@kuzushi@infosec.exchange

ex-https://infosec.exchange/@BishopFox | founder of https://infosec.exchange/@cactuscon | ex-microsoft mvp | phd student @ University of Guadalajara | security researcher at sensecurity.io

unapologetic hacker. been doing this since forever. I love breaking and building web applications. I will frequently talk about offsec, comp-sci, and machine learning.

not a super villain.


kuzushi, to random

A long while back I got into a conversation with @wendynather on why you can't treat security standards like building for elemental risk (fires, earthquakes, etc) and safety standards because unlike these things, we are talking about adversaries that are intentionally working to circumvent such controls for their own benefit.

While I still contest that is true, lately I have this feeling that I am finding hard to shake... we are a professionally negligent industry. Let's say I was wrong, and indeed cybersecurity could be thought of as tolerances against predictable events... do we have any evidence that what we are doing is working? Where are the objective studies that show that compliance standards have had a net positive effect in reducing the very outcomes they are designed around?

The sheer lack of evidence of effectiveness, coupled with clearly growing threats and consequences, is honestly alarming. I get that risk reduction still leaves opportunity for occurrence. Like, if I could reduce the risk by 80%, that still means that there is a 20% chance a thing could still happen. But as far as I have seen, I've only run into one study done on effectiveness that would even begin to direct people.

Maybe I am wrong, and all of this is just my own ignorance of the modern state of enterprise security. But, at least as far as the breach reports I've been reading are concerned, whatever we are doing isn't really tracking.

jerry, to random

The calm before the storm


kuzushi,

@jerry be reckless! :anarchy:

kuzushi, to random

okay. profile updated with recent pictures and whatnot. followed many o-folk. next up, studying hashtags.

kuzushi,

@jerry dope, thanks for everything!

kuzushi, to random

It has been a while, but do people actually use this over Twitter? I don't seem to get lots of engagement on either. Not really sure where I post, tbh.
