you up to making poor decisions.

  • For those who are using this pandemic and panic to profit off other people – You suck and your actions are despicable.
  • For those who are using this pandemic and panic for political gain at the expense of others – You suck. Learn some decorum, stop dividing and start uniting. There’s a time for politics and responding to a pandemic is not one of those times.
  • For those who are not taking this seriously by taking proper and prudent precautions – You also suck and you’re putting others at unnecessary risk.

We are all in this together, and we all need to work together.

Seriously, don’t panic!

What does all this have to do with the UNSECURITY Podcast?

Lots! There are significant information security implications related to the coronavirus pandemic and the panic that has come from it. All of this is going to be our base for conversation in this episode.

On to the actual notes now…


SHOW NOTES – Episode 71

Date: Monday, March 2nd, 2020

Show Topics:

  • OpeningCatching up.
  • CoronavirusWhat’s happened?
    • What are we doing?
    • Information security implications
    • Business continuity, disaster recovery, and pandemic planning.
    • How does working from home affect information security?
    • What are the most important precautions?
    • If you haven’t planned well, it’s not too late.
    • How you can use S2Me and S2Team to make better choices.
  • News (non-coronavirus)
Opening

[Evan] Hello listeners, this is another episode of the UNSECURITY Podcast. My name is Evan Francen, this is episode 71, and the date is March 16th, 2020. Joining me in studio is my buddy Brad Nigh. Good morning Brad!

[Brad] If it’s a good morning for Brad, we’ll know by how he responds.

[Evan] It’s good to be back. What the heck happened while I was out?

Catching Up

[Evan] Did you happen to read my Twilight Zone reference about what it was like to be gone for a week, then to come back to what seemed like utter chaos?

[Brad] Of course he did. Brad’s good at preparation and stuff.

[Evan] Let’s talk about the elephant in the room, the coronavirus pandemic. Last week, the World Health Organization (WHO) declared that coronavirus is a pandemic. Nothing has been the same since. Let’s discuss some facts, our opinions, and give some advice to our listeners, based upon our own information security experience.

Coronavirus Discussion

IMPORTANT: Get your priorities straight; God, family, friends, work, etc., but don’t let your guard down. Attacks always increase in frequency during major events. Attackers know that many people are preoccupied mentally and physically, and they won’t/don’t hesitate to take advantage of the situation.

Be as vigilant with information security as you always have. In fact, be more vigilant than ever!

We’ll address all this (and probably more):

  • What’s happened?
  • What are we doing?
  • Information security implications
  • Business continuity, disaster recovery, and pandemic planning.
  • How does working from home affect information security?
  • What are the most important precautions?
  • If you haven’t planned well, it’s not too late.
  • How you can use S2Me and S2Team to make better choices.

[Evan] Thanks for sharing and thank you for the great discussion! To wrap this up, I’d like to highlight two online discussions that I had the other day about coronavirus on Twitter. The first started with a question posed by a Twitter user:

Twitter User: So how are you talking to your children about the pandemic?

A good question for sure. My answer:

Me; I’m telling them to wash their hands, cover their mouths when they cough or sneeze, and to be kind to others. Like I always have. I also tell them the world is a wonderful but dangerous place. They’ll be OK.

The other discussion also happened on Twitter. This Twitter user was calling for us (U.S. citizens) to vote everyone out of office because of the coronavirus (and probably their response). In this exchange, I responded with a question:

Did we have the same reaction with H1N1 that infected more than 59 million Americans and killed more than 12,000? It was only 10(ish) years ago.

Rather than engage in a discussion, this Twitter user blocked me. 🙁 I didn’t think my question was offensive. It certainly wasn’t meant to be. Maybe this Twitter user was more motivated by politics than any sort of constructive conversation. Sadly, politics get in the way of working together for solutions. Please don’t be like this Twitter user!

News

[Evan] Alright, let’s talk about a non-coronavirus story (or two). Remember, attacks aren’t going to stop because you’ve self-quarantined. Quite the opposite is true, sadly. Here’s two news stories to consider this week:

Closing

[Evan] There you have it. Episode 71. It’s good to be home. Let’s hope and pray for a good week with some sanity. Thank you to our listeners, we love hearing from you. If you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet like that. I’m @evanfrancen, and Brad’s @BradNigh. Check out @studiosecurity and @FRSecure frequently. They’re always posting good things!

Both Brad and I are praying for health for you and your family. Please don’t panic, and make good decisions.

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 69 Show Notes – Who does what?

After last week’s BSOD on Brad’s laptop…

We were 50+ minutes into last week’s podcast when Windows said no more. The operating system crash brought episode 68 to a dead halt before we had a chance to cover the last part of our Roles and Responsibilities series. So, instead of two parts, we’re doing three. This is how it all worked out:

I’m excited about this episode because it hits close to home. It should hit close to home with everyone!

RSA Conference

We’ll also talk about last week’s RSA Conference in this show. SecurityStudio sent seven people to the conference this year, and here are some highlights we will discuss:

  • The theme for the conference this year was “Human Element”.

  • Roughly 36,000 attendees this year.
  • San Francisco’s State of Emergency, mid-conference
  • The money grab was alive and well (literally).

This slideshow requires JavaScript.

  • SecurityStudio’s first appearance as a sponsor.

This slideshow requires JavaScript.

    • Gave away 1,000 free, signed copies of UNSECURITY.

This slideshow requires JavaScript.

    • We became known as counterculture (which was super cool).
    • The theme “Mission before $” was born and etched onto each book.
    • We made (at least) 961 new friends.

This slideshow requires JavaScript.

Overall, the RSA Conference was a great experience for everyone and a huge success for SecurityStudio.

On to this week’s show notes…


SHOW NOTES – Episode 69

Date: Monday, March 2nd, 2020

Show Topics:

Our topics this week:

  • Opening
    • What’s up?
    • One thing.
  • RSA Conference
  • Information Security Roles and Responsibilities (Part 3 of 3)
    • Last week, quick recap of roles and responsibilities (at work).
    • People are creatures of habit.
    • SIMPLIFY – What are things we can do?
    • At home:
      • Information security, privacy, and safety cannot be separated.
      • Parent
      • Spouse
      • Children
    • What should every “normal” person know about information security?
    • The importance of definition, formality, and communication.
  • News
Opening

[Evan] Hi again UNSECURITY podcast listeners! My name is Evan Francen and this is episode 69. The date is March 2nd, 2020. Joining me in studio is my co-host, Brad Nigh. Good morning Brad!

[Brad] Rumor has it, he’s been working hard on some IR work. Let’s see if he’s in the mood to talk this morning.

[Evan] It’s great to be back in the office and good to be here. We have a really good show for our listeners this week, but before we dive in, let’s catch up. Brad, tell me about your week.

Catching up

Some back and forth happens here.

[Evan] I’m behind on just about everything. Hoping for a good catch-up week!

RSA Conference

[Evan] So, there was this RSA Conference thingy last week. Let’s talk about it.

RSA Conference discussion. What we learned and what we wish we hadn’t.

[Evan] We’ll invite some of the interesting people from RSA to join us a future guests.

Information Security Roles and Responsibilities (Part 3 of 3) – Micro Level (at home)

[Evan] OK. So last week, we had a nice visit from the BSOD genie. Probably a good thing because we were going sort of long anyway. We originally planned two episode for Roles and Responsibilities, but instead we’ve got three now. No big deal. I’m looking forward to this talk with you Brad! What do you think about the series thus far?

[Brad] His opinions…

Last week, quick recap of roles and responsibilities (at work).

[Evan] We’ve talked about roles and responsibilities at a macro level and we’ve talked about roles and responsibilities within an organization. Now, let’s talk about roles and responsibilities at home. I know that you and I both are very conscious of information security at home.

Roles and Responsibilities at Home:

  • People are creatures of habit.
  • SIMPLIFY – What are things we can do?
  • Information security, privacy, and safety cannot be separated.
  • Roles
    • Parent
    • Spouse
    • Children
  • What should every “normal” person know about information security?
  • The importance of definition, formality, and communication.

[Evan] Great conversation. These things will all be covered in our book, and I’m really looking forward to finishing it with you. This book could help tons of people! Alright, as usual, let’s get to some news.

News

[Evan] Here’s what we’ve got for news this week:

Bonus, maybe a future episode; This breast cancer advocate says she discovered a Facebook flaw that put the health data of millions at riskhttps://www.cnn.com/2020/02/29/health/andrea-downing-facebook-data-breach-wellness-trnd/index.html

Closing

[Evan] There you have it. Episode 69. It’s good to be home this week.

[Evan] Thank you to our listeners, we love hearing from you. If you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet sometimes. I’m @evanfrancen, and Brad’s @BradNigh. Check out @studiosecurity and @FRSecure frequently. They’re always posting good things! Is FRSecure out at SecureWorld North Carolina this week? Lots going on and lots of chatter!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 68 Show Notes – Who does what?

Trying to get back to posting show notes on Fridays. We’ll see…

The Week

It’s been another amazing week at SecurityStudio and FRSecure! I was in the office all week, so I got to see some of the magic first hand. You’d be amazed, truly.

OUR PEOPLE ARE INCREDIBLE! (yes, I shouted that).

Some of the things that come to mind right now:

  • Discussions and meetings with awesome people like Chris Roberts, Steve Hawkins, Mike Johnson, Augustine Doe, Jeremy Swenson, and Devin Harris this week. Each of them is awesome in their own way. Had lots of meetings this week, but these are the ones that stand out right now. Giving them all shout outs. They are wonderful people.
  • Brad’s kickin’ butt on some new service offerings, including a new CMMC readiness assessment. Checked out his executive summary report mock-up, and it’s sweet!
  • One of our analysts, “Ben” (he’s been on the podcast show before) has discovered some (16ish) significant potential/confirmed breaches of data in his research. Learning a ton about responsible disclosure. 😉
  • Lunch with John Harmon, FRSecure’s president on Thursday was incredible. We ate some sweet BBQ and talked strategy. This dude has some great ideas and I’m pumped about what he’s up to!
  • Ryan (“cola”) Cloutier is a machine. Opening doors, making a difference in education (K-12 & higher ed), and taking things global (UK, Australia, APAC, etc.). Letting this guy do his thing.
  • The marketing stuff and coordination for RSA next week is all set, thanks to the leadership of Andy Forsberg. This dude’s got in under control! There are seven SecurityStudio people heading out to RSA next week and we’ve all got brand new blue Nike’s and brand new blue branded T-shirts, not to mention 1,000 books to give away, and all the details. Excited to go have some fun with this group next week! (P.S. I think I got Andy hooked on Rockstar Energy drinks. I’m a bad influence, and I’m sorry.)

I could write something about every person here. The ALL pour their heart and soul into our mission of fixing this broken industry. They ALL understand that information security isn’t about information or security as much as it is about people. There are no words to describe the experience of working on this mission with this amazing group!

Breathe

OK, enough braggin’ for now, we got a podcast to do.

In last week’s show, Brad and I discussed the topic of information security roles and responsibilities at a macro level. We gave our opinions about the role of government, the role of business, the role of schools, etc. This week, we’re going to take the same topic and apply it at a micro level.

This is sure to be a great discussion!


SHOW NOTES – Episode 68

Date: Monday, February 24th, 2020

Show Topics:

Our topics this week:

  • Opening
    • What’s up?
    • One thing.
  • Information Security Roles and Responsibilities (Part 2 of 2)
    • Last week, quick recap of roles and responsibilities at a macro level.
    • The importance of definition, formality, and communication.
    • SIMPLIFY and operationalize.
    • At work:
      • Executive Management
      • CISO (or similar), two jobs.
      • IT
      • Legal
      • Everyone else.
    • At home:
      • Information security, privacy, and safety cannot be separated.
      • Parent
      • Spouse
      • Children
    • What are things we can do to simplify and operationalize?
    • What should every “normal” person know about information security?
  • News
Opening

[Brad] Good morning UNSECURITY podcast listeners! I’m Brad Nigh and this is episode 68. The date is February 24th, 2020. Joining me in studio is my co-host, Brad Nigh. Good morning Evan!

[Evan] Stuff and things…

[Brad] We have a great show planned today. Before we dive in, let’s catch up. Crazy week behind us and another crazy one ahead! What’s going on?

Catching up

Some back and forth happens here.

[Brad] Wow! Alright, let’s shift gears now a little. Last week, we talked about information security roles and responsibilities. Not the most exciting topic, but an absolutely critical one for sure! We’re approaching this topic from two different perspectives, from a macro level and a micro level. Last week was part one, the macro level. This week is part two, the micro level. You ready to get started?

[Evan] For sure.

Information Security Roles and Responsibilities (Part 1 of 2) – Micro Level

[Brad] You mentioned that we’re working on this book together. It’s a book focused on simplifying and operationalizing information security for underserved markets like state/local government, schools (K-12 and higher ed), small businesses, and individuals. Part of all this is understanding who does what, or at least who should be doing what. We started last week with our opinions about the importance of defining roles and responsibilities for governments, businesses, schools, etc. Now, let’s take it down to a more practical level.

We’ll share our opinions this week on the following:

  • How important is it to define, formalize, and communicate information security roles and responsibilities?
  • If we haven’t defined, formalized, or communicated information security roles and responsibilities, where should we start?
  • Why is it important to simplify information security, and how can I do it?
  • What does operationalizing information security look like and how can I accomplish this?
  • Roles and Responsibilities at Work:
    • Executive Management
    • CISO (or similar), two jobs.
    • IT
    • Legal
    • Everyone else.
  • Roles and Responsibilities at Home:
    • Information security, privacy, and safety cannot be separated.
    • Parent
    • Spouse
    • Children
  • What are things we can do to simplify and operationalize information security at home?
  • What should every “normal” person know about information security?

[Brad] Great conversation. We could have taken any one of these subtopics and devoted an entire show to it. I’m really looking forward to finishing this book with you. This book could help tons of people! Alright, as usual, let’s get to some news.

News

[Brad] Here’s what we’ve got for news this week:

Closing

[Brad] There you have it. Episode 68. Good talk today. Got any parting words?

[Evan] It’s a secret.

[Brad] Thank you to our listeners, we love hearing from you. If you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet sometimes. I’m @BradNigh and Evan’s @evanfrancen. Be sure to watch social media for news from RSA! SecurityStudio will be tweeting and LinkedInning all week! Check out @studiosecurity frequently. FRSecure’s Twitter handle is @FRSecure, and they’re sure to have some good things too. Especially the week after next when FRSecure is out at SecureWorld North Carolina. Lots going on and lots of chatter!

That’s it. Talk to you all again next week!