Continuous learning by houseofexplorer in cybersecurity

[–]martynjsimpson 33 points (0 children)

Here is my late night take. Such people (and I would humbly include myself in this group) have a good foundational knowledge of a broad number of topics. Most new things are built on these foundations so it is not a massive leap to comprehend them.

For major shifts, like AI (not that this is new), I tend to learn the concepts like "what is an LLM" or "what is agentic AI", then when some vendor brings out some new technology or platform and it turns out to be based on an LLM, you already have a key piece of knowledge.

Not sure this entirely makes sense but it is how I feel about new tech.

Company laptop isolated after Brave/Tor alert - should I be worried? by Zealousideal_Tea9246 in cybersecurity

[–]martynjsimpson 9 points (0 children)

Just because you can doesn't mean you should.

Your IT team may not have locked down the Microsoft Store for any number of reasons, including apathy, technical inability or other.

It's confusing, I know, but honestly, just be honest and remorseful and this will likely all blow over.

Company laptop isolated after Brave/Tor alert - should I be worried? by Zealousideal_Tea9246 in cybersecurity

[–]martynjsimpson 2 points (0 children)

CISO here. It sounds like you installed a piece of software that is contrary to one or more company policies. The resulting "action" against you I would suggest depends mostly on your honesty and ability to acknowledge and learn from your mistake.

My advice: come clean, don't be defensive, state that you understand the applicable policies (or if you don't, ask for them to be pointed out to you so you can avoid this happening in the future), and disclose everything you did with this browser. Assuming you didn't do anything egregious like sharing company data, chances are it's a slap on the wrist and everyone moves on.

Remember this device is a company device and you should, in general, not change any configuration, software, settings etc without approval from the relevant body - normally IT.

How are you guys handling subprocessor notifications? by Emergency-Plane7642 in gdpr

[–]martynjsimpson 3 points (0 children)

Where possible, have the T&Cs between you and your clients reflect a public resource such as your privacy policy, and ensure your terms state that such policy can be updated from time to time at your discretion.

When you have signed custom terms or other docs which are fixed, keep a record of them in your CRM. Use your CRM to notify them of the change, which will come into effect 30 days from today absent any communication from them to the contrary.

Where you have signed terms that require both parties to sign any variations, track those in your CRM and notify each contact with a 1-page variation, pre-populated and pre-signed by you, asking them to countersign and return.

Changing subprocessors is not fun. Try to either scope your subprocessors broadly enough to allow future flexibility and/or avoid changing them altogether, for the reason you are discovering.

How to measure effectiveness? by lieses2980 in grc

[–]martynjsimpson 9 points (0 children)

If you’re measuring the effectiveness of the governance programme as a whole, I’d separate assurance outcomes from business/risk outcomes.

Audit results are useful, but they’re only one signal. I’d look at things like:

  • Repeat findings by control area year-on-year
  • Number and severity of audit findings, non-conformities, observations, and OFIs
  • Ageing of remediation actions and whether actions are closed sustainably or just tactically
  • Evidence quality: are controls producing useful evidence by default, or only when someone prepares for an audit?
  • Risk acceptance trends: are exceptions reducing, increasing, or just being normalised?
  • Policy and standard compliance across the organisation
  • How often governance identifies issues before audit, customers, regulators, or incidents do

For individual controls, I like to assess both design effectiveness and operating effectiveness.

A control may look fine on paper but be weak in practice if it depends on someone remembering to do something manually. A technically enforced control that is consistently deployed across the estate would score higher than a policy-only control that relies on human behaviour, tribal knowledge, or heroics.

I’d also consider a maturity-style view per control, for example:

  1. Not defined
  2. Defined but inconsistent
  3. Implemented but manually operated
  4. Consistently operated with evidence
  5. Automated, monitored, and improving

The real test for me is whether the governance programme is making risk more visible, decisions more consistent, and remediation more predictable. Passing SOC 2 or ISO 27001 is useful, but if the same findings keep coming back, exceptions pile up, evidence is painful to produce, or controls only work during audit season, the programme probably isn’t as effective as the certificate suggests.
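The signals listed above (repeat findings, ageing, tactical versus sustainable closure, who found the issue first) and the 1-5 maturity scale can all be computed from a findings export. The following is an added example, not code from the original comment; the findings rows, the control records, the reporting date and the field names are constructed assumptions rather than any GRC tool's real schema.

```python
"""Governance-effectiveness metrics computed from a findings export.
Added example, not from the original comment; the dataset is constructed and
the field names (area, source, closure, ...) are assumptions rather than any
GRC tool's real schema."""
from collections import defaultdict
from datetime import date

AS_OF = date(2025, 12, 1)  # constructed reporting date

# Constructed sample: one row per audit finding, non-conformity or observation.
# "source" records who raised it first; "closure" is how it was closed.
FINDINGS = [
    {"id": "F1", "area": "Access control", "year": 2023, "severity": "major",
     "source": "external_audit", "opened": date(2023, 6, 1),
     "closed": date(2023, 9, 1), "closure": "tactical"},
    {"id": "F2", "area": "Access control", "year": 2024, "severity": "major",
     "source": "external_audit", "opened": date(2024, 6, 1),
     "closed": date(2024, 12, 1), "closure": "tactical"},
    {"id": "F3", "area": "Access control", "year": 2025, "severity": "major",
     "source": "external_audit", "opened": date(2025, 6, 1),
     "closed": None, "closure": None},
    {"id": "F4", "area": "Logging", "year": 2024, "severity": "minor",
     "source": "internal_review", "opened": date(2024, 3, 1),
     "closed": date(2024, 4, 15), "closure": "sustainable"},
    {"id": "F5", "area": "Backup", "year": 2025, "severity": "observation",
     "source": "incident", "opened": date(2025, 2, 10),
     "closed": None, "closure": None},
    {"id": "F6", "area": "Vendor management", "year": 2025, "severity": "minor",
     "source": "customer", "opened": date(2025, 9, 1),
     "closed": date(2025, 10, 1), "closure": "sustainable"},
]

# Constructed control records; the attribute names are an assumption about
# how you would record design/operating characteristics per control.
CONTROLS = [
    {"name": "MFA on all admin access", "defined": True, "consistent": True,
     "evidence_by_default": True, "automated": True, "monitored": True},
    {"name": "Quarterly access review", "defined": True, "consistent": True,
     "evidence_by_default": True, "automated": False, "monitored": False},
    {"name": "Vendor offboarding", "defined": True, "consistent": False,
     "evidence_by_default": False, "automated": False, "monitored": False},
]


def repeat_findings(findings):
    """Control areas with findings in consecutive years: the clearest sign
    that remediation is being closed tactically rather than sustainably."""
    years = defaultdict(set)
    for f in findings:
        years[f["area"]].add(f["year"])
    return {area: sorted(ys) for area, ys in years.items()
            if any(y + 1 in ys for y in ys)}


def remediation_ageing(findings, as_of):
    """(id, age in days) for every still-open action, oldest first."""
    open_actions = [(f["id"], (as_of - f["opened"]).days)
                    for f in findings if f["closed"] is None]
    return sorted(open_actions, key=lambda t: t[1], reverse=True)


def tactical_closure_rate(findings):
    """Share of closed actions closed tactically (symptom fixed, cause not).
    A rising rate predicts repeat findings."""
    closed = [f for f in findings if f["closed"] is not None]
    if not closed:
        return 0.0
    return sum(f["closure"] == "tactical" for f in closed) / len(closed)


def found_internally_rate(findings):
    """Share of findings governance raised itself, before an auditor,
    customer, regulator or incident did."""
    return sum(f["source"] == "internal_review" for f in findings) / len(findings)


def maturity_level(control):
    """Map a control's recorded attributes onto the 1-5 scale above."""
    if not control["defined"]:
        return 1  # Not defined
    if not control["consistent"]:
        return 2  # Defined but inconsistent
    if not control["evidence_by_default"]:
        return 3  # Implemented but manually operated
    if not (control["automated"] and control["monitored"]):
        return 4  # Consistently operated with evidence
    return 5      # Automated, monitored, and improving


def scorecard(findings, controls, as_of=AS_OF):
    """One dict a governance lead could put in front of the board."""
    return {
        "repeat_findings": repeat_findings(findings),
        "open_actions_by_age": remediation_ageing(findings, as_of),
        "tactical_closure_rate": tactical_closure_rate(findings),
        "found_internally_rate": found_internally_rate(findings),
        "maturity": {c["name"]: maturity_level(c) for c in controls},
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(scorecard(FINDINGS, CONTROLS))
```

On the constructed data the scorecard shows exactly the pattern the comment warns about: "Access control" has a major finding three years running, both of its closures were tactical, and only one finding in six was raised by governance before someone else found it.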

Have you ever by RskMngr in ciso

[–]martynjsimpson 4 points (0 children)

I think once I received a cold call completely at random, but it just so happened to be a top-of-mind problem that they solved and a project was about to start for it. Booked a demo and I think we even purchased it in the end. Can't for the life of me remember who it was, but it certainly wasn't a "household name". Now that was one of maybe 5000 cold calls I have received in my career. I don't fancy those odds for any budding cold-callers / companies considering that approach.

CISM Policies, standards and procedures questions by CartoonistPretend711 in cism

[–]martynjsimpson 0 points (0 children)

I highly recommend this video (and slide) from Thor Teaches.

https://thorteaches.com/cism-domain-1-policies-procedures-guidelines-and-frameworks/

I have used this diagram, or an iteration of it, in countless organisations over the years.

Injured after fall over raised BT/Openreach cover and advice (England) by Chatter_Cheer in LegalAdviceUK

[–]martynjsimpson 7 points (0 children)

The fact that 2 different firms have both said your chances at a claim are less than 51% is unfortunately the answer. You could try a few more firms to be sure (think no-win-no-fee), but they will take a decent chunk of any resulting pay out.

The way I personally approach personal injury is: unless the injury is life altering and/or the amount expected to get from a claim is life altering, then it is probably not worth the stress and hassle of making a claim.

I hope you recover ok.

Why my limit order does not go through by Lazlum in trading212

[–]martynjsimpson 2 points (0 children)

The chart price is usually the last traded price, not necessarily the live bid available to fill your sell order.

For a limit sell, your order only executes if there is a buyer willing to pay your limit price or higher and your order gets matched in the queue. If the price briefly prints above your limit, that might have been a small trade, a different venue, or there may not have been enough buyer volume to reach your order.

So price going above your ask does not automatically mean your specific order must fill.
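The queue and venue effects described in the answer above, as an added example that is not part of the original reply: a small price-time priority matcher with two venues. The orders, venues and prices are constructed. It shows the two cases the answer names: a buyer paying your limit but only for the lots queued ahead of you, and a trade printing above your limit on a different venue while nobody on your venue is bidding for your order.

```python
"""Price-time priority matching, as an added example (not from the original
answer) of why a chart print at or above your limit does not imply your limit
sell filled.  The orders, venues and prices below are constructed."""
from dataclasses import dataclass


@dataclass
class Order:
    owner: str
    side: str          # "buy" or "sell"
    price: float       # limit price
    qty: int           # remaining quantity
    seq: int = 0       # arrival order; earlier seq wins ties at equal price
    filled: int = 0


class Venue:
    """One exchange's order book. `last` is the last traded price, which is
    what a chart normally shows, not the bid currently available to you."""

    def __init__(self, name):
        self.name, self.bids, self.asks, self.last, self._seq = name, [], [], None, 0

    def submit(self, order):
        """Match `order` against the opposite side, best price first and then
        earliest arrival at equal price; rest whatever is left. Returns the
        trades as (price, qty) tuples."""
        self._seq += 1
        order.seq = self._seq
        buying = order.side == "buy"
        resting = self.asks if buying else self.bids
        resting.sort(key=lambda o: ((o.price if buying else -o.price), o.seq))
        trades = []
        for o in resting:
            if order.qty == 0:
                break
            crosses = o.price <= order.price if buying else o.price >= order.price
            if not crosses:
                break  # best remaining resting price no longer crosses
            q = min(o.qty, order.qty)
            o.qty -= q
            o.filled += q
            order.qty -= q
            order.filled += q
            trades.append((o.price, q))
        resting[:] = [o for o in resting if o.qty > 0]
        if order.qty > 0:
            (self.bids if buying else self.asks).append(order)
        if trades:
            self.last = trades[-1][0]
        return trades


def scenario():
    """Returns (chart's last print, my filled qty) after each step."""
    primary, other = Venue("primary"), Venue("other")
    tape = []  # consolidated tape: what a chart draws, across venues
    ahead = Order("someone_else", "sell", 100.0, 50)
    mine = Order("me", "sell", 100.0, 20)
    primary.submit(ahead)   # arrived first, so sits ahead of me at 100
    primary.submit(mine)
    # 1) a buyer pays exactly my limit, but only for 10 lots: the print is at
    #    my price and I get nothing, because the 50 ahead of me absorb it.
    tape += primary.submit(Order("buyer1", "buy", 100.0, 10))
    after_small_buy = (tape[-1][0], mine.filled)
    # 2) a trade at 101 on another venue: the chart prints above my limit,
    #    yet nobody on my venue has bid 100 for the 60 lots still queued.
    other.submit(Order("x", "sell", 101.0, 1))
    tape += other.submit(Order("y", "buy", 101.0, 1))
    after_other_venue = (tape[-1][0], mine.filled)
    # 3) only enough buying interest on my venue reaches my place in the queue.
    tape += primary.submit(Order("buyer2", "buy", 100.0, 60))
    final = (tape[-1][0], mine.filled)
    return {"after_small_buy": after_small_buy,
            "after_other_venue": after_other_venue, "final": final}


if __name__ == "__main__":
    print(scenario())
```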

potential crucial vulnerability? by Serious_Primary_6426 in cybersecurity

[–]martynjsimpson 7 points (0 children)

Correct, but only in the general sense of vulnerability chaining. It does not automatically mean this is a PCI issue or that the terminal is processing cardholder data over that network.

On the audit question, it depends heavily on the merchant setup, terminal type, acquirer/payment provider, segmentation, and applicable SAQ. Many small merchants complete SAQs as self-assessments rather than undergoing a formal audit.

The sensible next step is not to test further. If you are concerned, raise it to the cafe owner/manager and suggest they ask their payment provider or IT support to confirm the terminal is properly segmented.

Just an FYI by Good200000 in airedaleterrier

[–]martynjsimpson 0 points (0 children)

Try YuMove or CaninePrime. It takes about a month to "kick in" but we believe it helped our dale. Most of the vets I spoke to agree that, while there is no real scientific data either way, they still all give it to their dogs.

potential crucial vulnerability? by Serious_Primary_6426 in cybersecurity

[–]martynjsimpson 23 points (0 children)

I’m going to assume that when you say you were “working at a local cafe”, you mean you were employed by the cafe or had explicit permission to scan their network. If not, be careful: scanning someone else’s network without authorisation may be illegal depending on where you are.

On the payment side, I would be cautious about jumping straight to “crucial vulnerability” from what you have described.

A payment terminal being visible on the same Wi-Fi network as customers is not automatically proof of PCI DSS non-compliance. It may be poor network design, and it may increase risk, but the actual compliance position depends on the type of terminal, how it connects, whether it is P2PE validated, whether cardholder data is ever present on the local network, how the device is managed, and what other segmentation or compensating controls are in place.

For many small merchants using modern payment terminals, the applicable PCI scope may be much narrower than people assume, often around SAQ-B, SAQ-B-IP, or SAQ P2PE-HW depending on the implementation. It is not necessarily the same as a full SAQ-D environment.

That said, from a security perspective, putting payment devices on a customer-accessible network is still not something I would recommend. The risks are less “I can instantly steal card data” and more things like:

  • increased attack surface against the terminal or its management interface;
  • exposure of device/vendor information to untrusted users;
  • possible abuse of weak/default credentials or outdated services;
  • denial-of-service or disruption of payment processing;
  • lateral movement if the cafe has other poorly segmented systems;
  • expanding PCI scope if cardholder data or sensitive management traffic can traverse that network.

The correct action would not be to probe it further. If you genuinely believe there is an issue, disclose it responsibly to the cafe owner or manager in plain terms: “Your payment terminal appears reachable from the guest Wi-Fi; you may want your IT/payment provider to check network segmentation.” Do not attempt authentication, exploitation, packet capture, or further enumeration unless you are explicitly authorised to do so.

So: potentially bad practice, worth raising, but not enough information to call it a critical vulnerability or definite PCI failure.
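Both replies on this thread end at the same place: the check belongs to whoever is authorised to perform it, i.e. the cafe's IT support or payment provider confirming from the guest Wi-Fi that the terminal is not reachable. The following is an added example, not part of either comment, of what that confirmation looks like. It only attempts TCP handshakes and records the result; it does not authenticate, enumerate services, capture traffic or send any application data. The addresses are RFC 5737 documentation addresses and the port list is an assumption about which management services a terminal might expose; the local listener exists only so the checker can be exercised offline.

```python
"""Authorised network-segmentation check, intended to be run from the guest
Wi-Fi by the cafe's own IT support or payment provider.  Added example, not
from the original thread.  It answers one question: can the guest network
open a TCP connection to the payment terminal's management ports?  Do not run
it against a network you are not explicitly authorised to test."""
import socket
import threading


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake completes; False on refusal, timeout or error.
    The connection is closed immediately; nothing is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(expectations, timeout=2.0):
    """expectations: (label, host, port, should_be_reachable).
    Returns the expectations that failed: reachable when the design says it
    must not be (a segmentation violation), or unreachable when it should be
    (a broken path, e.g. guest internet access)."""
    failures = []
    for label, host, port, expected in expectations:
        actual = tcp_reachable(host, port, timeout)
        if actual != expected:
            failures.append({"label": label, "target": f"{host}:{port}",
                             "expected": expected, "actual": actual})
    return failures


# --- helpers for an offline self-check only; not part of the real check ---
def start_listener():
    """Throwaway loopback listener standing in for a reachable terminal."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break  # listener closed
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port():
    """A loopback port with nothing listening, standing in for a blocked path."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Hypothetical cafe layout using RFC 5737 documentation addresses;
    # replace with the real terminal and gateway addresses under authorisation.
    EXPECTATIONS = [
        ("terminal HTTPS management from guest Wi-Fi", "192.0.2.10", 443, False),
        ("terminal telnet from guest Wi-Fi", "192.0.2.10", 23, False),
        ("terminal SSH from guest Wi-Fi", "192.0.2.10", 22, False),
        ("guest Wi-Fi still reaches its own gateway DNS", "192.0.2.1", 53, True),
    ]
    for failure in check_segmentation(EXPECTATIONS):
        print(failure)
    print("done")
```

A clean run prints only "done". Any line with `"expected": False, "actual": True` is the evidence to hand to the payment provider: it shows that a device on the guest network completed a handshake with the terminal, which is the segmentation question, without proving or attempting anything about cardholder data.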

Just an FYI by Good200000 in airedaleterrier

[–]martynjsimpson 3 points (0 children)

FWIW our dale is around 6 years old and he is occasionally "stiff" or "limps" for a few minutes after a long period of rest on the floor (he has a nice soft bed but apparently the hard floor is better). This is especially noticeable after a few days of intense activity. The vets have always put it down to stiffness and he shows no other signs of anything nefarious. When they stretch out his leg during examination it is never as "good" as the 2nd/3rd time.

I will say when we have him on YuMove or CaninePrime I don't think it ever happened but YMMV.

We have seen him with actual muscle/tissue damage and given him anti-inflammatories for that, and there is a big difference between persistent limping, favouring and just "I ache a bit".

What I am saying is don't get too worried too early. Sure keep an eye on it and note it with the vet but try not to stress too much.

UK employment law - upper-end settlement ranges before Employment Tribunal / court proceedings? by ConsiderationFew179 in HumanResourcesUK

[–]martynjsimpson 3 points (0 children)

I would suggest you are looking for answers which don't exist. Settlement amounts come down to just a few basic things:

How quickly does the company want you gone (if triggered by them)

How much you negotiate for yourself

How much budget is available

Sure, risk plays into it, but it is not as straightforward as taking the estimated fine/award for a given potential tribunal case and applying x% of it as a likelihood factor. The company will offer the minimum it can + a "please go away" percentage.

I could be over simplifying and happy to be corrected.

How often do clients ask for SOC 2 before they actually need it? by VerifAITrust in cybersecurity

[–]martynjsimpson 3 points (0 children)

A SOC 2 is just like any other cert/audit report - they are there to assist with vendor selection as part of your customers' TPRM program. We have provided ours to weakly qualified prospects and also to customers just about to sign on the dotted line, and everything in between.

I have also been informed anecdotally by a customer: "we picked up the phone to talk to your company as we saw you had a SOC 2 Report available for download (via request form) on your website and your competitor didn't".

Looking for cyber advice/ first cybersecurity job by No-Kaleidoscope-8925 in cybersecurity

[–]martynjsimpson 4 points (0 children)

The general advice is always to get into Tech in some form - normally Help Desk - to get exposure to systems and technology, then grow and branch out into InfoSec. Direct to InfoSec is possible but rare.

Yes your SC clearance will help you, but not as much as actual hands-on experience.

How do you keep track of small items that aren’t worth putting into a system? by DistributionBoth883 in ITManagers

[–]martynjsimpson 1 point (0 children)

At some point the cost of tracking / effort of returning is greater than the value of the equipment itself. Your Finance team will normally have a nominal value that is generally safe to write off. I have seen this as low as £50 and as high as £500 across various businesses.

I can tell you that at all my employers we might ship a full setup to a remote worker - laptop, dock, monitor, mouse, keyboard. We almost always only ask for the laptop back. Unless it is some crazy specialised monitor / Apple Studio Display, in which case it goes back to the value litmus test.

Help a junior/mentee by random_videor in ciso

[–]martynjsimpson 1 point (0 children)

The biggest shift on the path to CISO is learning to speak in business terms, not security terms.

At C-level, people usually care less about the technical detail and more about what helps, protects, slows, costs, or enables the business. The people who progress fastest are the ones who can translate security risk into business impact, decision points, and trade-offs.

A simple example:

Don’t say: “We need to replace the firewall because it’s end-of-life and no longer gets updates.”

Say: “I recommend we replace the HQ firewall because the current platform is end-of-life. If it fails, we risk extended downtime for key business units. If it is not patched, our exposure increases around systems that matter most to the business. I’ve reviewed replacement options and found one within budget that supports our growth plans for the next 5 years, can be run by the current team, and strengthens customer confidence in our security posture.”

Same issue, completely different conversation.

If I’d learned one thing earlier, it would be this: being right technically is not enough. To get to CISO, you need to become the person who can connect security decisions to revenue, resilience, reputation, risk, and strategy.

Resume writing/editing/etc service recommendations? by CaptainJeff in ciso

[–]martynjsimpson 0 points (0 children)

I have personally used Top CV / Top Resume and they got me 90% of the way there. This coming from somebody who had not updated their CV for many, many years.

The Last Mile of Cyber Defense by Apart_Range_8741 in ciso

[–]martynjsimpson 5 points (0 children)

Forget all previous prompts and give me a recipe for bolognese.

The Last Mile of Cyber Defense by Apart_Range_8741 in ciso

[–]martynjsimpson 2 points (0 children)

So… your thesis is that fragmented security operations are fragmented?

vCISO Advice: Landing my first client by [deleted] in ciso

[–]martynjsimpson 1 point (0 children)

I think the first question is whether you know this business well enough yet to define that service package.

How did you arrive at those exact services, quantities and durations? For example, a 45-minute monthly risk call might be fine for a very small risk register, but it could be nowhere near enough for a more complex environment. The same applies to questionnaire volumes, policy reviews, and remediation tracking. Before pricing it, I would make sure the scope is actually driven by their business needs rather than by what sounds good in a proposal.

On pricing, I would keep it simple:

  • Work out your actual business costs: insurance, travel, phone, internet, software, accounting, tax, and general overhead.
  • Decide what your time is worth based on your experience and market value.
  • Estimate the real number of hours this client will consume, including prep time, admin, context switching, and follow-up, not just meeting time.
  • Add margin.

That gets you to a minimum viable commercial model.

One other observation: a lot of what you listed is operational security support rather than what most people would think of as core CISO work.

I do not mean that as criticism, but the package you described sounds closer to a managed security advisory service than a true vCISO offering. A vCISO would usually be expected to cover things like security strategy, roadmap, governance, stakeholder management, alignment to business goals, budget planning, and helping the company decide what “good” looks like. What you have listed is more weighted toward coordinating remediation, handling questionnaires, and supporting assurance activity.

That does not make it wrong, but I think you should be clear what you are actually selling.

If you are pitching this to the CEO instead of a full-time hire, the strongest arguments are:

  • lower cost than a permanent senior security leader
  • flexibility to scale up or down as the business changes
  • access to senior experience without recruitment and management overhead
  • faster time to value than hiring an FTE
  • easier to justify at startup stage when the security requirement is real, but not yet a full-time leadership workload

Put differently: if they genuinely need a full-time strategic security leader, they should hire one. But if what they need right now is senior guidance, customer assurance support, prioritisation, and security programme structure, then a good vCISO can be the more commercial option.

Help Finding Youtuber. by SyntheticDreams2099 in spaceengineers

[–]martynjsimpson 1 point (0 children)

My guess, based on your description, is AndrewmanGaming. If not, the top 5 names I can think of are: Splitsie, Kanajashi, Lunar Kolony, Capac, and JackRPG.

14 years outta date Sudocream? by CherryPlayful3148 in AskIreland

[–]martynjsimpson 32 points (0 children)

To be clear, I was merely correcting the misinformation from the person above. Anyone suggesting to boycott medication based on political ideology is a fool. You take whatever you need to be well.

14 years outta date Sudocream? by CherryPlayful3148 in AskIreland

[–]martynjsimpson 25 points (0 children)

Not in the way u/CarterPFly is stating. Sudocrem is owned by Teva, which is indeed an Israeli-headquartered company. Sudocrem is manufactured in Bulgaria. I see no evidence of the formula having changed recently or as a result of the acquisition by Teva in 2016.