The Great Security Debate

15 Episodes

59 minutes | 13 days ago
Episode 15: Jobs (Not Woz)
We are 9 months into a period in which many workers, including technology and security professionals, are still doing their jobs remotely. Some have moved away from their primary homes, often without letting their company know that this has happened. As business processes catch up with this change in approach, some companies are taking steps to a) formalise work from home as a more standard offering, b) determine how to pay people wherever they are in the country/world, c) decide if in-person culture is key to their ethos, and how to deal with the new focus on remote work. In this week's debate, Brian, Erik and Dan look at the pros and cons of these topics, what it could be like if everyone stays remote, the benefits and risks of geographically independent pay scales, and more. Please take a moment and subscribe to the podcast in your preferred podcast application, and while you are there give some feedback, either via a rating, or a comment, or both! We want to hear your feedback and ideas, so you can also email us at feedback@greatsecuritydebate.net or on Twitter at https://twitter.com/securitydebate
Links:
Do New Jersey Residents Working From Home Still Have To Pay New York Income Taxes? – CBS New York
Microsoft will remove user names from 'Productivity Score' feature after privacy backlash - GeekWire
Watch Silicon Valley American Experience | Prime Video
Robert Noyce, Statesman of Silicon Valley
Amazon.com: Trillion Dollar Coach: The Leadership Playbook of Silicon Valley's Bill Campbell (9780062839268): Schmidt, Eric, Rosenberg, Jonathan, Eagle, Alan: Books
How orange juice is made - production process, making, used, processing, product, industry
These Tech Companies Are Paying Workers the Same Rates Across U.S. - WSJ
Minimum pay at Basecamp is now $70,000 - Signal v. Noise
This Company's New 2-Sentence Remote Work Policy Is the Best I've Ever Heard — Siemens's new remote work policy is a master class in emotional intelligence.
62 minutes | 18 days ago
Episode 14: Sun and Breeze
A few weeks ago, a company called SolarWinds was discovered to have had bad actors placing things in their technology (code) for a while. How did it happen? What does it mean to others? We don't know all the answers yet, but we do know that it means we will have to make some changes to things like those universally hated security questionnaires, and to how we manage our own source code to ensure better security. Along with a discussion about how cow stomachs relate to information security, and Brian's invoking of The Art of War, there's something for everyone in this episode. Propeller head warning: this one's a bit more security "inside baseball" than other episodes, as we dig into the recent SolarWinds technology attack and some of the ways that technology and security practitioners can address the issues that have been identified. It's still a "for everyone" episode, but we do go a little more in depth than we usually do in some parts. Let us know what you think! Please take a moment and subscribe to the podcast in your preferred podcast application, and while you are there give some feedback, either via a rating, or a comment, or both! We want to hear your feedback and ideas, so you can also email us at feedback@greatsecuritydebate.net or on Twitter at https://twitter.com/securitydebate
Links:
Identifying UNC2452-Related Techniques for ATT&CK | by Matt Malone | MITRE ATT&CK® | Dec, 2020 | Medium
The Art of War: Tzu, Sun, Giles, Lionel: 9781604598933: Amazon.com: Books
63 minutes | a month ago
Episode 13: E-Phish-Ency
One of the ways that companies have tried to improve education and awareness about the risks of phishing is the use of phishing tests, to see if colleagues click on the link or open the suspect attachment in an unsuspecting yet controlled environment. If they do, some instant education comes their way. There are those that think that this approach keeps the topic at the front of everyone's mind, and there are those that think that it can have the effect of chilling the relationship between IT/Security and the rest of the organisation. There are a lot of variables in the equation, like how you respond when someone clicks on the phish, how you encourage reporting of potential phishing, and more, so the answer is a resounding "it depends." We also cover some of the increased security challenges that come with the now more common "working remotely," and what happens when you walk into an empty castle after having gotten past the moat and door, but there is no one inside to defend it.
Links:
What Is DFMEA?
Process FMEA | Process Failure Mode & Effects Analysis | Quality-One
How to Overcome Obstacles by Using Toyota's Five Whys Technique | Sam Thomas Davies
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon: Zetter, Kim: 9780770436193: Amazon.com: Books
The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age: Sanger, David E.: 9780451497895: Amazon.com: Books
BeyondCorp - Enterprise Security | Google Cloud
The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win: Kim, Gene, Behr, Kevin, Spafford, George: 8601404253799: Amazon.com: Books
The Perfect Weapon - Watch the HBO Original Documentary | HBO
Homeland: Seasons, Episodes, Cast, Characters - Official Series Site | SHOWTIME
66 minutes | 2 months ago
Episode 12: A Frictional Response
A regular complaint by those who consume and use technology is that security adds friction to their process, which often means they get frustrated at the control put in their path, curse technology in general, or abandon the activity altogether. In today's episode, Dan, Erik and Brian explore the balance necessary to understand when certain controls (and the friction they add) are necessary, or can be made smoother. Each decision on reduction of friction has the potential for knock-on effects to the security, privacy and performance of the system and should be considered before making any change to the control. In some cases the conscious addition of friction is the better approach, too, especially to support transparency with users and enable meaningful, informed choices.
Links:
Amazon.com: RSA SecurID Authenticator SID800 Key Fob (Pack of 25): Computers & Accessories
Understanding Office 365 Impossible Travel
BeyondCorp - Enterprise Security | Google Cloud
Half of security pros would rather walk barefoot in a public restroom than use public Wi-Fi - TechRepublic
Amazon.com: Step2 KidAlert V.W.S. Safety Sign: Toys & Games
iOS 14's Upcoming Anti-Tracking Prompt Sparks Antitrust Complaint in France - MacRumors
Popular app T&Cs 'longer than Harry Potter' - BBC News
MDOT - CAV Corridor
Amazon waves goodbye to its one-click purchase patent | Engadget
64 minutes | 3 months ago
Episode 11: Who You Gonna Call?
When bad things happen to the computers in your organisation, who is the first person you call? IT, the FBI, your general counsel, the insurance company? Today, Erik, Dan and Brian cover attacks, response, and middle people negotiating with the attackers on your behalf. Other topics discussed include: the risk of cheap IoT devices and long term support (or lack thereof); whose insurance policy covers the tree on your neighbour's land that falls and hits your house; the law of unintended consequences when creating things; and the joy of reading fake Amazon reviews.
Links:
An Interview with "UNKN" Sheds Light on REvil's Operations & Future Victims
Schedule - GrrCON
Ransomware Activity Targeting the Healthcare and Public Health Sector | CISA
Tavour - Craft Beer Delivery
Amazon.com: Amazon Sidewalk: Amazon Devices & Accessories
Amazon Reviews: Thousands are fake, here's how to spot them
Amazon.com : Sugar Free Gummy Bear 1LB Bag : Grocery & Gourmet Food
Shodan
TV Maker Vizio to Pay Out Millions After Secretly Collecting Customer Data
Vizio Reorg Folds Inscape Data Operations Into Platform Business - Variety
How Does the Homeowners' Policy Deal with Trees?
SEC.gov | Form 8-K
Ransomware WannaCry: All you need to know | Kaspersky
Marcus Hutchins: UK ransomware 'hero' pleads guilty to US hacking charges | Cybercrime | The Guardian
The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet | WIRED
64 minutes | 3 months ago
Episode 10: Yippie Ki-Yay... Let's Hack the Gibson
So many movies about technology and security, so little time. We start out with some of our favourite (and least favourite) security movies. We also wander into a few other areas including: data use and ethics, balancing when to stop an attack vs. when to let it happen so as not to let on that you know, Shodan, Stuxnet, WannaCry and more. Check out the complete list of movies we discuss and mention in the links list below!
Links:
We Analyze 13 Hacks in the 1995 Movie 'Hackers' and How They Compare to Today | by Cloudbric | Medium
Sneakers (1992) - IMDb
Swordfish (2001) - IMDb
Mr. Robot (TV Series 2015–2019) - IMDb
Hackers (1995) - IMDb
Blackhat (2015) - IMDb
Cyber Security Courses | SANS Institute
British Airways hit with UK data watchdog's biggest-ever fine | Reuters
The Great Security Debate Episode 6: Pippen and Jordan
WarGames (1983) - IMDb
Shodan
Censys
Bananaphone By Raffi - YouTube
The Imitation Game (2014) - IMDb
Spy Game (2001) - IMDb
Antitrust (2001) - IMDb
Office Space (1999) - IMDb
The Complete List of Hacker And Cybersecurity Movies, Version 2.0
Superman III (1983) - IMDb
The Circle (2017) - IMDb
Three Days of the Condor (1975) - IMDb
The Conversation (1974) - IMDb
The Net (1995) - IMDb
TRON (1982) - IMDb
Jurassic Park (1993) - IMDb
Cloak & Dagger (1984) - IMDb
Amazon.com: Ready Player One eBook: Cline, Ernest: Kindle Store
Amazon.com: Ready Player Two: A Novel (Ready Player One Book 2) eBook: Cline, Ernest: Kindle Store
Ready Player One (2018) - IMDb
The Matrix (1999) - IMDb
Star Trek (TV Series 1966–1969) - IMDb
Weird Science (1985) - IMDb
Danny Elfman On His "Embarrassing" Oingo Boingo Days - YouTube
Eagle Eye (2008) - IMDb
Die Hard 4.0 (2007) - IMDb
Die Hard (1988) - IMDb
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon: Zetter, Kim: 9780770436193: Amazon.com: Books
The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age - Kindle edition by Sanger, David E. Politics & Social Sciences Kindle eBooks @ Amazon.com.
Ransomware WannaCry: All you need to know | Kaspersky
The Perfect Weapon - Watch the HBO Original Documentary | HBO
The Great Hack (2019) - IMDb
Ferris Bueller's Day Off (1986) - IMDb
Real Genius (1985) - IMDb
Enemy of the State (1998) - IMDb
Michigan Hacker Modifies Jail Records To Get Friend Released, Now Faces Jail Time
57 minutes | 3 months ago
Episode 9: Privacy Drone 2: This Time It's Personal
In what will surely become a recurring topic, the discussion turns to the short-term vs. long-term implications of the privacy decisions we each make, the ethics of collecting and using data, and whether a European model of privacy (or data protection, as Dan reiterates we should be calling it) would help in the US. We ask why we can't stop needing instant replies and gratification, whether the value of the services we get is worth the tradeoff for the data we are "paying" in order to use them, and more. Erik even beats Dan to be the first to use his "It Depends" catchphrase, so you know it's going to be a lively discussion. Privacy is on everyone's mind these days, and it's the topic of The Great Security Debate today.
Links:
Charlie Wilson's War: The Extraordinary Story of How the Wildest Man in Congress and a Rogue CIA Agent Changed the History of Our Times: Crile, George: 9780802143419: Amazon.com: Books
The Coddling of the American Mind: How Good Intentions and Bad Ideas Are Setting Up a Generation for Failure: Lukianoff, Greg, Haidt, Jonathan: 9780735224896: Amazon.com: Books
"Black Mirror" Nosedive (TV Episode 2016) - IMDb
Watch Upload - Season 1 | Prime Video
Trump vs. Biden on Cybersecurity, Encryption, and Data Privacy
Privacy and Information Security: The Territorial Challenges
Regulating the internet giants - The world's most valuable resource is no longer oil, but data | Leaders | The Economist
Amazon Sidewalk will create entire smart neighborhoods. Here's what you should know - CNET
60 minutes | 4 months ago
Episode 8: Back to School
The school year is upon us. This week Erik, Brian and Dan are talking about things related to security and education. First, we cover the ongoing dilemma of which is better for establishing and growing your career in security: certifications or experience. We also debate how traditional education (aka degrees) fits into the equation, and how to jump in if you have neither formal experience nor education and want to join the field... you'd never have guessed, but "it depends!" Finally, we talk about the challenges that K12 districts have managing security and privacy in normal times, let alone in the recent rush to move to remote learning so quickly. We also spend a lot of time on mentoring and reaching out to people who are in the field for help, on some resources you can go to for info on mentoring, and on the reminder that if you had mentors and others who helped you get where you are, give back to those who will carry the torch next. Links to resources are in the links below.
Links:
Home - Zach's Book
Home | WomSA
MentorCore – Growth and Development at your Fingertips
Home | Cloud Security Alliance
Michigan Council of Women in Technology Foundation / MCWT Foundation
Information Security Training | SANS Cyber Security Certifications & Research
Cybersecurity and IT Security Certifications and Training | (ISC)²
77 minutes | 5 months ago
Episode 7: Hold Me For Ransom
Ransomware is increasing. Brian, Dan and Erik discuss the evolution of ransomware, the preparation and the response, and the debate about whether to pay the ransom or not.
Links:
You'll need a Facebook account to use future Oculus headsets - The Verge
AIDS Trojan | PC Cyborg | Original Ransomware | KnowBe4
What is the WannaCry Ransomware Attack?
Backdoors and Breaches
The No More Ransom Project
H.R.4718 - 99th Congress (1985-1986): Computer Fraud and Abuse Act of 1986 | Congress.gov | Library of Congress
Cost of a Data Breach Report 2020 | IBM
58 minutes | 5 months ago
Episode 6: Pippen and Jordan
On the debate today: it was overheard (over-read?) by one of the crew that security leaders and teams should stop whining when security is not a "superstar" part of the business, but rather should focus on being a reliable supporting act that is there to prop up the actual "superstars." There was a flawed comparison in this same read to the relationship between Scottie Pippen and Michael Jordan on the Chicago Bulls of the 90s. In the course of this episode we cover the "best" place for the security organisation to live, the need for CISOs and their teams to be at the table vs. in the back office, quotes from Colin Powell, and more.
Links:
The "C" Matters or: How I Learned to Stop Worrying and Love the CISO Job
11 Priceless Colin Powell Quotes - The Military Leader
59 minutes | 6 months ago
Episode 5: Gripped With Fear
Links:
Backup Strategies: Why the 3-2-1 Backup Strategy is the Best
Data Privacy + Big Tech: How Facebook, Amazon, Apple, Netflix, and Google Deal With Data (And What It Means for You) - METROWizer
68 minutes | 6 months ago
Episode 4: In The House (Or Not)
Dan, Brian and Erik discuss the pros and cons of managed services for security vs. building similar capability internally, best of breed security vs. suite (for the 5th time since 1995), and education and awareness. Visit our website at https://www.greatsecuritydebate.net. Contact us at feedback@greatsecuritydebate.net. Follow us on Twitter at https://twitter.com/securitydebate
Links:
The Big Interview: Peter Yapp, Partner, Schillings and former NCSC Deputy Director: "Boards Need a CISO Who Reports Directly to Them, Rather than the CIO"
Martin Bally | LinkedIn
61 minutes | 7 months ago
Episode 3: MVP vs. TSP
Dan, Brian and Erik debate the pros and cons of starting a product (or even a project) fully focused on hitting MVP (minimum viable product) or focusing more on TSP (totally secure product). Spoiler alert: it's somewhere in the middle! Also covered: the importance of support, defence vs. response, and the mission of the podcast. Visit our website at https://www.greatsecuritydebate.net. Contact us at feedback@greatsecuritydebate.net. Follow us on Twitter at https://twitter.com/securitydebate
Links:
Thoughtfulness in a Pandemic
HBR: Why Data Breaches Don't Hurt Stock Prices
Extreme Ownership: How U.S. Navy SEALs Lead and Win (9781250067050): Willink, Jocko, Babin, Leif: Books
Leaders Eat Last: Why Some Teams Pull Together and Others Don't: Sinek, Simon: 9781591848011: Amazon.com: Books
Don't Reward The Brilliant Jerk: The Role Of Culture In Employee Retention
True North: Discover Your Authentic Leadership: Bill George, Peter Sims, David Gergen: 9780787987510: Amazon.com: Books
Hang Out A Shingle - Starting Your Cybersecurity Company Feat. Daniel Ayala and Douglas Brush - YouTube
Crucial Conversations Tools for Talking When Stakes Are High, Second Edition: Patterson, Kerry, Grenny, Joseph, McMillan, Ron, Switzler, Al: 8580001040288: Amazon.com: Books
Wizer: Security Awareness Training
The Sixth Ocean!
59 minutes | 8 months ago
Episode 2: Free Range Security
Dan, Brian and Erik discuss how to talk about security in ways that encourage end users to understand security and want to be part of the process, and the challenges of selling security products into security organisations. Visit our website at https://www.greatsecuritydebate.net. Contact us at feedback@greatsecuritydebate.net. Follow us on Twitter at https://twitter.com/securitydebate
Links:
Crossing the Chasm
Never Split the Difference
The Phoenix Project
Great Security Debate Website
Great Security Debate Twitter
67 minutes | 8 months ago
Episode 1: Privacy Drone
Dan, Brian and Erik discuss the expectation of privacy; privacy as a business enabler; transparency and the ethical increase of privacy; and how much leaders and legislators should understand privacy innately. Visit our website at https://www.greatsecuritydebate.net. Contact us at feedback@greatsecuritydebate.net. Follow us on Twitter at https://twitter.com/securitydebate
Links:
Great Security Debate Website
Great Security Debate Twitter
© Stitcher 2020