
🎓 VulnU #013: Venture Catastrophists: Profiting from Fear in Infosec 🔒

Exploring the parallels between financial hedging and fear-driven approaches in the world of infosec

Read Time: 5 minutes

Hey Friends,

To the 300+ new subscribers reading along this week - welcome! Glad you’re here.

This issue of Vulnerable U happens to be going out on my birthday! 🎂 🥳 I’m writing from my hotel in Chicago where I traveled for a work trip. Flew my family up with me and we are having a great week in this beautiful city.

We just got back from Wrigley Field watching the Cubs play the Mets. I, of course, wore my Yankees hat, but glad to cross that park off the list of ones I’ve been to. Not too shabby for this birthday boy.

If you’re wondering what you can get me, I accept cash and newsletter referrals.

Let's Get Vulnerable:

After a recent recommendation, I’ve been absolutely devouring content by Scott Galloway, becoming a big fan very quickly. Prof G, as he’s known on his podcast of the same name, embodies all the principles I preach in this newsletter.

Not only is he extremely open and vulnerable about his mental health, his self-described addiction to other people’s affirmations, and his depression, but he also seems to have a superpower for reading through the PR spin and calling BS when he feels it’s necessary.

On a recent episode he coined a term that I immediately knew was going to be a newsletter topic: “Venture Catastrophists.”

🌩️💸 Sounds ominous, right? Venture Catastrophists are the folks who profit from the fear and anticipation of economic collapse, the ones who bet on disasters rather than working towards prevention and improvement. 😰📉

And guess what? This notion struck a nerve with me because it's not just relevant to Wall Street, but also to our own turf – the world of infosec. 😱💻

Yes, just as some folks anticipate financial crises, there are those who lean into the fear of breaches, ransomware attacks, and cybercrime. They envision an infosec apocalypse, expecting it to skyrocket the demand for their security solutions. 🦹‍♂️🔐

Preparing for the worst-case scenarios is crucial, no doubt. But, shouldn't our main goals be prevention, detection, and response, rather than merely profiting from chaos? We've seen the devastating effects of major breaches too many times. However, constantly pushing a narrative of doom can lead to irrational decision-making. 🎭🔥

So, how about we flip the script? Let's shift focus to developing resilient systems, training capable professionals, and fostering a culture that is driven by solutions rather than catastrophes. 🚀🧑‍💻 Our aim should be to create a safer internet and promote a mindset that tackles challenges head-on. 💪🌐

In doing so, let's not forget to pack some emotional intelligence tools in our cybersecurity toolbox. It's high time we asked ourselves: Are we betting on the world's collapse, or are we actively contributing to the solution? We need to strike a balance between recognizing potential risks and maintaining a proactive approach. 🧠💫

To drive it home:

Fear vs. Solution-Driven Approach 🎭 vs. 🏋️‍♂️: The narrative we choose to push matters. Fear leads to irrational decision-making, while a solution-focused mindset inspires innovation and resilience. Let's pivot from fear-mongering and start championing solutions, resilience, and preparedness. The goal? A collective safer internet. 🌐🚀

Building Resilience 🏗️: Resilience isn't just about having the latest security tech; it's also about training capable professionals. By investing in skills development and fostering a culture that values continuous learning, we can build a more resilient community. 🧑‍💻💼

Mental Health and Emotional Intelligence 🧘‍♀️🧠: Lastly, the human elements determine how we handle threats, cybersecurity threats included. A growth mindset and emotional resilience can help us navigate challenges without succumbing to fear. So let's invest in our emotional toolkits as much as our technical ones. After all, behind every secured system is a team of strong, healthy individuals.

Wrapping this with a direct quote from the Prof G episode:

It comes down to this. What type of leader, business person, and (quite frankly) man do you want to be? When shit gets real, do you want to be the steady hand who stays calm and works with others, with purpose and skill, to figure out a solution? Or are you in the foxhole screaming, only giving your position away and making things worse? The real man here, the real American, is in Washington, and his name is Janet Yellen. The Venture Catastrophists are the other guys.

Scott Galloway

Elective Reading

Here are some things I’m reading right now and some cliff notes or thoughts:

Chinese Malware Hits Systems on Guam. Is Taiwan the Real Target? The code, which Microsoft said was installed by a Chinese government hacking group, set off alarms because Guam would be a centerpiece of any U.S. military response to a move against Taiwan. - (also covered in the NYT here)

We hear a lot about supply chain security, but this is a unique version of that. Instead of a dependency somewhere in code suddenly turning malicious, it’s a fairly popular Android app that went from legit to spyware.

One of the craziest AI demos I’ve seen so far.

“For all three bugs, Apple said it is “aware of a report that this issue may have been actively exploited.””

Nobody working blue teams is surprised by this. Come to think of it, nobody selling security products is surprised by this. Layoffs aren’t the only way wallets tightened this year.

There is so much to unpack here. Not every day you get a full report on a Chinese corporate espionage scheme. The formula for the chemical that keeps Coke from eating through the cans was on a spy’s hard drive.

“The quality of the vulnerability details published by Microsoft on Patch Tuesday has noticeably declined. Vulnerability descriptions used to be useful. Now they are reduced to being nearly meaningless.”

Really didn’t have this on the bingo card. Don’t enjoy when any .gov goes after e2e encryption under the guise of security.

Rachel is awesome. This topic is super real and in the right spot in the mainstream on 60 Minutes, because the audience of that show are exactly the targets of the scams she demos.

Got ‘em

Community Spotlight:

Easy call out today since one of the big news stories linked above comes out of their team - Sherrod DeGrippo is one of the good ones. One of the best ones even.

I’ve looked up to Sherrod for years and loved the work she’s shared on many stages and I’m glad something from her team is making news this week.

Extra Credit:

Help Us Grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them! As of now, spread will just be by word of mouth.

Parting Thoughts:

Let me know how I can help, as always. If there's a topic you'd like to see covered in a future edition of the newsletter, or if you have any questions or concerns, please don't hesitate to reach out. I’m always happy to hear from our readers and help in any way I can.

Stay safe, Matt Johansen
@mattjay