
LiferRs

I talk with my CISO every week for a F100 company. Trust me, he’s just another human with his wife, problems at home like having a contractor come in during a meeting to patch the roof, and walks his dog outside while on the phone. Just ask the person about what the career path was to be where they are today.


throwaway96wa

100%. I know that I’m not going to be bothering them with a bunch of work-related questions. I’m sure they are busy as it is. But it would be interesting to hear their opinion on certain topics. Could be an eye-opener.


Odd-Condition7752

Most CISOs like to talk, so if you have a handful of things you want to talk to them about, you're golden!


BlacknWhiteMoose

Tits or ass?


DarkKooky

Thighs


throwaway96wa

After tits


throwaway96wa

Tits all the way


Academic-Skill-9923

Ass


brandeded

Now a question of etiquette: As I pass, do I give you the ass or the crotch?


eew_tainer_007

Are you a grabber?


brandeded

"*The* grabber." Always use the indefinite article.


GreyBar0n86

If you had an unlimited budget, which country or state would you attack? How and why?


he_who_breaks_things

Interesting question. Much more of a political opinion-based question, but a good one nonetheless.


GreyBar0n86

It's that or what do they look for in a cyber operative exactly? How can I become one?


throwaway96wa

That’s a question for Google


GreyBar0n86

True enough


throwaway96wa

That’s a good question. But they are probably not going to answer that.


Ssyynnxx

probably tits or ass


throwaway96wa

Tits gang


-Zunfix-

What are you most worried about in the upcoming years? (So I know what to prepare for and skills I can build) What skills are the most valuable to grow to be in upper level positions like yours? Which zero day attack are you most worried about?


BooneTumbleweed

How could someone know in advance what zero day attacks to be worried about?


hexdurp

Firewall attacks. It’s been popping off lately


BooneTumbleweed

If I had to pick a subset of zero days to be concerned about, it would either be VPN (like with Ivanti) or RCE for obvious reasons.


-Zunfix-

Was meant as a slight joke lol, I’d have the confidence to ask them if the conversation was upbeat and positive to see their reaction


throwaway96wa

Noted! I will ask about the zero day to see their reaction 😂


-Zunfix-

I’d be curious to hear what the answers are for them as well. Would you be willing to say who it is or if they are military?


throwaway96wa

When/if I ask, I will post an update with the answers. I don’t want to say who because we just play sports together, but they work at the pentagon.


-Zunfix-

Gotcha that’s super cool. So you are in cybersecurity and play sports with them and just wanna see if you can pick their brain sometime? Tbh I don’t hear of many people that high up having personal time for hobbies or stuff like that so I’m impressed they just go out and do that for fun


mildlyincoherent

Presumably it's another Log4j-style event: an RCE on ubiquitous software. Something that is used / embedded everywhere, tied to systems that process user input, and can be triggered past the ingress point.


olderby

Where do you need help?


throwaway96wa

Do you mean like which areas in cyberspace?


olderby

Yes where can practitioners focus to better improve cyber security nationally? What initiatives is the government taking to protect citizens?


Sportsfun4all

Do you guys have nice racks?


throwaway96wa

Now I have to ask this question 😂


SupermarketCool6965

Why do they not give a damn about cybersecurity? When asked why do you mean, ask why are they not offering better salaries to retain talent. As a CTR they are bleeding on the civilian side and mil side, and I’ve seen a lot of CTR cap out and plan to leave as well. If not for salary it’s def bc there are so many holes they are overworked, plenty of people saving and investing and more interested in building an escape plan from working vs being able to enjoy the field as much as they used to.


SupermarketCool6965

Also, why are they not actually hiring by 8140? It's almost two years old


AmIAdminOrAmIDancer

Why public service for you? What has been your worst day in security? How are you doing, honestly? If this is an informal chat you’d be surprised how much the last one can endear them to you and you’ll see their demeanor change. If it’s an interview, whether job or media/school, I'd keep it as professional as possible.


throwaway96wa

It’s more of a personal setting. I keep it informal with them, but every now and then, I’m itching to ask them cyber-related questions.


WOTDisLanguish

Assuming I hadn't had anything planned, which I don't - it's a Reddit post:

* What got you into cyber?
* What are some things you've worked on?
* What are the threats to look out for in 2024-2025?
* How is your organization working towards addressing them?
* What is the most pressing issue in the industry?
* What's the most memorable finding you've come across in your career?
* What is your dream scenario for cybersec?
* What's your favourite RFC?
* What, and who do you think the threat of the future (5-10 years out) is?
* How can we prepare for it?
* Where do you plan on bringing your organization in 5 years time?
* What are your thoughts on people using cybersecurity as a shield to justify non-security-related actions?


shavedbits

What's up with burnout in cyber security? Something something Artificial Intelligence something something? Have you ever regretted or questioned going into the field? Has anything in cyber security ever scared you? Why can't we secure our power grid and other public infrastructure? What's one thing people misunderstand about CISOs?


Revandir

Since you said a gov official, I'd say, what's your plan to keep up with current market trends for policy and security? AI is a catch up game, there are hundreds of iterations of policies that reference themselves in a cyclical manner, how do we stay ahead? I know I'd get a bs answer, but there's always a hope.


throwaway96wa

Noted!


reignbowmagician

How thin is the line between harassment and research?


Just-the-Shaft

How quickly do you respond to CISA RFIs, and why is it so slow?


WackSnackAttack

Depends on the agency. If DoD, I’d ask what they’re doing to get China out of our shit. If treasury, I’d ask why they aren’t banning more China and Russia products used for espionage. If CISA, I’d ask what the hell they’re thinking with CIRCIA (total fedgov overreach, in my opinion). If DOE, I’d ask when they’re going to fund the much needed backbone upgrades for our fractured energy grid.


throwaway96wa

It’s DoD. I’ll ask about our “fragile” energy grid.


Weekly_Opposite_1407

I would ask them how I saw someone else’s phone UI in a pop-up window that instantly disappeared. The only reason I know it exists is because I had a screen recording and went frame by frame and took a screenshot


throwaway96wa

On your computer or on your phone?


Weekly_Opposite_1407

On my phone.


knister7

Boobs or back


throwaway96wa

Don't forget elbows and ankles


maidata

Would you hire me if I can showcase my skills?


throwaway96wa

Apply online


YT_Usul

My first and only question would be: May I speak to one of your engineers, please? You can discover almost everything a leader knows in a 60-minute chat with an engineer reporting under them, as well as determine how healthy the organization is (and likely where most of the risk is). Any leader that hides their team is instantly suspect of being a fraud. Now, the questions to ask that engineer could get pretty spicy! Those are the interesting ones. First question: Talk to me about data.


throwaway96wa

I like this!


bzImage

Since 95% of the ransomware enters via email, what security measures are in place to prevent that?


LionGuard_CyberSec

Hello there!


MaskedPlant

What has the government done to help prevent the next Crackas With Attitude type of doxing?


peteherzog

I'd ask why does your government let ICANN profit off of criminals rather than remove domain names from obviously fraudulent domains? Why not put pressure on them to address this?


Derpolium

Bourbon or pepto?


throwaway96wa

You mean bourbon AND pepto


Derpolium

Preach


VicTortaZ

Do I need to introduce myself or do you know more about me than I know about myself?


StringLing40

It was like talking to Spider-Man because they had a lot of responsibility.


throwaway96wa

That’s funny. What would you ask Spider-man then?


StringLing40

Where is your safe place where you don’t need to worry about anything? Jesus would go off alone, almost like he was hiding from the overwhelming pain of the world he was bombarded with. Monks and religious people do the same it seems, as do famous people, very clever people and very powerful people... if they care, that is.


wijnandsj

Why the fuck are you guys always using such weird contracting procedures? Why are you afraid of anyone actually doing something new?


throwaway96wa

I can answer your second question. New innovations are out there. You just have to go and find them. What do you have in mind in terms of doing something new?


wijnandsj

Let me give you two examples from my own work the past few years.

Example 1. Public transport company is looking for onboard firewalls and puts out an RFP. We submit an offer. We've found an equipment manufacturer who makes a device with all the necessary ratings and approvals and some to spare. We've got a reference dealing with firewall management in industrial environments, another in vehicle security and a substantial software development team for a similar company in a neighbouring country. Turned down because we had no previous experience in this. Well duh! They were at that time one of only a handful of companies worldwide looking to do this. Went to a company who makes and implements the boxes.

Example 2. SOC for a utility company. We've got a multitenant SOC, including industrial companies and a utility company (different sort but still a utility company) in a neighbouring country as a reference. We submit two dozen CVs of engineers and consultants with relevant industrial experience. Turned down because we did not have any experience in-country with that kind of utility. So this one went to the company that already had a majority share on the market.

That's what I mean. Governments tend to give the contracts to parties that are already doing it regardless of creating a monopoly, regardless of quality.


Playful-Shock5174

Looking to get into this, where should I start?


throwaway96wa

Get into what?


Playful-Shock5174

Overall cyber security


Nightpain9

Just tell him I said thank you!


throwaway96wa

Will do!


eew_tainer_007

Why are you so complacent? Is the assurance and guarantee of government job security, health insurance, pension one of the reasons behind such complacency? What are you doing about this malaise?


young--geezer

Will you hire and train me, please?


hackedhitachi

Bobs or vagen?


throwaway96wa

They seemed like the vagen type


barefacedstorm

What’s the point if you know we turn on our own so easily?


throwaway96wa

Care to elaborate?


barefacedstorm

Not without seeing some serious money.


throwaway96wa

I will give you time. Time is gold.


barefacedstorm

I’ve been through those circles already, what good is time unless you have the things you want already. Need seed capital at some point in some situations.


Feisty_Potato_7365

Did Biden poop his pants?