Since @newsgoth raised the topic, I'd like to keep it going. My intuition is that there are a LOT more GRC types of people out in the workforce than there are pen testers, SOC analysts, bug hunters, REs and so on.
I will say that the thing which really drew me into security was risk. I read the book "Black Swan" before a lot of risk programs started crowing about black swans, and it entertained me endlessly to watch companies try to enumerate and quantify their black swan risks/exposures.
I learned a ton about decision making under uncertainty, and, in particular, that most companies don't have an appetite to be diligent about it, and so we end up with the likelihood x impact heatmap nonsense that lets people press on with their preconceived notions about what risk priorities are.
I do think that a fundamental problem we have in IT is a lack of understanding about what can go wrong. We make what we think are informed decisions, but they generally are not. We lack imagination, which is why I think we need more red team consultations in the GRC field.