The Security Shit Show The InfoSec Mission

"Why going to the cloud means more work for security not less, shared responsiblity is 100% your problem
- Am I going to treat this like a green field, or the next dumpster to throw the data, systems, and stuff we can’t deal with in real life?
- What are my expectations? (planning, timing, longevity, migration, business, etc.)
- Will we use it as an enclave to simply separate developers from anything else, or vice-versa, OR will we take a stance and work with ALL the teams to build it out successfully?
- DOES my cloud governance align with the rest of my business and technology policies and goals?
- AM I willing to implement the recommendations that most cloud providers offer TO make things safer and more secure?
- Can I manage the audit and compliance of a new world, and HOW will I integrate it?
- Speaking of integration, WILL my business and technology actually function IN/WITH the cloud?
- The cloud is MUCH more than someone else’s computers OR a spare data centre, but it still has to live somewhere, so WHERE does it live, and HOW do you get to it?
- Where’s YOUR staff, how do they talk with the cloud, what controls, management, etc.
- How much control will I have over my data in YOUR cloud?
- Who’s got access TO my little slice of the cloud, hardware, system, bare metal, data, etc.
- How do I (OR who’s going to) monitor YOUR cloud infrastructure, and MY systems for access, etc.
- And if it’s on your side, do I get to see the logs
- What’s the charges FOR monitoring
- SLA’s etc?
- Who’s managing the encryption for my data, if it’s YOU then where’s my key’s if it’s me what help etc.
- I don’t want to catch cooties from YOUR other clients, how to you maintain separation/segmentation?
- What options exist to backup my data, my configs, and what happens if YOUR systems go down?
- What areas of the technology, services, systems, and environments fall into shared responsibilities?
- Who has to deal with what when it goes wrong
- Who get’s to point fingers, and who has to fix things (AND what timeframe, etc.)
- ALL my data belongs to YOU… what happens about uptime, distribution, redundancy, AND company stability.
- Technology roadmap in here too
- What dependencies, partnerships, and vendors do THEY rely upon?
- Let’s talk security, compliance, regulatory stance, etc. What do you have, AND how do you maintain it?
- When we fall OUT of love, what happens, how do I migrate, what options are out there (and costs, etc.)"

Information security tells us that the job it is all about protecting data, protecting the confidentiality, integrity, and availability of the data ultimately to protect the human(s) the data is about.

On average each human creates 146,880 MB of data per day for a staggering total of 1.145 trillion MB a day or 2.5 Quintillion bytes WHOA that’s a lot of data, where is all this data coming from and more importantly where is it going, who has it and how is it being used?
How do I know my data is safe?
How do I know I can trust that it is accurate?
How do I know where my data is, has been, and is going?
How will my data be used to manipulate and or harm me?
DUDE Where is my data? And what are you doing with it?

"Lots of us say that information security is EVERYONE'S responsibility. While this is sort of true, we use this as a copout more than anything else. The truth is, everyone has information security responsibilities but information security is NOT everyone's responsibility.

See what we did there?

Everyone has information security responsibilities. So, let's start at the top and work our way down. The Board of Directors, the CEO, other C-Levels, etc.

Hey, CISO, what is it that you'd say you do here?
The quality of your answer might say everything we need to know. You either know or you don't.
If you know, share the answer with us (simpler, shorter answers are usually an indication of mastery, just sayin').
If you don't know, that's OK, BUT ONLY IF you don't pretend you do and you seek out the answer.

Now that we got that squared away, MAYBE we can figure out what everyone else's responsibilities are. If we don't get this right, how the hell are we going to hold anyone accountable. If we can't hold anyone accountable, how the hell are we going to get any better?"

Let's talk intelligence, machine learning, quantum and ALL the various future technologies and things we should be asking OURSELVES and OTHERS (our vendors, partners, suppliers, etc.) As we go forth into this brave new world...

Every day we inch closer to a new computing reality, the arrival of commercially stable quantum computing, we hear about this new disruptive technology, that when unleashed will break the worlds strongest encryption in nanoseconds, that is a very scary proposition for any info-sec professional.

There is work being done today to make quantum resistant encryption or so we hope. It is already difficult enough to secure and keep up with the systems that make up our modern world. Systems that are overly complex and running trillions and trillions of lines of code just using 1’s and 0’s, systems we already fail to protect every day, in part due to the complexity of them.

If you think current technology is complex and at times confusing, you haven’t seen anything yet, quantum introduces a whole new level of complexity and way of thinking about what is happening, and why.

What does this mean for us in the information security industry, will future system admins need PHD’s in quantum physics and discreet mathematics? Will we all need to get our CQISSP? Can we secure quantum? How will our world change? What new things we will be able to do? How will quantum be abused and misused by criminals and nation states.
So may questions so little answers, tune in for a fun discussion on the impact of quantum computing and what the grey hairs have to say about it.

All this and more on the Security Shit Show with Evan Francen, Chris Roberts, and Ryan Cloutier

Thursdays' at 10pm central / 9pm mountain

Don't overthink this, human. Just take my word for it. Math is beautiful, math is your friend, and math is trustworthy. Math DOES NOT lie. Math can be used to figure out bank balances, areas of shapes, rates of acceleration, even the angle of the sun in Asunción Paraguay at 11:42am (local time) on May 7th, 2022. The list of useful things math can do is endless. You, human, you're a different story. You are also beautiful, and you might be my friend, but you are not trustworthy. Humans have emotions. Humans have bias. Worst of all, humans LIE! What do we do when the math doesn't match up with the story you've told? You mention risk, math (whom I trust) tells me one thing, but you tell me something different. Why?