Hey, okay, so we have like a gazillion information security professionals scattered around a million organizations. Every large organization you go to, you've got an IT security department, an information security department, the list goes on. Oh, no, no, no. So the question is: if you've got so many of these professionals working in all of these organizations, how come each and every one of them has suffered some sort of breach in the last couple of years, or months, or days, or what have you, and they continue to suffer them? Why can't these guys get it right?

Whenever there's actually a breach at any of these organizations, you've always got one of these geeks, nerds, IT security people, the information security people, sitting in a corner going, "Had you listened to my recommendations three months ago, you would not have encountered this. I told you so. I told you so, did I not?" So if they knew about the vulnerabilities beforehand, and they documented it, and they tried to explain it, well, why is it never fixed, and why do the companies still get breached?

I'd like to refer to this as the pacification of the information security professional. They can't convey a simple message in a clear, coherent and ballsy manner that other people would sit up and take notice of. Instead they usually go in and end up saying something like this: "If you all refer to the risk matrix on slide number four, you will see that twenty-eight point three percent of the risks have a very high impact." So the message never really gets out. They should try an approach like this: "Gentlemen, if you go ahead with this website, you will be absolutely fucked." Simple and clear, concise business speak. They don't want to know whether it's a buffer overflow or, you know, what subroutine didn't work correctly. It gets the point across.

Of course, you're always going to get some bean counter in there. He's going to pipe up: "But if we pull the website offline, we're going to be losing in the region of five million pounds a day." "Hey, hey, if I wanted your opinion, I'd ram my arm up your arse and work your mouth like a puppet." Did you just put the other guys? I'm pretty sure you did. Sure, of course, it could be that your chief information security officer is more worried about running a business than being a hundred percent secure. Don't settle for anything less than 100% security in any case, regardless of whether the cost of security outweighs the business, because why? We're in the security industry. Security is our job, and we're good at it, and we're proud of it.

So if they try to get you over a barrel, here's a tried and tested method: "This is crap, Chief Information Security Officer. That web app is dirty and you know it, and you're letting it go just like that. You need a needle, kid; you can't fight the system. Here's my badge. I quit." "I am accepting your resignation. You've got some vacation time coming up; I suggest you take it. But if I so much as sniff out that you're port scanning that web app, I'll put you through so many disciplinary processes you'll never work in the industry again."

Of course, despite your chief's hollow threats, you still go on your days off, you buy your own equipment, you do your own pen test, you find out all the vulnerabilities, and you present them back. This works all the time: the CISO gets happy, the business execs are happy, the business exec's PA falls in love with you, and you're hailed a hero throughout the organization. Try it. Stay secure, my friends.