Information security is mostly a shit show, so we made the Security Shit Show.
This is the place where shit gets real. No filter. Straight talk about shit that ain’t right in the information security industry (or life in general).
Three industry experts share their daily experiences and pick a topic to discuss each week. The Security Shit Show is LIVE on Thursday nights and the fans are ENCOURAGED to participate. If it’s not fun, it’s definitely good therapy!
This is not a commercial podcast, meaning we won't be hawking product or taking sponsors. We suppose this could change sometime in the future, but probably not.
All content for The Security Shit Show is the property of The InfoSec Mission and is served directly from their servers
with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Episode Sixty-Seven - Control the message, control reality
The Security Shit Show
1 hour 41 minutes
3 years ago
A true story with four realities (or versions of reality).
1. The public version.
2. The employee version.
3. The management version.
4. The Security Analyst's version.
To the public, -ORGANIZATION- seems to be doing a great job. -ORGANIZATION- has a noble mission and appears to be serving that mission well. The public doesn't think about information security at -ORGANIZATION- because it never comes up in conversation. All they care about is that -ORGANIZATION- is fulfilling its mission, and it seems to be treating the public OK.
To the employee, -ORGANIZATION- is doing OK. Sure, there are plenty of challenges, and politics sometimes gets in the way, but employees like what they do. As long as employees do their job well, they'll be fine. Information security isn't a concern because the employees don't really know what it is. Just stay focused on the job, keep your head down, and you'll be OK.
To management, -ORGANIZATION- has a mission, but personal missions far outweigh the -ORGANIZATION- one! The personal mission is to keep this job and get some kudos along the way. In order to keep the job, they have to play the game. The game is politics, and sometimes politics is cutthroat. Managers spend more time defending themselves and attacking each other than they do accomplishing anything. As long as the public and the employees see management as great (or good) leaders, they'll be safe. Problem is, they suck at the job. Focus #1 is "MY JOB" (at all costs). They love the job because it comes with a lot of perks. Information security is a pain in the ass and management doesn't have time to learn about it. Who cares anyway?
To the Security Analyst, -ORGANIZATION- has a mission and information security is (and must be) part of the mission. There are so many risks to deal with and there's not enough support. The Security Analyst is a team of one and has no support from management. People keep clicking on links, people keep choosing crappy passwords, management wants new blinky lights, and the Security Analyst can't cope anymore. The Security Analyst is not paid well (by industry standards), but they're here because they care. The Security Analyst doesn't want people to get hurt, and they believe in the mission, but they need help!
The true reality? Most of the three realities are bullshit. To some extent, the public has been deceived, employees are misled, management is shitty, and the Security Analyst needs some support.
The Security Analyst works at -ORGANIZATION- for the right reasons.
The Security Analyst loves people and wants to protect -ORGANIZATION-.
The Security Analyst wants to protect -ORGANIZATION-'s employees, customers, and the public.
The Security Analyst doesn't want to make a name for themselves, but desperately wants to do the right thing.
The Security Analyst has tried again and again to get their message through to the alternate realities, but the results are very disappointing.
The Security Analyst feels it's their moral responsibility to do something.
To this end, the Security Analyst sends a VERY respectable email to the -TOP MANAGER-'s executive assistant. The email is respectful, informative, fact-driven, and NOT threatening in any way. The sole purpose of the email is to get help and to help (the public, employees, and management).
The next day...
The Security Analyst is called into a meeting, and here's what the Security Analyst is told:
- "The Board and most people don't give a shit about Security and it's not our job to educate them."
- "Our job is only to deal with internal concerns and stay in our lane."
- You "didn't follow the chain of command and need to be mindful of the bigger picture and their concerns, and realize that (your) focus isn't theirs."
This story is REAL. It just...