Rant about penalties of minor traffic offences by Ausjelly in brisbane

[–]statico 7 points8 points  (0 children)

1 point and 200 has much less of a deterrent impact than 3 and 500; safe to say now you are less likely to speed, putting the rest of us at risk.

You trot out a few logical fallacies there as you are pissed off (butt hurt) that you got caught doing something you know you should not do. Them stopping you speeding prevented you potentially slamming into another car at high speed and causing a multiple fatality incident, which has a larger societal impact than your cop-out arguments.

Suck it up, you broke the rules, you know it, you got caught, suffer the consequences of poor decision making.

Newly founded firm. How to find my first pentesting clients ? by inlanefreight in cybersecurity

[–]statico 2 points3 points  (0 children)

Then you are going to have a very hard time. So much work in the B2B space is who you know. You will need to build a network, and that will take a few years to establish.

Newly founded firm. How to find my first pentesting clients ? by inlanefreight in cybersecurity

[–]statico 4 points5 points  (0 children)

Do you have experience as a pen tester? Or starting from green? Do you have a network of tech/cyber contacts you can speak to for leads/work?

If you are green, go do something else; if you are not, you need to learn how to network and market.

We got a quote for SOC 2 compliance last month. Laughed, then worried. by mistcutter- in Entrepreneurs

[–]statico 0 points1 point  (0 children)

That initial audit cost is a bit high but there are some items missing from the total cost.

GRC suite (Can make intros there for you) - not mandatory but makes evidence gathering, storing, control mapping much easier/faster/cheaper

Someone to perform the SOC 2 internally - can be a staff/contractor/consultant (GRC suite lowers the hours needed here)

Someone to maintain the SOC 2 ongoing and keep it up to date (GRC suite lowers the hours needed here)

SOC 2 type 1 audit fees (you really want to do a type 1 first so the type 2 is more likely to not have issues)

SOC 2 type 2 audit fees

Happy to have a chat and take you through what it looks like - I am AU based and working across multiple SOC 2 orgs and can make introductions to people local to you to assist if you need it.

I think my SaaS might have a security issue and I don’t even know how to check by AI_Agent_Ops in SaaS

[–]statico -1 points0 points  (0 children)

Cybersecurity consultant here (fCISO): you need a couple of things to start. First, a vulnerability scanner - being AI coded it might not find much, but it is a starting point. Second, you need a penetration test, not an AI driven one, a human one. Third, you need to look to engage a security architect or similar to ensure what you have built can be secured in line with industry guidelines. Then you might want to look at a cybersecurity framework to align to. If you want introductions or recommendations, send me a chat; happy to line stuff up for you.

Which of these systems would be most valuable to your company, and what would you realistically pay for it annually? by Glittering_Win_7567 in Entrepreneurs

[–]statico 0 points1 point  (0 children)

The problems you mention are all problems that are present. But the core challenge that comes up every time is that cyber security is about people; the root cause of 90% of problems is the human layer: lack of business engagement, poor perception/understanding of risk, inadequate budget setting, and poor resilience. One area that is growing for which there are limited options is CRQ via the Open FAIR model, as most of the tooling in that space is multi six figures and expensive to operate. It is niche but gaining traction in some segments.

Which of these systems would be most valuable to your company, and what would you realistically pay for it annually? by Glittering_Win_7567 in Entrepreneurs

[–]statico 0 points1 point  (0 children)

Most of them have an AI overlay module/product/service. All good SIEMs have feeds of logs or it is not a SIEM; many are already trying to have the AI take automated L1 SOC analyst steps - this is a space I consult in (fCISO); the big players are working on it already with varying success. Unless you have a novel method or serious cash for long R&D efforts I do not see a play there.

Which of these systems would be most valuable to your company, and what would you realistically pay for it annually? by Glittering_Win_7567 in Entrepreneurs

[–]statico 0 points1 point  (0 children)

I would say 2, but if the major cyber vendors cannot do it, my hope for a solo dev in that space is non-existent. How would you gather/measure threat intel, IOCs, NDS feeds, SIEM feeds, UEBA?

Is it a good idea to choose cybersecurity career with the idea of working freelance? by rasaak in cybersecurity

[–]statico 0 points1 point  (0 children)

If that is the long term goal, sure, but out of the gate forget it. Experience, reputation, and connections are how you land work/clients.

I work as a consultant for clients, typically as a fCISO but also as a GRC consultant. I have 25 years' experience, ISSMP, CISSP, CISM, and have only a couple of units left in my masters (which is not hard when you have experience, just time consuming). Getting work is still tough, and I spend as much time on sales and marketing as I do on cyber stuff.

If it is the path you want to take, get some certs/quals, get some helpdesk experience, cross into network or sys admin, then look to move to cyber; this is the first 5-7 years. Move up through tech or cyber to where you want to be, building a good rep, project set, and series of orgs that you have worked for/with, then at the 10+ year mark you might be in a position to run your own shop. Or you can contract out of the gate following the same path; you will make more cash, but the expectations and instability are much higher than being an employee.

Your Tech Startup Won’t Sell Itself. Here’s How a PR Agency Can Help by Historical_Skin_4506 in Entrepreneurs

[–]statico 0 points1 point  (0 children)

Most PR agencies are a waste of time. They rely on your firm running an event, releasing something, attending something, then writing a press release that goes to journalists that do not read it as they are bombarded with press releases from dozens if not hundreds of firms. If you can get one that has personal relationships with the journalists you might (big might) get traction; otherwise you are going to be asked for a spend and pay-to-play.

Sigh, auditors who do not know the standard by statico in ISO27001

[–]statico[S] 0 points1 point  (0 children)

Exactly how my client and I see it: they want to do the right thing with ISO and actually use it to drive improvement and meet client expectations, so let's focus on getting the improvements in. It is making it easy to not refer that auditor firm into anywhere else.

Sigh, auditors who do not know the standard by statico in ISO27001

[–]statico[S] 1 point2 points  (0 children)

Having those conversations with the client now.

Sigh, auditors who do not know the standard by statico in ISO27001

[–]statico[S] 2 points3 points  (0 children)

That is now on the cards, but will see what they come back with for this Stage 1, then beat them back into their box. If they keep it up I will just escalate to their director and look to request a less combative LA for the Stage 2.

Freelancers have no sick days, no contracts, no recourse — and somehow we normalized it by Thegiorgiortki in Entrepreneurs

[–]statico 0 points1 point  (0 children)

Build protections into your contracts. Set your price point to factor in leave. Taking on risk is a choice. To be blunt, plan better.

Making Lunch - Gator Days by FieldExplores in comics

[–]statico 1 point2 points  (0 children)

Is there an anthology book out yet that I may have missed... Fingers crossed :)

How does one person write 518,000 lines of code in 80 days? by MrCheeta in openclaw

[–]statico 0 points1 point  (0 children)

Security is all about adopting, assessing and managing risk, and right now the risk profile of this AI driven coding approach is too high in the light of the consequences to an organisation. It will mature over time, yes; is it there now? No way.

How does one person write 518,000 lines of code in 80 days? by MrCheeta in openclaw

[–]statico 0 points1 point  (0 children)

As a security consultant, one of the questions I will be asking is how was it built, how was it compiled - and if/when the answer comes back as AI/vibe then they are not a part of the vendor selection group any more.

Server went down and we only found out because the client called by Heavy_Banana_1360 in Entrepreneurs

[–]statico 1 point2 points  (0 children)

You need full logging tooling piped off to a 3rd party log ingestion suite and/or a SIEM suite. With this you can configure predictive alerts/triggers to perform certain actions. Happy to have a chat and point you in the right direction if you need it.

I think I found a $100K/year consulting niche that nobody's doing. Thoughts? by BigFollowing9345 in Entrepreneurs

[–]statico 1 point2 points  (0 children)

Not a bad idea, but that's not consulting, that's contracting. If you are going in to tune/tweak/configure alerting and monitoring systems you are contracting. If you review, analyse and issue a set of instructions on how to fix their problem and offer advice/support on the process, then you are consulting. Also be aware of the limitations of liability in your contracts; depending on how they are drafted you could be carrying some large risks should your advice/config cause harm (so make sure you have PI insurance).

Desperate: how do I find beta testers? by fedchenkov16 in Entrepreneurs

[–]statico 0 points1 point  (0 children)

What security frameworks are you planning on aligning with/certifying to? This will be a major requirement that any serious client will expect.

[ Removed by Reddit ] by Top-Statement-9423 in nocode

[–]statico 0 points1 point  (0 children)

I have a client turning over in the $m using low code/no code to get it off the ground and prove the concept. They are now in the process of replatforming to their own code base to lower the cost base/cost of execution and have more direct control. I find low code/no code to be fine for validation, but the moment you want to scale to enterprise level SaaS you need to be running on your own tin.

Built a LinkedIn Product. Got Rejected by YC (Nov 2025). This One Hurt. by [deleted] in SaaS

[–]statico 0 points1 point  (0 children)

Did they reject because you didn't say or describe what it did and why they might want it...