Merry Christmas to everyone except GoDaddy infosec leadership specifically. https://twitter.com/lolonghi/status/1341863667290140672
I hope your food turns out awful and your kids hate all their presents. I also hope people remember this when you apply for jobs in the future. This is one of the cruelest and most counterproductive moves I have ever heard of inside our industry. I am stunned.
It’s not “touchy feely” of me to point out this was bad. Not only is it stunningly unethical, the overall result on GoDaddy security will be objectively negative as it spoils the fragile relationship between infosec and staff for future IR, reporting, and policy adherence.
If you think about phishing tests or any red team assessments in a vacuum and not as a part of holistic security posture of the organization in terms of detection and incident response, you’re not seeing the big picture of security. Absolutely any of you can be phished.
We need ethics and business courses to be required in every cybersecurity degree program.
I’m the one who has to go into these orgs during incident response and try to piece things back together in time to contain an adversary and restore operations when employees won’t talk to their security team anymore and evade all their controls.
You can follow @hacks4pancakes.