A few personal insights on our industry, from my visit at Infosecurity Europe:
1️⃣ I expected the #AI buzzword in every company description. Instead, it seems that most companies decided to stick to the usual “we’ll make your company unbreakable” lie.
2️⃣ Even copycats that have no #USP thrive in this market (there are a lot). I asked a couple of companies: “What makes you different from your competitors?” and I got replies like “Our UX is better”. What makes them sell? Maybe the USP is in the sales people, network, marketing etc. and not in the product itself. What do you think?
3️⃣ Thinking about the future of Meroi Security, I asked around for feedback. Becoming an #MSSP seems a more scalable option than just selling #consultancy hours. Ideas?
4️⃣ I met Jenny Radcliffe – The People Hacker 🎤🎧🧠 and started reading her book “People hacker”. It brought my interest back to #socialengineering, the aspect of security that I find most fascinating.
5️⃣ I finally met Rogier Fischer, perhaps the most successful security #startup founder in the Netherlands (Hadrian). We had a chat about what it takes to go from an MVP to a fully developed product and I got some insights on who to partner with when starting a company.
6️⃣ I met Eunhye (Grace) Han in the Korean pavilion and we discussed the security market in Korea. Lack of security professionals and high security standards are the main gaps. She’s expanding her company in Europe and the US, check it out! SSNC Co., Ltd.
7️⃣ Our approach to #risk must rely less on subjective scoring and more on data. Risk matrices are very prone to score bias. Some quantitative risk analysis methods worth considering:
– Monte Carlo simulations (different scenarios)
– Conditional probabilities
– Bow tie diagrams (sources-event-consequences)
Once risk is quantitatively measured, controls can be more effectively modelled.
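As an added example (not part of the original post, and not a tool of any company mentioned here), this is the kind of Monte Carlo risk model point 7 is talking about. It replaces a matrix score with a distribution: event frequency is drawn from a Poisson process, loss per event from a lognormal fitted to a 90% confidence interval (the “between 50k and 2M” style estimate an expert can actually give), and the simulation produces an expected annual loss, percentiles, the probability of exceeding a tolerance threshold, and the value of a control modelled as “halves the event frequency”. All scenario numbers (frequency, loss interval, threshold, control cost) are constructed assumptions for illustration.

```python
import math
import random
import statistics

# Constructed scenario (assumptions for illustration, not data from the post):
# a ransomware-style event expected 0.5 times per year, with a 90% confidence
# interval for the loss per event of 50,000 to 2,000,000 (currency units).
SCENARIO = {"events_per_year": 0.5, "loss_low": 50_000.0, "loss_high": 2_000_000.0}

Z_90 = 1.6448536  # two-sided 90% interval: +/- 1.645 standard deviations


def lognormal_params_from_ci(low, high, z=Z_90):
    """Fit a lognormal so that [low, high] is its 90% confidence interval."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * z)
    return mu, sigma


def poisson_sample(lam, rng):
    """Number of events in one year (Knuth's algorithm, fine for small lambda)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(events_per_year, loss_low, loss_high, trials=20_000, seed=7):
    """Return one simulated total loss per year for `trials` simulated years."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mu, sigma = lognormal_params_from_ci(loss_low, loss_high)
    losses = []
    for _ in range(trials):
        n_events = poisson_sample(events_per_year, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def analytic_expected_loss(events_per_year, loss_low, loss_high):
    """Closed-form expected annual loss, used as a sanity check on the simulation."""
    mu, sigma = lognormal_params_from_ci(loss_low, loss_high)
    return events_per_year * math.exp(mu + sigma ** 2 / 2.0)


def summarize(losses):
    """Expected annual loss plus percentiles; the tail is what a matrix cannot show."""
    ordered = sorted(losses)

    def pct(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"mean": statistics.fmean(losses), "p50": pct(0.50), "p90": pct(0.90), "p99": pct(0.99)}


def prob_exceeding(losses, threshold):
    """Loss exceedance: probability that the annual loss is above `threshold`."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def control_value(scenario, control_cost, frequency_factor=0.5, trials=20_000):
    """Model a control as scaling event frequency; return (loss before, loss after, net benefit)."""
    before = statistics.fmean(simulate_annual_losses(scenario["events_per_year"],
                                                     scenario["loss_low"], scenario["loss_high"],
                                                     trials, seed=11))
    after = statistics.fmean(simulate_annual_losses(scenario["events_per_year"] * frequency_factor,
                                                    scenario["loss_low"], scenario["loss_high"],
                                                    trials, seed=13))
    return before, after, (before - after) - control_cost


if __name__ == "__main__":
    losses = simulate_annual_losses(**SCENARIO)
    stats = summarize(losses)
    print("expected annual loss:", round(stats["mean"]))
    print("analytic check:", round(analytic_expected_loss(**SCENARIO)))
    print("p50 / p90 / p99:", round(stats["p50"]), round(stats["p90"]), round(stats["p99"]))
    print("P(loss > 1M):", prob_exceeding(losses, 1_000_000))
    before, after, net = control_value(SCENARIO, control_cost=60_000)
    print("control halving frequency, net annual benefit:", round(net))
```

The geometric mean of the 50k..2M interval is about 316k, but the expected loss per event is about 593k because the lognormal tail is heavy; that asymmetry is exactly what a 1-to-5 impact score throws away. Comparing `before` and `after` against a control's cost gives the quantitative control modelling mentioned above, and the exceedance probability is the number to put in front of a board instead of “high”.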
8️⃣ AI is an increasingly relevant threat factor. The key concept is to reduce the “learning surface” (stop AI from learning our vulnerabilities).
The steps to mitigate are the usual:
– Identify risks, assets, vulnerabilities and communications
– Drastically reduce attack surface. Application whitelisting, default deny…
– Segregation of each asset
9️⃣ Why so many F1 cars? It looked more like a car show than a security conference!
I’ve learned a lot on this trip, however I feel one day is not enough to fully appreciate such an event. Next year I’ll organise it further in advance!
Hopefully see you soon in Las Vegas for #blackhat!