
52 episodes

The Great Security Debate (Great Security Debate Productions LLC)
Technology
5.0 • 16 Ratings
Two CISOs and a security-minded friend discuss and debate topics of security and privacy, with a focus on looking at the topic from various angles, both that they support and those they don't.
Sign up for our newsletter to be notified when new episodes drop, or when new projects are announced https://newsletter.greatsecuritydebate.net
Less LLM, More Piano
This week we are debating modern AI systems, especially the commercial ones on just about everyone's lips when talking about CVs, high school term papers, and interview answers.
Large Language Models (LLMs), of which ChatGPT and Bard are two examples, are growing in prominence, but will they disrupt the technology world, or are they nothing more than just another blockchain fizzle?
In this episode:
- Are these even actually "AI" models, or really just very fast processing of large data sets?
- What should I (and should I not) be putting into LLMs? How does the re-teaching based on data entered impact what you should put into public LLMs?
- What are some valid use cases for LLMs?
- Does depending on tools like LLMs (or calculators) bring us further from a core understanding of how things work? Or should we be OK with the efficiency it brings?
- How does copyright fit into the LLM expectation and model, and does the legal licensing of training data dull the shine of LLMs?
- Are the analyses from LLMs skewed not only by the data chosen for training, but also by the userbase that uses that LLM?
- How are any of the "good practice" security and privacy requirements for LLMs different from those for any other system? Spoiler alert: not at all.
Unrelated to AI, we also talk about what happens to all the "smart" things in your house when the internet goes out? What stops working? Way more than you might think...
We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.
Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.
Thanks for listening!
Links:
Is OpenAI almost bankrupt?: https://www.windowscentral.com/software-apps/chatgpts-fate-hangs-in-the-balance-as-openai-reportedly-edges-closer-to-bankruptcy
Maybe not bankrupt, but has business problem: https://www.forbes.com/sites/lutzfinger/2023/08/18/is-openai-going-bankrupt-no-but-ai-models-dont-create-moats/?sh=3c8922845e22
Gartner declares LLMs at the peak of inflated expectations: https://www.gartner.com/en/newsroom/press-releases/2023-08-16-gartner-places-generative-ai-on-the-peak-of-inflated-expectations-on-the-2023-hype-cycle-for-emerging-technologies
When ChatGPT goes Bad: https://sloanreview.mit.edu/article/from-chatgpt-to-hackgpt-meeting-the-cybersecurity-threat-of-generative-ai/
https://venturebeat.com/security/how-fraudgpt-presages-the-future-of-weaponized-ai/
The Circle (Movie): https://www.imdb.com/title/tt4287320/
Amazon Sidewalk, and its privacy issues: https://www.popsci.com/technology/amazon-sidewalks-privacy-concerns/
Idiocracy (Movie): https://www.imdb.com/title/tt0387808/
Moore's law is dead: ...
Security *is* Business!
It's been a minute, but we are back with another Great Security Debate!
Whether it is compliance, trust, questionnaires, we all sell something to someone and security is core to that process.
In this episode, the focus is on how security integrates into the core of each of our businesses or organisations. From being part of strategic planning, to the reminder that perfect is the enemy of progress, to the power in being a first mover on security and privacy topics:
- Compliance vs security: Is it pro forma? Do you check the SOC2 (and other) reports you get from your suppliers?
- You're not a special snowflake: Why won't more orgs use standard questionnaires on supplier assessments?
- There are multiple ways to solve a problem, and context is key. The process and environment may mean you don't need a technology control, or a specific (prescribed) technology control.
- "The business" is a term that should never be uttered again by security or technology practitioners and leaders.
- There is power and business value in governance and transparency in security and privacy; build trust in your brand.
- We need to move our programs a layer above the specific people. Risk is reduced by living at the process layer. Heroics are not scalable.
- How can preparing for a triathlon be used to describe adherence to targets that lead to good security (and the brand value that comes with it)?
Remember that you can't be "SOC2 Certified." And PFMEA is not always the answer to every question. Or is it?
Thanks for listening!
Jess and Jeff Invade
Welcome to a very special Great Security Debate. If it is spring, it means that the annual Forrester “Top Recommendations For Your Security Program” report has come out, and we get to visit with one of the authors, Jess Burn. But this year, we get an added extra voice in that of Jess’ Forrester colleague Jeff Pollard. Both Jess and Jeff share a ton of insight on topics from that report and a few others (see the links below for blog posts about most of them).
In this episode we cover:
- How (if) CISOs have been able to become “part of the business” and help colleagues understand that in 2023 security is business.
- Board reporting by CISOs and CIOs, and where/how we succeed and fail.
- Talent shortages in infosec: a self-created nightmare?
- Consolidation in times of austerity: right or wrong for security?
Huge thanks to Jess and Jeff for joining (find their LinkedIn and Twitter in the links section). Even though Jess is legacy, we are pretty sure that Jeff will be welcomed back in 2024 with open arms.
Thanks for Listening!
Special Guest: Jessica Burn.
Links:
- Cybersecurity's Staffing Shortage Is Self-Inflicted
- Leadership Communication and Speaker Coaching | Speak by Design | United States
- Build Better Bridges: Introducing Forrester’s BISO Role Profile
- Announcing Analyst Experience: SOC Analysts Finally Escape The Shackles Of Bad UX
- The Pay Gap Isn’t The Only Problem For Women In CISO Roles
- Top Recommendations For Your Security Program, 2023 | Forrester
- How CISOs Can Navigate The 2023 Downturn
- Jess Burn | LinkedIn
- Jeff Pollard | LinkedIn
- Jess Burn (@Jess_Burn_) / Twitter
- https://twitter.com/jeff_pollard2 ...
Bankplosion!
This week, Brian, Erik, and Dan look into the security impacts of last week’s Silicon Valley Bank closure, both the direct security risk and what we can learn about risk from the events leading up to the incident that we can apply to our information security responsibilities.
Brian kicks it off with a great description of how Silicon Valley Bank got here (based on what we knew on 12 March 2023 - subject to change as more becomes known after). And from that, we go through some of the direct and indirect lessons and implications, such as:
- Fraud attempts amongst a bevy of legitimate bank account payment change requests from companies. Check with a known source before changing where you pay.
- Putting all your eggs into one (infosec or financial) basket can be risky. And risk can bring great rewards, or great resentment.
- Evaluating vendors for where they bank as part of third party risk management (or not).
- Clear insight into the tough choices that have to be made to keep small businesses and startups running; sometimes that’s not “doing every thing of security”.
- Business continuity planning requires a more realistic “yeah, that could happen” when doing the review.
- Remember that there is no such thing as no risk, just determining the right balance of (realistic) risk and downtime for your organisation.
- If one vendor goes away suddenly, what happens? What about if 6 go away all at once? Diversity of suppliers vs. focusing on basics in the security stack.
Along with some strong recommendations (or maybe they are warnings) for our security vendor listeners on how not to use this incident as a sales tool (tl;dr: DON’T!), there are a few correlations to the automotive industry. And check out the book club recommendations in the show notes on our website www.greatsecuritydebate.net, too.
Since we recorded, another bank, Signature Bank, has also been closed and placed into receivership. On behalf of all of us at Great Security Debate, we send all those affected, whether as companies banking with these banks or as their customers, our good wishes and hope for good news ahead on the recovery of funds.
Thanks for listening!
Links:
- The Demise of Silicon Valley Bank - by Marc Rubinstein
- All the Devils Are Here: A Novel (Chief Inspector Gamache Novel Book 16) - Kindle edition by Penny, Louise. Mystery, Thriller & Suspense Kindle eBooks @ Amazon.com.
- Silicon Valley Bank profit squeeze in tech dip attracts short sellers | Financial Post
- The Tenth Man Rule - Principle Explained
- The Innovator's Dilemma: The Revolutionary Book That Will Change the Way You Do Business: Christensen, Clayton M.: 8601300047348: Amazon.com: Books - https://amzn.to/3LcZKvT
- The Innovator's...
Back to Normal?
The Great Security Debate Book Club is in FULL force this week as we talk about life after you’ve gotten the job in information security and are looking for the growth and promotion that come as you grow your career.
Check out the show notes on our website www.greatsecuritydebate.net/48 to get links to all the books, articles, and references we discuss up through the show.
A mere appetiser-sized sampling of the topics we cover in this hour includes:
- What does it mean to “return to normal” at work in 2023?
- How do you grow in your role once you are in the infosec field?
- The “old-man” perspective on entitlement in growing within jobs.
- What approaches work (and don’t work) when asking for promotions, raises, or new roles within your organisation.
- Conversely, how to approach getting responsibilities added without getting additional compensation.
- Using the word “I” vs “We” when talking about a job and your team.
- What factors and risks outside the office to consider when looking at role and organisational growth.
- The importance of knowing the difference between what you want to say vs how it will be received when read by the recipient.
- What do you do when you find yourself as (or think you are) the smartest person in the room?
- What resources can people use to get ready for their next growth step at work?
- How can networking and mentoring be valuable in finding the next position?
Since it came up a few times in the show, remember that not every security career path ends with becoming a CISO, nor should we expect that everyone in infosec wants to become a CISO!
Thanks for listening!
Links:
- High-Earning Men Are Cutting Back on Their Working Hours - WSJ
- Census: Michigan's population drops again for 2nd consecutive year
- 5 Whys - Getting to the Root of a Problem Quickly
- Little Giants: 10 Hispanic Women Who Made History: Calderon, Raynelda A., Donna, Wiscombe: 9781733139229: Amazon.com: Books
- Amazon.com: True North, Emerging Leader Edition:
Uninsurable!
Insurance for information security is changing. Recently, some reports came out that insurance companies were moving to leave the cybersecurity insurance market, saying it was uninsurable. Dan, Brian, and Erik discuss on this week's Great Security Debate:
- What happens now that cybersecurity insurance is built into contracts and requirements by customers doing business with other companies?
- Are the carve-outs such that it’s easier to just pay and not inform insurance that you want them to pay for the incident?
- Does having “easy” insurance give too many orgs a pass on having to actually improve their security control sets?
- How do insurance “formularies” make companies less secure by not letting them buy the newer, better technologies? Conversely, how does the formulary of products help prevent buying junk tech that calls itself “security”?
- How does the threat of nonpayment of expenses and losses by insurance companies after the fact affect organisational security decisions for or against the formulary?
- How is relying on insurance to determine tech standards the same as the EU demanding all chargers be USB-C?
- Does insurance go away altogether? Do we want it to go away?
- What is the law of the horse and how does it apply to insurance in information security?
- Can shifting downstream supplier risk into insurance really work to reduce risk?
- Is security a cost centre, a cost of doing business, or a potential profit centre for orgs?
- Should we shift from an insurance mandate to “figure it out”?
- How does the conscious decision not to patch, because the patch causes worse issues, affect the insurance coverage?
- How can we balance the expectation with our technology suppliers to maintain support longer, especially on IoT or high-cost, long-life devices?
- Can a move toward clear, yet broad, expectations on controls be enough to meet security expectations for insurance without prescriptive formularies of technology and process?
Thanks for listening!
Links:
- Large Insurer Says Cyber Attacks Are Becoming 'Uninsurable'
- 3 Times Businesses Were Denied Cyber Insurance Payouts. | Managed IT
- USB-type C to become EU's common charger by end of 2024 | News | European...