Lea Kissner
@leak.bsky.social
Security, privacy, respect. Was the Twitter CISO until it was terrible. Now LinkedIn CISO. they/them
Up until a few weeks ago, the conversation virtually always went like this:

Them: "why are you wearing a mask?"
Me: "because I don't want to accidentally kill my mom. Plus I hear COVID is no fun."
Them: *vivid story of how terrible COVID is*

It sounds less fun than wearing a mask, y'all 🤷
Sometimes when people ask me why I’m wearing a mask I say I’m traveling or have some important thing soon and can’t afford to get sick and miss it and that’s pretty much always true but I think it would be nice if it were more normalized to just say “I don’t want to get sick” and leave it at that
November 9, 2025 at 4:53 PM
New life goal unlocked
November 9, 2025 at 4:40 PM
I hired a director recently and this was my screening question: can you please explain the difference between public-key and symmetric-key cryptography.

Virtually all the candidates, who universally claimed security engineering expertise of some kind (some cryptography-related), could not. At all.
November 7, 2025 at 4:57 PM
"Betteridge's law of headlines is an adage that states: "Any headline that ends in a question mark can be answered by the word no.""

en.wikipedia.org/wiki/Betteri...
November 6, 2025 at 5:30 PM
"Worked for" is an exaggeration here -- while there may be actual staff in this group, these scam centers are mostly operated by victims of human trafficking.

This is one of the many reasons we need stronger online security across the board: to break the incentives behind this horror.
India is repatriating on Thursday the first batch of hundreds of its nationals who last month fled to Thailand from Myanmar, where most had been working at a notorious center for online scams.
Indians who fled a Myanmar cyberscam center are being flown home from Thailand
November 6, 2025 at 1:33 PM
Would you like to work on LinkedIn? InfoSec is hiring! We have both manager and IC roles -- and more coming.

I'm here because I want to help protect people and not work with jerks. If that's what you like, then I hope you'll join us.

Jobs in 🧵
November 5, 2025 at 11:27 PM
Encryption without key rotation is just sparkling obfuscation
October 23, 2025 at 7:11 PM
Not being a jerk is a shockingly underrated hiring strategy.
look, one reason workplaces started making us all go to HR's "be polite to others" class is because you alienate people when you're a bigoted asshole, and that can lose you both talent and business www.ft.com/content/8e6d...
Sequoia COO quit over Shaun Maguire’s comments about Islamism
Sumaiya Balbale left the venture firm after it decided not to discipline outspoken investor for posts about Zohran Mamdani
October 22, 2025 at 1:11 PM
Reposted by Lea Kissner
pleasures of the flesh fade, other people however much you love each other will sometimes let you down, the world is filled with sorrows. but from today until the last day of your life, wherever you are if you pay attention there is something new to learn. it's a great comfort.
October 13, 2025 at 6:30 PM
The number of people who don't seem to realize that people in the same field, even in the same team, talk to each other is astonishing.

A security vendor invited me to a dinner with featured guest the "VP of IAM at LinkedIn". There is no such person. I'm so curious who; the vendor wouldn't answer.
This morning's spam from a scammer claiming to be Andy Weir, asking me to send a link to my own work and maybe he'll check it out (aka the opening salvo to sending the scammer money) and I'm all, look pal, I know Andy's read my stuff already, he said so WHEN WE WERE DOING A FUCKING EVENT TOGETHER
September 22, 2025 at 1:36 PM
TIL that setting LESSSECURE makes you more secure
September 15, 2025 at 9:24 PM
Fully most of what I travel with for any trip is food, which I am not willing to risk the airline losing, but speaking as someone who packs light to the point where I did a 4-day trip with only a briefcase (pre-having-to-carry-all-of-my-food situation), this is the hard way to travel light!
Personally, I'd rather just check a large bag for a long trip, than have to deal with randomly shipping stuff home and buying entirely new things at unpredictable intervals

(speaking as someone who spends a lot of time traveling internationally for extended periods myself)
September 8, 2025 at 4:03 PM
At one job someone decided to argue with me about whether my pronouns are grammatical.
a) yes they are I have citations
b) what an extremely odd fight to pick at work

In summary, there are so many ways not to be a jerk and not being a jerk is one of my life goals
roses are red
violets are blue
singular they
predates singular you
Another day, another whiner complaining that I use the singular "they" in my work, and of course they can go fuck themselves

(you see what I did there)

(also, gift link)

wapo.st/3JEdPUv
September 3, 2025 at 10:34 PM
Vibe coding is a lot easier if you don't care about breaking things
#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/7
August 26, 2025 at 11:50 PM
Weird Al: You think your Commodore 64 is really neato

Audience dude: IT IS!

youtu.be/qpMvS1Q1sos?...
August 24, 2025 at 3:54 AM
In "people are awesome" news, some UPS drivers helped me find the UPS driver driving around with my medication and he popped over and gave it to me and told me how to find him if I end up with a meds emergency again. Stand-up dude and I owe him.
August 22, 2025 at 11:46 PM
I'm failing to remember enough to Google this, but I could swear there were cases where someone mixed corporate data into personal systems (or vice versa), personal data got dragged into legal discovery, and it was embarrassing all around. Does anyone have a pointer?
August 17, 2025 at 9:56 PM
The big problem with having agreed to write a book is having to actually write the book
August 15, 2025 at 8:13 PM
@kendraserra.bsky.social just gave an interesting talk about strong "you will not disclose any security bugs you tell us about" NDAs on some disclosure/bounty platforms

I'd add something to that: companies have a real incentive for people to disclose closed vulns 🧵

www.usenix.org/conference/u...
Everything Old Is New Again: Legal Restrictions on Vulnerability Disclosure on Bug Bounty Platforms | USENIX
August 13, 2025 at 11:39 PM
@adamshostack.bsky.social says STOP DOING RISK 😆

(Math says no to a lot of things people do to try to predict risk. If math says no, I do, too)

This talk is fantastic, I have so much to think about #usenix
August 13, 2025 at 10:53 PM
I will admit that I find it endlessly entertaining to watch people try and fail to pick up my luggage -- this 30L backpack has all my food and accoutrements, a bunch of electronics, and personal items for 5 days. Fits under the seat in the airplane *and* provides me my workout for the week.
August 12, 2025 at 12:52 AM
I hope I'll see y'all at USENIX Security this week, wherein I will be giving a talk complaining about real world challenges (and hoping to get some smart research folks on them)
Next up, our USENIX Enigma preview features "Security Theater Is Canceled: Time for a Real Show" by LinkedIn CISO Lea Kissner. This talk reframes real-world security as a human-driven challenge demanding cross-functional collaboration. 1/3
August 10, 2025 at 4:46 AM
Pretty much any backpacking is good backpacking, but may I suggest backpacking to the beach?
August 6, 2025 at 2:40 PM
OH MAN I'M BEING SOCIALLY ENGINEERED IN REAL TIME

POORLY
July 28, 2025 at 11:19 PM
A reporter asked me a question today that started with something like "I know personal brand is a really important part of being a CISO..." and honestly I was floored. I just show up and try to be helpful. I'm not aware of that being a branded activity
July 28, 2025 at 9:42 PM