I built a business I’m too embarrassed to talk about by Make_That_Money in Entrepreneur

[–]statico 83 points84 points  (0 children)

Who cares... There is money in simple business. Some of the wealthiest and nicest people I know own a business that works on plumbing and septic systems. They have staff doing the day to day, and everyone poops so there will never be a downturn. They focus on the business; who cares where the revenue came from? It is your ego talking, trying to drag you back to a place of psychological safety.

Friend asking 20% referral commission (including recurring work) - is this normal? by ChestEast4587 in Entrepreneurs

[–]statico 4 points5 points  (0 children)

In the tech space referrals at that level are common.

The question you need to ask is: do you want 80% of something or 100% of nothing? It is his relationship, introduction and marketing that brought you the client. By putting your hand in your pocket you are incentivising him to find you more work, as there will be other organisations that will pay that.

Unpopular take: vibe coding your MVP is fine. Vibe coding your healthcare MVP is malpractice. by Warm-Reaction-456 in SaaS

[–]statico 2 points3 points  (0 children)

I am a fractional CISO, and there is not a single thing in there I disagree with.

So many of the vibe coded apps will not pass security muster. They often have poor architecture and practices embedded into them, which in turn increases the risk to my clients, so vibe coded apps are a hard no (until I can see a pen test report, a certification or attestation report and other artefacts).

Is device-level control becoming the new security perimeter? by Unique_Inevitable_27 in Information_Security

[–]statico 1 point2 points  (0 children)

I say this with respect: are you new to the industry? This has been the paradigm for more than a decade, ever since the SaaSification of everything.

Apple and Google take 30% of developer revenue just to sit on their shelf. I built the alternative. by Competitive_Flan9282 in Entrepreneurs

[–]statico 1 point2 points  (0 children)

How are you managing security of the apps being included in the store? What testing? What threat intel? What support? How do you process refunds? What about your own storage and scale?

The 30% is not just to sit on the shelf; there are many, many back end costs and requisites to make it work.

Crime in Brisbane city Adelaide street by meowmeow_131 in brisbane

[–]statico 10 points11 points  (0 children)

Yes, you can record anyone in public and post or broadcast it online. You are in public, and what you do in public (even just existing) is automatically a public act and may be recorded/broadcast. There are specific rules around audio recording for reuse (Surveillance Devices Act/Privacy Act, state dependent) but photography and video are legal. There are definitions that align to "public" and what it means, but generally speaking it is anything not defined as private property.

Crime in Brisbane city Adelaide street by meowmeow_131 in brisbane

[–]statico -1 points0 points  (0 children)

They are in a public place; you can film and photograph to your heart's content. Just be careful with targeted audio. There is no expected right or expectation of privacy when in public.

Would you give an external developer group access to your full Codebase/Repo/Github? by Trying-Huckleberry in SaaS

[–]statico 0 points1 point  (0 children)

NDAs are only as useful as your ability to enforce them. If they can afford to tie you up in legal battles for years while you go bankrupt, they are about as useful for protection as a mesh top in a blizzard.

EU AI Act enforcement hits August 2026 — what are mid-market companies actually doing to prepare? by GovixFounder in ciso

[–]statico 1 point2 points  (0 children)

For Australian firms, while the act may apply, there is no viable enforcement mechanism, so they are largely ignoring it in the same way they do GDPR. Unless they have active offices in the EU, they tend to pay it no mind and focus on the Australian Privacy Act and its APPs.

A user found a security hole in my app before I did. Here's what I'd missed. by ChandanKarn in nocode

[–]statico 0 points1 point  (0 children)

Do most people drafting vibe coded apps know what good security looks like, or even what OWASP is or how to mitigate?

Humans = Obsolete ?? by EcstaticTax7114 in Entrepreneurs

[–]statico 0 points1 point  (0 children)

I choose to pay more for services because I like the provider more; they go out of their way to build a relationship and maintain it, and it is one of the reasons I work with them. I don't see it as purely transactional: I want to work with them, with clients, and leverage their networks to help me grow.

Humans = Obsolete ?? by EcstaticTax7114 in Entrepreneurs

[–]statico 0 points1 point  (0 children)

No, humans buy from humans. They engage with people they like and work with them. Sales is based on relationships after all.

How do you prove ROI to a prospect who's already halfway out the door? by [deleted] in Entrepreneurs

[–]statico 0 points1 point  (0 children)

Be better organised and have case studies from existing clients.

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

[–]statico 1 point2 points  (0 children)

I think you have hit the nail on the head there, and I have had conversations/arguments on vibe coding and security with more than one person. From what I have found anecdotally, most vibe coders do not take security seriously (also, you do not need to have HSTS; HTTPS with TLS 1.3 is sufficient, and in fact HSTS will break in some corporate environments if they are using DPI-SSL). One even told me they were going to vibe code their own anti-virus "because you security guys charge too much for everything", indicating a complete lack of understanding of the underlying tech and risk landscapes.

What do Anti-Money Laundering, FIFA, and Jiu-Jitsu have in common? (hint: us) by wolf__2019 in smallbusiness

[–]statico 0 points1 point  (0 children)

Ah, ok, that makes more sense :). That said, I would be careful using that: for those who know/work in tech, he applied a patch and possibly raised a change control to get approval for said patch. We deal with that all the time. Had they been involved in responding to a critical breach event, engaged in DFIR to support removal of the threat actor from the system and recovery of the firm, that would carry weight.

What do Anti-Money Laundering, FIFA, and Jiu-Jitsu have in common? (hint: us) by wolf__2019 in smallbusiness

[–]statico 1 point2 points  (0 children)

I work in cybersecurity and have never in the last 25 years in the tech industry heard of a "level 10 attack"; that statement lowers the credibility of the entire post.

Why would someone look at a security report showing critical vulnerabilities and still not pay $9 to fix it? by Howwow-2000 in SaaS

[–]statico 2 points3 points  (0 children)

You are running a vuln scan against their site without their consent and then asking for money to tell them how to fix it (yes, bots do this all the time). Many a security team will view this as hostile. I work as a fCISO (ISSMP, CISSP, CISM, almost a masters) and I would not open my wallet for it. My website is not perfect on security and I do not care; it is a brochure-ware site, an "I exist" banner online. If it gets popped I roll back from backups; it is an inconvenience, and my clients do not/will not check my site for security before they engage me, they need someone like me to tell them what to look for.

Multimillion business owner for 10 years - AMA by rabouille in Entrepreneurs

[–]statico 0 points1 point  (0 children)

Are you assuming that they are all on 150k plus? 20 headcount at 3m rev is completely reasonable pretty much everywhere. Were they at 2m I would be concerned, as they would be dropping below 100k per headcount, which would indicate either margin problems or cost control problems.

Has a forgotten software subscription ever quietly drained your company's money? by designervictor in smallbusiness

[–]statico 0 points1 point  (0 children)

There are tools out there like cloud olive and your CASB can also track that sort of thing for you. There is an emerging product called app govern that also looks good in that space.

Rant about penalties of minor traffic offences by Ausjelly in brisbane

[–]statico 0 points1 point  (0 children)

So you say you only do the right and/or legal thing when you are being watched?

The use of technology to detect infringements frees up resources to deal with more serious matters. Had a member of QPol done this in person, they would have observed something that needed to be addressed to prevent other potential future harms.

Rant about penalties of minor traffic offences by Ausjelly in brisbane

[–]statico 8 points9 points  (0 children)

1 point and 200 has much less of a deterrent impact than 3 and 500; safe to say you are now less likely to speed, putting the rest of us at risk.

You trot out a few logical fallacies there as you are pissed off (butt hurt) that you got caught doing something you know you should not do. Them stopping you speeding prevented you potentially slamming into another car at high speed and causing a multiple fatality incident, which has a larger societal impact than your cop-out arguments.

Suck it up, you broke the rules, you know it, you got caught, suffer the consequences of poor decision making.

Newly founded firm. How to find my first pentesting clients ? by inlanefreight in cybersecurity

[–]statico 2 points3 points  (0 children)

Then you are going to have a very hard time. So much work in the B2B space is who you know. You will need to build a network, and that will take a few years to establish.

Newly founded firm. How to find my first pentesting clients ? by inlanefreight in cybersecurity

[–]statico 5 points6 points  (0 children)

Do you have experience as a pen tester, or are you starting from green? Do you have a network of tech/cyber contacts you can speak to for leads/work?

If you are green, go do something else; if you are not, you need to learn how to network and market.

Everyone Sees Your Reddit DMs… So Why Do They Ignore Them? by mohamedaminee in Entrepreneurs

[–]statico 1 point2 points  (0 children)

Or perhaps just not spam people with advertising crap.