The UNSECURITY Podcast – Episode 55 Show Notes

Here we are, show notes for the UNSECURITY Podcast, episode 55!

Last week’s show featured pioneer virus researcher and keynote speaker Kenneth Bechtel. We learned from his wisdom, and he also shared some of his recent struggles with landing a job. UPDATE: Ken informed us that he’s landed a job, and we’re pumped about it! If you know Ken, reach out an congratulate him.

This week we have another super special guest! Zoe Bundy, the teenage founder of Brainy Ladies is joining us. We’re going to dedicate the show to learning more about her, her company, and her cause! This is going to be amazing!

This is Brad’s show to lead this week, and these are my (Evan) notes.

SHOW NOTES – Episode 55

Date: Monday, November 25th, 2019

Show Topics:

Our topics this week:

  • World Meet Zoe!
    • Who is Zoe Bundy?
    • Introduction to Brainy Ladies
    • What’s next?
    • How can we help?
  • Thanksgiving – What’s one thing we’re thankful for this year?
  • New Show Format
  • News

[Brad] Welcome to the UNSECURITY Podcast. The date is November 25th, 2019 and this is episode 55. My name is Brad Nigh and joining me in studio is Evan Francen. Sup Evan?

[EvanThings and such.

[Brad] So, Evan. You meet a lot of really awesome people on the SecurityStudio Roadshow. There are few, if any, that you mention with more admiration than our guest this week, Zoe Bundy. Before we introduce her, tell me how you met and your thoughts about what she’s doing.

[Evan] You’re absolutely right, by far the best part of being on the SecurityStudio Roadshow is meeting the people I get to meet. One of the most incredible people I’ve met is Zoe Bundy. She’s the CEO of Brainy Ladies, an organization with this super cool mission of helping more girls get into STEM.

I first met Zoe in November 2018 at Network Center’s nVision Conference in Fargo, North Dakota. Steve Marsden, FRSecure employee #3 ran up to me and told me he’d met the most fascinating girl who’s got this awesome mission to help girls get into STEM. She gave a talk at nVision 2018 and he was blown away by her poise, her ambition, and her mission. When we met in 2018, I put her in touch with some of the great women we have working at FRSecure like Megan Larkins and Lori Blair.

Fast forward to this year’s nVision conference, and I ran into Zoe again. She came by our SecurityStudio booth with her brother Grover. She’s still trucking along, making a huge difference in the world. I felt like we needed to get her on the show, get to know her a little, and help her spread the word about her noble mission!

[Brad] Awesome! Well, let’s introduce Zoe. Hi Zoe, welcome to the UNSECURITY Podcast!

Discussion with Zoe
  • World meet Zoe and Brainy Ladies!
  • Open, unscripted discussion.
  • Getting to know Zoe.
  • Questions we may/may not get to:
    • How old are you?
    • Do you come from a family with a STEM/technical background?
    • How did she come upon her mission?
    • What motivated her to do something?
    • Tell us about Brainy Ladies.
    • What plans do you have for the future of Brainy Ladies?
    • How can we get involved with helping Brainy Ladies or you?
    • What do her friends at school think?
    • Does she recruit girls into STEM? If so, what works and what doesn’t?
    • What advice does she give girls who have an interest in STEM, where should they go?
    • What about girls who are struggling with STEM, what help can we give?
    • If there was one thing you’d like our listeners to know about girls in STEM, what is it?
    • If there was one thing you’d like our listeners to help you with, what would it be?

[Brad] Wow! There are tons of opportunities to encourage girls to get into STEM. STEM isn’t for everyone, but for everyone who’s got an interest, there’s plenty of opportunity! Amazing.


[Brad] OK, this is Thanksgiving week. We all have things to be thankful for this year, starting with you Zoe, what’s one thing you’re particularly thankful for this year?

[Zoe] She can choose whatever she wants or nothing at all. This is her time.

[Brad] How about you Evan, what’s one thing you’re thankful for this year?

[Evan] We’ll see what he/I say…

[Brad] Good stuff! I’m thankful for ______________.

New Show Format Discussion (quick)

[Brad] Next let’s talk quick about an upcoming show format change, starting the first of the year. We’re going to devote ten minutes of each show to anyone who’s looking for a job in the information security industry. You email us at sometime before the next episode, and we’ll respond to you on a first come, first serve basis.

If you’re chosen, and the time works out, we’ll invite you on to our show to learn about you. Think of this as a quick 10 minute interview. We’ll work out the kinks between now and the time we kick this off, but we’ll have a standard format defined by then.

So, if you’re looking for a job, use us to help you get the word out! Stay tuned, we’ll mention this a few more times before we make this change official.

OK, now some news…


[Brad] There’s always plenty of news to choose from. Here’s just a couple of stories that caught our eye this week.


[Brad] Alright! Episode 55 is a wrap. Thank you again to Zoe Bundy from Brainy Ladies for joining us! We’re very excited to keep up with what she’s doing.

Thank you to our listeners! Keep the questions and feedback coming. We’re a little behind on responding right now, so please be patient with us. We love your feedback. Send things to us by email at If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan’s @evanfrancen. Zoe, how do you want people to socialize with you?

Follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies there too!

That’s it! Talk to you all again next week!

According to Author, Some Corporations Have “Achieved Security”

A friend of mine brought something to my attention this week. He said he heard there’s a guy out there claiming there are unhackable companies.

Me: Unhackable?

Friend: Yep, unhackable.

Me: What?! No way man. This can’t be true.

Friend: Oh yeah, it’s true. Want me to send you a link?

Me: Absolutely. I’ve got to see this.

He sent me a link to a National Public Radio (NPR) show transcript. The show, All Things Considered, is hosted by Ari Shapiro, a well-respected journalist. Appearing on this show was Richard Clarke, promoting his new book, “The Fifth Domain”. For those of you who don’t know who Richard Clarke is, he was the National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States from 1998 to 2003, an impressive position. He also led a lengthy career with the U.S. government. Like most people in the government and most politicians, he’s well-respected by some and hated by others. Since leaving the public sector, he’s written a bunch of books and he’s been fairly active in speaking about information security (or as he calls it “cybersecurity”). You can read his Wikipedia page if you want to know more about him.

So, I dug into the transcript looking for the place where this wild unhackable company claim was. At this point, I’m still thinking my friend must be mistaken.

SHAPIRO: One line in the book stood out to me from somebody who was talking about election security but could just as easily have been talking about other aspects of cybersecurity. And the line is, our house was robbed, so let’s at least lock the door. The problem is there are so many doors in the United States – 50 states, thousands of counties, who knows how many private businesses. Each one of them is a target. So is it naive to think that anyone could prevent the house from being robbed again?

CLARKE: There are major American corporations that have achieved security – cybersecurity. They don’t like to attract attention to themselves. They don’t like me using their names, so I won’t. But there are big American companies that have done it. Ten years ago, when we wrote the book “Cyber War,” we said no company is safe. If the Russians or the Chinese want to get into your network, they can. Now we’re saying that’s no longer true.

Wait. What the hell does “achieved security – cybersecurity” mean?! Is he saying there are mysterious unhackable “big American companies”? If they’re unhackable, why can’t we know their names and why can’t we share the secret sauce that makes them unhackable with the rest of the industry?!

I can tell you why we don’t know the names of these unhackable companies, and it’s not because Mr. Clarke won’t share them or because they don’t like him using their names, it’s because they don’t exist!

How about the secret sauce, surely this can be shared. Ari Shapiro, being the very good journalist that he is, asks.

SHAPIRO: What do the companies that have not been successfully hacked have in common? What are they doing right?

CLARKE: The companies that are resilient spend more money on it and have a better governance model so that the guy in charge or the gal in charge reports to a much higher-level official. They’re not buried in the bureaucracy of the company. And in terms of just a raw metric, the good companies – the companies that are successful at this – are spending 8% to 10% of their IT budget securing their networks. There are banks in New York that are employing thousands of people and spending hundreds of millions of dollars each year.

Am I reading this right? The secret sauce is “more money” and a “better governance model”? Can’t be. There’s got to be more than that. Well, he goes on to say there are banks in New York who employ thousands of people spending millions of dollars. Banks in New York. Could this be a hint about one of these mystery companies. He also referred to people. There’s a problem now, once you bring people into the equation. Something that’s unhackable requires perfection, doesn’t it? If there’s a flaw anywhere, there’s a potential vulnerability. These people must be infallible. Do you think these are infallible people? They don’t make mistakes? What kind of people must these be?

Want an unhackable company? Find perfect, infallible people. That’s got to be part of the secret sauce!

Back to the money thing. How much money is “more money”? Surely if we throw more money at the problem, it’ll get solved. After all, we’re throwing billions of dollars at the problem every year. Mr. Clarke claims that the successful companies are spending 8% –  10% of thier IT budget on security. On average a large company (more than $2 billion in revenue) spends 3.2% of revenue on IT, but banks spend more like 7%. So, let’s take a $2 billion (revenue) bank. If they spend between $11,200,000 and $14,000,000 ($2 billion x 7% x 8 or 10%) on security, this will make them unhackable? How about J.P. Morgan? This is the biggest bank in New York. They had revenues of $109 billion in 2018. If they spend (or spent) between $610 million and $763 million on information security, did this, or could this, make them unhackable?

Hmm. Maybe, but we still got that people thing. He also mentions another requirement. The guy or gal running this unhackable security program needs to report to the top, like the CEO or even the board.

So far, we can glean that we’ll need the following for an unhackable company:

  • More money – somewhere between 8-10% of 3.2-7% of revenue, maybe even more.
  • Better governance model – report to the CEO or board.
  • Infallible people – perfect people

SHAPIRO: You’ve said the government has acknowledged that it is hackable and that companies have figured out how to get the upper hand and prevent themselves from being hacked. Why can’t the government learn the lessons that these companies have learned?

CLARKE: Well, I think part of the problem is the federal government, which has maybe 40 or 50 major departments and agencies, insists that they all defend themselves. I don’t think that should be the job of every federal agency. What we propose in the book is that the government create one single cybersecurity office for all the little agencies and departments that can’t do it. This is what’s done in the private sector. A lot of companies don’t do it themselves.

SHAPIRO: They outsource it. They hire a contractor.

CLARKE: They outsource it, and you pay them by the month. And you get the – you get them handling all of your security. That’s the way the federal government should do it.

Ooh, another hint. Outsource all your security. Lord knows, a third-party will most definitely treat your stuff as well or better than you will.

DONE! Want an unhackable company, do this:

  • Spend more.
  • Govern better.
  • Be perfect.
  • Outsource stuff.

Let’s Be Real Now

You sensed the sarcasm, right? Here’s the truth:


Anytime you hear someone claim that something or someone can’t be hacked, give it a long sideways look. Such a person who says such things almost instantly loses credibility with all of us who know better. To give Mr. Clarke the benefit of the doubt, he didn’t explicitly say that there are unhackable companies. He just sort of implied it. It’s also possible that I misunderstood what he was saying, but I read the transcript multiple times and came to the same conclusion. Could be he’s just trying to sell books too. Who knows for sure?

The goal isn’t to be unhackable. The goal isn’t to eliminate risk. The goal is to manage it. Eliminating risk would require perfection, and perfection isn’t possible. If anyone tells you different, he/she is a fool. Don’t take advice from a fool.

Denver ISSA Incident Management Workshop Recap

Finally. I’m finally getting around to posting about this event. The fine folks of the Denver ISSA chapter invited me to speak at their chapter event on May 23rd. The event was a three-hour incident management workshop (titled Incident Management – Panic or Plan).

‘Wait! What?! Three hours?!

Yes. These poor folks endured three hours of my preaching. Read on…

About Denver ISSA

The Denver ISSA Chapter is the largest chapter in the world with more than 800 members. I’ve attended numerous ISSA chapter events over the years, and the Denver ISSA Chapter is one of the best! Read about the Denver ISSA Chapter here.

I spent some time with James Johnson, the Chapter President, and Shannon Welton, the Chapter Training Coordinator while I was there, and they are both top notch! Seriously. They’re good, and it was great conversation (for me anyway).

Can’t say enough good things about Denver ISSA. Loved every minute I spent there.

About the Workshop

Shannon Welton was my primary contact for the workshop. She’s a pleasure to work with. I was given liberty to create and present whatever content I wanted to, and she made sure I had everything I needed at every step of the way.

Flight in the morning from Minneapolis to Denver. Grabbed a Lyft. Made the trip from the airport to Maggiano’s Little Italy (16th St Mall). Lunch started at noon, and I got there at 12:05. Not bad. 😉

From the moment I arrived, I felt welcomed. There seemed to be ~100 people there, and they were all engaging. They showed genuine interested in each other and it felt good to be there. Lunch ran from noon til 12:45, at which time Shannon kicked off the workshop with an introduction. When she introduced me, she asked if anyone had heard of me. Funny! Only one person raised their hand.

After three hours together, they’ll all have heard of me now!

I’m the sort of guy that could talk for three days about information security (and incident management), so three hours wasn’t going to be a problem for me. The challenge is/was keeping people engaged for three hours.

Here’s the learning objectives.

Here’s the agenda.

I used two things to keep people awake; a 15-minute break at 2:15 and Dad jokes. We made it through to 4:00pm, and the group was very engaged. More than I expected. There were great questions, good eye contact, and I felt as though we all got something from the experience together.

Workshop Content

Get it here.

  • ISSA-Denver_PanicOrPlan-052319.pdf, the slide deck.
  • CSIR-Maturity-assessment-tool_Info1.pdf, the CREST Cyber Security Incident Response Maturity Assessment Tool introduction document.
  • Maturity-Assessment-Tool.xlsm, CREST Cyber Security Incident Response Maturity Assessment Tool (Summary).
  • Maturity-Assessment-Tool_Detailed.xlsm, CREST Cyber Security Incident Response Maturity Assessment Tool (Detailed)
  • ISSA-SAMPLE_Incident_Log&Categorization_Tool.xlsx, the FRSecure basic information security incident logging and categorization workbook.
  • ISSA-SAMPLE_Security_Incident_Response_Plan-052319.docx, the FRSecure basic incident management/response plan template.


The Denver ISSA is awesome! If I lived in Denver, I’d be at every event. If you live in Denver, you should go to every event. Seriously, get there.

A dozen of so people came up to speak with me after the workshop. More great questions and some great connections. I felt bad that I had to run shortly after the workshop in order to catch my plane back to Minneapolis. Next time (if/when there is one), I will stay longer.

Presenting this workshop was a real privilege, and I’d go back anytime.

P.S. Another example of their awesomeness; I received a beautiful “thank you” gift basket at my office from these guys. Too cool!

2019 New Directions in IT Education Conference

This was a wonderful opportunity to talk to some fascinating people; people tasked with helping us create the future talent of our industry.

It was also the fourth talk at the fourth conference of the week, so things were getting a little weird. Regardless, I always enjoy this and I’m having fun!

About the 2019 New Directions in IT Education Conference

This is an annual conference attended by “educators and industry experts”, sponsored by the Minnesota State IT Center of Excellence.

According to the conference website:

Minnesota State IT Center of Excellence, invites industry professionals, employers, and Minnesota State faculty members to convene at our annual free IT conference that takes place in May.  Explore emerging employer needs, identify specific implications for student learning outcomes, and map out actions that individual faculty and departments can implement, and identify comprehensive innovations to be developed collaboratively.

A really cool opportunity to speak and collaborate! I was here for two reasons:

  1. Deliver a keynote talk
  2. Participate on a panel of experts

I was with some experts, but I’ll apply that word loosely to myself. The full conference schedule is here.

Keynote Plan A

If you know me, you know that I wing it a lot. This makes me very hard to manage, and it can get frustrating for people who work with me. It’s just how I roll.

I prepared my talk for this conference four (maybe five) days ahead of time. That’s crazy good for me! My talk was/is titled “Seven Facts About Unicorns”. I put a lot of work into the presentation and I was excited to give the talk (at the time I wrote it).

Keynote Plan B

There wouldn’t be a need for Plan B if I had just stuck with Plan A, but what fun would that be? Driving on the way to the venue, I changed my mind. I didn’t want to talk about unicorns anymore. I even said to myself in the truck, “Seriously Evan?! Don’t do it.” Thankfully, I was 45 minutes ahead of schedule, so I pulled off at a local coffee shop to create a new presentation.

Some people (I/me) never learn.

I grabbed a cup of coffee, tore my laptop out of my bag, and begin pounding away on the keyboard. What would I talk about though? Hmm. Got it! I will cover the first 38 of 100 truths about information security. I started the #100DaysofTruth series 38 days ago, at the time of the talk (at the time of this writing, I’m on day 50). I felt like hitting some hard truth with the educators in the audience. So, that’s what I did. The title of Plan B was “38 of the 100 Truths About Information Security”.

Whipped the slides together, and away we went!

The talk went extremely well. The audience was engaged, and there were some great questions afterwards. We’ll save the unicorn talk for another day. 😉

Here’s a copy of the presentation if you want to look at it or use it.

Want to see the Seven Facts About Unicorns talk? What’s it worth to you? Just kidding, here it is. I still might deliver this talk someday.

Panel of Experts

This was cool! I just got to sit there and answer questions. Not all the questions, but only the ones where the other two panelists didn’t answer. I suppose I also added a few things here and there to their answers, but the other panelists were dead on I think. You know how you have to add something once in a while to make people think 1) you’re still paying attention and 2) you’re smart and stuff? I did some of that.

It was an honor to sit on the panel with Ryan Manship from RedTeam Security and Sahar Ismail from Legacy Armour

Overall, it was an awesome conference and a great way to end a crazy week.

2019 Secure360

Almost caught up with my conference and talk summaries from a couple weeks ago!

Secure360 is arguably “the” security conference in the Twin Cities each year. 2019 was the 14thyear for the event and it was very well-attended.

About Secure360

In the words of the Upper Midwest Security Alliance (“UMSA”):

This marked the first year that the event was held at the Mystic Lake Center in Prior Lake, and it was a perfect venue. Secure360 is a two-day conference, and I showed up in the afternoon of day two for my talk. I wish I had been able to be there for more, but business kept me away until then.

My impressions were very positive. The event was well organized, and there were people everywhere. I ran into a bunch of people that I know, which made the event comfortable too. I didn’t spend any time in the vendor area because I hate being sold stuff. Walking through the vendor areas at conferences sometimes feels like trying to survive a lions den with a T-bone hanging from my neck.

Judging from the published program, the quality of speakers and the content of talks was very good.

2020’s Secure360 conference will be held at the same place on May 5thand 6th. It will mark the 15thyear, one heck of an accomplishment!

What was I doing there?

Just two things this time.

First, just like the Loffler event, this was a great opportunity to say “hi” to a bunch of people that I don’t get to see very often. I ran into some people that I haven’t seen in a very long time! Fun to catch-up.

Second, I gave another talk.

The Talk

The title was Speaking Information Security. A copy of this talk can be downloaded here (link) and it’s also available on Secure360s site.

Like the other talk earlier in the day, this one was also well-attended. This room was mostly full, which sort of surprised me. I was surprised because my session was in the last group of sessions on the 2ndday (last day) of the conference. I didn’t think people would still want to hang out. They did. Here’s what I said to them (in jest, of course).

“Ever throw a party? You know when the party is winding down, and there are those folks that just won’t leave? They keep milling around, you’re tired, and you’re trying to shoo them out the door… That’s you. You’re though folks.”

The Secure360 party was coming to an end, but these infosec party animals wanted to keep going. They were committed!

This was essentially the same talk I gave earlier in the day at Tech Fest, but I was bolder with this crowd. I might have been a little ornery because I was getting tired (3rdtalk of the week), or maybe it was because I was talking to members of my own tribe (information security people). The point of the talk was to drive home the fact that we don’t speak the same language in our industry, and to make matters worse, we don’t have any good translations either. Take slide 7 for instance (pictured below).

Information security is… What? Just about everyone in my talk was a security person, but nobody wanted to give me an answer. Why? As I continued, through the presentation, there was head nodding everywhere. Slide 20 made sense to everyone it seemed. People were taking notes anyway, and nobody spoke up in disagreement.

By the time we got to slide 31, you could see skepticism growing on some people’s faces. FISASCORE® for free?! FRSecure has sold millions of dollars worth of FISASCORE® assessments over the years. Why would we make it free?! The simple answer comes from our mission; to fix our broken industry. Our mission is this, not to make millions of dollars on something that everyone should have. Let’s spend more time and money on fixing things.

I asked the audience, “How many of you are skeptical?” Only a few raised their hands. To the rest, I said (in jest again), “I thought you were all security people. I’m disappointed that more of you aren’t skeptical!”Laughs (maybe just obligatory ones). To the skeptics:

Help us. Join us to make a singular information security language that ALL can speak, and ALL can speak freely.

To the obstructionists; buzz off and get out of the way.

The talk was well received. People genuinely seemed interested, and a dozen or so stayed to talk with me afterwards. Met some new people and I’m looking forward to working with some of them toward some common goals. Oh yeah, I gave away some more books too. I like giving stuff away.

Overall, Secure360 is a great conference. I highly recommend it for the quality of the content and the wonderful people everywhere, which makes for great networking opportunities. Way to go UMSA!

Loffler Tech Fest 2019

Where does the time go? Loffler Tech Fest 2019 was held at the St. Paul (MN) RiverCentre on May 15th, and I couldn’t get around to writing this short summary until now.


This was the 2nd talk I gave (of five) that week, and the first of two I gave that day. This is my short summary.

About Loffler Tech Fest

It’s rare to find a quality event that’s free these days. Heck, it’s becoming rare to find a quality event period. Loffler pulls it off each year, and it’s fun to be a part of it. I don’t know how many people were there exactly, but I’d guess there were 1,500, or so. Highlighting the event was the keynote given by PJ Fleck, Head Football Coach, University of Minnesota and the IT Panel Discussion Featuring Twin Cities Business Leaders. Seated on the panel were:

  • Ben Davis – Executive Vice President & Chief Digital Officer at Cambria
  • Cindy Trousdale – Chief Financial Officer at Shaw-Lundquist Associates
  • Steve Molander – Chief Information Officer at Frandsen Financial Corporation
  • Barry Doerscher – Chief Information Officer at Midwest Dental

I know Ben and Steve, and they are amazing IT leaders. If the event only had the keynote and panel, it would be a success. There was more though. There were four technology sessions, prizes/vendor showcase(s), and a networking happy hour.

What was I doing there?

Three things, I think.

First, I stole PJ Fleck’s badge and showed it to my friends. The chances of me passing myself off as PJ Feck were very low, so I gave it back. This was more about having fun than anything else.

Second, this was a great opportunity to say “hi” to a bunch pf people that I don’t get to see very often. I love people and I love seeing them when I can.

Third, I gave a talk.

The Talk

The title was Speaking Information Security. It was well-attended. Maybe 80 people. I didn’t count, but the room was full. (I gave a talk once ~8 years ago where nobody showed up! Another story for another day).

This was a new talk, and I planned to deliver it twice that day; once here at Tech Fest, and again in the afternoon at Secure360. Not only does this save some time and frustration with PowerPoint, but I wanted to judge the audience reactions in both venues for a couple of reasons.

  1. The Tech Fest audience was mostly IT folks, not necessarily security folks. The audience in the afternoon would mostly be security folks, not IT folks.
  2. I’m the CEO of two companies; FRSecure and SecurityStudio. The Tech Fest talk was delivered as the CEO of SecurityStudio, while the afternoon talk would be delivered as the CEO of FRSecure.

A copy of this talk can be downloaded here. Arguably the biggest deal in the talk was the announcement that we’re going to be making the FISASCORE (self-assessment) free! I hadn’t even officially told my team yet. More to come on this later…

The talk was fun, as most are. The talk went over well, I gave away a few free books, had a few laughs, and answered a bunch of good questions. Stayed another 30 minutes(ish) to talk with people before I needed to leave for the next conference.

Overall, I loved the conference. Kudos to Loffler and all the cool people there for pulling off a great event!

2019 North America CACS Conference Recap

Each year, the Information Systems Audit and Control Association (ISACA) puts on a really good event in North America; the CACS Conference. This year’s conference (2019) was held at the Anaheim Convention Center from May 13 – 15. Read the conference brochure here.

This was my first time attending this conference. ISACA put on a great event in my opinion. Kudos to them and the 1,500 or so who were in attendance.

I was there for two primary reasons; to give my talk and to sign copies of my book at the SecurityStudio booth. Turned out there was a third reason that might have been more important than my original two; to meet a bunch of really cool people! The coolest of which were my wife, Kevin Orth, and Skylar Wickland (representing SecurityStudio).

The Talk

So, my talk was the first talk of the entire conference, in the Innovation Exchange.

Some Evan Drama

My talk was slated to start at 7:20am, but I thought it was supposed to start at 7:00am. I looked at the stage, looked around, and there wasn’t anyone there! Hell no. I’m not going to stand on a stage in an open space in the middle of all the vendor booths and talk to no one. I went over to the SecurityStudio booth, where my people were hanging out, and told them I was going to skip my talk. They were OK with that.

This slideshow requires JavaScript.

At 7:10am, one of the event organizers stopped by looking for me. She asked if I was ready to talk, and I told her that I was thinking about skipping my talk because there wasn’t anyone there. She said “What are you talking about? The place is packed, and we’re ready for you!” Turned out she was right, and the place was busy. ~100 people were there to hear my spiel (I mean “talk”).

What’s the most exciting thing to talk about on Monday morning, first thing? How about third-party information security risk management?! Maybe not, but there were plenty of people there and most were nodding their heads.

My talk was titled “Why?”. You can download a PDF copy – ISASC_CACS-WHY050719-FINAL-v2.

Book Signing

After giving my talk, people stood in line to get a free signed copy of my book. That was pretty cool.

This slideshow requires JavaScript.

Just when I thought I was done signing, the event organizers announced the book signing on the conference PA system. This brought a bunch more people. We only brought 150 copies of the Unsecurity book, and they all found new homes.

Cool People

My favorite part of the conference, by far, was meeting really cool people. This is usually my favorite part of conferences. When people came to get a book, I’d ask them two questions. 1) Where are you from, and 2) What do you do? I met some amazing people from Nigeria, Colombia, Belgium, Netherlands, Portugal, Spain, and all over the United States.

Overall, it was a very good conference. It was also a great way to start a new week.

Are Information Security People Arrogant?

I hate speaking in generalities, even though I do so often, but I’ve been thinking about something lately.

Are information security people arrogant?

This thought came to head a while back while I was visiting my mother. We were talking about life, and I was sharing some of my frustration in my line of work (information security). I was telling her that it frustrates me when people can’t seem to grasp the obvious.

She replied, “You’re arrogant. Plain and simple. You actually believe that people think the same way you do?”

My reaction to being called arrogant was a childish one (hindsight), so it’s fitting that my own mother called me out. I was offended. How dare she call me arrogant?! I’m frustrated that people can’t follow simple directions and basic logic. I’m not frustrated that they can’t figure out finite mathematics of anything!

Wait. Calm down. She’s right.

After five minutes or so of trying to defend myself against her attack (which wasn’t even an attack), I realized that I had no defense. She was right, I was being arrogant. I am arrogant. Actually, I have plenty of arrogance to go around. Not only do I have enough for myself, I have enough to share with my peers too, as we laugh together at the dumb things people do.

Thanks Mom!

Here’s the deal though, I’m not alone. Truth be told, there’s an abundance of arrogance in our industry. It seems as though some of the most esteemed information security people in our industry, or at least some of the ones in some high places, are full of arrogance.

Do we, as an industry, place a premium on being arrogant and full of ourselves? Good question. Scary thought, but I think there some truth here.

What is Arrogance?

Before I just start throwing words and accusations around any more than I already have, I should make sure I’m using them correctly. God knows, in our society we like to call people names and attach labels, regardless of accuracy or true meaning.

Let’s go to the dictionary and see.

Definition of arrogance is an attitude of superiority manifested in an overbearing manner or in presumptuous claims or assumptions.

Yep, I think I’m using the right word. Do you know of any information security people who have an attitude of superiority? Do you have an attitude of superiority, especially when referring to less skilled information security people or non-information security people (“normal people”)?

Is it manifested in any of these ways?

  • An overbearing manner
  • In presumptuous claims
  • In assumptions

If your honest, you can probably thing of times when you’ve been arrogant. How often you are arrogant is another question. It’s something we all need to keep in check. We can all stand a little more introspection, like looking at ourselves in the mirror.

Common examples of arrogance

Here are five examples of arrogance that I’ve either been a part of or heard in the last week alone:

  • Believing that you think what someone else thinks without asking.
  • Getting frustrated when someone else doesn’t understand what you’re saying, and maybe even believing that they’re less intelligent.
  • Telling someone what they think.
  • Griping about some “stupid” thing someone else did.
  • Calling or thinking someone is “stupid” for doing something that seems obvious to you.

None of these thoughts or actions are productive in our mission; making information security better (I hope).

Not All and Not Always

The downside in speaking or writing in generalities is the fact that I lump everyone together, even though I know there are exceptions.

  • Not all information security people are arrogant, but too many are.
  • Not all highly esteemed information security people (industry influencers) are arrogant, but some are.
  • Even the arrogant information security people are rarely arrogant all the time.

I won’t call out the industry influencers that I think are arrogant. That wouldn’t help the cause at all.

I will call out some of the humble and less arrogant ones people in our industry. These are information security industry leaders that I respect, and that I feel are more humble and modest. This is based on my observations, and you may know them differently than I do.

Here are (only) ten of my favorites (in no particular order) along with links to their Twitter feeds if you want to follow:

  1. Richard Bejtlich @taosecurity
  2. Aloria @aloria
  3. Tony Cole @NoHackn
  4. Roger Grimes @rogeragrimes
  5. Jane Frankland @JaneFrankland
  6. Dave Kennedy @HackingDave
  7. Dejan Kosutic @Dejan_Kosutic
  8. Chris Roberts  @Sidragon1
  9. Eleanor Dallaway @InfosecEditor
  10. Mikko Hypponen @mikko

NOTE: This list is based on opinion. My opinion. Not fact, but my opinion. I stated that this is my opinion three times (now four) because you are welcome to disagree with me! If you’d like to add to my list, please do!

There are many, many more that can be added to this list, but back to our problem, assuming there is one.

Humble Yourself

Arrogance is bad, and there’s no place for it in our industry. When we see it in others, we should respectfully call it out. When we see it in ourselves, we should change our attitude. If we can’t change our attitude, maybe we should get some help.

Are you honest with yourself? Ask yourself the question, “Am I arrogant?” Get in the habit of doing this regularly, and things will certainly go better for you and those around you.

That’s all for now. Thanks!

Status Update – March 24, 2019

Just got to the hotel in Aberdeen. Getting into the groove, and I felt compelled to share an update with you all. Compelled mainly because I haven’t been able to write here nearly as much as I had intended. It’s not unusual for me to bite off a little (or a lot) more than I can chew.

No matter. It is what it is. If I could learn to say no more often, I’d probably be healthier.

Current (or Recent) Things

Here’s some of things going on in this guy’s work life:

  • Running FRSecure, sort of. I’m the CEO here, but I’m not the person who get’s things done. I say “sort of” because I’ve been blessed with an INCREDIBLE leadership team who truly runs the best company in our industry. I love what they’re doing and they’re breaking records every month.
  • Running SecurityStudio, sort of. I’m the CEO here too. Like FRSecure, I’m not the person who get’s things done. I’m a little more involved with SecurityStudio because it’s such a young company. Awesome, awesome, awesome leaders here and it’s so much fun to watch this company grow. VENDEFENSE is attracting new customers every week, and there is some really exciting news coming soon!
  • The UNSECURITY: Information Security for Normal People book is behind schedule right now, so I need to focus more attention on completing the draft/manuscript. This will take up most of my time for the next few weeks or so. I’m really excited about this book, mostly because of the audience it’s intended for and the plain-Englishness of it all. I’m hoping it will resonate with “normal” people and help them better, more secure lives.
  • The So You Want to Get into Security? series of articles is complete, and I’ve compiled the articles into a simple free eBook. I’d never published an eBook to iTunes before, and it was a fun exercise to learn. I’ll plan on making more, and better quality eBooks available in the future. Check out this one, if you don’t mine, and let me know what you think.
  • The UNSECURITY Podcast is going well, but it’s a struggle to do a weekly one hour show sometimes. Feeling like we’re dragging @55 a little bit, but we’ll get back into the groove. My show notes have been a couple days late the last two weeks (vacation and work travel), but that should get back on track soon. We’ve done 19 consecutive weekly shows so far and we’ve learned a lot, but we’ve still got a ways to go before it really feels dialed in. Please be patient with us (me and Brad Nigh). We’re committed to creating a really good show and we’ll keep at it.
  • I’ve written a few more articles lately for other publications. Some are better than others:
  • I’m coming up on my one-year anniversary as the vCISO for a large, global company. I’m actually the vCISO for only one region, the Americas region that includes Canada, United States, and Mexico. It’s a 40-50 hour/month commitment, but it would be a lot more if there weren’t some awesome people there running the day-to-day operations. Great experience with really good people all around.
  • Was at the RSA Conference a couple weeks ago. I had no agenda but to see a friend of mine give his talk and to have lunch with him. Flew in late Thursday night, did what I was there to do, then left Friday afternoon. My friend is Roger Grimes, and he delivered a really good, and very well-attended talk titled 12 Ways to Hack 2FA. Afterwards, we visited (not nearly long enough) for lunch. Roger has an amazing security mind and he’s got impeccable character. We think A LOT alike.
  • The first gathering/meeting of the Cloud Security Alliance Minnesota Chapter (CSA MN) Executive Advisory Board met on March 14th, but I was on vacation. Sucked to miss the first meeting, but vacation was scheduled many months ago. I’m excited to help CSA MN make a real impact. Lots of great people involved!
  • Trying to stay up with Twitter and LinkedIn feeds. I’m thinking that I sort of suck at social mediaing.

I think that covers most of it.

What’s Coming – Future Things

  • Travelling to Aberdeen, South Dakota this week to work with a new client and figure out how we can secure the Ag industry better. We have a lot of work to do in the ag industry!
  • The UNSECURITY Podcast episode 20, live from Aberdeen with Shawn Pollard.
  • Sometime this week, I’m going to start a new hashtag #100DaysOfSecurityTruth. Each day, for 100 days, I will tweet a new truth. Hoping for some interaction, ideas, suggestions, etc.
  • New article for Cyber Security Intelligence about Identity Management. Tim Heath is the CEO over there, and he’s a good dude.
  • New article for here (or somewhere) about the bad things about RSA.
  • Planning the next Security Summit for my vCISO client. These are always fun. People from all over the region come to meet, learn, teach, and have fun together. The last Security Summit was one full day of incident management training and a second day about identity and access management.
  • The next Hacks and Hops event is this week. We didn’t pick the most enthralling topic (third-party security risk management), but it is a critical one. There will be good opportunities to network and learn what work (and what doesn’t). Come if you can.
  • Speaking of third-party security risk management, there’s another eBook being planned. The book will be a soup to nuts/zero to hero book; practical advice from starting from scratch —> the best friggin’ program ever, and everything in between. Thinking a few months or so, but it’s on the docket.
  • Lots of writing for the next book. I’m already behind a bit, so it’s time to get real on this thing! This is actually the number one priority right now.
  • More collaboration with security people I admire. I’d like to collaborate more with Chris Roberts and Roger. I already said a few great things about Roger, but Chris is pretty damn awesome too. More allies = more progress.

I’m sure something else will pop up, but that’s all I can think of right now. If you ask me to do something else, don’t be offended if I graciously decline (for now).

NOTE:  The Writing UNSECURITY series of articles – I still intend to finish writing this series, but for now it’s on hold. There are too many other pressing things (the Information Security for Normal People book, other articles, business commitments, speaking engagements, podcasting, and oh yeah… family!) that need focus too. Comes down to priorities, as it should, and this series must take a back seat for now.

Take care!