
Tim McCreight

BSides Calgary, 41:26, 19 views, published 2022-12
Category: Career
Topic: GRC
Style: Talk
About this talk
A veteran security leader walks through the evolution of cybersecurity from physical security to modern risk management, using the ESRM framework to translate technical findings into business language. Drawing on real-world incidents including the 2010 Vancouver Olympics VoIP project, the talk argues that security professionals must first understand an organization's strategic objectives and mission before designing effective defenses, and that framing security threats as business risks dramatically improves executive buy-in and resource allocation.
Transcript [en]


Folks, welcome to day two of BSides. Everybody enjoyed yesterday? Got something out of yesterday? Yeah, awesome, awesome. Um, I'm going to go through a presentation talking about risk, so I thought today is going to be Kindergarten Tim, so this is why you got the Mr. Rogers outfit today. So I thought I'd serve it up. The sarcasm and the humor is not going to get any better, all right, so jack up on coffee now, because it's just going to go like this for the next half hour or so. All right, so I got a couple of things I want to go over. I want to talk about our presentation, but I also want to open this up for questions part way through.

I'm going to ask everybody here in the room, and also on the other side of the house, to think about things from a different perspective. Yeah, hold on to that one, let's see what we can do. First up, so, our journey this morning. I want to talk a little bit about myself, not a whole lot; you guys can get to my LinkedIn profile, it's fine. But I want to talk about our current state with cyber security: where are we today, where do we need to go as well into the future. And then I want to discuss this concept of translating what we do into risk, and what's the benefits to you, and

more importantly, how can you change along with the profession of security so we offer more benefits to the organizations we work with, whether we're on staff or as consulting teams, and then open up for a question and answer. So far, is it good? Makes sense? This is interactive, folks, I need you to stay awake with me. I appreciate what my role is here, it's comedic relief for the next 45 minutes, I get that, but I need you to be part of this exercise with me. So let's jump into this. All right, first up, BSides. Has everyone read this from the site? Please nod, I'll be really good. Yeah, that's true, okay, awesome. So the concept of BSides is something I really support.

It's an opportunity for all of us within the community to truly appreciate the skills we bring, the things that we want to uncover and explore, and more importantly, how can we benefit the tech sectors in each one of our cities, right? Everyone know the history of BSides, where it started? Anyone? Yeah, where did it start, who with? If you get a chance, look up Jack Daniel, and yeah, Nixon as well, right? So absolutely, so if you get a chance, look up the history of BSides and see what the team has done and what Jack's role was initially, and starting in somebody's, if I remember correctly, somebody's house, right, in Arizona was the first BSides.

So if you get a chance, after 20-some years, here's where we are today. So we stand on the shoulders of giants who brought us here from the infosec profession. All right, history lesson over. Just in case, I don't know when the hell the sweater is coming off, but yeah, no, just from the head up. Yeah, I'm wearing pajamas, for those who can't see, all right, just so you folks understand, right? So yeah, and that's a lovely, uh, CGI red, just so you folks are aware, right? So all right, let's move into this, quick introduction. So, um, yeah, I'm not ashamed of this anymore, I probably should be, but I think I'm...

I've been in security longer than some folks have been alive in this room, and that's disappointing as hell. Um, this is year 42 in security for me. I started in 1981 when I got out of the military. I owed 250 bucks to the mess in Winnipeg because I drank so damn much when I was in, and I needed a job, and there was this... Put up your hand if you remember wanted ads in the newspaper. Okay, just the old folks, thanks everyone, thanks Doug. I'm picking on Doug Leeson when I see that, right? So, so I saw this ad for a security guard in

a hotel. I'm like, well, this can't be that bad, right? And at least I could pay off my mess bill, because I owed money, and the Government of Canada at the time was really good at chasing you down for the money. So I took this job as a security officer at the hotel, and my introduction to security was kicking out hookers and drunk curlers from the hotel lobby, not in that order, but eventually. And I went from being the security guard to being the chief security officer, and that was a short period of time to get there, but it was an interesting introduction to the profession of security. Man, I love this thing at times; this

is awesome, right? So, so from that perspective, yeah, I'm going to let the technical folks manage this stuff, I got to keep someone along here. So what I did, from that perspective, is I spent the first 20-some years of my career in physical security, and I've done everything from managing an executive and getting him from the bar home safe and sound in the car, to dealing with fraud files, harassments, helping out with law enforcement doing wiretaps, and even working with homicide cases. So it was a blast, the first half of my career. Then I decided, well, this internet's not going away, I should probably do something about it. So in 1997 I pulled myself out of the

workforce for two years and went to NAIT and got my computer systems technology diploma. And from there, I remember I was, I think I was the second-oldest person in the class. Again, second oldest going to class, and everyone's like, I can't wait to program games, this is going to be awesome. Really, I wanted to learn how to break into a system so I could protect the system. When I came out of that role, then I became Chief Information Security Officer or Chief Security Officer for, I had to count yesterday how many companies I've been with. Do you guys remember the movie Soldier, when he had all the battles on his arm? Yeah. 18 companies I've been with,

as either an executive, a VP, a chief information or chief security officer. So it works, you just don't need to spend 40 years to get there, folks, you just don't need to get there. So, other things I've done in my career, and what I'm really proud of, is enterprise security risk management. I'm going to touch on it briefly here today. It shouldn't be a new term to everybody, but the concept of how we use it should be, so I'm going to talk about that later on in the session. Yeah, dog lover. Um, this picture that you see on the screen, this was the first year of the pandemic, and my wife and I were out walking our dogs,

and I just saw this amazing picture that some of the kids in the neighborhood put on somebody's fence, and I thought this was super cool. It also is something that I'm trying to strive for in my career, and as I'm sitting here giving back to you, it's an opportunity to be kind, to be empathetic in the world that we're in with security, and find that human element to the work that we need to do every day to keep our organization safe and secure. Plus, I just thought it was a cool way to show my dogs in the slideshow, stuff there. All right, current state. So I'm not going to go through all of the different

vulnerabilities that we have, you guys were doing an awesome job with that. I'm not going to talk about some of the different hacks and the breaches, I'm not going to talk about that. I want to look at things from a business lens and from a political lens. So let's get into this. First up, blank screen. No, it's not James doing that, that's just me. I told you folks, it doesn't get any better; the sarcasm, the humor, don't get any better. First up, serious topic: war. How many people can honestly say that they have seen, in your lifetime, the use of cyber prior to a physical assault on a nation? We're here now, right? Prior to the conflict in Ukraine,

how many people were following what was going on between Russia and Ukraine, what Russia was doing with its army of hackers and what they were trying to do to be disruptive inside the Ukraine, but also other countries, right? This is now going to be the norm, right, for every conflict that we're going to see. As it realizes, prior to that, you'll be able to see the escalation of cyber and the effects that they're trying to rain down upon the country that they want to invade, or the army that they want to stop. This is something now you in this room are going to have to deal with. Scared yet? I am. Nation states: from the last 10 years I have seen, and

all of you have in the room as well, the escalation of the involvement of countries in the art of cyber warfare, right? Their ability to spend an inordinate amount of time in planting advanced persistent threats so they can execute at their leisure, at their time, without us knowing. Anyone ever had to deal with one of those in your organization? Yeah, scary as hell. But it's something now, from that perspective, we are seeing more and more nations getting involved in cyber, realizing the value that cyber can bring, and more importantly, what if I could just damage some of the supply chains for another organization, or a bank, or critical infrastructure, or another country? How many people have all the money and

time and effort they need to do their job every day? Hang on, just, just... Yeah, same. Where the hell did all the money go, and the people and the resources, right? Resource constraints are something we have had to deal with for the last decade or more, and it's becoming more prominent now as we face this next year coming forward. And I want to talk about that point as well, because this work from home, work from your hotel, work from hell, wherever, all of this has been part of what we've had to deal with. So when I was at the City of Calgary as the Chief Security Officer, one of the things that we had to manage

was sending, you know, 15,000 employees home to go work from home in the middle of a pandemic. Yeah, that was fun. Um, but we learned, like, we learned a lot of lessons along the way, I think all of us have done that, right? How many people now have a hybrid environment where you're working from home part-time or working from the office? How many people are just working from home? Great. This, in case you were wondering, was to keep you awake, right, the questions I'm asking. But you can understand now that some of the things that we have to worry about we didn't really have to focus on in years past. Now this idea of I've got somebody

sitting at home who's going to be calling in with a security problem, and it's because their kid's doing something on their shared Wi-Fi, we didn't have that before. We do have that now. Inflation and recession: anybody follow banks, Canadian National Bank, anyone? Yeah, anyone figured out where we're going the next six months? Not, not good, and my stock portfolio is showing it, it's not good. So, and in times of inflation, right, and then in times of recession after that, what's the first thing that happens? Everybody's budget shrinks, cuts. And when people start looking at activities and trying to understand, are they necessary, do I need to do this, do I need this many people, do I need

this much stuff? Because I'm asking that personally at home right now: do we need this much? And I was going, what can we get rid of, our stuff here, like how can I sell some of this stuff to make some profit on what we're not using? So we're going to be seeing that in businesses, and it's happening right now, and that means there's a direct impact to the cyber profession and to the cyber security professionals in this room, and the organizations you're going to be going back to on Monday. So it's something we all have to be concerned about, and we have to start looking more now to what's happening in the business environment

more than just what's happening in the cyber environment, because you're going to see behaviors change as well. And we have seen this in the past when there's been cuts to budgets, and we're seeing changes to the security posture based on budget. What's the first thing that the bad guys are going to try? Hack the company with less money. Always, because they can't afford the level of protection they should have, and they're making do with what they've got. Because the folks on the other side of our line are patient as hell; they will take their time, they map out what they want to explore, and they're going to wait for us to make a mistake, or cut staff, or announce cuts

in the newspaper. Yeah, that's the world we're in today. Supply chain instability: this, we're going to pick on Doug Leeson, his Lego, so Doug, I got it right. So how many people are finding now, from your perspective, when you order a part, well, how long does it take now to get gear and boxes and equipment? You get it overnight anymore? Are you a Prime member, you can get it tomorrow, delivered on the door? Now we're waiting, right? We're waiting because of what's happened over the pandemic. The time it's taken for organizations to get their supply chains back into a stable order is impacting the work that we do, and more importantly, the equipment we need. I was down talking

to the folks at the capture the flag, and some of the things that they've had to be fluid with, to change based on part availability for the work that they're doing in the labs that they're running. So it was interesting to hear, from a micro perspective, even just that aspect of what supply chains are doing for the training that we're offering here today for BSides. Picture that now from an organizational perspective and the stuff that we're going to have to deal with moving forward. We're almost to the bad stuff, hang on. Finding people: how many companies have everybody they need on board? Do I gotta put my glasses on? More importantly, how hard is it

for you to find resources to come into this world? Anyone found that magic bullet? Yep, no, right. The last survey that went out was about, we, I understand it was between two to three million cyber security professionals we are short of. So I'm just going to ask both Valley, what are you guys going to step in to help out with that number, right? So just, just picking on James, yeah, we're trying. And folks, this is across the realm, not just within cyber but across IT and also application development. We're seeing that across the IT industry, is that the concept of finding people is getting harder and harder. There's a couple of things I want to talk about

before we end this slide as to what my thoughts are for part of it. One of those is legislation, regulations. How many folks have had the chance to review Bill C-26? Were you that bored? It's just not a character, okay, yeah, and James as well. So if you get a chance, take a look at some of the legislation that's going to be impacting our environment from cyber security: Bills C-26 and C-27 here in Canada, the critical infrastructure and updates to privacy. If you have a chance, take a look at some of the work that's being done in the United States. There have been over five pieces of legislation at the Biden administration since the time they came

in. Their administration put, part of their, uh, their plank when they were being elected was on cyber security and strengthening it, and they've done it, right? They have made changes to the Transportation Security Administration, they've enforced cyber security reporting requirements for critical infrastructure, they've made three changes from a legislative perspective to acts that they had within the US, including the Homeland Security Act, and my favorite, the SEC. So the Securities Exchange Commission, and that manages all companies that trade on American stock exchanges. They put, I don't know if anybody read this, or maybe I'm the only geek that read this, because I like policy, sorry about that, but I like policy and structure, it's the military in me. Um, so from a

policy perspective, the SEC put out a proposed ruling on May 18th of this year, and they identified that every company that reports on Form 20 or Form 40 and files it with the SEC annually must identify by name the Chief Information Security Officer, your program to address cyber security risks, identify which board of directors has training in cyber security risk management, and how the board of directors is going to manage cyber security programs moving forward. And that thing is about ready to go from proposed rule to requirement. So how many people here represent a company in Canada that trades on a stock exchange in the US? Yeah, you have to do this now,

and the reporting requirements are becoming more severe, and the concept of reporting a breach, a failure, etc., now has to be reported to federal authorities in the US. Anyone looking forward to that one? I'm not, but we're gonna have to. And the reason why is that we have not taken up that baton when we were asked to. Industry was asked over the last 20 years to get better at managing cyber security, sharing information, and providing information on breaches that occurred, so that they could not only make the government aware of what happened, if there wasn't a cyber terrorist event, but also to forewarn shareholders of the statute that you have within your cyber security program. We

dropped the ball because we walked away from the requirements and said they weren't necessary. Yes they are, and now, unfortunately, someone decided they're going to make us do it. It's like Mom and Dad telling us what we have to do now because we weren't smart enough to figure out to get our own haircut. Sorry, I'm just picking on my haircut. So, from that, pandemic recovery: how many companies here in this room that you represent are absolutely 100% functional off the pandemic? Yeah, there's not many hands up, right? Are you guys just, you're not tired, right? You're just not... Why is it taking so long, right? It's because we got comfortable sitting at

home, and now that we're past that recovery stage and we're in that awkward, do I shake your hand, are you okay if I hug you now, we're into that space, right? And that's going to be here for the next, that's just going to be here, all right? So we're going to have to deal with that, and the next variant, and the next variant, and the flu season, etc. And finally, quiet quitting. I love this term. Well, not, I don't personally love it, I just, I love the term of it. How many people are starting to realize that there's something other than your desk in your life? Is it just because I'm old, right? I'm just

getting older. But so we're starting to see this now in the workforce, where when we have traditionally asked individuals to step up and help us out and stay after four o'clock on a Friday, it's not happening as much anymore, and that's starting to have an impact on the work that we're doing and what we're expecting our employees to create. And can you see now what happens when you have a group of individuals who may have been performers and cranking out 60 hours a week? If they back that off, I got to find somebody to fill in that 20. Oh, that's right, we've talked about that whole finding people thing, right? You can draw a circle in this

entire slide that I've just put forward of where it's coming back to. So, and the question that my wife asked, this when I was practicing with her, it's like, so this sounds like a real mess, right? And then her next question: why the hell are you still in this business? Because I can't retire yet, but anyways, that's another topic. Well look, what if we looked at this from a different lens? What if, as cyber security or as security professionals, we took a look at things from just a different perspective, and I started translating things to risk? I'm pretty sure that's an important message, but I'm going to get rid of it anyway. What if I was able to take all of the

stuff that was on that screen and the things that we do every day, and I turn this into risk, right? Just out of curiosity, how many people understand a really good definition of risk? Other than Doug, because we do a podcast called Caffeinated Risk. Other than talking to anybody else, what do you think of... uh, prior that results? There you go, that's good, that's a very good one. I'm going to give you something even simpler that I do with executives, because I use sock puppets and crayons when I talk to executives, and I did with a Premier, honest to God, people were there. Um, so the way I define risk is, if you get a

chance and you have access to the ISO 31000 definition of risk, it's the effect of uncertainty on objectives. That's it, one sentence, super simple, because it doesn't mean it's positive or negative, it's uncertainty. So what if we're able to take everything that we saw in that previous screen and the idea that, how can we deal with this from a risk perspective? Well, let's start into this once I get going. So it's always nice to have a picture. This is something that we've put in place at ASIS International. So I am the president-elect for ASIS; it is the oldest security association, at 68 years old, we have 35,000 members around the globe. I'm

the president-elect, I take over as president January 1st. But for the last 10 years we've had an opportunity to look at things from a different lens, and we want to take a look at what we do from a security perspective but in a risk lens. And if I look at this diagram it looks fairly complicated, but if I begin at the top and work my way around, it's not that hard. Let's see what we can do with this. And can I make this a little simpler, Tim? Because when I'm talking to executives they get kind of frightened when they see big diagrams. Sure, let's do this instead. So I've recreated this diagram in a bar

in 60 seconds with a drink in my hand. It's out there actually, if you search YouTube, it's "60 seconds ESRM". So this one's simpler, right? So it starts and ends with the business. This is a cyclical approach to understanding security and the risks that you folks find every day. But wouldn't it be great if we actually understood, at the very beginning of it, all of us here in the room: how many people in your organization, whether you're working as a consultant or as a member of the security team, have taken the time to read the strategic plan, the last filings with the Securities Exchange Commission, and the budget that's published every year on their website? I'll wait. You guys

been a couple. Vince doesn't count, because he does this for a living, that doesn't count. So folks, the first thing you need to understand as the security professional is who the hell are you protecting? Again, why is your organization in place today? What is its goals and objectives? What are the stated mission, values statements that you need to understand as an employee when you became part of your organization? Is that not one of the first things you did? Yes Tim, it sure was. What I'm asking and challenging each one of you here in the room, from this point forward in your profession, whether you stay in your current role or move to

someplace else: the very first thing you need to understand is who are you protecting, and why? Why is this organization in place in the first place? Why do they exist? Because if we can't answer that question, then what the hell are you trying to protect, or more importantly, why? Makes sense? Because there's a quiz on this later, right? All right, so look, I spend the time. So what I did at the Government of Alberta, I'm gonna pick on my team in the government. Anyone from the GoA here, before I beat up on a company I work for? So one of the things I did at the Government of Alberta is when I first came on board as a Chief

Information Security Officer, I spent time with my directors, so I had three of them at the time, and I said, look guys, this is awesome, thanks so much for me being part of the team. I have some homework for you. I want you to go and read every ministry's strategic plan. You got the weekend, and come back on Monday, we're going to talk about it. So that's 23 separate companies at 100-some-odd pages per. You have a good weekend, I'll see you Monday. Because I did it before I came on board. And the question I asked from that point forward is, every time you speak to a minister, a deputy minister, a CIO, or

team member, and if they come up with a project, the first question you get to ask is, well, how does that link back to your strategic goals and objectives? Can you show me where this new website is part of a business goal that you're trying to achieve? Oh, well, you can't? Well, I'm kind of curious where you're getting funding for that. Who's supporting that? Who's endorsed that? Just in that process alone, yeah, fun's over. So in that process alone, what I found when I got everyone to start reviewing those plans is that knocked off 60 of the projects we dealt with every year, because you couldn't give to me the business benefit of why I was doing it,

you couldn't show how I was linking that particular project to your overall strategic goals and objectives. Wouldn't it be awesome if we could do the same thing in our profession and ask those questions: how is this supporting the goals and objectives of your organization? All right, let's move from there. So I understand the business, everyone's done their homework, right? Great. Next step: how do I get a chance to now understand what do I need every day to support that goal and objective? What are the assets, right? What's the people, the property, the information that I need to have in place every day, 24/7, so that you can achieve your strategic goals and objectives, right? And once I can answer that

question, now I can start looking at, well, okay, what's the risks, right? And what's the security risks that face those assets? And when I spend time with my client, with my department, with my team, with my business units, wouldn't it be awesome to sit down in a room just like this and go over not only what are the assets you need, but what are the potential risks that are going to face those assets? That's a collaborative exercise that we need to do as security professionals to really understand the business and the risk, because it leads us to the last one, which is: what's the mitigation strategy? How can I reduce that risk so the business has a chance to be successful in the

future? When I've developed that mitigation strategy with the group, with the team, I come up with a collaborative approach. I bring it right back to the business, because it's not security's job to say no anymore. We lost that right a long time ago. Our job now is to identify what is the risk and let the business make the decision, and if they make a shitty decision, so be it. So be it, because business makes decisions on risk every day. Our job is to identify what the impact is of that risk, and what's the impact to the business objective, and present it to the business so they can make an objective view and they can make

an objective decision on the path they want to take forward to reduce the risk. And don't get me wrong, folks, I am like many of you in the room, a type A personality. I worry. "But you don't understand, this is really bad!" Early in my career, I remember actually blurting that out in front of a CEO. I was like, well, explain why it's bad. But it's... and it's a CVE, and it's out there running. I did it that shortly, right? Where, what if you stepped back and said, so if your servers do...

Oh, so what could happen in 24 hours? Oh, you're worth a million an hour? Well, that's, that's gonna cost, that's gonna suck.

In my entire career I've had one risk acceptance letter, 42 years. I've had the former Minister of Finance, and the governor of Alberta, didn't want to spend the effort of typing in four digits to lock his BlackBerry. Okay, sign here. He's like, awesome, yeah, I'll sign it, I'm good. I said, you understand, Minister, you have the entire financial portfolio for the government on that damn thing, you get that, right? Yeah, but it's always with me. Sure, okay, do you take a cab anywhere from the airport? Yeah, no, I'm good, I always know where it is, it's blue, and it's awesome, I know where it is. So he signed it. Um, I took it back to the team and we

framed it and we put it up on the wall, and then he retired a month later, and then I got to wipe the BlackBerry, right? So with this whole structure, what it creates is a requirement for us to become business leaders, to understand the business that we're responsible to protect, right? And that's the fighting part, because not everybody... I'm not asking you all to go get an MBA, no. What I am asking you to do is, as we go through the rest, to figure out how do you translate what you do here every day, and some of the amazing stuff that I'm seeing from the classes and the capture the flag, how can I explain that to, God,

guys, you got to get better at this, because I need to change, or more importantly, why should I? Because if we don't change, we're going to be left behind. We will be that group that all they do is they just create these 100-page reports, and I have to read the first page summary, and then they got to come in and explain it, and then it's just like, I give it to somebody else, and then they draw me the diagram that I need to see, and they bring out the sock puppet, and then I understand it. Stop, stop. What if we did this? What if we took it upon ourselves to start changing our approach to looking

at what we do every day and translate it so that they understand it from a risk perspective? Yeah, well, let's start. We security professionals, we have to learn, right, that we need to speak in a language that business understands. And again, I go back to the puppet and crayon example. I actually did, I used puppets to explain what was going to happen to your iPad when you landed in China. It was embarrassing as hell for me, because they still, they're throwing down a lot, you know, iPad, but that's fine, that's another story. So business understands risk. That's it. If all you get out of this session is that business understands risk, I'm good with that, because business leaders make decisions

every day, and they decide what markets they want to enter, they decide what margins they're going to provide on their products, they decide what services they're going to offer their citizens, etc. But they make a conscious decision on risk every day. Why are we not tapping into that as an opportunity to explain what we see from a cyber perspective, and how can we enable the business by reducing that risk? Let's carry on. Conferences like BSides are awesome for sharing risks. In your classes yesterday, in your sessions yesterday, and what you saw from capture the flag and other exercises, what was the common thing that you folks caught with this? I'll just wait, I'm good.

Common theme would be, I'm sorry? Collaboration, yeah. Yeah, teamwork. My other favorite one is, hey, you guys uncovered a whole bunch of vulnerabilities, that you can pop something, you can reach something, you can get into something, you can take over something, right? What is all of that about? I've identified, uh, oh my God, thank you guys. Okay, just, just on that, I don't have anything else to... cheers, but thanks guys, that was awesome, right? All right, if we have that, your work uncovered risks every day. When you go back to your organization starting on Monday, what if you just stopped and thought about the work that you're doing every day, the things that you uncover, and more importantly, things

that you see, and what you're reporting on? What if you just looked at it from a different lens, that you've just identified another risk? Make sense? Scared everybody? We're halfway through, we've still got a couple, you know, I got a quiz or two at the back, at night. We need to report our mitigations and our findings in a different way, right? We need to get people interested in what we're providing to them without the 100-page backup for the addendum on the report. How many people enjoy reading 100 pages unless they really have to? I don't. As an executive, you've got about two and a half minutes of my time, right? That's it. In most presentations

and most sessions that I've been in as a VP or a chief, if I'm sitting there and this is uninteresting, you will see me grab my phone. We used to call that the BlackBerry prayer, and it's not the same anymore. I found the iPhone prayer doesn't sound the same; the BlackBerry prayer, that was pretty cool, right? So I looked for that when I was giving presentations. I'm looking for it now: how many people are awake, looking on their phone? I'm good if you take pictures, I'm okay with that. But if I lose interest... if I'm presenting something to you technically and you start looking at your phone, I've lost you. Short of taking off my sweater and going

with the nudity clause, I'm not going to get you back, right? And that's not going to happen right now. But what if we align what we see from an impact perspective and bring that to a business objective? What if we're able to clearly tell an organization that, look... my favorite was Log4j. How many people spent Christmas working on Log4j? Yeah, I did. So how did you explain it to your family? "I gotta fix this," and that doesn't work, right? So how I explained it was that if we don't do this, then the potential for somebody to pop a server, to bring down a train, etc., is pretty high, right? And here's why. We have to explain it in a business

understanding. So we have to get to the point where we can explain what we see in business language, because without that, right, we're going to be falling back. Because there are benefits to this approach. I know there's been a lot of talking about here, but let's get to some of the benefits. What's in it for you, right? Why should you actually follow this approach as a cybersecurity professional, and what's the difference that you're going to see, not only in your career but in the approach that you take within your organization? Well, I got a couple. First up: if goals are at stake, businesses listen, right? I remember that... this is about 20 years ago, the first time. So I want to

give an example of what happens when you grab business attention. So I'm going to pick on Doug again, because I'm picking on his Lego. But so this is back when Doug and I were first starting to work together, at the time it started off as Intrigna. Then, and don't get me wrong, you correct me if I missed this, it was Intrigna, then Bell Intrigna, Bell West, Bell in the West, then Bell Canada. Jesus Christ, that was like five. Anyway, so we started off with a numbered company called Intrigna, and then we became Bell Intrigna. So we got lucky and we got the Olympics, right? So we landed the telecommunication contract and sponsorship for the

Olympics in 2010 in Vancouver. Well, awesome, right? We all went down to Red Deer, got drunk, got back on buses, and one group went to Calgary and we went to Edmonton. It was awesome. After the announcement, we decided one of the ways that we were going to provide service back to the Olympic Committee and the IOC was we were going to use this brand new technology called Voice over IP. Yeah, okay, look, it was two thousand something, so that was pretty cool. I'm just dating myself; the gray hair is getting worse. So we worked with Nortel. Anyone remember Nortel? It's Huawei now, in case you guys are wondering. Well, good, you guys got that, that's it.

Yeah, so from that perspective, they had this brand new platform called hosted IP telephony, and it was on H.323. That was a long time ago. And they said this is awesome, it's going to cut costs, you can bundle data on top of voice, all of the athletes can have it in their room, you can have teleconferences, we can even carry all of the signals back to CTV so they can broadcast it out to the world. This is awesome. So we thought this was terrific, right? We had 120 people on the project. The project plan itself took one of these screens... as long as they stayed down, it would take an entire

screen to show the project, but that's how big it was. So we had a map, we had a room in Toronto, Ottawa and Montreal, we called it the TOM rooms, and that's where the three teams that were managing the Olympics... they had that entire wall printed off with the project plan to get this beast up and running. So we did a risk assessment on hosted... like, I didn't, smarter people did. So I asked Doug to run this, and this is before Doug realized that sometimes people in suits are okay, right? So I was the guy in the suit, Doug was not. That's why I'm wearing the Mr. Rogers outfit today, so I don't look

like I'm an executive. Yeah, is it working? You guys buying this? So Doug and his team took apart, and took on, the hosted IP telephony TRA, and in less than a week he phoned me. He goes, "You got to hear this." All right, that never sounds good, right? So he played a WAV file, or an MP3 file, and it was the CEO of Bell Canada at the time, in French, ordering lunch with his EA from Montreal. And we were in Calgary. I'm like, what the... oh sorry, what the... who, what was that, right? Then he goes, "Well, we intercepted the call and we decoded it, and this is what we have." I'm like...

because we were doing the risk assessment and we were at page 130, and I'm like, oh crap, we got to fix this. So we did, we updated the risk assessment, but we were investing hundreds of millions in this piece of technology and Doug just killed it. Yeah, I gotta drink, because it still brings back bad memories. Just coffee, just coffee. So we finished the risk assessment, and typically we would just dump this up and hope for the best. Bad, bad thing to do, right? So I'm applying the principles of ESRM with this report, and the first thing I did is I sent it to my boss just to test the

water. I said, hey, can you read just the first page? Because the impact to the business objective of providing seamless communication, without the ability to be intercepted, is now at risk. Hope you're good with that. Off I go. Half an hour later: "Tim, you're going to change this, holy Jesus, we can't." No, no, I'm not changing. We're done, this is what we found, and actually we attached the file just so you could hear it. "Well, I don't know what to do with this." Send it up. So we did. I said, make sure they read the first paragraph, because the effect of this risk was you were no longer having secured communication up and down from

the mountain in Whistler. Oh, okay, up it goes. It went to my VP, same phone call, just in French this time, and I'm like, I don't do French. What do you... seems... and then we stopped swearing. I mean, it's like, "You gotta fix this, because this is going up," and I'm like, no, this is what we found, and as long as you're okay with signing off on this puppy, I'm good too, because I got another meeting waiting for me. "What do I do now?" It was like two o'clock in the afternoon Montreal time. I said, we'll send it up. Up it goes. So now the chief security officer, a pure Chevrolet at the

time, he's a good guy, he phoned me into Sprint. So I said... well, "I don't understand what this means." I said, well, the first paragraph says, appearance, this: you can no longer val... you can no longer secure communications back and forth to the Olympic Village. "Wow." This... "Well, what now?" You got to fix this or sign off on this. Either way I'm good. Same thing, I got a meeting to go to, I gotta do... "Thanks." That didn't last very long. Less than an hour later I get the email and the phone call from the CEO of Bell Canada, with the EA saying your plane ticket's waiting for you and we'll see you in

Montreal tomorrow

All right, so, and it was first class. It was awesome, because it was too late to book a cheap ticket for Tim in the back, right? So I got to sit up at the front with the real business guys, so in my suit and tie. I brought no bags, I just brought my badge. This is where this is going, right? I've been in the military, I know this drill, right? So I'm okay. Get the call, I go there, I get to Montreal, I wait on the top floor of the Bell tower, which is just a beautiful view of the valley, and I mean, this is the last time I'm going to see this city, and remember

it. All right, perfect. Sat there, waited, and then the same lady who I heard order lunch for her boss said, in that time, "You can go in." I went, awesome. So I walk in, and honest to God, the office was bigger than this. I'm like, holy... and he's just a little guy, right? So he's got this huge... we said, Tim said, I don't know, okay. He said, "I read this report. I read the first paragraph like you asked us to. Are you standing behind this?" "Yes, I am." He said, "How far?" I said, "I brought my badge." He's like, "That's all you need to hear, we're good." He said, "Could you explain to me that we

won't be able to provide the service we said we would? So thank you." Yeah, I didn't bring a change of underwear at the time; I probably should have. Anyway, so after that I went, holy, it worked. Then I got drunk on the plane on the way home. That was awesome, right, because I was first class. I was like, I left the car at the airport and I just drove in the cab on the way home. But so that whole lesson, that was over 20 years ago, and what that explained to me is that business understands risk, and they will accept a risk-based statement if you provide it that way. And a hundred and some odd pages, the

report with an amazing technical explanation from Douglas on how he did it, it relied on one paragraph: we will not be able to provide secure communications to the Whistler facility if we rely on this technology in its current state. Two lines, that was it. Now, does it make sense? Business understands risks. If you're putting a business goal at risk, business leaders will listen to you, right? Also, you become an advisor, not a technician. That's important for our world, because even today cybersecurity is still viewed as an offset of IT. It is not. Cybersecurity is the approach of looking at risks, all risks, but from a cyber perspective. First we have to get out of that mindset that we are just

technicians. We are not. We are security professionals who identify cyber risk, right, everyone? Not because this is our profession, right. We become objective in our viewpoint and perspective, and we become someone that the business can trust. More importantly, I say this all the time: I run a business unit, it just happens to be security, because I understand profit and loss, I understand goals and objectives, and what I have to do from a perspective of protecting the business and enabling the business. All right, this is easy. If all you remember from this session today, other than we're not sure what Tim was drinking in his coffee, but other than that: translate your information so that the

business can understand this unit on how important cyber is to the ongoing success of the organization, and for God's sake, apply empathy to everything you do. The only way we can break out of the mold, where people just look at it as an offset of IT or where we're the technicians in the back room that we don't want out talking to the public, sound familiar? Because I've lived that space. We can provide a human element to the work that we do, and more importantly, we can offer benefits to the organization that they haven't even realized yet. But it's on us now to provide that back. No quiz, just questions. Make sense? Just nodding is... or you just guys want

coffee, right? I think we are on time, roughly. I just want to say a couple things. I want to thank everybody here for listening to this rant, because I've been saying this for 25 years. The path for us to become a profession is to be viewed by the business as a partner, and that we're here to enable the business to be successful by the work that you folks do every day. Feel proud of that. Feel proud of that. This is something... this industry did not exist when I first started my career back in '81, right? I didn't... remember when the internet came out, '94? Think of where you are today, from 1994 till now. That's when the depth of what

we've been doing is starting to become more important to businesses. How many businesses now rely on our presence on the internet, the ability to sell, buy, provide, interact, chat, etc.? Anyone, if you are not... yeah, all of them. So why are we taking a back seat? Get to the front, talk to the business, understand what the goals and objectives are, do your homework, and then be able to translate that back so the business understands the work that we do is important for them to be successful every day of the year. And on that note, I am... thanks, folks. [Applause]

It's just coffee, honest to God, it's just coffee.