management   178169

Pyramid Scheme. #hautalk - Allegra
on how the OJS platform afforded abusive behavior
design  management 
yesterday by brainwane
[no title]
<< I left the vendor world and decided to go work as a CISO (an actual CISO, not a marketing or “advisory” CISO, y’all know the difference). Nothing will humble you faster than seeing how your 20 years of security expertise run into the cold, hard wall of reality.


The first thing I noticed is that when ALL my contacts from the #infosec vendor world started calling me and pitching me on their solutions (including my own company!) I found myself laughing at the presumption: “You don’t even have an $XYZ solution in place?”

My answer was “NO, I don’t have an $Xyz solution in place and I’m probably a year away from that problem even making it onto my Top 10 list”. This was after YEARS of me telling the world that $Xyz solution should be the first thing you invest in, and BELIEVING it!

Every security vendor and every researcher sees the industry through a soda straw, inside a soda straw, inside another soda straw. >>
security  management  technology-industry  tweet-threads-that-should-be-blog-posts 
yesterday by absfac
Yet Another Law | In the Pipeline
"You are in real trouble if someone knows more about your project than you do."
yesterday by brainwane
Employees should work on hard things, not easy things
‘For a business to thrive, each employee must ultimately be worth three times their wages to the business. That means if someone is getting paid $60k per year, their worth to the business likely exceeds $180k. People often underestimate what they are worth. One way people, especially more junior employees, underestimate themselves is by failing to spend most of their time on things that are really hard for them to do. All employees (not just entry level employees) should strive to have at least 70% of their time doing things that are really difficult. These are the tasks that require the most thought, rigor, and attention. And these are the tasks that result in the most growth.’

Of course, this assumes a capitalist view of work. Work is there to generate profit, not to help people pass the time (find value in being alive) and make sure they have the means to eat and such.
management  work 
yesterday by cote
Engineering Ladders at Meetup – Making Meetup – Medium
Clear Expectations is one of the three pillars of management at Meetup. In my role as a fractional VP of Engineering, I was ecstatic to help Meetup’s HR team develop a new cross-company leveling…
yesterday by luigi
On computer security and thinking about risk - Поклонник деепричастий
Walker describes, for example, how he found thousands of VNC servers (a program that lets you control a computer remotely) connected to the internet without a password, and, to make the problem especially vivid, found a server on a computer that controlled a pig farm. Anyone could connect to that computer and, say, release all the pigs or cut off their feed. He hung screenshots of that server on his office door (he worked at DARPA, an agency inside the Pentagon). And, he says, when other security specialists saw those screenshots, they understood what a horror it was and clutched their heads. But when senior management or politicians walked past, they did not understand at all what the big deal was. He tried to explain, but they quickly lost interest. "Why would anyone want to attack a pig farm?" What they did not understand, and what was automatically obvious to the specialists, is that if there is one such server, there are surely a thousand or ten thousand; that in one place it is a farm and in another a hospital or a factory; that attackers can write scripts that automatically find such servers on the internet and automatically press all sorts of buttons and move the mouse, just for fun, not even to attack a specific place; and that this can do an enormous amount of harm. But management's imagination simply did not go there; even if you tried to explain all of it to them in detail, it seemed like an unrealistic and meaningless scenario.

Another excellent example I will quote in English:
...policy thinking within the conflict domain of computer security is dominated by thinking about planned, intentional malice rather than considerations of the collective risk of randomized disaster. This is a real divide; you will find it again and again. What it creates are Rorschach Tests: both sides stare at the inkblot, one side sees a butterfly and the other side sees a butterfly that has been stepped on. Let me give you an example.

V2V is a technology that allows cars to communicate, digitally exchanging position and vector information; when two cars are on a collision course they can compute the collision without seeing each other and either alert the driver or autonomously take avoidance action. This digital exchange of vectors will take place through constant vehicle-to-vehicle exchange of vector information signed and secured by the X.509 certificate industry standard.

Now as I look around the room, and I gauge your reaction, what I see is people who see a butterfly that has been stepped on. Because what we all heard is that the cars of the future are going to be part of a peer-to-peer digital mesh network that transmits, receives, and parses X.509 certificates. We don't think a lot about the safety history of cars, but we think quite a bit about the safety history of X.509 certs, and what we know scares us. Now if you believe that parsing complex, nested binary formats is dangerous, that the uncomputable complexity of ASN.1 Basic Encoding Rules creates unnecessary danger, that peer-to-peer communications without central inspection or forwarding is a basic requirement for self-replicating code, and you intuitively understand that the worst teleporting robots can clone themselves, then you can in one breath summon to mind the sum of all fears: a widely used implementation, memory corruption, a worm, and a nation of vehicles afflicted with a control systems virus.

What the other side heard was that thousands of automotive collisions could be wiped out by a single technology based on a tried-and-true industry standard, defended by best practices that work every day to keep the Internet safe. Our concerns are theoretical; theirs are governed by real lives being lost right now. And if you speak only to the perceived technological weakness, the other side of the table will immediately want to know who perceives this weakness, what their effort to act is, what their motivation to act is, and what deters them. When you possess a threat model dominated by intentional malice, you think about people, not bugs. And if you push on this divide, you end up having what is essentially a deadlocked conversation.

And the last one, which is just a funny quote: "I had the chance to talk to a lot of smart people; one of them was a young roboticist from MIT [...] and I asked this young man what the word Cyber meant. He told me that cyber was a word used exclusively by people in government to let everyone know that they didn't understand how computers worked. I think maybe he was on to something. I think this definition is still universally accepted in the hacker community."
internet  security  management  psychology  crypto 
yesterday by some_hren
