
Advanced Soft Skills: Using Efficacy to Get Sh*t Done

BSides Delaware · 2017 · 48:16 · 186 views · Published 2017-11
About this talk
Claire Tills explores how information security professionals can apply communication science and empathy to persuade stakeholders to adopt security recommendations. Drawing on crisis communication research and behavioral psychology, she demonstrates frameworks for tailoring messages to audience constraints, using positive framing over fear appeals, and building sustained engagement with security initiatives.

not really I don't care okay cool we're on the Internet apparently good morning everybody welcome to BSides Delaware my name is Claire Tills and today I'm gonna be talking about advanced soft skills how you guys can use efficacy to actually get things done in security so a little bit about me maybe there we go a little bit about me I'm a communication researcher my background is in public relations don't hold that against me and I started studying cyber security when I was studying for my master's I was researching crisis communication and before I went to graduate school I worked for a PR firm that focused on high tech mostly security in that time it was 2014 there

were a lot of breaches going on so we had a lot to talk about in our PR firm involved in crisis communication and cyber security and what I realized is people are doing this really badly cybersecurity communication as a whole isn't really a field it's not a thing that exists in research in particular and it's still brand new in terms of practice I have a couple of friends who do cybersecurity communication but there's maybe a couple of handfuls of us so I started researching it I started looking into crises and from there I kind of expanded to be four broad communication about information security issues last April or this April I was in Rochester giving a presentation about

crisis communication and they had these lightning talks and a couple of the Lightning talks talked about how can we be more proactive in information security how can we get people to actually take our recommendations and do stuff and I was like hey I can help with that so that's sort of how I put together this talk I also came from a lot of the common complaints I heard from my friends in information security of ok no one listens to us we have recommendations we tell them to do things to be more secure then they get breached and they come back to us and say why didn't you stop this so hopefully you can learn some things here

today that will preempt that cycle of stuck and I also want to move InfoSec communication away from crisis communication most of what you see when people are talking about InfoSec is something is on fire something has gone terribly wrong that's not the best time to be talking about this you want to be talking about it all the time and here are some reasons so when you only talk about something during crisis you're creating the perception in people's minds that only crises happen here so if you're only talking to people about information security when something scary and bad is happening they're only going to have scary bad associations with information security they're not going to want to think about

it people don't like thinking about things that make them afraid we don't do things we don't plan properly for our wills or our end of life because we don't like talking about it we are in denial that it will ever happen because it's scary so by moving more proactive with communication about information security we're building those better connections or building better mental associations and trying to make people feel good about talking about information security so then they'll feel good about doing something to be more secure and also only talking about and permission or information security during a crisis create silos in an organization your PR team if you're in a firm is probably never talking to your

security team they're completely siloed and then during a crisis that's the only time they're getting in touch and so they see it as okay well I only need to talk to my security team when something goes wrong no you want them talking all of the time so and then what if the bad thing never happens so this is something that I've heard about a little bit where you know there's a lot of chicken little potential for some information security we keep saying if you don't do this something bad will happen you if you don't do this something bad will happen but we've seen so many organizations fall victim to these huge mega breaches that should totally end their company

but we haven't seen any companies actually go out of business because of these mega breaches that might change it might not so what if the bad thing never happens if you keep telling people something bad's going to happen and it never does they stop listening to you so being more proactive it's just a better way to get people to listen to you into action so that's why I'm here hopefully to help you so I call this advanced soft skills because it takes a step beyond just learning how to talk to people building relationships it's the direct application of empathy if you read any piece on how to use soft skills or improving soft skills for

information security there are a lot of them out there they're all fantastic most of them are going to mention empathy and so empathy is the idea of putting yourself in someone else's shoes and you really need to do that in order to apply efficacy you need to envision a lot about the other person in order to use it so that's why it's called advanced soft skills just a quick little bit on that so why should you guys care have you ever had an I-told-you-so moment at work where you gave a recommendation and it was totally ignored and then something bad happened couple of nods hand up thank you did it feel good to say I told you so

in that instance no it doesn't feel good sometimes it feels really good to say I told you so sometimes it feels awful so hopefully you can apply some of these skills and tactics to avoid the i-told-you-so moment and just tell them and then they do the thing so the premise here is that there's some risk or threat that requires action to mitigate it and you're gonna use efficacy to convince them to do some behavior you need to know what behavior they need to do to fix the problem and efficacy is how you're gonna get them to do it so I've used this word a lot already efficacy anybody familiar with the term they heard it before a couple of nods I

think you were my talk already you so count you read ahead so efficacy is the power or ability to produce an effect its effectiveness I use it because it comes from scholarship it's one of those words that they've decided to stick their hat on and so I'm gonna stick my hat on there as well no where does it come from it's got a medical background I'm not gonna say farm nope yep I did it in DC and I didn't have tried to do it again so in the medical field it is defined as the capacity for beneficial change so what's the therapeutic effect of a drug device or procedure know if something will cure a disease it has high medical efficacy I

think it might I've seen it a couple of times used in terms of technology you know the technology has some sort of efficacy to solve a problem the cop this concept eventually traveled across campus to the social sciences through health communication so that makes sense the doctors were using it in their research then the people who needed to talk about the doctors research used it in their communication and that's where sort of how it transitioned across campus so what are some issues do you think health communication is using efficacy for any ideas just shout it out


yeah so medical advertising might use efficacy you'll see it in campaign so if you think of public health campaigns so your Public Health Authority wants you to do something they want you to get a flu shot they want you to use condoms they want you to avoid smoking all of those sort of pro health communications you see those public service announcements those are using efficacy so this is looking at how doctors and public health organizations convince people to do healthy things the one example that I want to show is a commercial that ran several years ago I'm not sure if anyone's familiar with it but I've got a video at the end and I really like this because it's a good

example of efficacy it's a commercial that's trying to tell you how to determine if you have pre-diabetes and then get you to talk to your doctor about it and so the way it works is this man in a lab coat comes up and has you answer a bunch of questions and with each question you put up a set of fingers so if someone in your family already has diabetes put up one finger if someone if your body shape looks like this and he has a chart put up the associated number of fingers and then at the end he says okay if you have more than seven fingers up right now you should talk to your doctor and this is a

really good example of how efficacy works because it's about reducing the barrier to action and making things seem simple and meeting the audience where they are so we're going to look into these tactics a little more but I want to cover one last area where efficacy comes into play and that's emergency preparedness and so that's sort of where I see information security coming into play as well as emergency preparedness is about doing things to prevent damage when something bad happens so do you live in an area that is subject to a lot of hurricanes or flooding here's how you prepare your house preparedness I think overlaps really well with information security so that's why I

wanted to throw this in all right so principles of usage so we're finally gonna get into what we're actually doing here I'm gonna stop kind of parsing it among different disciplines and just talk about it generally so we're not going to say this is from health comm or whatever this is just a kind of grab bag of all different ideas from efficacy so there are a couple of types of efficacy and I'm going to talk about two self-efficacy and response efficacy self-efficacy is the belief that you can actually perform the recommended action so whatever you're being told to do if you don't think you can actually do that you have low self-efficacy and then response efficacy is will this thing

actually solve my problem so if someone tells you to do something to solve your problem and you don't think it's gonna work you have low response efficacy so in order to actually use this you need to know a little bit about your audience and this is where empathy comes in because in a lot of cases you won't be able to ask your audience this but you need to know whether or not they actually recognize there's a problem and that's something that I think we struggle with in information security a lot of our audiences either don't know there's a problem don't know how serious the problem is or don't think the problem is theirs so you have to kind of

argue with them and convince them this is your problem you own it you have to do something not just you can do something and then constraint recognition what are some things that your audience sees as barriers so what are some barriers that people might throw at you when you tell them to do something about InfoSec budget yes our favorite one what else though time budget time I'm sorry I didn't hear that one history yeah we don't do it that way or we've always done it this way or we've never been breached before so we're totally fine right those are all barriers and so what you do with efficacy is think about okay why do they see that as a barrier

and how can I get them around it over it through it or show them that it doesn't actually exist so what you want to know is where are they now what barriers do they perceive do they see an actual problem in existence and where do they need to be to act what is that sort of minimum level of interest or constraints or what-have-you that will actually get them to do something and that's something that we're gonna need a little more empirical research on I hope to do that eventually but you get the idea that you know you have to move them somewhere you don't have to get them to being InfoSec evangelists you just have

to get them far enough along the tikar to actually take the action you want so now you know where they are and now you know where they need to be so how do you get them from point A to B what we've been using a lot in InfoSec has been fear and I've mentioned before that hasn't worked super well and I think a lot of that stems from the sort of history of how InfoSec has been treated as a field and a discipline it's been treated like dark sorcery and hidden in a corner and no one really wants to talk about it so the information security people had to be louder they had to shout to get attention and now people

are actually paying attention but InfoSec is still kind of in that place where we think we need to be loud and shouty and scary to be heard because that's how it has been but I think we can move in a more positive direction focus less on fear because people are listening and if you move in a more positive direction people will feel better talking to you if they feel better talking to you they'll want to do it more and you'll build those relationships so I haven't said this yet but we're talking a little bit about manipulation you're trying to manipulate their perceptions you're trying to persuade and influence them and her PR and communication likes to avoid the terms

manipulation but that is what you're doing the thing here though is you're supposed to be using this for making people more secure you're trying to kind of hack their risk perception show them that they are at risk they can do something about it and make them more secure using efficacy so I can trust you guys to use these powers for good great promise right exactly that's totally the audience that I should be asking to use this power for good anyway this is how you actually do it so self-efficacy you can do something and you have to do something so first they have to realize there's a problem that requires action I mentioned that and you have to remove

perceived constraints so this is where you think about what are their constraints unfamiliar behavior trust money those are all constraints that I think really apply to information security unfamiliar behavior these people have probably never done the things you're asking them to do they have no idea what two-factor authentication is they don't know any of the controls you're talking about you guys don't necessarily speak the same language that creates a lot of anxiety in people and makes them uncomfortable and that's a constraint they stopped listening when they feel bad so trying to take a step back reduce the language reduce the things you're asking them to do into very small understandable steps it's important and that really does

depend on your audience if you're talking to executives they're gonna have a different level of understanding than if you're talking to a CEO or if you're talking to your mom at home they'll find out what language your audience is familiar with and stick to that so they don't have to ask you to define words you're doing it beforehand you're pre-empting their questions and anticipating their needs so that you show that you're empathetic and you're listening and you're caring so now that you have convinced them that the constraints are gone actually I want to go back so what are some other ways that you might reduce constraints for your audience so say that the constraint is trust

they don't trust security procedures they don't necessarily trust you cuz you're a brand new face what might you do to build trust or a different constraint if you want to pick that become their friends no show that you know stuff about them and we'll get into this with response efficacy as well but if you're consulting with an organization and they say okay well that's not gonna work for us your response should be okay well based on this this and this in your organization I know that this will work so showing that you've done your research and you know them and you've taken the time to tailor your responses to them as an individual they will feel special and they will

trust you more what about unfamiliar behavior I gave a couple of general ideas but what are some other ways you can reduce that constraint training go start early if you're trying to do employee awareness it should be an ongoing process it shouldn't be one and done ongoing exposure to these sorts of terms this terminology these sorts of behaviors is the way to make people more comfortable that gets rid of unfamiliar because they're seeing it all the time it is now familiar all right so now response efficacy so you want to prove that this is the best action for them why are you telling them to do this particular thing there are a lot of different solutions in information

security the thing that I always point out in this for sort of my friends and people who aren't as technical is I asked them okay how do you make a good password what what is a good password and they can't answer because to them there's no solid agreement on what a good password is that's the perception we're dealing with is that we don't have our ducks in a row we can't agree what the best response is so why should I trust what you're telling me to do now that's the thing you're trying to come and get across you're trying to say no this is the right response for you here's why so again you're going to be

tailoring it to their specific pace saying I know this much about your organization and that's why I know that this is the right thing because of XYZ if you have statistics that's fantastic anecdotes are also really good tell people a story to get them to change their behavior if you have it make one up tell a hypothetical story and use that to get them through and show that this is the best action so I want to circle back to fear one last time and talk about why we don't respond to those so if someone says to you you have 20% risk of this thing happening you're probably going to think you're part of the 80% if they say there's a 99% chance

of this happening to you you're gonna think you're part of the 1% that it won't happen to we love it's human nature to think that we are special that's not a bad thing that's just how everyone works you're gonna think you're part of the percentage that is safe you're going to come up with lists of reasons why you are not at risk and so that comes in with response efficacy you're trying to convince your audience unfortunately you are not special you are going to be at risk for this you are probably part of that 20% or 50% or 80% that is susceptible and here's why so walking them through your rationale is really important it's like in school when you

were told to show your work and you were like I got the right answer why does it matter here it does matter because you're trying to lead your audience through your decision process so that they can see okay well I would have made a different decision here so I can negate everything else they say if you're walking them through your decision process and you're convincing they're following you and they will come to the same conclusion it's almost about tricking them into thinking they made the decision themselves so show your work yeah


I'm really glad you asked that question because I'm currently working on updating this talk based on research I've been doing right now into gain/loss framing and that's exactly what I'm arguing is that you should focus on the positive so you should focus on gaining instead of avoiding to move even farther away from fear so instead of saying you have a 20% chance of being a victim say this this solution will improve your security like focus on being more positive focus on the benefits that they're gonna gain and so that's something that I've been working on and I'll kind of plug my blog later so you can look at it but that's a really good question

moving away from saying here are your risks here's how dangerous this is for you try focusing on here's how good you'll feel after you do this thing you'll be able to step up and pass your competitors you'll be able to brag to your friends or you know when I tell my friends and family to start doing different security things I'll say ok well I'm gonna teach you and then you go to work and teach your friends and they're gonna think you're really smart they're gonna think you're really smart and cool and you're gonna be a badass in your office and so focusing on the positive side of things is sort of the next step of this oh thank you for that

question it's like I planted that but I didn't so No


yeah you yes you

absolutely ya know and so that brings it to a good point as well is knowing your audience is knowing where your audience is and what will persuade them the story I tell a lot in when I taught public speaking and we were preparing for persuasive speeches is whenever I was trying to convince my dad of something he is an engineer so he needs to know the math and the science and whatever sort of hard facts behind your decision so in it whenever I was trying to persuade him I would do calculations I would come up with at one point I actually used net profit in a conversation with my father to convince him whereas with my mom she is not as hard

science she wants just to focus on the more qualitative benefits so I'll say it'll make me really happy if this thing happens and so knowing your audience and what will persuade them is the foundation to all of persuasion is knowing what is actually going to be persuasive to these people so if you're talking to money people you're talking about return on investment so you need to figure out how to calculate the actual return on investment because they need to hear dollar amounts and so that is a really key point as well is you do want to be more positive but some people you will have to scare and you are gonna have to make that decision on your own

or hopefully you know talk to the communication people because their whole sort of background we've spent years in PR trying to figure out how to quantify what we do because what we do isn't easy to quantify its seen as fluffy it's seen as a lot of waste in a lot of organizations that's taken a turn now but we do have a history of trying to figure out how to show hard statistics in ROI for something that is avoiding bad so you can't quantify okay well because you you applied this you didn't experience a breach and you didn't here's the money you didn't lose like that's not the best way no figuring out how to quantify this is something that

communication and PR can also help with and there are other fields who have done it as well but yeah it's all about picking your audience and knowing they need to change their behavior so

and I think the balance is the key part is not only focusing on one or the other use I think the way the way that I would recommend is developing a narrative through what you're saying go start off scary start off with these statistics start off with their actual risk and the difficult potential and all of that and as you're progressing move in a more positive direction that's another principle of persuasion you start off with negative emotions and as you're communicating you're transitioning into more positive you're talking about the benefits they'll gain in addition to the risks that they're going to avoid so really taking that balance and creating a narrative with it so you're telling them a story and

they're the heroes of that story so I'm gonna skip the exercise for now and talk a little bit about some of these specifics for emphasis I've hit them a little bit but I want to kind of circle back before an incident you got to make the risks real so show them similar organizations to them show how those organizations are similar so if you're trying to use Equifax as a case why is your company similar to Equifax what are the similar cases are they in a similar field are they going to be targeted because of the data that they have so really tying together your scary statistics with why it applies to them getting them over that hump of it'll

never happen to me because I'm special why are they not special linking security behaviors to ones that they already do this is one that I think is especially particular if you're talking to end users if you're talking to an end user they're not going to be familiar with the language they're not going to be familiar with the behaviors if you're able to link the security behavior to something that they're doing in their life already so maybe using or doing a drill so I hear likening it to fire drills all of the time it's not a bad idea if you're talking about having them do security audits or penetration testing maybe liken that to quarterly performance reviews things

that they're doing on a regular basis so that's gonna be a little bit on you to think about okay I've got this security thing that I want them to do what is that like in their everyday life so think about it use that empathy that sort of putting yourself in their shoes even just think about what you do in your everyday life that's similar and then overcoming fatalism this is one that we see a lot in information security as well it's not if you get breached it's when companies are starting to get why set and they're like okay if I'm gonna get breached anyway I bother why yet why even do this and so trying to get them over that I think the

positivity might help showing the different benefits you're not just gonna avoid a breach this is you're going to be a leader in your field you're going to step ahead of your competitors whatever other benefits that they can get beyond just avoiding a breach because it is there's a good chance it's still gonna happen alright so during an incident you can still use efficacy you can still use these communication principles you're highlighting the protective powers of whatever behavior you're doing so instead of avoiding risks you're telling them doing this thing will protect you so when people are talking about doing credit freezes after Equifax this is how it's going to protect you that sort of example so instead of saying it will

avoid a breach saying how it's going to defend you once a breach has happened using statistics and anecdotes to prove your response efficacy is also important here and then finally you want to break it all down into small digestible actions so you guys probably do this already in terms of not just plopping a whole security plan in front of your personal contact or anyone you're going to take it into little bites did we do this first and it's really easy and it's like doing this in your everyday life and then you do this and making it small and digestible so they're not overwhelmed all right and then embracing uncertainty there is a lot of uncertainty in

information security and you're better off actually fessing up to this uncertainty in your conversations with people than trying to deny it if there is uncertainty if you can't make guarantees don't do it okay okay well this is your best case scenario because I'm an expert I know what I'm talking about here's why I think this is the best case scenario if you try and tell them that this will save them and it doesn't you're breaking down trust you're trying to build trust and actually coming forward to someone and saying this is your best-case scenario this is the best I can do it's not 100% but it will be better can help build trust because people are initially

reactive when they hear over-promising or think that people are overcome over compensating for potential drawbacks so if you come forward and point out the drawbacks proactively you're gonna build that trust they're gonna say okay they're not hiding things from me they're pointing out that drawback they're not hiding anything else you're gonna tell me straight up so a way to build trust with that alright so times of crisis I want to skip this a little bit and so today we've talked about moving information security communication beyond crisis we're saying how fear isn't the best motivator you don't want to have risk statistics but you also want to balance that out with more positive messaging simple explanations like my end users are

stupid or they don't care aren't sufficient because they don't actually get anything done and yes a lot of end users make mistakes and do the wrong thing a lot of executives don't listen to you when they should and it's horribly frustrating I can't even imagine but stopping there doesn't solve the problem of people being insecure using efficacy and understanding okay why don't they care enough why aren't they paying attention to their risk thinking about the whys behind these simple explanations can help you get around them hopefully and then finally efficacy is direct application of that empathy to try and get across so what we still need to know here through empirical studies I want to find out

what are people's levels of efficacy do they think they actually have the capability of being more secure and that's all audience based few executives think this I've seen a lot of studies recently of usually the statistic is executives thinks executives think that they are prepared to respond to an incident despite the fact that in the last year 65 percent of them failed to do so so that's where you see it is they think they are capable of doing things when the statistics show that they are not but I want to get some some more statistics on that and then levels of problem recognition do people actually think that these problems are theirs and that they need to be solved so this is a

little bit more about end users the general public how concerned are they really with their security and do they think it's a problem that they need to solve constraints we talked about that a little but also thinking more about the psychology behind it so why do people ignore security recommendations on a psychological basis why are they giving the excuse of money is it because money is really a case because when you really think about it an investment in security shouldn't be that big of a deal it should be important enough to get over most budgetary constraints so what's the psychology behind them saying we don't have the money for it it might be legitimately we don't have the money but

there might be something else it might be we don't see value in security so how do you twist that how do you get them to actually see value and then finally what's the threshold for action what movement do you need in their constraint and problem recognition in their self efficacy and their response efficacy how far do you need to get them to move because if you only need to get them to move a little bit that's really different than if you need to them to move a marathon so figuring out how much distance is required how much persuasion is required is really important and then figuring out and this is more of a project for me it's

figuring out increased consensus on recommendations everyone's going to have their own solutions but trying to figure out how to communicate what the best practices really are so that's what I have to cover and further reading here where to find me I am on Twitter all of the time I have a blog that I write about every other week and so you'll see that updated post on gain and loss framing and so with that I argue about moving in that more positive direction focusing on the benefits that your audience can gain from being more secure and how to develop a communication program around that so that's my information I also include some scholarly sources I really

recommend you look them up if you're interested you can only you can read just the abstract if you want cuz they're probably about 20 pages each if you're not a nerd like me so let's go back to the overview and I'll take some questions


yeah so I kind of see two answers to your question and so the question was about sort of the stereo I'm doing this for the web folks and the people in the other room the question is is there a place for the stereotypical antisocial InfoSec person in this sort of model and that one the answer is definitely yes I see this as it's kind of a formula so if you don't do well with people I'm an introvert despite all of this I'm uncomfortable talking to people I don't know and so having a formula like this okay I can brainstorm and think about their constraints what are their constraints how do I break down those

constraints and get them around it it can give you a little bit more of a script and a formula to be more comfortable and more personable if that's not your jam so you can kind of script out what you're going to say more so you're not necessarily talking off of the cuff and be more prepared so you don't have to necessarily be charismatic or extroverted you can plan ahead have a script have an outline have you know brainstorm questions and treat it a little more like an engineering or math problem rather than something softer and so that's part one and part two is if you are an InfoSec person who is more personable who doesn't fall into that

stereotype you can then kind of step forward on your team and say I got this like I will be the external face of our team I will use these skills so sort of double answer to that of if you're the stereotypical person you can take this a little bit of a step back make it a little less fluffy and make it more about a math or science problem of okay I have this constraint and here are the ways that they can get around it and make it a little more flowcharty and less storytelling but if you do like storytelling if you like talking to people and you're in InfoSec this can be a really good way to kind of flex those

skills and get that into your wheelhouse a little bit more did I answer your question okay great

yes


yes yeah that would be my dream for security teams and communication teams inside of an organization working together to develop communication and we see that in a couple of organizations you know maybe a handful of organizations are actually teaming up communication and security to develop communication programs and messaging and campaigns and all of that so it is happening and if you have relationships with your communication team you can go to them and say hey I need to do this presentation to get more budget can you help me out they'll probably have the tools to help you out they might have just general speaker training guides they might have actual like budgetary presentations that they've given that

worked so make friends with your communication people and I don't just say that because I'm a communication purple person and I like having InfoSec friends but make you know take them out to coffee meet them at just an all-hands meeting get to know them because hopefully what I want to see is organizations talking openly about security when it isn't on fire so eventually my idea is that the security team is going to be working with communication because they're going to be talking about communication console are they're gonna be talking about security all the time so they're gonna need that relationship but that's just pie in the sky dream for me any other questions


yes no I definitely good question so the question is how do you get someone to change when you're telling them that they're wrong and making them feel bad about being wrong and that's a big question and I think a lot of it has to do with giving them an excuse for being wrong letting it be okay that they've been wrong and maybe it isn't actually okay maybe you went to them two years ago when the problem actually started and they didn't listen to you then and you had to come back now and say hey look I was right you were wrong that's not the approach you want to take so giving them an excuse to be wrong making

it safe so potentially you're showing them brand-new technology or a new problem trying to find a way to make it okay that they were wrong and kind of protect themselves save face in their wrongness or depending on which direction you're going try and get just present them like hey I've got this problem how do you think we should solve it so let them come up with the solutions start at that conversation of just here's a problem that needs a solution don't attribute it to anyone just say here's a problem that exists can we work together to fix it so they they don't have to be wrong they're fixing a problem or you know giving them

that safe that safety of like you were wrong but here are all of the reasons that it's okay you were wrong so many other people were wrong or here's a brand new technology that proved that you were wrong and you didn't know all of those things yeah


yeah no that's I think that's a really good plug so I'm going to repeat it for the internet public speaking isn't easy for the majority of people I was and sort of am still technically a professional public speaker and I couldn't have coffee this morning because I was going to just like vibrate at a frequency that made me invisible I was so stressed out and like I'm fine now I've given this talk before I'm very comfortable with it but I still have anxiety when I speak publicly he mentioned a couple of people WebBreacher gave a really great talk at BSides DC that's online that you can see about impostor syndrome and I think that

extends here as well but getting experience with public speaking or just speaking to small groups I think is really important for anyone and particularly if you're naturally introverted the way that I kind of solved this problem was when I joined grad school I had to teach I taught three 50-minute sections three days a week that's a lot of public speaking in front of freshmen in a required public speaking course so it wasn't a really excited audience no finding I don't recommend doing that for anyone but finding something like NoVA Hackers or a different local small organization that does these sorts of things if there's something like Toastmasters or anything like that that you can be a part of

there's a program called Nerd Nite as well that's not InfoSec you can talk about security issues but anything where you're getting up practicing and talking to people is a really good sort of practice to get into pushing yourself out of that comfort zone will really add these skills kind of to your tool belt and when you're just a decent public speaker no one really notices there they're like oh he was good he was good they don't you know they don't notice your mistakes they don't really point anything out you're fine but when you're a good public speaker when you really hit your mark people remember and they notice and they remember you know that's that's one

way to get these across as well as to be memorable it's just sing your public speaking I think is a great plug as well any other questions


yeah so becoming friends I think with legal in particular is great because when organizations are making decisions about security they're thinking is this gonna get us sued so they're gonna talk to their legal team so if their legal team then can say oh wait no I know the person you should be talking to about this and that person is you that's great so even maybe before you talk to your communication people which breaks my heart talk to your legal team make friends with the legal team make friends with the people who write the budget understand why they write the budget in a particular way and try and slide in in that direction all right any other

questions all right so I'm going to wrap up now with that thank you guys so much for your attention I'll be around the rest of the weekend if you want to keep talking
