This is the third edition of my Infosec Buzzword Bingo, just in time for 2019’s RSA Conference (RSAC). Rather than relying on my keenly tuned snake oil spidey senses to generate the words populating the bingo card, I took a more data-driven approach this year.

I surveyed 100 companies’ websites*, the vast majority of which are exhibiting at RSAC and possess VC funding. I did not include any of the large security vendors**, who probably could populate their own bingo cards across their mastodonian websites.

The idea is to take this with you to RSAC or any other vendor halls…

This year’s nominees for the 2019 edition of the RSA Conference’s Innovation Sandbox were announced this morning. As I’m wont to do, I wanted to explore the funding side of these ten startups.

People struggle to understand how risk accumulates in complex systems, thereby also not understanding the extent to which risk must be reduced. This misapprehension can lead to “wait and see” decisions that cause a problem to snowball, or mitigations that don’t meaningfully reduce risk, creating the feeling of just barely treading water in your security program.

It is challenging for people to understand risk dynamics conceptually for two primary reasons. First, we are bad at tying inflows and outflows to the current level of risk in a system, as we tend to believe outputs are positively correlated with inputs. For…

My perennial New Year’s resolution is to read one fiction and one non-fiction book per month. I tend to fail, and this year I only averaged 1.33 books per month (which, interestingly, is the same as last year; 2016 was 1.5 per month).

As you can tell from this list, I became a bit obsessed with afrofuturism and am still in awe of the immersive worldbuilding within the genre’s novels I read. …

Fed up with ridiculous infosec predictions for the upcoming year, I decided to aggregate them all and use the power of Markov Chains to generate my own list. What follows is the result, very lightly edited solely for readability. You can see last year’s edition here.

In 2019, we predict 2019. Cyber espionage, cybercriminals — in 2019, they materialize. What if this is a dangerous reality? For example, consider how the world feels sometimes. According to Ponemon, security leaders around the world feel sometimes.

During 2019 we expect to see an increase in cyber space. The prospects are understatement. If…

What type of vendors are showing themselves off in the Business Hall? Are they mostly startups?

What follows is the full text of my keynote , also available as a video and as slides.

There has been insufficient exploration of the first principles of resilience in the context of information security, despite the term being superficially peppered in our common discourse. Too often, resilience is conflated with robustness — to the detriment of us all.

To state more poetically, through the pen of the notable fantasy author Robert Jordan referencing one of Aesop’s fables, “The oak fought the wind and was broken, the willow bent when it must and survived.” To speak of protection without resilience…

Originally given as the keynote at BSides Knoxville.

Security is a product, but we treat it like a sacred, immutable grail to preserve, unblemished by the sublunary needs of users. And yet, we wonder why defense remains stagnant, why we fail so consistently in progressing towards the glorious ideal of a “secure organization.” We will continue to fail — unless we treat security as a product. Are we trying to respect the phantasmal Elder Deities of Infosec and their stringent doctrine, or are we trying to ensure our organization can still thrive while operating in a perilous digital world?

One…