Invitation-only · Trust-based membership

AI-in-Browser Data Protection Consortium

An operator-led consortium of security leaders, practitioners, vendors, and researchers building practical standards to prevent confidential data leakage through browser-based AI tools.

About

What We Are

A private community where security professionals discuss breach prevention, AI governance, supply chain security, and incident response.

Based on IBM's finding that organizations face $2.9M+ in preventable costs from skills shortages, shadow AI, and missing security fundamentals. See the IBM Cost of a Data Breach Report for underlying research.

Core Principles

  • Confidentiality: Chatham House Rule applies
  • Privacy: Default anonymity and pseudonymous participation supported
  • Free: No membership fees
  • Invitation-only: Growth through member vouching
  • Collaboration: Defensive, not competitive

What Members Discuss

  • AI governance and shadow AI elimination
  • Supply chain security and vendor risk
  • Breach prevention and incident response
  • Security frameworks and implementation
  • Skills development and peer learning

Members share only what they're comfortable with. No obligation to disclose organizational vulnerabilities.

Why Signal?

Signal is a free, nonprofit messaging app for private chats and small groups—not a public social network. We use it for consortium intake and private working discussions because it is built for confidential peer communication.

End-to-end encryption. Minimal metadata collection. No corporate infrastructure to breach. Members control their privacy and data. New to Signal? Download here and consider usernames and phone-number privacy settings before you reach out to join.

Privacy-first design

The consortium is designed for candid discussion of real security challenges. Members use pseudonymous usernames and share context (industry, org size, challenges) without revealing identifying information. That enables honest conversations about vulnerabilities, failures, and lessons learned without personal or organizational exposure. Your sponsor knows your identity for accountability, but the broader community doesn't need to—giving you both trust and privacy.

Membership

How to Join

This consortium operates on trust networks. Members vouch for people they know professionally.

Two Ways to Join

Option 1: Referral (Primary Path)

Ask a current member to vouch for you.

Option 2: Direct Request (Limited)

Message @soodonym70 on Signal.

Include:

  • Your security role
  • Specific challenge you're focused on
  • How you discovered the consortium

You'll receive a response within 2–3 business days.

What to Expect

After the initial vetting conversation:

  • Invitation to private screening channel
  • Review of consortium framework
  • Questions answered before you commit
  • No obligation until you accept

Invitations are selective to maintain trust and quality.

The Stats That Matter

Evidence-forward metrics to guide where consortium effort should focus first.


Sources include: IBM Cost of a Data Breach Report

The Average Company (IBM-Derived Snapshot)

A composite operating profile built from IBM-derived evidence.

This is an aggregated reference model, not a universal truth. Use it to pressure-test assumptions, compare your current posture, and identify where control quality and response readiness are most likely to fail.

  • Security Program Maturity: Level 2 (Intermediate). Documented program, but still largely reactive in execution.
  • Expected Breach Cost: $6.68M. Base breach cost plus commonly cited shadow AI and skills-shortage premiums.
  • Detection and Containment Time: 241 days. Extended attacker dwell time remains a core risk multiplier.
  • Recovery Window: 100+ days. Most organizations report prolonged disruption after major incidents.


Mission and Scope

Make AI usage in the browser visible, governable, and safe.

We define browser-layer controls, telemetry standards, and governance frameworks so organizations can unlock AI productivity without leaking regulated or confidential data.

What We Do

Publish practical patterns for prompt, copy/paste, and upload controls; define telemetry fields that quantify risk; and ship adoption playbooks with measured outcomes.

What We Do Not Do

We are not a product marketplace, legal authority, or a guarantee against incidents. We focus on operator-tested guidance and implementation rigor.

Consortium Charter

Shared mission, explicit boundaries, serious collaboration.

The consortium exists to solve a hard, unresolved security problem. We commit to disciplined collaboration, practical evidence, and transparent decision-making, while acknowledging that success is not guaranteed.

Principles

  • Consortium-first: members prioritize shared problem-solving over organizational positioning.
  • Evidence-first: proposals are grounded in implementation data, not assumptions.
  • Transparency under constraints: decisions are documented with rationale and open questions.
  • No guaranteed success: difficult work and uncertainty are expected parts of this effort.

Non-goals

  • A vendor marketing channel or product comparison forum.
  • A legal certification body or compliance guarantee authority.
  • A place to share sensitive raw production data, secrets, or regulated records.

Framework Workstreams

Six pillars of focused consortium work

Cost Mitigation Practices

Develop and test practical control patterns that reduce avoidable leakage response burden without claiming fixed financial outcomes.

AI Governance and Shadow AI

Define enforceable governance baselines for prompts, uploads, and extensions so unmanaged AI usage can be identified and addressed.

Supply Chain Risk Coordination

Coordinate member learning around third-party and SaaS-linked leakage paths with common assessment and response practices.

Skills and Capability Development

Build operator depth through shared exercises, implementation reviews, and cross-functional learning loops.

Operational Resilience

Improve containment and recovery readiness through tested playbooks and repeatable workflows.

Complexity Reduction and Integration

Reduce governance fragmentation by aligning telemetry, standards, and control integration practices across member environments.

Who Should Join

Built for security professionals with organizational responsibility.

Typical members are CISOs, security directors, IT leadership, compliance officers, and incident responders. Default anonymity in the consortium helps you share lessons without unnecessary exposure.

Security leaders and IT owners

Benchmark control effectiveness, compare governance approaches, and reduce exposure without stalling AI adoption.

Operators and platform teams

Pressure-test controls in peer environments and contribute practical implementation patterns.

Practitioners and researchers

Help define measurable telemetry and methods that close browser-layer blind spots.

Vendors and ecosystem contributors

Participate in a vendor-neutral forum to align real-world requirements with practical capabilities.

Contributions are most valuable when they are implementation-focused, anonymized where needed, and tied to measurable outcomes.

Consortium FAQs

Frequently asked questions

How membership works, default anonymity, confidentiality, and what to expect before you commit. Screening details and operational security measures are not spelled out on this public page.


About

What is this consortium?

A private community where security professionals discuss breach prevention, AI governance, supply chain security, and incident response.

IBM Cost of a Data Breach Report (2025)

Based on findings from IBM's 2025 Cost of a Data Breach Report showing organizations face $2.9M+ in preventable costs from skills shortages, shadow AI, and missing security fundamentals.

Why is there limited public information?

Operational security. Members discuss active vulnerabilities and breach details that require confidentiality. Publishing member lists, security frameworks, or internal processes creates attack surface.

Membership

Why Signal for private group messaging?

Signal is a free, nonprofit messaging app for private chats and small groups—not a public social network. The consortium uses it for intake and working discussions because it is built for confidential peer communication.

  • Download here (Signal)
  • Usernames and phone-number privacy settings (Signal)
  • What is Signal? (signal.org)


How does membership work?

  • Stage 1: Message @soodonym70 on Signal with your security role and focus area. A brief vetting conversation follows.
  • Stage 2: If approved, you receive an invitation to a private screening channel. You review the consortium framework, ask questions, and observe discussions. After you accept the framework, you're promoted to the main channel within 2–4 weeks.

Is there a cost?

No. The consortium is free to join and participate in.

Who can apply?

Security professionals with organizational responsibility: CISOs, security directors, IT leadership, compliance officers, incident responders.

Participation

How does anonymity and privacy work?

The consortium operates on default anonymity with layered privacy:

Recommended practice

  • Signal username: Use a pseudonymous Signal username (not your real name).
  • Organization name: Don't reveal your organization's name.
  • Context without identifiers: Share context without identifiers—for example, “I'm at a mid-size healthcare company,” not “I'm at Memorial Hospital.”
  • Role: Describe role generally: “security director,” not your specific title.
  • Examples: Anonymize examples: “An organization experienced…” not “We experienced….”

Why anonymity matters

  • Candor and risk: Even in trusted groups, identifying information creates risks. Anonymity enables honest discussion about real vulnerabilities without personal or organizational exposure.

Privacy layers

  • Your sponsor knows: Your real identity and background (required for vouching accountability).
  • Admin knows: Your Signal handle and basic professional context from vetting. This minimal information supports security monitoring.
  • Other members see: Only what you choose to share in discussions; your pseudonymous username; not your phone number (with Signal configured for number privacy as intended).
  • You control: Whether to share industry, organization size, and role type, and how much detail to provide.

Privacy principle: Default to anonymity. Share strategically. Protect yourself and your organization while contributing meaningfully.

What should I share about myself and my organization?

We strongly recommend default anonymity:

Share (valuable context)

  • Industry: For example: “Healthcare,” “Financial services,” “Technology.”
  • Organization size: For example: “Mid-size (500–2,000 employees).”
  • Role type: For example: “CISO,” “Security director.”
  • Challenges: For example: “Shadow AI detection,” “Supply chain security.”

Don't share (unnecessary exposure)

  • Real name: Use a pseudonymous Signal username instead of your real name.
  • Organization's name: Avoid naming your employer when it isn't necessary.
  • Unique identifiers: Avoid details that could single you or your organization out.

Why: Even in trusted communities, anonymity protects you from competitive intelligence, vendor targeting, legal discovery, and career risks. You can contribute meaningful insights while protecting yourself and your organization.

Will my participation be confidential?

Yes. Chatham House Rule applies—information can be used for learning, never attributed to individuals or organizations without permission. Signal provides end-to-end encryption. Anonymous usernames are strongly recommended. Phone numbers remain private. Member lists are not disclosed publicly.

  • Chatham House: the Chatham House Rule
  • Signal: phone number privacy & usernames

What if my competitor joins?

All members agree to confidentiality requirements. Information sharing is for defensive purposes only. You control what you disclose. Default anonymity means competitors won't know which anonymous contributions are yours. Note competitor conflicts during your application if concerned.

What are the ground rules?

General principles include:

  • Confidentiality of discussions
  • Default to anonymity (pseudonymous usernames, don't name organizations)
  • Anonymize and censor information you share
  • Professional conduct
  • Defensive collaboration, not competitive intelligence
  • Information shared is not legal or compliance advice
  • No obligation to share anything you're not comfortable with

Specific requirements are explained during the screening process.

What happens in the consortium?

Technical discussions on security challenges, sharing of governance frameworks and assessment templates (when members choose to share), analysis of IBM report findings, anonymous case studies, and collaborative problem-solving. Members control what they share. Participation can be as passive (listening/learning) or active (contributing) as you prefer.

How much time does participation require?

No minimum participation requirement. Engage when you have questions, information to share, or time to contribute. Observing without posting is acceptable.

Can colleagues from my organization join?

Yes. Each person applies and is vetted individually.

Membership

How do you prevent fake accounts or bad actors?

The invitation-only vouching model provides natural protection. Members vouch for people they know professionally and remain accountable for their invitees.

We have additional vetting procedures that aren't publicly disclosed for security reasons.

Participation

How do I exit?

Leave the Signal channel at any time. No exit process required.

What if I'm not approved?

Invitations are selective to maintain trust and quality. If not approved, you'll receive brief feedback. You may reapply after addressing concerns.

This FAQ is a public overview. The operating framework, confidentiality expectations, and member rules you accept after screening are authoritative. Default to anonymity in discussions; when in doubt, share less.
