
Okay, the idea that the 2021 B-Sides Huntsville gets started one minute early is very exciting to me. So Nick, would you please introduce Joanna, and let's get this party started.

All right. So I just want to really quickly say, I know there were questions in chat about B-Sides, so I think everybody kind of knows now what B-Sides is, but Huntsville B-Sides started about six, I think this is our sixth year, by a group of us in Huntsville, and it has actually flourished since then, so we're so happy we have B-Sides in Huntsville. All right, let's do this again. I want to introduce our first keynote. Joanna Burkey is the Chief Information Security Officer at HP. In this role, Joanna and her team have responsibility for HP's global cyber security program, including IT infrastructure, technology platforms, and business units. Our organization has responsibility for identity, governance, compliance, security operations, strategy and architecture, as well as product security. Joanna returned to HP in April 2020 after several years with Siemens AG, where she was most recently the global head for cyber defense, responsible for cyber security defense across IT and OT infrastructure as well as products, solutions, and services. Joanna has a computer science and mathematics background from the University of Texas at Austin and Angelo State University. She has focused on cyber security throughout her career. Her previous roles have included software engineering, product strategy, and security evangelism. Joanna is based in Austin, Texas. Welcome, Joanna.

Thank you, Nick. Thank you for the introduction. Thank you, David. David has done amazing coordination. There's a couple of external conference-type events I have been a part of since the pandemic, and I have to say he's done amazing. So I think all of us are really lucky to have the chance to be a part of this, and I appreciate so much that I have this chance to spend with you all. I wish I could be there. I'm missing having food from another part of the country, and especially food that I don't make myself, but of course, you know, draw number one would be able
to hang out with all of you. So in lieu of that, I wanted to have a conversation this morning. I know it's called a keynote, and like anybody, I have a lot to say, but I also want it to be conversational. I think a couple of people are going to be keeping an eye on the chat, and if there's questions to bring up while I talk, I absolutely welcome those, and I'm especially interested if there's certain things you'd like for me to dive in deeper on, or not, as we chat. More than welcome. And I'll go join the talk Q&A when we're done here if there's anything that you want to keep going after 10 o'clock this morning.

So you'll see I've thrown a couple of slides up here, because I think in the virtual world it's kind of nice to have something to look at that's not my face, but I don't really love slides, so, you know, they're only there as a little bit of an assist, and mostly what I'd like to chat about with you all today is going to be all in the talk track. And what is it that we're talking about? It's a little bit about the evolution of cyber security. It's a little bit about what and why are some of the changes we've seen in the last year, but more importantly, what does it mean to us, where are we going, and what are some of the best practices on us as the practitioners and as the technicians, with the scale and scope of what we're dealing with today?

Interesting thing I've observed in the last year. Number one is, all of us in here in this room, whether it's there in a big room in Huntsville or it's here in this virtual room, we know already cyber security is a fascinating technical domain. I mean, that's why we work in it. And whether you got into it on purpose, you started playing around when you were really young, you started playing around as you got older, or you fell into it, most of us here tend technical, and we got into it and we stuck with it because we love those technical parts of the subject. Whether it gets a ton of public attention or whether it gets nothing, or whether the, you know, President of the US talks about it or not, or what does his administration do, we're here because it's a cool topic and because it's fun, right?

My own origin story is pretty basic, really a little bit boring when it comes to people in cyber. I was a software engineer. I studied computer science. I loved it. I got hooked on assembly language. My university taught IBM 360/370 assembler as our assembly language basics. We had to take two semesters of
it, and I fell in love. The ability to actually move things around at a bit level was one of the neatest things I had ever been exposed to in my life. When I was in college, long enough ago, unless you were in the military, cyber wasn't really a thing. So I'm one of those people who got out of college with a CS degree, I started programming for a living, and in the startup boom of the late 90s I fell into security. I started working as an embedded programmer for a network security product, and it was awesome. I loved it. Been in the field ever since. So no matter how you get into it, most of us here already know how cool it is.

As the topic has increased in importance, though, the fact that most people not in the field only look at it as a technical domain is starting to hold us back. In the enterprise world, for many years there's been this mindset in the boardroom and in the executive suite of, you know, cyber security is just this interesting part of IT. Throw enough engineers at it, we're good. Oh, I have a cyber problem? Throw some more engineers at it, we're good. Right? Technical domain, throw enough expertise at it, all is bueno. It's not good enough, and it's not enough anymore. But how do we, as the people in that domain, pivot along with this change in the language now? Because there has been a change in the language. You know, looking at regular media, looking at non-technical publications, listening to the news, listening to the things that the people running the companies listen to, you hear all these ways in the last couple of years that cyber security is referred to. It's referred to as a boardroom issue. It's referred to as a business enabler. It's referred to as chief concern of the CEO, chief concern of the CIO, chief concern of the chief risk officer, chief concern of the C-whatever-letter-of-the-day officer. And sitting here in the field, you kind of look around and you go, what does that mean? I mean, does that even matter? Does it really change anything that it's being talked about in all these ways? I'm here today, after enough years in this field, technical, non-technical, management, I absolutely can say, and I am convinced, we cannot and should not run a cyber security organization today the way that we did 10 years ago, the way we did five years ago, the way even really that we did two years ago. But it's not because of those things that people say. It really has to do... oh, I'm sitting here playing with PowerPoint and it's not wanting to cooperate. There we go. Oh, a big blue screen, not the bad kind.
There are forcing functions that are forcing a change in this language, and these are not inconsiderable. These are not the smallest concerns. These are big things. A couple of them to highlight; none of these are going to be news to anyone in here. One is the commercialization of the attack tool chain. We know, we've seen it. The attackers are getting better at utilizing each other, at developing their own supply chains, for lack of a better word, at commoditizing the tools. Okay. We've seen the evolution in the regulatory, in the compliance space. That part, admittedly, a little bit boring. The policy part of cyber security has never been one that lights my fire, but it is a super critical one, and when we start to look at the really serious money that's getting thrown around in fines, in non-compliance penalties, in violations, this ever-increasing complexity of the regulatory landscape is a really significant lever on the topic of cyber today. And, very importantly, a growing awareness and a growing savviness in the consuming base. Whether your consumer is someone who buys your product, or whether your customer is someone in your own company, or your customer is a fellow student at the school that you are in, people who aren't involved in cyber are constantly learning more. They're demanding more, and they're starting to ask questions that they didn't ask even as recently as several months ago. All of these things are important. They are not by far the smallest reasons that we're changing how we approach running cyber security.

However, I think there are two really compelling reasons that are not in those three buckets we just mentioned. The first one is digitalization. There are so many different definitions to what this word means. To me, it means the explosion of data and the new technologies we have to transport data. In other words, it is 5G, it's IoT, and it is the focus of the world on data and all the different ways data can be pulled, can be collected, can be used, can be misused, can be exploited, can be violated, can even be used for good, whatever those are; I hope we find them at some point. All of these things, in my opinion, are what's really forcing this change in cyber having to insinuate itself in so many different parts of the world that it never has before. This, coupled with the democratization of technology. I love that phrase. I did not come up with it. I stole it, I stole it with pride. The democratization of technology, to me as a practitioner, means how much easier it is now for people to bypass cyber security if they don't want to. They don't have to engage with you as much anymore as they used to. And when I talk about "they" right now, it's absolutely employees of the enterprises that I've
been a part of, but that's only my view on who I'm talking about here. When we think a little bit about technology, especially technology out in the business world, out in the corporate world, out in the educational field, for about 15 to 20 years IT departments had a great stranglehold on technology. They pretty much were able to manage and rule most of the world. You wanted something, you generally had to go through IT. They might say yes, they might say no, but they were able to sit around with the crown and the scepter and pretty much rule what the technology landscape in your part of the world looked like. It is easier than ever now, though, to bypass IT. IT is no longer in that seat. With the advent of the cloud, with the advent of easily accessible, really foundational pieces, foundational pieces like GitHub. I mean, 15 years ago, the idea that you would have a bunch of source code floating around in the public domain was crazy. This was not on the radar of people. But now technology is accessible to anybody. An employee with a corporate credit card can go online, get what they want, do what they want. IT never has to know about it, and by extension, the old type of cyber security organization never had to know about it. It is easier than ever for people to bypass cyber unless they have a reason to work with us. So you can easily say, all right, we need to get tougher, we need to get better visibility, we need to get better detection, and we need to get tougher so that people do what we tell them to do. Right? No. I don't think that is the right answer. We're going to get back to that in a minute.

Back into the why. So the question to me, and what I wanted to dive in a little bit with you all on, is how are we pivoting the organizations of cyber security now to meet this call? And the short answer is kind of all the ways. We're pivoting in all the ways. You name it, it's different, right? To me, as a leader in the space, it decomposes into four really significant areas, and it's all about the how. Those three things I mentioned at the beginning, commoditization of the attack chain, the regulatory landscape, the growing savviness of your consumer base, those things all influence what we do. But digitalization and the democratization of technology influence how we do it. And that, to me, is where it really gets interesting, is the how, because if you get the how done right, wherever you are, that's when you can really make the impact at scale. I believe it chiefly influences how we talk about cyber security, how we define and work within our scope, how we work
with the business, and how we lead. How we lead has so many different connotations to it, and I could probably spend a five-hour keynote on that. I will spare you that, I will not, but I save that one to the last because it is my favorite one. So a little bit about these. And I'd like to ask real quick, because I'm not paying attention to the chat: David, or anyone, has anything come up in the chat that you want to tell me as we're going through this?

No. People are listening, maybe making question notes to themselves, and I'll just take this opportunity to encourage them to throw it in there. If you have a question, get ready for now, and if something comes up, check in again. I'll let you know what they're asking.

Fabulous. Sounds good. So, having been, you know, and I know in this virtual room today we span a lot of lengths of experience. I realized recently I am approaching about 25 years in this space, which is a little crazy to me, not the least of what it says about my age, but I have seen so many changes in how the organizations operate during that time. I've not spent the majority of my career on the practitioner side. I've actually spent the majority of my career on the product and then on the engineering side. I loved doing that, but of course you're always, you know, seeing how the practitioners are running cyber security wherever you are, whether it's work or school or even your hobbies. The how it's been done has changed so much. You know, 15 years ago, when IT had that control over the technology that they did, it was really enough. It was sufficient to hire super smart people who love the topic of cyber, stick them in a basement, throw flat food under the door, and let them protect the infrastructure. It was enough. It was not a bad approach. It is not enough today. What we do outward facing now, wherever we are, is as important as what we do inward facing. And by the inward facing, I mean the actual operational and technical work. It is the forensics we do, it's the security operations we do, it's everything we do. That's what I call inward facing. This outward facing stuff, it seems like this is not the fun part of what we do. What is fun about going out and talking to the business when I could be reversing a piece of malware? But it's so critical now, because it's that outward facing part that is enabling us to do the inward at the degree that we need. We need so much more to do it well. We need more collaboration, we need more resources, we need,
maybe I'm not going to say more tools, we might need different tools, but what we need to do that job inside constantly changes, and if you don't take care of the outside, you ain't gonna have what you need inside.

So what are some of these best practices to keep in mind? The first one I mentioned is how we talk about cyber. I mentioned at the beginning it has been seen, and still is in a large way, as a technology domain. That's why we got into it, because we're technologists and it's cool. But that's enough for us; it's not enough for the rest of the world. When I say how we talk about cyber, it really comes down to one thing: the so what. Years ago, when my primary job was two hats, I was running a security research organization and I was doing security evangelism, which is this really weird phrase that kind of means everything. You need to talk to salespeople to enable them, you need to go talk to customers on the road, you need to go speak at conferences, you know, you need to do all of this talking to get people caught up on what's going on with cyber. And I remember one day really clearly, I was giving a presentation to a group of salespeople about our product and the features we'd added to it, and there is one guy in there, and you know, I finished my little spiel and I thought I had done a great job. I was like, yes, I've articulated this in terms salespeople are going to understand, I got it down, I'll take a few questions and then I'm going to go have a beer. This guy sticks his hand up. He's like, "So what?" I'm kind of like, what do you mean, so what? So what about what? And he's like, "So what? You just said all this stuff to me. What's the so what?" I said, well, the so what is the product is better at securing the customer. And he's like, "So what? What does it mean?" And honestly, y'all, at that time, and for probably about two to three years later, I just thought the dude was a jerk, you know. And I'm like, oh, that's the so-what guy, and someone would mention him to me and I'm like, oh yeah, the so-what guy. He probably could have done it in a little different way, but the point he was making was so spot on, and I realized that once I started to see how CSOs were talking to the boards of directors, how CISOs were talking to their peers, how people in the org were talking to people not in cyber. People that don't get it need to understand: so what? What are you telling me this for? What does it mean to me? I as a CSO can roll into the board of
directors, and I've seen people do this so many times, and they go, all right, everybody, we have 287 unpatched Red Hat servers in our environment. And to them, they're like, I just said it, I just said this so what. And everyone sitting around the table is like, so what? Is that good? Is that bad? Does 287 put us in, like, top quartile, or does 287 mean, like, we're going to be a target tomorrow? I mean, what do you mean? And it has taken us years to really clue into the fact that what seems meaningful to us is not always what's meaningful to our audience. People talk about metrics that matter. Oh, it's alliterative, it rolls off the tongue, it's lovely. Metrics that matter. Metrics that matter are hugely important, because if someone doesn't understand the impact of what you're saying, they don't give a you-know-what about what you say. Audience-driven communication is huge in this space.

How we define our scope. So in the old days, when the cyber team took flat food and was able to sit around and not be bothered by people from the business knocking on their door all day, the scope was relatively straightforward. It was the infrastructure. It is so hard now to find these bright lines, especially if you're with a company that is delivering services to customers, or you're at a startup and you're able to design your infrastructure greenfield and you've gone cloud first, or your school hasn't quite clued into where these bright lines need to be, and they probably don't have the money to enforce them anyway. You cannot clearly distinguish as well any longer product from services from infrastructure. The CSO and the CSO's org can no longer sit around and go, oh, infrastructure's our problem, other stuff, that's your problem. Because who gets the finger pointed at them? You know, not that other finger, but sometimes you get that too pointed at you. When there's a problem, you're wearing the hat. They go, hey, you're cyber, you know more about cyber than anyone else around here, this is your deal. And you're sitting around going, hey, I've only been focusing on infrastructure, I don't know what you're talking about. We have to figure out what they're talking about, because if we don't figure out these accountability chains, and we don't figure out who does what and where and how to make it secure, it ain't going to be anybody else. We are the experts. And that's an exciting thing to me, because would you trust anybody more to figure it out than yourself? You're the one who has the knowledge. You know more about cyber than the non-cyber people around you. Of course we're the right people to figure it out. But we need to do it. We need to make that mindset to acknowledge, oh wow,
okay, this is a gap to be filled, I'm going to have to grab that bull by the horns, and I'm gonna have to realize it's not a one-and-done thing. This is not a one-and-done. Oh, I changed my scope, I talked about it differently, hallelujah, we're gonna move on, I'm finally gonna get that beer. It's gonna constantly be changing. Acknowledge it. Make that part of your scope as well. Part of your scope is a constantly changing scope. Hooray. But you know, that's what keeps it interesting, right? We're here because we don't like to be bored. Well, you ain't gonna be bored.

How we work with the business. This is one that can really alienate people, and I would lay a couple of dollars out there that some of you in the audience are like, I don't want to work with the business, this is why I got into a technical field, and David, I don't know why you got a keynote speaker in here who's talking about business, because if I want to talk about business, I'd go to an MBA conference, I wouldn't come to B-Sides. I'm sympathetic to that. You know, this is not a part of the job that I am gravitating to. If I gravitated to business, I'd have gone to MBA school as well, right? But we can't go without it. It's not optional any longer if you're in cyber, unless you have a really privileged position of being able to isolate yourself. Maybe you write books for a living, that'd be cool. You can carve out maybe a couple places in the world where you don't have to engage with the business. Those are few and far between, and they're getting smaller. Going back earlier to that democratization of technology and what we do outward facing: productive engagements with the business will allow our success. If our success is the securing of the enterprise we're in, or the greater protection of wherever we sit, or the accomplishment of this goal, productive business engagement will be what gets us there when we figure out how to do it right.

And I don't think it's that challenging. You don't need to go back to business school and learn how to talk like a financial analyst. You don't have to meet the GM of the business on his own terms. What you do need to do is to be able to meet them a little bit over halfway by acknowledging your common goals. Somewhere, somehow, there will be common goals. It may seem like a massive polarity that's unsolvable. They want to get a product out fast. You did a pen test on the product and you're like, there ain't no way we can put this thing out in public, are you kidding me, we will get slaughtered. That doesn't seem like a solvable polarity.
They want to get it out, you want to make it secure, it's going to take some time and money. There is a common goal there. The common goal there is, though, they need that product to succeed once it is out in the field. They don't get to just retire the day they ship the product and run off to Maui, right? So finding and highlighting those common goals, and expressing to them the desire that you do want them to meet their goal. You want to meet that goal, because ultimately that's your goal too. You don't want to be part of a company that puts crap out there in the field that can be popped at the drop of a hat, right? We have to keep that eye on the prize. Talk with them in those ways, and recognize they don't work in absolutes. We sometimes can tend to work in absolutes. You know, you're attacking a product, you want to find the vulnerabilities, you're either going to find something there or you're not. That's kind of absolute, right? Businesses don't work in absolutes. One of the easiest ways that we've seen this manifest in the last years is there used to be this idea that the cyber security strategy was a lift and shift no matter where you were. Look at the NIST framework, get your vote, get your unpatched system numbers down, get your product vulnerabilities down, boom, check, we're good.

That idea of a universal cybersecurity strategy is a total myth, and the reason it is a myth is that there are, not only three, but three that I really like to think about, you know, they're good enough to get minimum viable product there, there's three legs to that tripod that determine what your right strategy is wherever you are. And I'm going to talk about this in business and enterprise terms, but I think these ideas apply no matter where you are. The first idea is, what's the strategy of your business? Are you in a business that is rapidly and exponentially growing in a new field? Are you in a business that's going through a transformation? Are you in a business that just wants to run and maintain, or maybe even in a business that's spinning down so that they can spin something up? All of those things matter. They matter on their own, and they also matter because they affect the risk appetite. This is one of the biggest things that impacts your cybersecurity strategy: what is the risk appetite of the business around you? You know, the textbook example here is, let's compare Coke to Uber to State Farm Insurance, right? The amount of risk these companies are willing to take is vastly different, in vastly different ways, and that risk is really closely tied to, and often comes out of, what is the core value of that business. What makes that business it? What makes
you you? You know, for Coke, it's the recipe, right? If everybody was able to make Coke, why are they special? But there's no recipe at Uber. I mean, you know, yeah, there may be some cool algorithms in their technology, but they haven't made a business around a recipe that can't be duplicated. They made a business around other concepts. You look at a company like State Farm. What makes them them? Stability. You don't want an insurance company that's a fly-by-night, right? All of these core values are incredibly different from each other. So if your job is to make those enterprises and those efforts more secure, you're going to have incredibly different frameworks to do that. The securing and protection of a super special soft drink recipe is going to be really different than protecting massive financial assets in a company like State Farm, right? So acknowledging that there really aren't absolutes in this business world, and figuring out what that means to us in a world where there often are absolutes, is really challenging, but one of the biggest ways that we can start to have this partnership with the business and not have it like this empire, right? And speaking of that empire, I think of the empire, it's kind of like being the traffic cop or being the Doctor No. And I noticed something here in the chat about being the Dr. No. It is an art. It is absolutely an art to walk that line between we want to be partners, we want to be enablers, but at some point you do have to say, you can't do that. At some point you do have to look at metrics. I mean, I see phishing campaigns targeted here. Users hate that. Yes, they do. So the answer is we just don't do them because we want to be friendly, we want to be partners? This is the art. The art is that balance. And I will give all of you an example I ran into really recently, where it was that balance between not being the Doctor No but not being okay with something that a part of the business really wanted to do.

I'm in a company right now going through a transformation. It's no surprise; you look at HP's press releases, you listen to our CEO speak in his quarterly analyst calls, we're going through a transformation. By the way, it's super fun. It is really exciting to be in cyber when your own business is changing faster than you can keep up with it. As you can imagine, there are a ton of efforts going on here and there. People have their corporate credit cards, people can go to procurement, they can buy things, they can execute things, and if you're lucky, you know about it and you're able to have a little bit of influence on it. One came to light recently where there was a
large amount of really critical SAP data that a part of the business wanted to put in a vendor's cloud, fully in the vendor's cloud. I'm okay with that for some forms of data, and I'm okay with that for some forms of cloud. This particular data and this particular vendor? No, I didn't think it was a good idea. So the conversation we had was not Joanna rolls into the meeting and says, no, no, no, no, I gotta go, guys, what's next, bye, see you later. The conversation we had in the meeting was me saying, I am extremely uncomfortable with this, and I'm going to tell you why. And I illustrated for them what I had seen happen at another enterprise when the vendor was not able to prove good enough security practice, when the criticality of the data was important enough. And when I gave that illustration, the discussion in the meeting changed from let's convince Joanna to say yes rather than no. The discussion in the meeting changed to, is this more risk than fits HP at this time? And the answer was yes. Yes, this doesn't fit who we want to be, this doesn't fit who we're trying to be, this doesn't fit who we want to be, so let's talk about other options. You will find yourself having so many of those conversations if you get into a part of cyber where you are face to face with the business, and not all of you have to be. You'll have that conversation multiple times a day where you don't just say no and walk out the door. You explain the why. You explain the why. That helps more than anything get people to the table and recognize, hmm, okay, they're not trying to be difficult, so let's talk about how we get where we want to be in a way that we can all get behind. And you will sometimes still come down to the person who says, I get it, I understand what you're telling me, I understand the risk, but I eat risk for breakfast. Eh, you know what, that's when you go to their boss. And if they're the CEO, and their boss is the CEO, and the CEO goes, I eat risk for breakfast, you've done your job. You've done your job. You brought visibility to it, you shouted from the rooftops, and that's what we're here for, is to do our best, right?

Another word here that's really fraught is governance. That word makes people like, governance? Don't tell me what to do. But a huge part, I mean, I think it's even in my bio, it's a huge part of what my organization does, is define and execute on governance. That part is the art. It's figuring out governance in a way that you can bring people along with you, and not just create an environment where you can't look away, because then they're
going to go run off and do something bad earlier in the introduction when we talked about you know it's just enough to get tougher right and i said no i do not believe getting tougher and getting more restrictive is the answer simply because if you rule with the hammer you can't ever take the hammer away and if you rule by putting your thumb down you can't ever remove your thumb so with the problem getting broader with the problem getting more complex if you can't exponentially sprout enough thumbs to keep up with the breadth of the problem to keep up with 5g to keep up with iot you got to find another way so the fact
that i don't believe in ruling with the hammer and i don't believe in the empire it's not just because of my personality that i'm like you know kumbaya girl scout everybody get along it's mathematics if you can't scale enough to rule with the empire you gotta find another way to me it's as simple as that and that feeds into how we lead and you know you may go ah it's easy for you to talk about leading you're sitting there as a ciso we're all leading in in some form or fashion and i really don't want to you know be the pissy we're all a leader no matter where we are now the reality is by being in such a cool area by
knowing what you know by having people come to you and ask you questions look at you as an expert you're leading by definition there are so many faucets to that leadership i i'm really only going to mention to you today because they're they're two that i think are really critical because they're the ones that influence the future you lead by how you grow and hire and you lead by how you structure i'm really really interested these days in this idea of how we grow the cyber tent we need to figure out how to make the tent bigger more inclusive not only because we have a talent gap not only because we we have a people gap
I think we have a gap in how we think about everything we need to do. Nobody will argue at the importance of having critical technical roles in cyber. That's obvious, been around forever. Still, when most of us, you know, think about, or people say, "Oh, what is the cyber professional?" People like y'all, people like me, people who started as technologists. I would argue very strongly that that is not the only image of the cyber professional that we need to develop into. You cannot do without the technologist, you cannot do without people like us, but we cannot make up everything that you're hearing about today. We need people who can work on deal support with sales organizations. You need people who can assess and audit, and not just, you know, check the box, like, "Oh, here's my CMI, here's my check box, say okay, we're good." No, people who can really go into an environment and think and look at complex setups, look at complex problems, and draw conclusions. Financial and business analysts who can understand cyber yet understand how the business works and therefore find exposures, find gaps, and more importantly find solutions, right? You need the politicians. I mean, politicians, really? But yeah, I mean, a lot of what I've talked about today is, you know, not politician in this really nasty idea of, we're going through a horrible time as a country, a politician in the old sense, like a statesman who can bring different parties to the table and find that common ground. That is an important part of what we do. It's easy to make fun of it, it's easy to go, "God, I don't want to do that," but it's really critical to what we need in order to enable us, right? We also need techies that have zero cyber skills. You know, we're really actively these days, in my org, we're looking for cloud experts, DevOps specialists, people who have never had any cyber training but they've got massive other skills. We can teach cyber, we all learned it at some point, right? So we need techies who don't fit the traditional mold either.

The great news is this is an ideal time to intersect all these needs with also underserved populations, and by underserved population that can mean anything. It can mean non-traditionally degreed, it can mean people in the latter part of their career who never thought about cyber before but now they need another opportunity, it can mean people who lost their job and need re-skilling, it can mean minority populations who haven't gotten this enablement and this focus before. There's a lot of talent out in the world that isn't getting attention because it doesn't fit the traditional mold, and that's a great marriage for a field that's blowing up with need like cyber, in an area where there are people, we
just need to find them. This is a marriage made in heaven. That's the whole part about the growing. I obviously get really excited about this stuff, the growing for the future. This is a massive part of what excites me and makes me happy as a leader.

I also want to talk a little bit about structuring. Most organizations still have a command and control structure: you have a hierarchy, you have a command, and that's how it works. There is a great idea that's been around for a while, especially in the military. General Stanley McChrystal wrote a book about it several years ago called Team of Teams. General McChrystal headed up the US armed forces for several years in Afghanistan, I think around the first Gulf War, not certain about that, but during that period of time, and that is where he noticed the traditional C&C mode of rule and command in the military was not working against the insurgents, because they were working in independent networks, they were working in self-forming pods, they were using non-traditional methods of communication. They had leapfrogged the US military command structure in how they worked, and they were whipping the US's butts, and he recognized, we can't take the command and control structure and combat this, we have to change what we do. So what he ended up doing, and what he wrote the book about, is this idea called the team of teams, and the team of teams was: you don't have that traditional C&C structure, you have self-forming teams around certain topics, etc. So I was fortunate enough during a couple of my years at Siemens to run an organization where we were able to structure this way. You kind of have to have the right org for it, and the org that I had was global, but we didn't do, you know, only incident response was here and then only forensics was here and then only X is here. In all of our global locations we did a little bit of everything, so it was a great place to formalize this team of teams idea. I learned a lot from it, what went well, what didn't go well, but what it taught me was we don't have to think in these traditional forms of structure in cyber. If you think about what we're doing in a lot of ways as a military engagement, because there are a lot of similarities there, we can take ideas from stuff like what General McChrystal has and use that to adapt to the situation we're in.

I noticed something in the chat about when have we done kind of lateral non-cyber moves and it's gone well, and when it's gone awful. Oh yeah, so I can tell you about one right now
that's going so well that I'm so happy with it. The organization that I run today, for many years of course, like any CSO org, was very focused on the inside, focused on the infrastructure. We are really now trying to grow this ecosystem with developers across HP, specifically software development across HP. There's never been this holistic, unified ecosystem where it's not someone at the top ruling, but it's all of us bringing our skills and talents to the table. So several months ago we had interest from a member of our print business unit. She'd been working with development organizations for a while as a project manager, really was interested in cyber, had taken the CISSP, put her hand up and said, "I'd love to come to your org at some point. I don't really have a technical skill, but I love the topic, and hey, I know a hell of a lot about how HP works." So she came over. It's been amazing. She's driving several work streams right now that cyber is doing in collaboration with the development community at our enterprise, and that development community is about 9,000 people. So she gets out and she finds the stakeholders, she finds the people that can move the needle, she works on solutions, she comes back to the cyber org and says, "Hey, we need this, this, and this," and the guys work to give it to her. It has been amazing, and it really demonstrates to me: she brought a ton of skills to the table, none of them were technical cyber skills, but what she brought to the table was exactly what we needed to advance that needle and to continue that shift left on the topic.

Now, I've seen several that bomb, and a lot of them bomb because of ego. It's hard to admit when you don't know something, and it's easy to be intimidated when you move into a new area, and I've seen several people move into cyber and they want to establish how much they know, they want to establish, "Here's my value, here's what I can do," and they're not looking around enough to say, "Here's also what I need to learn." Those are the ones that go really, really poorly. So you really want to make sure that everyone across your org has that mindset, and I love what David mentioned earlier about the whole spirit of B-Sides. The spirit of B-Sides is that we all have something to learn from each other, and we do, and if you're finding people that know that and they operate that way, you will find people who can be successful in the field.

So there's a lot of things we need to be, and I mean, I don't know what you guys think as we talk about it, I feel like I need to be all these
things in front of you on a daily basis, and even though I made "mental health expert" and "sounding board" smaller, in the fine print at the bottom, some days they are writ large, right? It's the most important thing you can be on some days. And you know, you look around, you're like, "Oh boy, that's a lot," and what isn't written in there is "king of empire" or "chief traffic cop," and some days you look around and you think, "I'm just giving up more and more control, maybe I should be the king of the empire, maybe I should rule with the hammer, maybe I should rule with the thumb." I am convinced, after seeing it and trying it and not doing it, that's not the way to go. The way to make an impact at scale is to recognize you can't do it by being the king. You do it by finding the ecosystem, by pushing the ecosystem, enabling the ecosystem, recognizing all of these things that need to be brought to the table, recognizing that not a single human can do these things. And once you recognize that, and you find what those parts of the ecosystem are, and the who and the where and the what and the wherefores, that's when we really make impact at scale these days.

And I believe too, this is just the latest in the evolution of cyber. This is not our last evolution. Our field, by the years, is still really immature. Think about how long physical safety has been a thing, has been a focus. We're still figuring out what is cyber going to be, how do we continue to adapt to that constantly changing world. And I think the good news in there is, by nature of what we in here have done already, because we have people in here that in one way or another have already touched cyber, we've already learned, I think, what the most critical skills here are, and I don't mean technical skills at all. I mean collaboration. We all have learned collaboration, because we know the importance of intel sharing, we know the importance of putting a couple of brains together to uncover an attack chain, we know that you can't do it all alone in your own brain. Secondly, we have adaptability. You could never get through an incident, or even get through the perpetration of one, on your own without some adaptability. Nothing ever goes like it's planned, right? I don't remember who said it, but the whole idea of military strategy: you've got a plan until the first bullet's fired, right, or until you crest the first hill. By nature of what we do, whether it is on the white side or the black side, it has to be adaptable. You know, why that black cat
one in the middle, whatever, we have to adapt, because it never goes like you script. And the third one is, I wrote down equanimity, and luckily it's in the morning, I haven't had a morning cocktail yet, I can say equanimity, but what I mean is the ability to not get too spun up, to treat things calmly. We deal with emergencies constantly. That over time creates the ability to take emergencies, to take fire drills, to deal with them, to deal with fire drills, to not get the hair on fire, to not get spun up. There's a lot of people in the communities you'll work with that don't have that skill. I think cyber teaches it. I'll never forget one time when I started to wonder, have I gotten too laissez-faire about cyber incidents? I was on a train platform in Germany, I'd been at some meetings in Nuremberg, I was waiting to go back to Munich to headquarters, and I get a call from a peer: "Oh my gosh, Joanna, someone is impersonating our CEO on WhatsApp." And my first thought was, okay, someone spoofing the CEO on WhatsApp, bummer, what are you so spun up about? And of course his view, what he thought was happening, this is not a real cyber-savvy guy, he is thinking, oh my gosh, in order to do this someone had to take the CEO's phone, someone maybe stole his SIM, someone has phoned everything from the CEO. And of course in my mind I'm thinking, yeah, someone put his name on an account, whatevs, right? Big deal. And I remember that day, and of course it worked out where it hadn't been a big deal, someone spoofed his name, and I'm sitting on the train and I'm thinking, Joanna, have you gotten too whatevs about everything, right? Have you lost the ability to really get spun up when you need to? And the conclusion I came to is it's not ever productive to get in a panic, it's not ever productive to get spun up, especially when the people around you will do more than what is needed in that regard. This is something all of us, I believe, by nature working in the field, we get that, we develop that calmness, and it's a great skill to have.

So we've got these skills, we can make this difference at scale. I mean, I think it's an amazing time to be in the industry. There's so much we can do. If you want to find a different place, you can find a different place; if you love what you do, you can keep doing what you do, it's only going to be in more demand. So I think it's good for us to kind of sit back, look at the evolution, recognize the evolution, think about what's needed,
think about at the moment where you want to plug in to that, and do it, and then look at and be excited by the impact that you're able to make. So I haven't looked at the chat in a few minutes, let's see if there's anything else in there. I'm all ears, and happy to move to the top Q&A track when this is over as well.

Yeah, there have been some discussion and questions. I think Rita had one, and if she wants to take a second, unmute and relay it, that's cool. Rita, you said you were comfortable with that, so go ahead and fire away. I'm gonna scroll through the chat for another question or two.

Hi there, this is Rita, and you actually started on it, and the question was: so we need that balance between due care, by making people follow our policies, and we have to have sanctions when you don't follow it, to this whole concept of democracy of technology, which I love, I love that term. So like you said, we don't want to be Dr. No, right, even though that's what they call us, and we have to show our metrics, so our internal phishing, and then they mess it up and they have to come to us and say, "Forgive me, for I have sinned," which only racks up the hatred level for us. So where do we go to find that balance, so that they have the freedom for that democracy that you're talking about, but at the same time we can say, here is our demarc line, here is where we are safe, we have a place where we can huddle and hide for a second, and we know that here's our security posturing when you walk in to our perimeter?

I have had... so that is, it is such a relevant area, and I really believe that that is the art. Where I've had success is by making it a risk conversation instead of making it a "you done bad" or "you done good" conversation. To make it a risk conversation and tune it to the level that you're speaking at. A concrete example here: the one thing that my organization keeps and manages is, for every report to the CEO at HP, we maintain a dashboard for that pillar at the company I am at, and this is where audience-driven communications is so key, and the ability to read the room is really key. If I rolled into a CEO staff and I showed that dashboard and I gamified it, it would not go well, just because of the personalities, some politics, some history, some various things. Everyone would be more focused on trying to look better than someone else than they would think about their own area, and I know that at another company I
think you could do that and it would be productive, but I know in my company it ain't going to work. So what we do instead is, on a quarterly basis, I meet with these individuals one-on-one so they don't feel shamed and they don't feel embarrassed, and I make the conversation about risk, and I just say, "Look, if this continues, this is the impact that you're potentially going to see. How does that sound to you?" And on some days they go, "I'm cool with that, no worries," and on some days they go, "Oh crap, what do we do about it?" So if you make it about risk more than about "you done good" or "you done bad," personally I've had a lot of success with that. But that's why I say it's an art, because that's harder. It's harder to do that than to just roll out metrics to everybody and go, "Hey, look at this, do something about it, all right, I've got real work to do, I'm out of here."

Yeah, thanks. So what I'm gonna do is, there was another comment I'm going to paraphrase into a question. Thank you, Rita, and there's some more comments there, a lot of people that seem to want to engage in conversation, and just maybe as a final question here, I'm going to take something that came from dash dash dash dash, who made a comment about leadership buy-in, and hopefully I'm not going to do a disservice by paraphrasing, but how do you take some of the things you were talking about, or in your experience, how do you communicate up, right? So you've listened to this keynote, you've learned something, and now you want to do something with it, but because of where you work and what you do, you're going to have to communicate this up. How do you do that successfully, and what would you advise a person who wants to take it and do it, to communicate this up? What do you think about that?

Two things come to my mind. It's a little bit unstructured, so I'm gonna
think out loud for a minute. One is, in any situation, in my experience the best chance of success is to understand what motivates the person you're talking to. So if, let's say, you want to take something that you learn at B-Sides, maybe from my keynote, maybe from somebody else, you want to take something back, and the right person to take it to is two hierarchy levels up from you: do you know how that person is incentivized and what motivates them? Because if you know that, you've got a massive leg up on not only will they be willing to listen to you, but, you know, fundamentally people are self-motivated. If you can explain to me what you want in a way that benefits me, I'm all over it, right? That's just human nature, doesn't mean you're a bad person. So if you're able to tie that to something you know they are incentivized by, beautiful. Another thing is, if you want to take something to somebody that you don't think they're going to like, and you think they're not going to like this answer, I got a really good piece of advice one time, ironically from a terrible leader, but this was great advice. He said, never give an executive only one choice. If they tell you to do something and you know it's the wrong thing, don't say, "Well, you need to do this instead." Bring them back two rocks, bring them back three rocks, and structure your rocks in a way where they can reach the right answer without losing face and without looking bad. There may be a way to kind of take those two ideas and