Cyber Security Design Studies, Papers, Books, and Resources

Archive for the ‘Security’ Category

Cyber Security Design Studies, Papers, Books, and Resources

Posted by

The cyber security design principles emphasize psychology over technology. Here is a collection of scientific studies, research papers, design books, and related resources.

This is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Paths They Take

Number of steps; Familiarity of each step; Friction at each step.

Introduction to Customer Journey Mapping (ebook)

Flow Design Processes – Focusing on the Users’ Needs

Scientific Articles

Shosuke Suzuki, Victoria M. Lawlor, Jessica A. Cooper, Amanda R. Arulpragasam, Michael T. Treadway. Distinct regions of the striatum underlying effort, movement initiation and effort discounting. Nature Human Behaviour, 2020; DOI: 10.1038/s41562-020-00972-y

G. Suri, G. Sheppes, C. Schwartz, J. J. Gross. Patient Inertia and the Status Quo Bias: When an Inferior Option Is Preferred. Psychological Science, 2013; DOI: 10.1177/0956797613479976

ulia Watzek, Sarah F. Brosnan. Capuchin and rhesus monkeys show sunk cost effects in a psychomotor task. Scientific Reports, 2020; 10 (1) DOI: 10.1038/s41598-020-77301-w

Choices They Make

Number of choices; Predictability of the choice; Cognitive load of each choice.

Nudge to Health: Harnessing Decision Research to Promote Health Behavior

Sludge: “activities that are essentially nudging for evil”

Intentional and Unintentional Sludge

Books

Choosing Not to Choose, by Cass Sunstein

How to Decide: Simple Tools for Making Better Choices, by Annie Duke

Being Wrong: Adventures in the Margin of Error, by Kathryn Schulz

Scientific Articles

Sunstein, C. (2020). Sludge AuditsBehavioural Public Policy, 1-20. doi:10.1017/bpp.2019.32

Soman, Dilip and Cowen, Daniel and Kannan, Niketana and Feng, Bing, Seeing Sludge: Towards a Dashboard to Help Organizations Recognize Impedance to End-User Decisions and Action (September 27, 2019). Research Report Series Behaviourally Informed Organizations Partnership; Behavioural Economics in Action at Rotman, September 2019

Chadd, I., Filiz-Ozbay, E. & Ozbay, E.Y. The relevance of irrelevant informationExp Econ (2020). // Unavailable options and irrelevant information often cause people to make bad choices. The likelihood of poor decisions is even greater when people are presented with both.

Behavior

The behavior we want people to perform.

Scientific Articles

Hall, Jonathan D. and Madsen, Joshua, Can Behavioral Interventions Be Too Salient? Evidence From Traffic Safety Messages (September 16, 2020).

Barriers

Barriers preventing people from completing the behavior.

Scientific Articles

Benefits

Benefits of completing the behavior.

Scientific Articles

Training (Ignorance)

Scientific Articles

Irrationality

40 Clever and Creative Bus Stop Advertisements

Scientific Articles

Vadiveloo, M. K., Dixon, L. B., & Elbel, B. (2011). Consumer purchasing patterns in response to calorie labeling legislation in New York City. The International Journal of Behavioral Nutrition and Physical Activity, 8(1), 51-51.

Fernandes, D., Lynch, J. G., & Netemeyer, R. G. (2014). Financial literacy, financial education, and downstream financial behaviors. Management Science, 60(8), 1861-1883.

Investments

More people, better technology.

Scientific Articles

Incentives

Books

Drive: The Surprising Truth About What Motivates Us, by Daniel H. Pink

Scientific Articles

Gneezy, U., & Rustichini, A. (2000). A Fine is a Price. The Journal of Legal Studies, 29(1), 1–17. doi: 10.1086/468061

Rey-Biel, Pedro & Gneezy, Uri & Meier, Stephan. (2011). When and Why Incentives (Don’t) Work to Modify Behavior. Journal of Economic Perspectives. 25. 191-210. 10.2307/41337236.

Behavior Economics

From “Economic Man” to Behavioral Economics

Related Books

  • The design of everyday things, by Don Norman
  • Designing for the digital age: How to create human-centered products and services, by Kim Goodwin
  • Design research: Methods and perspectives, by Brenda Laurel
  • User experience revolution, by Paul Boag

Presentations

Does security have a design problem? Designing Security for Systems that are Bigger on the Inside.

How does design apply to securing application development and DevOps? Securing without Slowing.

How does design apply to BYOD and Cloud apps? Security Design Strategies for the Age of BYO.

How does design apply to blue teaming? Design Thinking for Blue Teams.

Killing Passwords with Infosecurity Magazine

Posted by

Back in September, Gartner detailed its top eight security projects for the coming year. Among those was the concept of ‘passwordless’ authentication, where a second factor such as a known asset like a phone, tablet, keyfob or smart watch can be used instead of a password.

Excerpt from: Interview: J Wolfgang Goerlich, Advisory CISO, Duo Security (Cisco)

Speaking to Infosecurity, Goerlich cited a talk at the 2004 RSA Conference, where Bill Gates said that the password is dead, and Goerlich commented that “16 years later we’re still trying to kill it.” He said that to enable a passwordless strategy, you need both the equipment and technology to enable it, but mostly you need “to have momentum in the organization and a reason to do it.”

However, now that everyone carries a biometric authenticator in their pocket, has hardware in place and given the fact that security wants to enable users, why do passwords still exist? 

Read the full article: https://www.infosecurity-magazine.com/interviews/interview-wolfgang-cisco-duo/

Wolf’s Additional Thoughts

What leads one innovation to succeed? What leads another innovation to stall? We need standards, infrastructure, and critical mass. But these come often out of order and require a spark to bring it all together. Sixteen years after Bill Gates declared the password dead, we’ve reached the inflection point. It’s about to get exciting.

The final thought in the article is “He concluded by saying that increasing trust in authentication is vital for passwordless to succeed, as today’s good factor is bypassed tomorrow. “

My strong recommendation is pairing passwordless with additional anti-fraud measures. Include the device identification in the authentication. Include behavior analytics (where, when, how) to further bolster trust in the authentication. We can predict criminals will work around these authentication methods, so let’s move now to put in place compensating controls to detect and prevent their next move.


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Hold a value, make a decision, change a life – Design Monday

Posted by

“Develop people, develop security.” That was our tagline for the SimWitty team. The order reflected our values and simplified decisions. What to prioritize, developing a skill in a teammate or getting a release out the door? When develop people comes first, the answer is clear.

“Make a loan, change a life.” That’s Kiva’s tagline. Kiva has significantly more impact on broader social issues than SimWitty ever had, and it’s barely a comparison. There is one thing both have in common: values reflected in slogans resulting in decisions.

Kiva had a challenge. While its goal was to change lives through loans to small businesses, most businesses weren’t completing the application. The conversion rate was less than 1 in 5. Kiva looked to make design changes to simplify the application process. Many suggestions were made. One suggestion was particularly counter-intuitive to the point of being controversial: give small businesses a deadline.

“The founder was appalled. By giving customers a deadline, the company would have to deny service to people who missed that deadline. Denying service, the founder argued, was not a part of their company values,” wrote Kristen Berman, founder of Common Cents and Irrational Labs, who championed the design work for Kiva.

Security leaders must bring a degree of clarity to their team. Our values must be clear. Our criteria must be clear. And how we’ll try things and evaluate decisions must be clear. For Kiva, that meant changing lives through access to capital, with the number of people who complete loan applications as one measure. What does it mean for a security team?

Berman’s team went to work and experimented with deadlines. The number of completed applications went up. They experimented with incentives for early completion. Application rates went up further. More small businesses than ever were completing applications, resulting in changing more lives than ever. The decision to move ahead with the approach was clear.

This series has covered security programs reflecting strongly held corporate values. It’s equally important that a security leader have strong personal values, and that these values are reflected within the team. As Kiva’s example illustrates, there are times when options, on the surface, run contrary to our values. The path forward is to have a clear definition of success within those values.

Clarity enables experimentation and innovation while remaining true to what we believe in. Security leaders design capabilities and lead teams that reflect their personal values.

A case study in behavior design to reflect values. Read about the Kiva app redesign here.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Anti-patterns and Patterns for Directing Security Projects – Design Monday

Posted by

An implementation is like a movie, directed by leadership and produced by project management. Successful security implementation projects start strong, start with style, start like movies. As projects are running, what else can cinema teach us?

I began this series of cyber security design principles with an insight: to see things differently, look at different things. Spend a week with an artist, designer, or director. Find a security lesson. Share what I find. Sometimes my process is easy, sometimes difficult. Yet no one has challenged me more than Federico Fellini.

Federico Fellini. Distinctive, acclaimed, the Italian filmmaker was legendary in the twentieth century. He directed thirty-one films, “was nominated for twelve Academy Awards, and won four in the category of Best Foreign Language Film, the most for any director in the history of the Academy.” You’ve seen a movie scene inspired by (or directly copied from) a Fellini film. It’s guaranteed. Let’s take one example: Fellini’s Casanova. The film follows the titular Casanova on an adventure across Europe, while highlighting what makes Fellini a legendary director and a example for cyber security.  

Anti-patterns in project management from Fellini’s Casanova:

  • Micro-manage your people. “Puppets are happy to be puppets if the puppeteer is good,” Fellini said of his relationship with his actors. Donald Sutherland, who played Casanova, described it as being the worst experience of his filmmaking career. Every action micro-managed and scripted, until nothing of the talented actor remained.
  • Force your people to fit your stereotype of talent. Sutherland is unrecognizable as Casanova. Fellini has him wearing a false chin and nose. He raised Sutherland’s hairline, which then necessitated false eyebrows to even the look out.
  • Over-engineer details that don’t affect the final result. Fellini, unsatisfied with the color and waves from the water, had a plastic simulated lake created for Sutherland to row across. Almost a decade later, furious the color blue wasn’t the right color blue, Fellini would delay production while an entire faux ocean shore was created with plastic sheets for And the Ship Sails On.    

James P. Carse popularized the idea of finite and infinite games. Most games we are familiar with are finite: you play to win, you play to maximize your results at the expense of the other players. Infinite games ongoing: you play to continue others to play. Federico Fellini films were finite games. Sutherland never worked with Fellini again. By contrast, the Golden Age of cinema was an infinite game. (Well, infinite, until it stopped in the 1950s.) Major film studios had in-house production crews and contracted actors. While the roles varied and films came and went, the directors were incentivized to keep the best people playing with them.   

Cyber security in an organization is like the Golden Age of cinema. The leader’s role is encouraging people to want to play with us again and again, implementation after implementation.

Don’t be Fellini. Manage projects with the following patterns:

  • Set the vision and collaborate with people on execution. Listen.
  • Personalize the approach and tasks for the people on the project. Individualize.  
  • Maximize efforts where they matter by minimizing where they don’t. Simplify.

Directing implementation projects is both an art and a game. It is the art of engaging people in an infinite game. Good security projects leave people hungry to play again.

Afterwards

Security is often a story about crime, and criminals often make mistakes even while succeeding. Imagine someone stealing backup tapes to get at stored credit cards, not realizing they were also stealing people’s spreadsheets. In 1975, thieves broke into Technicolor labs and made off with film from 120 Days of Sodom. The heist also swooped up seventy reels of film from Casanova, forcing Fellini to reshoot weeks of material.

A good reminder to classify and protect data according to what criminals value … rather than what a snarky blogger might value.


This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Verizon Taps Cisco, BlackBerry for Internet Security

Posted by

Verizon’s new Business Internet Secure bundle for small businesses taps Cisco and BlackBerry security services to help protect customers’ routers and connected devices. A recent Verizon Business survey found 38% of small businesses moved to remote work because of the COVID-19 pandemic. 

Excerpt from: Verizon Taps Cisco, BlackBerry for Internet Security

To support this transition, Verizon Business Internet Secure protects against threats at two points where attacks typically occur: employee devices with BlackBerry and the internet with Cisco Umbrella.

Even pre-pandemic, small businesses faced the same threats and potential damages from an attack, according to a Cisco security report based on a survey of almost 500 SMBs. The report also found that these companies take security preparedness every bit as seriously as their larger counterparts. And this matters because the security industry has traditionally been biased against SMBs, perpetuating the myth that they don’t prioritize cybersecurity, the report says.

“SMB executives, IT executives, security executives in these businesses have done their best to address the problem,” said Wolfgang Goerlich, advisory CISO at Cisco Duo in an earlier interview. What this means is that SMB IT and security leaders now have to ask themselves what’s next, he added. “Where do I go from here?”

Read the full article: https://www.sdxcentral.com/articles/news/verizon-taps-cisco-blackberry-for-internet-security/2020/11/


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Security Culture needs Security Advocates – Design Monday

Posted by

“Everything is design. Everything.” — Paul Rand (1914–1996)

Paul Rand is behind so many stories this series has covered. The Olivetti Valentine typewriter designed by Ettore Sottsass and used by Dieter Rams in his documentary? Paul Rand did Olivetti’s US advertising. Speaking of Deiter Rams, the Braun shavers that made Rams famous? Paul Rand bought every model. (Though Rand once said he would “buy just for their beauty and then put them in a drawer.”) IDEO, the birthplace of design thinking? Paul Rand did IDEO’s logo. He collaborated on a team with Charles Eames on IBM’s Design Program. I like to think some of that work was in the IBM plaza building that Ludwig Mies van der Rohe designed. The building, by the way, sported the iconic IBM logo which was, you guessed it, designed by Paul Rand.

Paul Rand was instrumental in creating the culture and discipline of graphic design. He taught the next generation at Yale from 1956 to 1985, with a break in the 1970s. Rand was visiting professor and critic at a number of other institutions. Check out the book Paul Rand: Conversations with Students for a view into that work. “What is design?” Paul would often ask. When he wasn’t creating, Rand was instructing, and through instruction, he was creating culture.

Like Paul Rand fostered designers who brought ideas to wider audiences, security leaders need to foster advocates who will bring security ideas to the wider workforce.

We don’t talk much about advocates. A security advocate is a member of the security team who focuses on getting practices into the hands of the workforce. It’s more common for us to talk about security champions. A security champion is a member of the business itself, who collaborates with the security team on best practices. A fully fleshed out security capability has advocates working with champions to interpret and implement security controls. In a well-run security capability, those controls will be usable and widely adopted, because of the partnership of advocates and champions.

To learn more about cyber security advocates and what they need to succeed, check out the “It’s Scary…It’s Confusing…It’s Dull” research paper. These professionals “advocate for systems and policies that are usable, minimize requisite knowledge, and compensate for the inevitability of user error.”

Here are four practices from Paul Rand that we can apply to designing a security advocacy program:

(1) Coach on tangible work, not abstract principles. Rand’s courses were practical not theoretical, with advice given based on the student’s work. He focused stories, literature, examples, and more through the lens of the work at hand.

(2) Coach one-on-one, avoid one size fits all. Paul Rand worked individually with students, and a session on their work “went on as long as was necessary to set the student on the right track and was laced with stories from Paul’s vast career as they were appropriate to the issue at hand. When he worked with students, he poured his heart and soul into it.”

(3) Use short cycle times. Typically, the criticism on individual work in Rand’s courses came weekly. Feedback was quick, specific, and direct. Compare this to many security programs where manager feedback comes at annual reviews.

(4) Encourage personalization. Rand taught designers to build their own set of techniques, their own visual vocabulary, to solve problems. That’s not for the sake of originality. “Don’t try to be original,” Rand often said, “just try to be good.” It’s to develop a sense of the designer’s personal needs and strengths and how to mesh those with the audience’s instincts and intuitions.

When designing a cyber security program, give thought into how leadership will coach advocates. Give thought to how advocates will cultivate security champions. With a nod to Paul Rand, prompt both with a deceptively simple question. “What is security?”

Abacus Photogram, Photography by Paul Rand

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

A Pilot is Purposeful Play – Design Monday

Posted by

A new technology is a new toy. “Toys are not really as innocent as they look. Toys and games are the prelude to serious ideas.”

So said Charles and Ray Eames. The Eames ran a design studio in California (1943–1988) producing architecture, films, furniture. Arguably their most well-known piece was the Eames Lounge Chair. The chair, produced by Herman Miller, ushered in a new era of materials and is a valuable collector’s item today. It’s impossible to overstate this. It was impossible to make furniture that way before Eames. But this story isn’t about a chair.

This story is about a toy elephant.

A decade before the Eames molded wood for a Herman Miller chair, they were playing with molding processes in toys. The result? The Eames Elephant, a toy intricately crafted from molded plywood. The complexity of the elephant was foretold by dozens of unnamed playful experiments. The elephant itself foreshadowed the lounge chair. Without play, without toys, the Eames would never have mastered the underlying skills that produced the later masterpiece.

Playtime is fertile ground for innovation.

The power and necessity of play is a cross-discipline truth. In music, Miles Davis once said “I’ll play it first and tell you what it is later.” In biology, Alexander Fleming often said “I like to play with microbes.” Physics? Andre Geim stated the “playful attitude has always been the hallmark of my research.” The final word on this human condition goes, appropriately enough, to the psychologist Carl Jung. “The creation of something new is not accomplished by the intellect, but by the play instinct arising from inner necessity. The creative mind plays with the object it loves.”

A pilot is purposeful play. We need to pilot ideas and technologies as we frame up the security capability. To get the best work, people doing the pilot must be dedicated, be engaged, and enjoying themselves. As leaders, we clear calendars and make space. We also need to clear bureaucracy and other hinderance to fun. As implementers, we need to clear our heads and reach a state of flow. The purpose of a pilot is to improve our understanding of how things work, and to build underlying skills for what we’ll build next.

See Scale with Philosophy and Methodology for insights on managing the chaos. In the article, I compared Charles and Ray Eames to hackers. I easily imagine them at home in hackerspaces or hacker cons. The Eames embodied the hacker ethic years before “hacker” was even a term. Hands-on. Learning by doing. A strong sense that work, be it design or be it computing, changes the world when we love what we are doing.

The elephant in the room is the best pilot projects won’t look anything like work.

Eames Elephant, Charles and Ray Eames, 1945

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

The Work of Luck – Design Monday

Posted by

It is the final task of an implementation. The stakes are high. One of your people hits a wrong button. The entire system comes crashing down. My question: Is this good luck, or bad?

For an answer and inspiration, I look to Massimo Bottura. Bottura is a chef and restauranter. At his Michelin 3-star restaurant, Osteria Francescana, a similar situation played out. The pastry chef, Taka Kondo, was platting the final course. One tart slipped. Smash! And to Kondo’s surprise and relief, Massimo Bottura burst out laughing. Good luck! The Oops! I dropped the lemon tart was born. The dessert has become legend.

You can hear Bottura tell the story himself at the video below. For now, I want to turn to the question of how to get lucky. So many things must go right when deploying technology, we can use all the luck we can get.

One factor in seeing the opportunity in accidents is associative barriers. High associative barriers lead to functional fixedness. By contrast, people with low associative barriers tend to find connections and opportunities others don’t. I’ve previously covered techniques to get beyond functional fixedness: discuss an item without naming it, and discussing what an item does rather than it is. (See Play with the spaces between the words.) Here, let’s cover building new associations.

New associations can prime us to turn accidents into good luck. It provides a larger net for catching ideas. The exercise is simple. List the assumptions. Imagine what would happen if the opposite were true. We can (and probably should) do this at multiple stages in designing security capabilities; from the vision to our assumptions about the organization, the security function, the security controls, the tools, and our assumptions about implementation. For example:

  • A tart from a Michelin 3-star restaurants is carefully plated and perfectly constructed.
    • It is messily deconstructed. Innovation: Oops! I dropped the lemon tart.
  • The authenticating security credential is a person’s ID and password.
    • A person can authenticate without a password. Innovation: passwordless.
  • A security perimeter is enforced by the network, that is, by a firewall.
    • A perimeter is enforced regardless of network. Innovation: Zero Trust.
  • Defense-in-depth necessarily means having deep control coverage.
    • Defense can be achieved with only a few controls. Innovation: attack path.

The other factor in finding the opportunity in accidents is time. Rushed people don’t get lucky. Stressed people don’t get opportunities. The psychology of stress and time shows people develop tunnel vision and repeat well-known and practiced techniques. The same is equally true for rushed and stressed projects and initiatives. The same goes for rushed and stressed teams and operations. This is an anathema to getting lucky, of course. We’re highly unlikely to see possibilities and to take them on when in this state. Buffer time and down time create the space for getting lucky.

“Leave a free space for poetry. Leave a free space from obligation. You have to be ready to see what others don’t even imagine,” Massimo Bottura says in the video below. He could be speaking directly to us about designing security capabilities. “Make visible the invisible.”

Massimo Bottura tells the story behind Oops! I dropped the tart.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Mies and IBM Plaza: Knowing When More is More – Design Monday

Posted by

The building came into view. My vantage point was on the Chicago River. It was Valentine’s Day. Now Chicago natives had warned us about the cold February winds. But there my wife and I were, on a river tour of Chicago’s architecture. Frozen to the ship’s deck, we looked up as the IBM Plaza came into view.

Ludwig Mies van der Rohe designed the building in the 1960s. Mies came from the famed Bauhaus school, another of my favorite sources of inspiration. In fact, Mies was the last director of Bauhaus. He moved from Berlin to Chicago in 1937 to head the architecture department of Illinois Institute of Technology. There’s a direct line from Bauhaus to Second Chicago School of architecture. Specifically, in minimizing ornamentation in favor of emphasizing building materials themselves.

It was this modernism which drew IBM to Mies van der Rohe. But there was a problem. Many, in fact, with the building IBM wanted. Computing technology of that age was notoriously hot and power-hungry. Moreover, computer engineers were at a premium, which meant a large workforce with little patience for waiting on elevators. Every minute counted. Moving to the ground, the lot was an oddly shaped. Triangular. It sat partially atop of a train line which restricts the foundation needed for a skyscraper. And to top it off, the site had an agreement to provide storage for the Sun-Times. That’s a lot.

“Less is more” was popularized by Mies van der Rohe. Boil down architectural requirements to the essentials. In cybersecurity, we’ve embraced less is more. You see it in concepts like least privilege, least trust (aka Zero Trust), economy of mechanism, and limited security blast radius. You see it in my security principles; like when I discuss building Roombas not Rosies. Less is more is a reminder to take a minimalist approach.

Even from the Chicago River, you can feel the minimalism of the IBM Plaza. The exposed vertical beams, the glass and steel materials on full display. Less is more. But it’s more than it seems. The building has more than double the elevators of a comparable building. The cooling system is similarly over-powered. Designed by C.F. Murphy, the HVAC is tuned for 1970s era computing. Mies also made several floors to be taller to support raised flooring, and reinforced to support the weight. The building is subtly shifted back to make use of the lot, with weight shifted back onto a strong foundation. This feature explains the open pillars in front and allowed Meis to neatly avoid the question of the railway. Less is more? If anything, much of the IBM building is overdone.

Less is more is not a call for doing less. It is a reminder to save our energies to do more where it counts. It is a reminder to pour the savings into solutions for the problem at hand. When we save resources for priorities, less isn’t loss.

IBM moved into IBM Plaza in 1971. For more than three decades, the building was the Chicago office of the tech giant. “The building was declared a Chicago Landmark on February 6, 2008 and added to the National Register of Historic Places on March 26, 2010.” Today, the building at 330 North Wabash is known as the AMA Plaza. It stands as a testament to Ludwig Mies van der Rohe’s ability to balance less and more.

The design lesson: More of what matters is more.

The floating foundation of 330 North Wabash, Chicago. Photography by Ryan Cramer.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

CyberScoop: Security professionals lose central watering hole with demise of Peerlyst

Posted by

For years, the Peerlyst social network has been a resource for software developers looking for a job or cybersecurity enthusiasts wanting to host meetups across the world. But on Aug. 27, the website will shut down, Peerlyst founder Limor Elbaz said Monday, citing financial pressure.

Excerpt from: Security professionals lose central watering hole with demise of Peerlyst

Cybersecurity professionals lamented the end of the platform. “I took the news hard,” said J. Wolfgang Goerlich, an advisory CISO at Duo Security who has posted nearly 700 times on Peerlyst. “With the Peerlyst going away, we’re losing a central watering hole. The conversations may continue over LinkedIn and Facebook groups. But the loss of a dedicated security social media site will be felt for some time.”

The site also let users plans their own offline meetups in various cities in Asia, Australia, Europe, and North America.

Read the full article here: https://www.cyberscoop.com/peerlyst-shut-down-infosec-professionals/

Wolf’s Additional Thoughts

I was an early adopter of Peerlyst and a regular contributor. I end up the 22nd most popular user on the site which boasts of serving “70% of security professionals around the world and the site ranks higher than the majority of security companies.” Also? Peerlyst once put my face on the side of a bus during the RSA Conference. So I’m a little biased.

There is tremendous value in community. Apple itself got its start at the The Homebrew Computer Club. I spent many years and cut my teeth as a top poster in the Citrix online community, back in the early 2000s. And in the last decade, more people than I can count had their careers launched through my local security community, MiSec.

I’m sad to see Peerlyst go and am grateful to Limor Elbaz, Evgeny Belenky, and the entire Peerlyst team. Thanks to them for the memories and connections.

To you the reader, I ask this: what community will you build?


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.