Recorded on Saturday 29 October 2022, at the tailgate before the University of Michigan vs Michigan State University (American) football game, Brian, Erik and Dan chat about the news of the day, with more than a few correlations back to football. And we had a special guest join us, too: https://www.linkedin.com/in/zahira-zah-rodriguez-gonzalvo-1a97692/ (Zah Gonzalvo Rodriguez) There was an upcoming OpenSSL vulnerability hitting the world this week. How would Software Bill of Materials (SBOM) make the response easier? A reminder of our dependence on the stability and security of some very core tools (like OpenSSL) to run our businesses. Mot to mention the fact that such tools are often within the libraries we use and don’t even realise it’s there. Similarities between football and security in the need to adjust based on what the other team shows signs of throwing at you, and further based on what they actually bring to the line. How repeatable process and inventory help make the response to these vulnerability disclosures less like a firedrill and more like standard ops. Did you know that credit ratings are being affected by information security posture and breach response? Same thing with MandA and investment valuation… if you’re not as mature in security and privacy you may see a discount taken on your value! How transparent should we be with the peer companies and the public world about our security posture (like incident response plans, and security controls in place)? And if you’re curious, you can find out what team Dan (the lifelong Badger) was supporting in the game. Congratulations to the University of Michigan in later winning this game, and to both teams for keeping the rivalry alive and spicy. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate (https://youtube.com/@greatsecuritydebate) and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening! https://www.patreon.com/securitydebate (Support The Great Security Debate)

Are we getting subscription overload? The move to more and more subscriptions is good for those selling, but are they good for those buying, too? Do subscriptions offset by other non-cash costs (e.g. data collection, advertising) reduce subscription fatigue? How does that fit into the security product world? What are the risks of making security technology only for those that can't afford it? Why are the ad-supported versions more heavily marketed than the no-ad versions? How do subscriptions encourage continuous development of software and features? What about innovation? What's a persistent feature, and what can be revoked or shifted into a different subscription tier (take a look at Slack's recent move to make the free tier way less valuable and encourage the need to move to a paid tier) Do the combinatoric vastness of features that can go on and off based on the subscriptions you buy introduce an unnecessary or unsafe risk of not working well together in specific combos? What are the legalities of jailbreaking your software rather than paying to activate it by subscription? How does doing so affect the liability and effectiveness of the product? We also talk about some things unrelated to subscriptions (and cars)! What is needed to adapt your communications (and subscription sales pitch) to VC/PE vs the CIO/CISO at a company? East coast vs west coast? Etc. Tips for job candidates on looking for public info on what a company thinks is important from security and risk (hint: it's SEC filings like the 8-K and 10-K!) Tune in to delight as Dan rants in Yiddish and then mess up the name of some of the most popular movies of our time. Enjoy seeing (or hearing) Erik get on a soapbox stumping for Sig Sigma. Binge on Brian talking about automotive manufacturing (who knew) and for once not be broadcasting from a "train station". We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube (https://bit.ly/gsdyoutube) and watch, subscribe and "like" the episodes. If you're watching on YouTube, we are very sorry for the video sync issues this week! The sound is great, but one of our hosts does a very poor Milli Vanilli impression. We are writing up the root cause analysis documents and issuing CAPAs to keep it from happening agai Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening! https://www.patreon.com/securitydebate (Support The Great Security Debate) Links: http://www.amazon.com/exec/obidos/ASIN/0062292986/securitydebat-20 (Crossing the Chasm, 3rd Edition: Marketing and Selling Disruptive Products to Mainstream Customers (Collins Business Essentials): Moore, Geoffrey A.: 9780062353948: Amazon.com: Books) http://www.amazon.com/exec/obidos/ASIN/B0877D6H28/securitydebat-20 (This Is How They Tell Me the World Ends: The Cyberweapons Arms Race - Kindle edition by Perlroth, Nicole. Politics & Social Sciences Kindle eBooks @ Amazon.com.)