Welcome to Outcome Security! Here you'll find us talking about cybersecurity data, why it's broken, and how to fix it. Maybe even some insights as we navigate the industry as a startup. Also, memes.

Sometimes the startup game is hard in unexpected ways

https://t.co/ViItHctE2t

Excited that #AI will soon be almost as effective as a turkey #cybersecurity #startups

If you made a Venn diagram for what parts of vulnerability data #productsecurity and #threatintelligence teams cared about, it would almost be a circle. https://t.co/fs3mbX1sdT

When do I get past this part of my dev career

It's almost Halloween and what's scarier than an impending cybersecurity apocalypse? Read about what we're lovingly labeling "The Four Horseman of Cybersecurity" - four problems buried so deep they're pulling us apart https://t.co/yPdOGylkhe

Your dashboard is probably bad

"We don't have centralized logging, we don't log what's happening on our systems" o, okay

Imagine being a blossoming cybersecurity startup trying to navigate the big scary world of big data (BSWBD) and hearing @dotMudge tell Congress "Twitter does not have... a testing environment or a development or staging environment" ..he said, yelling into the void

Oh and maybe we could put that working-level context into some kind of platform...

Maybe (and I'm getting crazy here) we could even focus on not just trying to put all of this great analysis in a black box and hiding it behind a score or a dashboard and instead giving it to the team using the data in a way that's actually usable FOR THEM TO DO THEIR JOB BETTER

Maybe we should have some kind of system that can help those teams wearing 20 hats cut through the mess of cyber data that we're all drowning in so they can see what threats they should care about and prioritize

If orgs are going to default to paying fines/insurance/whatever, then maybe we should focus on helping those teams be more efficient. You can pay less, and your business processes can be more efficient by not having your "security" butt heads with your "devs".

Even in comp sci/cybersecurity 101 you hear it's better to build security from the ground up than try to retro fit And yet, how many teams make their devs double dip instead of having a concerted security team or strategy? Even if they're not "security people"?

There's an argument to be made that stronger external forces would help/cause an org course correct how practitioners would prefer, but I'm going to pass on that train wreck rn

Maybe it's apathy or maybe it's the industry being too onerous to grok or maybe it's Maybelline but obviously market forces don't (directly) reward organizations with mature, properly functioning security postures.

It's pretty obvious when you lay it out but that's also why fangless fines and punishments don't do anything - they're a minor annoyance (paperwork) but don't really push an org to doing security "correctly" because there's not enough pain.

Compare breaches and ransomware boogeyman. Ransomware is effective because it hits the bottom line in a real tangible way, whereas breaches are usually furrowed brows and then hand wringing and then nobody caring and then back to the status quo

There's more to impact than stock price 🤪 The point about revenue and availability is right... but we're already there. CISOs (and orgs in general) basically only care about business continuity. Business incentives have never really been aligned w/ security... 🧵

It's actually only a Venn diagram if it's from the Swedish isle of Ven, otherwise it's just nominally eccentric circles