On this episode of YBO, Christina puts y'all on to a rewards program and discusses the latest news with guest Jessy Irwin (formerly Proctor) including Trump's second impeachment and Jazmine Sullivan's EP "Heaux Tales." Follow YBO on social: @theybopodcast Follow Christina on social: @misschrisdee Follow Jessy on Instagram: @jessyproctor26 Follow Jessy on Twitter: @jessyxo6
Jessy Irwin is the Founder at Amulet. Prior to this role, she ran her own consultancy, Jessysaurusrex LLC, for seven years, worked as a vice president of privacy and security at a privately owned public affairs firm, and was a security empress advocating for password managers at AgileBits, Inc. Join Corey and Jessy as they discuss the best job title in the world, how majoring in art history was the best life decision Jessy made, why security needs to be as mundane as vacuuming the house, what Jessy is doing to make security more enjoyable, the role consumer branding plays in the adoption of security tools and practices, why Jessy thinks security problems are akin to lifestyle choices, why security practitioners should be focused on raising the cost of an attack, one of Jessy’s endless frustrations about working in blockchain, why Jessy generally avoids using the b word, and more.
Dennis Fisher sits down with Fahmida Rashid, Mike Mimoso, and Jessy Irwin at the RSA Conference in San Francisco to talk about the major themes of the conference.
About the speaker: Jessy Irwin is Head of Security at Tendermint, where she excels at translating complex cybersecurity problems into relatable terms, and is responsible for developing, maintaining and delivering comprehensive security strategy that supports and enables the needs of her organization and its people. Prior to her role at Tendermint, she worked to solve security obstacles for non-expert users as a strategic advisor, security executive, consultant and former Security Empress at 1Password. She regularly writes and presents about human-centric security, and believes that people should not have to become experts in technology, security or privacy to be safe online. Her current interests include security maturity and culture, usable security and secure UI/UX, and building impactful security teams and programs in emerging blockchain technologies.
Guest Jessy Irwin, Head of Security at Tendermint, spoke with me at RSAC 2018 in San Francisco where she presented Cracking the Security Communications Code: Talk about Security without FUD. She also did a talk at OURSA entitled Defense in Depth: Building An Old Lady Gang.
Question: What do you get when you connect a bunch of friends who have worked in or written about security for a long time over a few drinks and fried chicken? Answer: A 62-minute dissection of the RSA Conference, security buzzwords, marketing missteps and lots more that's top-of-mind in the industry. This semi-annual podcast was recorded this week in San Francisco during the RSA Conference and features Flashpoint's Mike Mimoso and Jennifer Leggio, Decipher journalists Dennis Fisher and Fahmida Rashid and Tendermint head of security Jessy Irwin. Up for discussion is a wide array of topics starting with blockchain and its applicability—if any—for information security, as well as privacy, the impending GDPR deadline, hardware bug disclosures, RSA Conference and how to do security marketing correctly without introducing more harm or risk.
Jessy is a security expert who excels in translating complex cybersecurity issues into simple, relatable terms for non-technical audiences. In her work as a consultant, security executive, and former Security Empress at 1Password, she's taught consumers how to better protect themselves, their data and their identities online. Jessy is currently making security more accessible for the average person. In 2017, she was named one of the Top 20 Women in Cybersecurity by Cyberscoop.
Links: Jurassic Park (DVD); Jessy on Twitter - @jessysaurusrex
Don't forget: to get in touch with me, either try the contact page of the site or follow me on Twitter, where I can be found at @Jenny_Radcliffe
Black Hat 2017 was an adventure, as it always is, and to help make sense of it all, Dennis Fisher sat down with friends from across the security community for a long conversation. The discussion with Robert Hansen, Jessy Irwin, Jennifer Leggio of Flashpoint, Mike Mimoso of Threatpost, Patrick Gray of Risky Business, and Fahmida…
This week, we invited Ms. Jessy Irwin (@jessysaurusrex) on to discuss the issues small and medium businesses and startups have with getting good training, training that is effective, and what can be done to address these issues. We also go through several ideas for training subjects that should be addressed by training, and what maybe would be addressed by policy.

-------
Upcoming BrakeSec Podcast training: Ms. Sunny Wear - Web App Security/OWASP
14 June - 21 June - 28 June at 1900 Eastern (1600 Pacific, 2300 UTC)
$20 USD on Patreon to attend the class
$9 USD for just the videos to follow along in class
Patreon: https://www.patreon.com/bds_podcast
If you want the videos and don’t care about the class, they will be released a week after class is over for free.
--------
Jay Beale’s Class “aikido on the command line: hardening and containment”
JULY 22-23 & JULY 24-25 AT BlackHat 2017
https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html
---------
Join our #Slack Channel! Sign up at https://brakesec.signup.team
#iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/
#SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Show Notes:
http://www.darkreading.com/endpoint/cybersecurity-training-nonexistent-at-one-third-of-smbs-/d/d-id/1328766
I don’t trust articles written with a survey created by a company that is touting their new education track at the bottom of the article.
-- brbr

https://twitter.com/jessysaurusrex/status/859123589123121152
“So sick of the tired narrative that sec awareness is just about phishing when there are ~10 basic skills we need to be educating people on”

What are the ~10 things?

First off, most corporate security training misses the incentive mark by a mile. If training were refocused in a way that showed the incentives to improving personal safety, we might get somewhere. Teaching people how to take care of themselves first works -- those habits carry over into their work life, not usually the other way around.

- Passwords
- Multifactor authentication
- Device encryption
- Ad blocking
- Browser hardening via extension/plugin
- Safe browsing (this breaks into a few different topics)
  - Phishing doesn't just happen via email anymore: social media inboxes, text message inboxes, messaging apps, etc.
  - Most users won't come to social engineering defenses on their own -- important to educate and give alternatives that encourage them to confirm information out of band or navigate to a site in their browser
- Social engineering (this breaks into a few different topics)
- Segmentation/compartmentalizing data + communications
- Secure storage (local vs cloud data)
- Media storage safety (thumbdrives! Charge-only cables for mobile devices!)
- Regularly reviewing permissions granted to apps through OAuth
  - Google Apps + Slack allow for OAuth; most people set it and forget it, don't review what apps can act on their behalf until it's too late
- Backups

http://www.zdnet.com/article/sans-security-awareness-study-reveals-technical-communication-skills-and-proper-resourcing-critical/
“The report goes onto say that security awareness professionals with more technical backgrounds are more keen to recognizing behaviors that might bring risk, however, at times communications training is critical given that human interaction soft skills make changing risky employee behavior. They know what behaviors are the most effective in managing those risks. Often however, the challenge is that these same individuals often lack the skills or training to effectively communicate those risks and engage employees in a manner that effectively changes behavior.”

summed up our entire industry in this paragraph --brbr

https://securingthehuman.sans.org/resources/security-awareness-report-2017
^^^^ saw this on Twitter yesterday -brbr

Key takeaways: The study recommends the following for addressing communications:
- Communicate to leadership monthly about your security awareness program -- in a way that business leaders will value.
- Find a strong champion within leadership, and ask them to help relay the program value to other leaders, or assist with message crafting.
- Partner with those in the org that you've found to appreciate and adhere to security awareness inputs, especially those who can help partner on better communications.
- Take communications training; they can be easily developed with the right focus.
- Align with human resources to ensure an awareness program is tied into company culture.
- Keep an eye on your audience, as it grows and shifts, and recognize that the same message that works for developers may not be effective for marketing, and vice versa. A one-size-fits-all communications approach can be limiting.

You writing a book?

I've been working on a book about security that's focused on education and communication. We do such a horrible job at this -- we don't do very much that helps the average person or our non-technical, non-expert colleagues have a chance at being successful online. Our terms are too technical, our framing is unbelievably negative and toxic, and the lack of empathy for the people at the other end of the computer is absolutely astounding. It is entirely fixable, but we all have to stop contradicting one another and really start working together. :)

You make it sound so bleak and self-destructive :|

I would like to hope that we can get better.
Oh yea, the echo chamber, “who has the right answer?” No one, we all just have pieces...

Yes! And sometimes the right answer changes very, very quickly! It's less about the silver bullet answer and more about what we’re defending from and hoping to accomplish.

Are SMBs the issue? Are they more insecure than bigger companies? Or do bigger companies get more media coverage? Are bigger companies any better at training employees? Or are they better at ‘checking’ the box?

If we take the statement ‘paid for security training sucks’ as a given, what do we do about it? What trainings should we be giving? And what training should actually be policy driven? (make it a requirement to follow)
- Clean desk
- Password manager
- Coding practices
- Acceptable use
- Device encryption
- 2FA/MFA

What training do infosec people need? How important are the soft skills to help with communicating?
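The skills list above singles out one item most people never act on: reviewing which apps were granted OAuth access to act on their behalf in Google Apps or Slack. As an added example, not code from the show or from any product it mentions, the script below does that review for a Google Workspace domain. It works on records shaped like the Admin SDK Directory API tokens.list response (the real fields are clientId, displayText, scopes, userKey, anonymous and nativeApp); the sample records, the scope risk tiers and the sanctioned-app allowlist are constructed assumptions for illustration, not an endorsement of any specific policy.

```python
"""Review third-party OAuth grants in a Google Workspace domain.

Added example. Input records are shaped like items from the Admin SDK
Directory API `tokens.list` response. The sample tokens, the risk tiers
and the allowlist below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Scopes that let an app read/write broadly on a user's behalf.
# The tiering is an assumption for this example; adjust to your policy.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                            # full Gmail
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",               # full Drive
    "https://www.googleapis.com/auth/admin.directory.user",
}
MEDIUM_RISK_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
}
LEVEL_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    user: str
    client_id: str
    app: str
    level: str
    reasons: tuple[str, ...]


def assess_grant(token: dict) -> Finding:
    """Classify one grant by the most sensitive scope it carries."""
    scopes = set(token.get("scopes", []))
    reasons: list[str] = []
    level = "low"
    high = sorted(scopes & HIGH_RISK_SCOPES)
    medium = sorted(scopes & MEDIUM_RISK_SCOPES)
    if high:
        level = "high"
        reasons.append("broad write/full-access scopes: " + ", ".join(high))
    elif medium:
        level = "medium"
        reasons.append("read access to sensitive data: " + ", ".join(medium))
    if token.get("anonymous"):
        # `anonymous` means the client is not registered under an
        # identifiable developer; treat it as at least medium risk.
        reasons.append("anonymous client id (app not identifiable)")
        if level == "low":
            level = "medium"
    return Finding(user=token["userKey"], client_id=token["clientId"],
                   app=token.get("displayText", "<unnamed>"),
                   level=level, reasons=tuple(reasons))


def review_grants(tokens: list[dict], allowlist: frozenset[str] = frozenset()):
    """Return (findings sorted most risky first, number of users per app).

    Grants to allowlisted client IDs are vetted apps and are skipped; the
    per-app user count surfaces unsanctioned apps spreading across staff.
    """
    findings: list[Finding] = []
    users_per_app: dict[str, set[str]] = defaultdict(set)
    for token in tokens:
        if token["clientId"] in allowlist:
            continue
        finding = assess_grant(token)
        findings.append(finding)
        users_per_app[finding.client_id].add(finding.user)
    findings.sort(key=lambda f: (LEVEL_ORDER[f.level], f.client_id, f.user))
    return findings, {app: len(u) for app, u in users_per_app.items()}


# Constructed sample, shaped like Admin SDK `tokens.list` items.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "calsync.example.net",
     "displayText": "CalSync", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly", "email"]},
    {"userKey": "bob@example.com", "clientId": "mailmerge-pro",
     "displayText": "MailMerge Pro", "anonymous": False, "nativeApp": False,
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts.readonly"]},
    {"userKey": "carol@example.com", "clientId": "mailmerge-pro",
     "displayText": "MailMerge Pro", "anonymous": False, "nativeApp": False,
     "scopes": ["https://mail.google.com/"]},
    {"userKey": "dave@example.com", "clientId": "file-viewer",
     "displayText": "File Viewer", "anonymous": True, "nativeApp": True,
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
    {"userKey": "alice@example.com", "clientId": "slack.com",
     "displayText": "Slack", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]
SANCTIONED_APPS = frozenset({"slack.com"})  # assumed: vetted by IT

if __name__ == "__main__":
    results, per_app = review_grants(SAMPLE_TOKENS, SANCTIONED_APPS)
    for f in results:
        print(f"[{f.level:6}] {f.user:20} {f.app} ({f.client_id})")
        for r in f.reasons:
            print(f"         - {r}")
    print("users per app:", per_app)
```

On real data, feed the script the items returned by tokens.list for each user (the Admin SDK is the only supported way to enumerate grants domain-wide); the useful output is the short list of high-risk grants and the apps that show up for many users without ever having been reviewed.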
One of our most popular guests, Jessy Irwin, returns to the podcast to discuss the WannaCry ransomware outbreak, usable security, user education, safaris, and why we can’t get past the idea of pointing fingers whenever something goes wrong. Music by Chris Gonsalves and Ken Montigny
The O’Reilly Security Podcast: Speaking other people’s language, security for small businesses, and how shame is a terrible motivator.

In this episode, I talk with Jessy Irwin, VP of security and privacy at Mercury Public Affairs. We discuss how to communicate security to non-technical people, what security might look like for small businesses, and moving beyond shame. We also meet her neighborhood gang of grannies who’ve learned how to hack back. Here are some highlights:

Speaking other people’s language

One of the first things I do when talking to non-technical people is to stop using jargon. The average person doesn't know what encryption is, and if they've heard of the word before, it probably is perceived as something for terrorists, not for them. Password manager is not an intuitive phrase to most people, so I could say, "Well, you need a password app," and suddenly the whole world becomes a different place for someone who didn't realize that such a thing exists. It’s important that we communicate with people using their own terms and recognize that the average person is not going to use the word "hacked" the way the security person uses the word "hacked." Accepting that those moments, which to a professional ear sound like nails on a chalkboard, are going to happen—that completely changed the way I do things.

Your local law office isn’t Netflix or Google

A lot of the people I work with aren't from tech companies. They tend to be with government organizations or in verticals that maybe use technology but don't necessarily ship their own technology. It seems like a lot of people in security think it's completely realistic to expect companies to start security teams, to hire a lot of engineers and run these tools that are five to six figure purchases a year. That's not going to work for the average business. These organizations often outsource security services and may not run security tools in-house. They might need security to be managed externally, or they need to focus on configuring tools and processes to allow their small team to build security into the workflow process. Not all of that is going to require engineers, and not every company can or should spend $3 million on security, especially if the organization is a law firm down the street or the mortgage broker around the corner.

Making tools work for people

As an industry, we need to work really hard to make sure our tools are accessible to the average user. Otherwise, the person who handles these tasks potentially only as a part-time IT staffer is not going to be able to use them. If a business has a full-time IT administrator, they might be able to utilize an intern on occasion. Frequently, businesses won’t have a security-minded IT administrator, meaning the person making decisions in a small business won’t necessarily be a security expert. We need more consumer-friendly tools because then they're also small business-friendly, which is basically the same audience. We have to focus and be prepared to look at security and say, ‘How do we make this work in half the time? How do we make it work for one dedicated IT person, and then how do we make it work for an organization with a small IT team?’ Then, from there, where do they even start with security? At what point do they need to actually have a security hire, and how can they help that security hire build programs and think in a way that's going to produce returns for their business?

Moving beyond shame

Making people feel bad when they know they have failed or when they're trying to get it together is the number one way we set our average consumer or business up for failure. If someone walks in and says, ‘Hey, I'm having a problem with my router. It's being really weird. I'm not sure what's up.’ And, some security nerd looks at it and says, ‘Oh, my god. You're an idiot. Why would you ever configure it this way?’ That's not just being a bad person; that's being a really bad ambassador for the kind of work we do. We have to work really hard to say, ‘Yes, that’s okay’ in the right way to positively reinforce good decisions. If we don't, I really don't know what the future looks like.