"Why going to the cloud means more work for security not less, shared responsiblity is 100% your problem
- Am I going to treat this like a green field, or the next dumpster to throw the data, systems, and stuff we can’t deal with in real life?
- What are my expectations? (planning, timing, longevity, migration, business, etc.)
- Will we use it as an enclave to simply separate developers from anything else, or vice-versa, OR will we take a stance and work with ALL the teams to build it out successfully?
- DOES my cloud governance align with the rest of my business and technology policies and goals?
- AM I willing to implement the recommendations that most cloud providers offer TO make things safer and more secure?
- Can I manage the audit and compliance of a new world, and HOW will I integrate it?
- Speaking of integration, WILL my business and technology actually function IN/WITH the cloud?
- The cloud is MUCH more than someone else’s computers OR a spare data centre, but it still has to live somewhere, so WHERE does it live, and HOW do you get to it?
- Where’s YOUR staff, how do they talk with the cloud, what controls, management, etc.
- How much control will I have over my data in YOUR cloud?
- Who’s got access TO my little slice of the cloud, hardware, system, bare metal, data, etc.
- How do I (OR who’s going to) monitor YOUR cloud infrastructure, and MY systems for access, etc.
- And if it’s on your side, do I get to see the logs
- What’s the charges FOR monitoring
- SLA’s etc?
- Who’s managing the encryption for my data, if it’s YOU then where’s my key’s if it’s me what help etc.
- I don’t want to catch cooties from YOUR other clients, how to you maintain separation/segmentation?
- What options exist to backup my data, my configs, and what happens if YOUR systems go down?
- What areas of the technology, services, systems, and environments fall into shared responsibilities?
- Who has to deal with what when it goes wrong
- Who get’s to point fingers, and who has to fix things (AND what timeframe, etc.)
- ALL my data belongs to YOU… what happens about uptime, distribution, redundancy, AND company stability.
- Technology roadmap in here too
- What dependencies, partnerships, and vendors do THEY rely upon?
- Let’s talk security, compliance, regulatory stance, etc. What do you have, AND how do you maintain it?
- When we fall OUT of love, what happens, how do I migrate, what options are out there (and costs, etc.)"

Information security tells us that the job it is all about protecting data, protecting the confidentiality, integrity, and availability of the data ultimately to protect the human(s) the data is about.

On average each human creates 146,880 MB of data per day for a staggering total of 1.145 trillion MB a day or 2.5 Quintillion bytes WHOA that’s a lot of data, where is all this data coming from and more importantly where is it going, who has it and how is it being used?
How do I know my data is safe?
How do I know I can trust that it is accurate?
How do I know where my data is, has been, and is going?
How will my data be used to manipulate and or harm me?
DUDE Where is my data? And what are you doing with it?

"Lots of us say that information security is EVERYONE'S responsibility. While this is sort of true, we use this as a copout more than anything else. The truth is, everyone has information security responsibilities but information security is NOT everyone's responsibility.

See what we did there?

Everyone has information security responsibilities. So, let's start at the top and work our way down. The Board of Directors, the CEO, other C-Levels, etc.

Hey, CISO, what is it that you'd say you do here?
The quality of your answer might say everything we need to know. You either know or you don't.
If you know, share the answer with us (simpler, shorter answers are usually an indication of mastery, just sayin').
If you don't know, that's OK, BUT ONLY IF you don't pretend you do and you seek out the answer.

Now that we got that squared away, MAYBE we can figure out what everyone else's responsibilities are. If we don't get this right, how the hell are we going to hold anyone accountable. If we can't hold anyone accountable, how the hell are we going to get any better?"

Let's talk intelligence, machine learning, quantum and ALL the various future technologies and things we should be asking OURSELVES and OTHERS (our vendors, partners, suppliers, etc.) As we go forth into this brave new world...

Every day we inch closer to a new computing reality, the arrival of commercially stable quantum computing, we hear about this new disruptive technology, that when unleashed will break the worlds strongest encryption in nanoseconds, that is a very scary proposition for any info-sec professional.

There is work being done today to make quantum resistant encryption or so we hope. It is already difficult enough to secure and keep up with the systems that make up our modern world. Systems that are overly complex and running trillions and trillions of lines of code just using 1’s and 0’s, systems we already fail to protect every day, in part due to the complexity of them.

If you think current technology is complex and at times confusing, you haven’t seen anything yet, quantum introduces a whole new level of complexity and way of thinking about what is happening, and why.

What does this mean for us in the information security industry, will future system admins need PHD’s in quantum physics and discreet mathematics? Will we all need to get our CQISSP? Can we secure quantum? How will our world change? What new things we will be able to do? How will quantum be abused and misused by criminals and nation states.
So may questions so little answers, tune in for a fun discussion on the impact of quantum computing and what the grey hairs have to say about it.

All this and more on the Security Shit Show with Evan Francen, Chris Roberts, and Ryan Cloutier

Thursdays' at 10pm central / 9pm mountain

Don't overthink this, human. Just take my word for it. Math is beautiful, math is your friend, and math is trustworthy. Math DOES NOT lie. Math can be used to figure out bank balances, areas of shapes, rates of acceleration, even the angle of the sun in Asunción Paraguay at 11:42am (local time) on May 7th, 2022. The list of useful things math can do is endless. You, human, you're a different story. You are also beautiful, and you might be my friend, but you are not trustworthy. Humans have emotions. Humans have bias. Worst of all, humans LIE! What do we do when the math doesn't match up with the story you've told? You mention risk, math (whom I trust) tells me one thing, but you tell me something different. Why?

I'm fortunate, I am surrounded by good people whom are NOT like me, they bring different experiences, lives, thoughts, deeds, and viewpoints to all of life's interactions. That pool of good people continues to ebb and flow, often going weeks, months, and years between conversations. Some are thankfully more regular, and like clockwork we sit, talk, share ideas and breath a sigh of relief that all IS good in the world, at least at the very table we're occupying...

The key is to raising the geek right? Don't shelter them. Don't surround them with kin, and DO put them in a world that will challenge them, force them to reconsider their views, open their eyes, and look beyond what is presented simply with first sight.

Why this?

Because sometimes we loose sight of what is important, what keeps us grounded, and that the world around us IS different, and that IS a good thing, it's something that we should NOT label, not poke at, ridicule, attempt to redirect with humor, or discount.. OR something we should NOT let others do either.

That village? It's family. My Family.

When I sit back and think about it so much has changed in the last 24 months almost every part of our life’s is in some way much different now then it was before, and in others it is very much the same old story, so how do we keep up with all this change while keeping our sanity intact.

Even in the last couple of weeks the cybersecurity landscape has changed significantly. The world has gone from “not going to happen to me”, or “we are doing enough to be compliant” to I need all the security and I need it now. The rules have changed, the risk has changed, the pace has changed. We have changed as a society and as an industry. Many of us have new opportunities, new roles, and new responsibilities, and for those of us who care there is too much to do, to much to take on to meet our goals and God forbid find time to take care of ourselves to prevent burn out and dropping to many of the wrong things disappointing ourselves and those we care about.

We’ve talked a little in the past about inner voices, and how some folks don’t have one (which I still find fascinating, and would offer up one of mine if you aren’t fortunate enough to have a traveling companion in your noggin); however, this conversation takes it a little further.

I’d like to unpack both some historic “what the heck” moments, as well as look at some of the current issues we see with folks opening their mouths before engaging their brain….

OR

Is it that people still have an entitled mentality and think they can get away with it and simply apologize IF caught/found out/called out? We see the same behavior in our industry across numerous areas, from individuals grooming others, to put-downs, elitism, and denial…. (not the river) all of them COULD be mitigated if folks just paused, looked around, evaluated the situation, and then thought about things before inserting one or both feet in their mouth. Let’s talk about why this happens, and why we still don’t seem to be able to tackle it.

HAPPY NEW YEAR!

Join us as we wrap up and do a recap of 2021 what a year it has been lots to unpack here.

We will also be laying down our predictions for 2022, will Evan ever put on pants? Will Chris migrate his soul to the cloud? Will Ryan shut the Fark up? So many things to predict!

Who will be the biggest breach?
Will we finally see something other than "password" as the #1 bad password?
How many critical vulnerabilities will be from the 90's in 2022?

All this and more on the Security Shit Show New Year Special.