Security Writer :verified: :donor: on Nostr:

npub1074dk2mqqxl7kgukea6th3xaa9fdgx7vty2x8zger32uydyf6e3qzhz2j6 npub12lxtr540euchz3wpu4l745spze9fesue5lcentzceegq04ftzzxsajjvjy npub17lgy0rj5a2nwpnyc4hup6ufpfz7wz6dzcgd3crm6fm2yd34dcz0qlk9uux I think most of the benefit I’ve seen so far is from communicating with stakeholders and execs.
Funnily enough, this is one of the things getting picked up on 27001 audits in three different places (independent of my involvement), where organisations don’t have a cloud back-out plan. So on the risk side, knowing there’s the possibility of vulnerabilities that can’t be fixed and quantifying them does really seem to help ground that argument in reality.
I’ve seen the needle really shift from “it’s cloud, obviously it’s secure” to more sensible conversations as if these are real, tangible systems with real problems (which they are).
Functionally… I’m less convinced. We’re relying a whole lot on Microsoft being forthcoming with their vulnerabilities, marking their own homework, after a decade (and longer) of terrible security decisions and practices… so I’m skeptical.
However, I put it to a room full of very senior people at most of the main security vendors last week, and while they agreed in principle that greater transparency would be good for all SaaS/PaaS platforms, they’re waiting for someone to go first.