2020-016-Cameron Smith, Business decisions and their (in)secure outcomes - Part 1

From BrakeSec Education Podcast


Length:
49 minutes
Released:
Apr 29, 2020
Format:
Podcast episode

Description

Cameron Smith @Secnomancer

Layer8conference is virtual (https://layer8conference.com/layer-8-is-online-this-year/)
https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final

CMMC: https://info.summit7systems.com/blog/cmmc
https://www.comptia.org/certifications/project - Project+
Cameron Smith = www.twitter.com/secnomancer
Cybersmith.com - Up by 14 April

Ask@thecybersmith.com
Cameron@thecybersmith.com
https://en.wikipedia.org/wiki/Christopher_Voss
https://www.amazon.com/Never-Split-Difference-Negotiating-Depended/dp/0062407805
https://www.masterclass.com/classes/chris-voss-teaches-the-art-of-negotiation
https://www.masterclass.com/

https://www.autopsy.com/support/training/covid-19-free-autopsy-training/
https://www.youtube.com/playlist?list=PLg_QXA4bGHpvsW-qeoi3_yhiZg8zBzNwQ

“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.”― Ernest Hemingway
https://www.goodreads.com/quotes/76281-there-is-nothing-noble-in-being-superior-to-your-fellow

Original B-Sides Talk Blurb

SITREP: A Consultant's Perspective from the Trenches of InfoSec

In this session you will hear war stories and lessons learned consulting for hundreds of clients across dozens of verticals at every level, from bootstrapped startups with garage beginnings to Fortune 50 companies and everything in between. We will cover life on the front lines in InfoSec, ranging from individual contributions and staying relevant in a rapidly evolving field all the way to how bad most orgs are at InfoSec and what we can do as practitioners to help make them better.

Speaking Goal

After my presentation is over, I want my audience to...
- Feel better about where they are as an infosec practitioner
- Understand that most of Cybersecurity is largely NOT about the latest hack or technique
- Failing is OK as long as you learn from it

...so that ...
- When they go back to their office / SOC / client engagements on Monday they focus on the things that matter to their organizations
- Hopefully feel a little bit less that the work they are doing is boring, exhausting, unappreciated, or hopeless

Intro

- Security is a really crazy industry
  - Like the wild west out here
  - Constant threats
  - Complacent or ignorant clients/dependents
  - Resource and budget constraints
- Security is really complex
  - There are SO. MANY. MOVING. PIECES.
  - There is a never ending stream of new information to learn and new threats to face
  - Security always involves at LEAST 4 parts
    - The practitioner - Hopefully you have backup!
    - What you're protecting - Employer, Client, System, Application, Data, SOMETHING, etc
    - What you're protecting it from - External TAs, Internal TAs, Incompetence, Apathy, Plain Ol' Vanilla Constraints, etc
    - What you have to protect it with - Budgets, Time, Personnel, Training, Relationships, etc
- Cybersecurity/Information Security is simultaneously an old and new/emergent discipline
  - Cyber History
  - Old
    - Nevil Maskelyne / Guglielmo Marconi wireless telegraphy attack and Morse code insults - 1903
    - Phreaking in the 1960s
    - ARPANET Creeper - 1971
    - Morris Worm - 1988
  - New
    - Gartner Coined term SOAR in 2017
      - Yeah... It's barely 3 years old.
      - Now you can literally find job openings with SOAR Engineering titles
    - DevSecOps - Amazon presentation in 2015?
      - Not even in grade school yet.
    - Average enterprise is running 75 security tools in their environment (Cybersecurity almanac 2019)
  - Most cybersecurity professionals over 30 do not have degrees in cybersecurity
    - Many don't even have Computer Science or IT related degrees
    - This is its own problem
      - Training cyber pros, Chris Sanders, cognitive crisis, etc.
      - BDS ep 2019-021 and 2019-022
  - Emergent disciplines are challenging by default
    - You chose to play the game on hard mode for your first play through
- Security really isn't as complicated as most people think
  - Occult Phenomenon
    - Things we don't understand we imagine to be far more complex
    - Things we anticipate we imagine to be far w


A podcast all about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.