
Finding Harmony: translating tech into exec speak

BSides Edmonton · 2018 · 41:05 · 163 views · Published 2018-09
Speaker: Tim McCreight
Category: Career
Style: Keynote
About this talk
Speaker bio: Tim McCreight is Principal Consultant with Online Business Systems and an Enterprise Security Risk Management (ESRM) evangelist. Tim has over 35 years in the security industry, with leadership experience in both the physical and information security realms. He has held executive positions at several organizations, notably as Chief Information Security Officer (CISO) for the Government of Alberta and as Director, Enterprise Information Security for Suncor Energy Services Inc. Tim has presented as a keynote speaker at conferences across North America on topics as diverse as enterprise security risk management (ESRM), combatting telecommunications fraud, and implementing enterprise information security programs. Tim was awarded his Master of Science in Security and Risk Management (with Merit) from the University of Leicester and holds the CISSP, CPP, and CISA security designations. Tim is a regular columnist for Canadian Security Magazine and was interviewed in 2011 for his work as CISO with the Government of Alberta. Tim is also a member of the Board of Directors of ASIS International and leads ASIS International's ESRM Global Initiative.

Disclaimer: BSides Edmonton makes no claim to copyright on the presenter's material and makes this request only to benefit the community. The presentation and videos are the opinions of the presenter, and BSides Edmonton is not legally responsible for any invasion of privacy of any entity (including, but not limited to, IP addresses, organization names, images, videos, exploits, and vulnerabilities).

Transcript (en)

[Applause] Well, thank you very much, Thomas. Thank you very much, and thank you all for coming. This is the first annual BSides event and I'm very proud to be part of this. My name is Cory Kay. I am the (ISC)² director of communications for the Alberta chapter. For those who are not familiar with who (ISC)² is: (ISC)² is one of the largest, or possibly the largest, organization of volunteer security professionals and security practitioners, with about a hundred and twenty thousand members globally. There are about 60 chapters throughout the United States and Canada; we are one, in Alberta, and there are about a hundred chapters globally. So it's a very big group. (ISC)²

themselves, we lovingly refer to them as the mothership. They supply us with training and materials and information, and they promote the events, and they are instrumental in helping us with these kinds of things. They have a number of security certifications; the most common one is the CISSP certification, which has been around for a very long time. (ISC)² has branched out into various other areas with very specialized securities, most notably the healthcare profession, and also the newest one is for cloud security. So there are sort of overarching security certifications that can be applied for and granted, as well as specialty ones. The Alberta chapter specifically, the part that we're

part of, is a large group of volunteers who help make events like this possible. The BSides event is a very exciting event that we're very proud to be part of. We're very proud to be part of any event that has anything to do with the promotion of the safe and responsible use of technology, whether that be social media, IoT devices, you name it, it goes on. But without the volunteers with (ISC)² and the exec community and all that stuff, events like this don't happen. As Thomas had pointed out, you know, they started here with very little budget, and here we are at a large two-day event. So this is quite amazing

that they were able to pull this together, and I just want to again put a special thanks to Harvinder, because Harvinder has been instrumental in sort of gathering the troops and making this whole thing happen. So without him this would not have happened. So I want to just, please, everyone give a round of applause to Harvinder. Thank you, Harvinder, it's been great, you've done an amazing job, and his entire team. Again, thank you all. We've got a booth out there. I've already talked to too many of you; some of you have told me that you're looking to take your exam very soon. You don't have to be a member to engage with us; we're happy to talk to

you, and especially if you're businesses and you're looking to bring in security professionals, we're happy to help you find qualified and knowledgeable people. But of course stop in to the booth, we're right outside, take a look; we're happy to provide you with any information that we can to help you sort of through your security career. So thank you very much and have a good show. [Applause]

So just a quick announcement about the CTF event, capture the flag. If you are interested in participating in that, Harvinder just said come out to the registration desk and we'll inform you about everything that's going on with that. So just another thing I would like to state before we hand the mic over to Tim, as I'm trying to load up his presentation, so give me a second here. Okay, so we do have time for question and answers after every talk, as far as I understand. So if you are interested in asking a question, we do ask that you wait until after the presentation is over and simply raise your hand. There will be some

volunteers with some wireless mics being able to roam around, and you'll be able to ask your questions. So with that I would like to introduce our first keynote, Tim McCreight. So Tim McCreight is from Edmonton originally, from NAIT. I'll let him introduce himself, but he's got a talk on essentially finding harmony, so translating all the technobabble speak into the business, and, you know, some stories from the trenches of his long career in information security. So with that let's get the talk started. So Tim, the stage is yours. Welcome to BSides. First up, could everybody hear me? Awesome. Even in the snow? I'm just, yeah, I'm from Edmonton, I should know better, right? This is, I

should know better. Thanks, everyone, and good morning. I understand my place in the sequence of events for this morning: I'm here to keep you guys laughing, not throwing [ __ ] at the stage, and getting ready for the next set of speakers. So let's see if I can pull this off in 35, 40 minutes. What do you think, sarcasm too heavy? Let's take a look. A couple things I want to talk about today. I just want to go over a real quick agenda. I do this because I've been trained by the government, so I always want to have an agenda either behind me or in front of you. So let's go through this really quickly. I'm gonna pick on the government a lot;

you'll hear this coming up. I want to talk about me just a little bit, not a hell of a lot, just a little bit; some headlines that you folks may have already seen or had a chance to take a look at or been part of, even. So I want to pick on executives, because I am one now, so I want to talk about what we see, what we hear, and honest-to-God what we feel when we're dealing with a group of people just like you. And then a lot of talk about things that we're missing and how I'm gonna translate some stuff. I want to give you this ability to find harmony in your career dealing with guys

just like me, so that you can go home and not quietly drink and wonder why your dog is looking at you funny, so that you can actually come up with a better solution for managing yourself. So today I'm gonna get some questions at the end, but first up, look, if you've got to leave, I'm okay with it. Is this on film now? Am I interrupting? All right, a couple of things. Let's go over this from a headlines perspective. I just really want to talk about, actually, before we get going on that, I want to talk about, if I could get back to, you, me, before we get going to this. Let's go through this. There we go. Hey, perfect. So really

quickly, um, this is year 37 in security. I started in 1981. Some of you may have heard this story. I got out of the Air Force, the reserves, in 1981. I ended up in Winnipeg, Manitoba. I don't know why, I just did, and I was an [inaudible]. I got out and I was so desperately in need of a job at the time, because my mess tab when I left the Air Force was fairly horrific, so I think I owed more to the government for drinking than I did for what I made. And I took a job as a security officer in a hotel in downtown Winnipeg. It was called the

Place Louis Riel hotel, and it's still standing today. Anyone ever been to Winnipeg? That's too bad. So my job at the Place Louis Riel hotel was to make sure that the hookers got kicked out of the hotel if they weren't paying their bill and to get rid of the drunk curlers, because the year I was there the bonspiel, the [inaudible], was in Winnipeg, so we had all these drunk curlers. That was my introduction to security in 1981, and I've got lots of stories about what do you do when you go to a room and the hooker's naked, asking to spend more money with you. So yeah, that's a different story. Anyway, let's leave that. So throughout my career, what I figured

out, though, is I looked at things just a little bit differently. Whether I was a security guard, or whether I was an investigator, or whether I was somebody who was looking at an IT screen, or when I was looking at a screen from a firewall, so the logs, I kept trying to figure out, why am I looking at things a little differently? Because I knew I was odd to begin with, but my perspective of what I was looking at was more from, well, what does this mean to the business? What does this mean to the company? What does this mean to the organization? I wasn't just there punching a clock and trying to figure out how do I get that drunk curler out

of the lobby without getting my head kicked in. I was looking at things a little differently, and it's this idea of enterprise security risk management. I'm gonna get there, we'll get there eventually throughout the presentation. Yeah, I love dogs more than people, sorry, but I do like talking more than people, and I'm spending my time now at this place called the Alberta Animal Rescue Crew Society, really odd name, but it's AARCS in Calgary. I've been there for a year now as a volunteer, and I get a chance to spend time with dogs that have come out of some pretty horrific circumstances. But because nobody's figured out how to

actually speak dog or understand how to work with dogs, they rate them differently, like they give them high bite risks; they make sure that these dogs are left by themselves or nobody goes and plays with them. So this guy here I'm working with, I just finished; he got adopted just a little while ago because of this picture. And this guy was a level 5 bite risk that was in a dogfighting ring in a reserve outside of Calgary. So I actually figured out how to talk to this guy and get him to actually, I don't know, lick me on the face. So translation works, okay, maybe just with dogs, but translation works. Yeah, I

actually, I was talking to Don about this: we were here in this room 20 years ago in September when we first started CST in 1998. Jesus, that's like 20 years ago. And for me it was like I was sitting in the back with all of the cool old kids, because I was, I was thinking I was like 32 at the time when I went back to school. I pulled myself out of the workforce. I had a really good career in physical security. I had gone from kicking out hookers and drunk curlers, and I actually was doing investigations and interrogations with a local telephone company that quickly became a national phone company. Is that subtle enough?

Did I do that good enough? Starts with a T. Anyway, so when I first started there, it was still a government-run organization and we had some great physical security programs; I was one of the managers of that. But in 1998 I thought, you know, this internet thing's not going away, I should maybe learn a little bit more about it. So I pulled myself out of the workforce, cashed out my RRSPs and went back to school, and I ended up here at NAIT and I spent two years here. So Don and I were here; we had 30 other people when we started in this room. It was pretty awesome, and we were talking about this fear inside that some of the

folks who graduated from this program have actually done some pretty impressive things in their career moving forward. Me not included, but some folks have done some really impressive things. It's subtle, right, the sarcasm? It's been busier, it's worse, right? It just gets worse throughout the morning. I've had a chance in my career to actually go and present globally. I've worked overseas in Southeast Asia, I've worked in Japan, I've had the pleasure of speaking in Europe, and it's because I started my career when I got out of NAIT and graduated two years later. I'm gonna have to see you after to figure... So two years later I had a chance to actually become a VP in a

software security, software company, and then I've held the role of CISO in four organizations because of this. Because of this. So I don't do anything technical anymore. I don't do that [ __ ] anymore. I'm not that guy, right? I do this stuff with dogs. I'm not that technical guy anymore, but the skills I learned here set me up for a career that has given me a chance to travel the globe, to speak to audiences like you, and sometimes actually had to have a translator so that the folks in Japan could figure out what I was swearing about. It was pretty cool. And yeah, I'm from Edmonton originally. Yeah, what the hell happened here to the weather, you guys? What's it like,

and can I ask how bad is this LRT system gonna be for next to the wall? Just... Oh, short point, sorry, I'll just... let me use it. All right, some quick headlines. I'm not gonna bore you guys with a lot because I'm sure you have seen this already, but let's go through a couple of them just for shits and giggles. So you notice the profanity kicked in right away, right? Yeah, okay. So the nudies gonna start right now, right here. Yeah, I can't do this anymore, sorry. There we go, just layer one, yeah, we're just gonna go there, one, right. So first up, so 2,000 accounts are identified by hackers, or do we call them

security researchers now? What's the politically correct word for calling them? Anyway, so from a hacker perspective, these were identified as at risk. Anybody remember reading this article? Not quite, really? Wow, I thought I'd pick some good ones. How about this one? Struts, anyone's favorite application development program? Yeah, framework, yeah. This was back on August 24th. Again, I still remember when the first Struts one came out, the first pain in the hospital we had to deal with: we had to start patching, we had, we were panicking in the streets, people running around. Yeah, well, it hasn't gotten any better, right? There's one of my favorites, from a telecom guy, yeah, the Ox. You remember hearing about this before? I think this was, correct me if I'm wrong, I

think this one was announced at Black Hat or DEF CON this year, that somebody actually got through the LTE environment. Wow, right? I'm sure that there were a couple of executives in some telecom organizations whose sphincters were tightening when this one was released. You can follow along anytime; like, you can laugh at some of these things. And not to leave Southeast Asia out, but it's nice that they actually identified that hackers were engaged by the Ministry of Defence as opposed to targeting the Ministry of Defence, and that they found some low-to-medium vulnerabilities, at least that's what they reported. Yeah, at least that's what they reported. And anyone go here? I used to go to Hacker [inaudible] all the time,

right? It was one of my favorite places to go until I started reading stuff and I'm like, you know, I'm spending way more time on Google than I am reading this, so I should probably let my really smart guys read this and tell me what to think about it, right? But if you haven't gone to this site, if you do get a chance, there's some amazing information that's up there, and you can distill it to a point where you can use it in your own day, in your own life, and I'm gonna show you how to kind of do that. But to get there first, let's stay with all of this stuff, right? See, okay, so here comes layer two, right?

We're gonna just keep, it's gonna get worse, right? Looking on. So as an executive, what are some of the things that I see? So I've gone from being a technical guy to an executive, right, and you come into my office and you show me, let's say as a telecom executive, that, oh my God, boss, that LTE network just got hacked, holy [ __ ], we're in trouble, you gotta see this report, we've done some reviews, it's horrible, blah blah blah, right? So as the executive, the first thing I'm thinking of when I see this stuff come in, and I see you come in with your long face and a big stack of data and a really ugly PowerPoint

presentation, well, this is what I see. It's The Walking Dead. Holy crap, there's pandemonium, what are we gonna do? Does anybody remember December 31st, 1999? Yeah, familiar, until finally someone in Australia said, hey, the phones are still working, oh, I can still get gas, look, I took 20 bucks out of the bank, didn't matter. Some are still doing this, right? Mystery. This is what executives see, right? You come into the office, and I've had this, I have done this as a technician and I've seen it as an executive. I've come in as a technician, I've actually done my homework, right, stacks of data, I've spent time correlating this with friends and family who understand this stuff,

we've gone through this, we understand it, no, I can replicate this on any box out in the network, boss, this is really, this, oh my God, you've got to fix this. This is all I see as an executive. I gotta put my arms up and run down the street, right? Because all you've done is scared the [ __ ] out of people, and don't get me wrong, it's fun when it's a kid or a dog, but it doesn't work when you're an executive, right? When this kind of stuff happens to me, the first thing I start doing is parts of my anatomy will begin to close, and one of them is my brain. As an executive I stop thinking when you

start giving me this stuff, because this is what I'm gonna react to, right? Oh, the pictures get worse, hang on. So I'm an executive, my favorite: now I'm on an international telephone conference, we're using translators so they can figure out what the folks in Japan are saying to me, and it's time to talk technical problems, it's time to talk vulnerabilities, it's time to talk issues and concerns. "Did you not read the email I sent you with the 400-page report attached to it? Well, why don't you take a minute and take a look at that before I finish up with the conference." Anyone ever had one of those conferences? Yeah. I can pick a day in the government

where I had a conference call like that with Ottawa, right? So just for fun, some of my days when I was at the Government of Alberta as the CISO, I would pick up a phone call and start walking to work at 6:00 in the morning, because apparently in Ottawa that's the center of the universe and their call started at 8:00. So I would be listening to this [ __ ] on the phone, in-ear earbuds, walking to my office, and what you'd hear: "But did you not read the 400-page report I sent you?" Yeah, and I'm listening to you now, and this is exactly what I hear, but meaningless. I hear nothing. All right, because if you're

telling me I have to read a massive report, I had to take a look at all of these vulnerabilities, all of these exceptions, "you fell, oh my God, we did all this research, this stuff is really important, boss, you've got to understand this," yeah, blah blah blah, right? That's what I get out of it, because you haven't attached context or meaning yet. For me, you're giving me more information; we're not running down the streets anymore, right, but you haven't given me context, you haven't given me something I can work with. And the last one, and I know people don't appreciate this, but I do, as an executive, like, what do you feel? And here's an example, this is background:

I won't pick on the Government of Alberta, I'll pick on Alberta Government Telephones. So when I was at AGT, I managed the fraud unit, the physical security team, the disaster recovery group, and I had investigations, so I had quite the little potpourri of stuff going out of my office every day. And one of the issues we had was we were launching a brand new service and we were spending on these brand-new switches. So my guys, as the smart guys that they were, they took the switches back, and that allowed me: "Boss, you're not gonna believe this, but we found all these vulnerabilities, we found these big holes, holy [ __ ], this is really bad." So they

actually showed me the stuff, they walked me through, and, first time in my non-technical career, because I was still pretty close to being a tech guy, I look at him, wow, this is a real big problem. Why couldn't somebody catch this before you went and bought all this [ __ ]? Very naive. So being the brilliant manager that I was at the time, I created this amazing presentation. Okay, not this amazing, but anyway, I had this great presentation. It was on PowerPoint, right, so it wasn't that great. I was gonna say Harvard Graphics, but that's dating myself, probably. It was on PowerPoint, had all these great topics, pointed out specifically what should have happened in the buying process, what the hell were

you thinking, right, blaming the executives who had bought this crap you're putting in the network. Awesome, right? Laid this out, and I watched the executive who was responsible for this, the VP, right, and the guy was, I can do this because it was a BlackBerry, the BlackBerry prayer, and then he stopped and he put it down, then his face withdrew, and then he leaned back. Anyone play poker? Get what he was doing? Yeah, we'll talk later. So what did this guy feel? Yeah, like this little kid left alone in the parking lot because mom didn't pick him up after the soccer game. That's it, right? That's what I did to this guy. I turned an executive into a little kid,

and then I couldn't understand why for the next two years this guy literally pissed on every project I brought forward from security, right? Uh-huh. "What, McCreight's just crazy, we can't roll out with that program because that's gonna cost too much money," oh, and then I would get kicked out the door. "What the hell's McCreight and his team doing? They're just impeding our progress for launching this next application," and McCreight, kicked out the door. You can figure out where this conversation is gonna go. All right, so until this poor sap got laid off, thank Christ, I was stuck under his boot for two years because of the stuff I did in that presentation, too, right? I didn't take

into account that an executive actually has feelings, actually gives a damn sometimes about the things you're gonna say, and if you're taking a personal shot at him for his inability to see something that was glaringly a technical problem, right? No, I took a crack at the guy and I lost, because the switches still went through, the fraud still happened, and I got this [ __ ] for the next two years. It doesn't have to be that way, and we're getting close to how not to be that way. So what's missing? So I spent 37 years in this business and I'm starting to get a little better at it than when I first started, right? I can't move as fast as I did, so I don't

think I can kick those curlers out, and I'm fairly certain that I would just be embarrassed as hell with the hookers standing in front of the door. But what I've done is I finally figured out there's a place in the security world for me, and it's not where you guys are today, and it's not doing the technical stuff that literally still scares me, because when I read this I still have a kind of understanding of what it means, and then if I have a Google screen nearby I can actually figure out, what the hell, oh my God, and then I actually get it. But what I figured out is the path that I've taken in the last

15 years of my career is: what if I just was gonna help people that were just lost in translation? What if I have to actually help you folks take the information that's in your head, that's in that stack of 900 pages, that's in that amazing PowerPoint slide deck that's gonna take fifty-five minutes to get through and leave only five minutes for questions at the back end, what if I could turn that into something that an exec would kind of go, damn, I should probably worry about this? Make sense? Want to know? So how do I get there? So what's the translation? And it went, assets, right? Tim, how do you get from A to B? How do I get

people to understand? Well, this is it, it's just one word: risk. Executives care about a couple of things in life. One, when is their bonus gonna hit? I'm one of them, right? When do I get my bonus, what do I have to do to get my bonus? And the second one, what is the risk that's facing my organization, and is it going to be catastrophic enough that I'm no longer going to get my bonus? That's it. And I pick on any other execs in the room, and, okay, thank God. A moment, I always ask: are there any lawyers in the room? Do I got to worry about lawyers? Okay, good. So from an executive perspective, that's all we care about. All

that other stuff, that, oh well, we're doing great things for society and we're employing people, no, we don't give a [ __ ]. I don't care. What I care about is, does my check clear? And if something's gonna impact that check clearing, holy smokes, wait a second, wait a second, kids, we gotta figure this one out. I'm being very facetious, but understand this, right: executives understand risk, because they make those decisions on a daily basis. You don't see it, thank God, and you don't actually hear when they go for coffee, or the phone calls, or the minutiae meetings that we have to sit in as executives. So listen, people, blah blah blah, and we have to figure

out, yeah, we'll go this way; we make those decisions. How many people consciously made a decision to take 118th Avenue? You said 11th Avenue to get here today? Was it just me? Really? Crap, I screwed up, I took 118th. Anyway, I'm gonna take the LRT instead of the bus. I'm gonna buy the insurance for my windshield as opposed to not. How many people do that? How many people pay the extra couple of bucks a month to pay for the windshield insurance? Nobody? Okay, okay, thank God, right, good. I thought you guys, right, zombies, like, so can I ask then, from a risk perspective, did you save the 700 bucks to replace your windshield because

you're driving in Alberta, northern Alberta, right? Executives make risk decisions all the time, and they're balancing the objectives for the organization, the goals that the organization has for the next one and three and five years, against the crap you just walked in the room with and dropped on the desk. Oh man, we're in... right? Executives make those decisions all the time. The trick is, what if I was speaking in a language that the executives understood? Same as when I'm talking to the dogs at the shelter: what if I can get the dog to lick me as opposed to bite me? I know that sounded really bad, yeah, okay, I don't, can't leave that. So yeah, told you this doesn't get any

better. As an executive, when you come into the room with this, and you only got like five minutes left to fix this problem because everything's gonna break and blow up, look, all I see as an executive is this. But we've got a data center, or it's in the cloud, it's behind the cage, you got like a yellow box around it with cables in it, huh? What? I don't understand, help me understand. Because that's the struggle executives have. The perception that I have had over the years, that has been changed because of the world I'm in, is not the same as that of my peers at other companies I've worked at. Their perception is, look, you

got a data center, we gave you a shitload of money, go build it, you told me you have extra power, what more do you want? And then you're gonna quit, drinking quietly in your office, roll your eyes and carry on. But this is their perception. So the trick now is, what if I could translate the words that we know, that we're in trouble, and give it something they can understand? Anybody speak Russian? Holy crap, really? Did I get this right? Don't answer it, don't answer it. Yep, hang on, okay, good, okay, thank God, I was killing myself. Portuguese? Anybody know? Greek? German? Yeah, am I close? Because, yeah, we're in [ __ ].

So I love Google, right, I should have bought shares. My, I'm so... I just sat last night and went into Google Translate myself: "we're in [ __ ]," pick a language. Wow. What if I did the same to an executive group? What if I actually just, not the same [ __ ], but what if I would... So just, you know, I actually swear like this. This is me regardless of my speaking to a prime minister or a premier or a CEO. I don't really care anymore; I'm at that point in my career, I just don't care, right? And so when you kids get older you can say the same thing, yeah, I just don't care, right? So from my perspective, when I get into

this position, we are in [ __ ], but we don't have to be, right? Like, we just don't have to be, because this is why I'm going to serve it. So I talked about this thing called enterprise security risk management, right, this idea that what if I was able to translate business objectives, understand what's required to make my business and my company successful, look at the risks that we're facing, and then let somebody else figure this [ __ ] out? Yeah, exactly. Well, let's start with this up on the top of this diagram. I know I'm gonna, taking pictures, I'm gonna give this slide to that guy, oh, right. So at the top of this

picture it begins with and ends with the business. This is a cyclical approach to understanding risks within an organization, and I start with the business. Why? They own this. The business sets the objectives, the business sets the tone for the organization, it identifies what they need to do strategically, and more importantly, it's telling everybody else, this is what we need to do to either serve our customers, make a crapload more money, or provide services to the citizens of fill-in-the-blank, right? It begins and ends with that. Perfect. So as I get through this, the first thing I'm gonna do is I'm gonna take a look at and understand, from a business perspective, what are the assets I have, on that first

box when I head down, that support the business objectives and the stuff that we do. And what you folks are going to talk about over the next two days supports this, whether it is a vulnerability in an application framework, or whether it is an inability to log in to the LTE environment because 2,000 accounts were hacked, or whether it's because the framework that I have, that I keep having to focus on from an Adobe perspective, keeps crapping on me, I've got to keep patching, to keep updating, etc. But that has a direct impact on this application facing the web to make more money, right? That's what executives want to understand here: that you, as a security professional, when you have found a

complicated IT problem, can I link it back to the asset, and can I show how, if that asset's no longer available because it was breached, it went down, it blew up, dude, you're not, so we're not gonna get your bonus this quarter? That's what executives understand, right? Because as you work through the rest of the cycle, once I head down here, unless I understand what the assets are... It's our job now as security professionals to be that trusted advisor to the organization, to get them to understand the risk, and not the, oh my God, I can't believe that that vacuum cleaner with a camera on top of it was hacked and somebody can see me

while they vacuum remotely. I don't give a [ __ ]. What I do care about is if you're telling me that that Struts application framework that we have, that's facing the web, that's generating a million dollars an hour for us, could be at risk. Now I'm gonna care. But the risk has to be practical and pragmatic, right? Every time I've gone in to talk to a bunch of executives to explain risk to somebody, if I haven't got a story where it actually could impact our business, they aren't gonna hear, right? We'll wait for you, okay. From an executive perspective, what if you came in and said, look, we've got 35 applications sitting out on the

web, all of them are based on Struts, and all of them are vulnerable. That means you've got a 1 out of 35 chance, like, [inaudible], do you want to roll that dice? Do you want to roll the dice? And I've actually had discussions just like that when I was at the government. I've had it with other companies such as Suncor, Telus, pick a company, and every executive's like, ah, no, I don't want to do that. Okay, can I get four hours on Friday night to patch these babies and get them up to where they should be? You have it, Tim, we're gonna have to take everything down for hours, awesome, I'm

good with that. If you don't want to do it, terrific, terrific, because I just went through the mitigation strategy with you: we can patch it and we can fix it, or I can not patch it and take the weekend off. I'm good either way. I literally get paid either way, I don't care, because at the very top, when you take a look at that box on top, the business, the acceptance of it is from the business, not us. How many people have ever had to accept risk on behalf of an organization? How did you feel, short of your colon puckering? How did you feel? Because I hated it. First day when I was at Suncor, first week actually, my

crew came and said, boss, you've got to look at this letter, we've got to get this thing signed by Friday. I'm going, hey, wait, hi, I'm Tim, nice to meet you, and can I look at this letter? And it was a vulnerability that was found on some fairly significant pieces of equipment that were running on a wireless network way up in northern Alberta, that the potential could be then to turn the truck left instead of right. Yeah, I'm kind of worried about that. So no, I'm not signing. And they said, well, but we've always... I said, wait a second, you, you personally have signed this letter? Yeah, we accept the risk, we moved up. You're, uh,

not to pick on, can I pick on analysts just for a second? You're a security analyst in my SOC and you're signing off on a risk that could potentially impact us at a million dollars an hour? I just need to understand where you are in the pecking order in the organization. No, we're not signing this [ __ ]. When I was at Suncor they gave me this great t-shirt, it said, team, we don't sign [ __ ]. It took me a year to beat that into their heads, but they finally said, yeah, wow, we have all these things we've signed. It's not... So my first meeting with the executive when I went back with this letter going, I do this

are not saying this [ __ ] again I they will but Tim you always have no not anymore you were signed because in this diagram you're the guy right this is a catastrophic enough risk you're the guy and besides you're the one who set this objective so this [ __ ] ends with me your assignment anyway oh I know we we can't have that oh you mean so we can go back a box and look at what are the options to mitigate the risk yeah that can we do that awesome let's do that it was like a four-hour fix but my guys would have signed it because that's what they do right my favorite line that I was in security

was that well we'll just give the security because he gets [ __ ] done there's a lot of [ __ ] on my presentations I just heard that right so I'm kind of worried about that so I went from at the government marks here yeah I went from the government we were first we started doing our Manor security service then we roll that out to a partner we give it to somebody else then we decided let's do some forensics we'll take that why don't we do risk management which had on Tim you're doing such a great job we're just going so DRP BCP your way to assure [ __ ] I'll take that on right

what was he thinking right so in my career there we had for instance where we had to roll up the big red book going is this a disaster flip the page 5 and we would flip the page 5 this data center fire we had write what wasn't in the data center but the water dripping down at data should cost the problems had to be played in Calgary what remember that we left a couple of buildings slave late big fire yeah had a weapon go off and wait court yeah that was there always funny those are always fun but it's because as a security professional we think that we continually have to embrace more and more to make our executives feel better

and better stop stop stood a your job is to present risk to executives so they can understand it in terms that they're going to accept and more importantly when they do decide the option of mitigation strategy it's this is the Mafia you can sign this or you can bleed on it I don't care but I'm leaving the room and I actually have been I've done this at executives offices put the paper in front they go what am I supposed to do this sign it you're accepting the risk oh hey oh and my favorite in the government well I actually had a deputy mission for would he hold that pose I took out my blackberry took a picture

this is good enough and he went what yep this is good enough you're nothing is still an answer right it's not our job to accept the risk it's our job to take the information that you've spent an incredible time understanding and interpreting and turning it into results that link it back to the business link back to the assets and identify the risk to the business if that asset isn't the functional that's our job and if we do it right that's when we become the profession of security not the industry of security right big difference between being an industry and a professional this is the path to being that profession because we're those advisers now I don't have a skin in this game if

you want to go ahead that's awesome just like a lawyer just like a doctor just like a dentist right a lawyer will give you advice it's up to you to take it right my favorite is those Senate hearings right guys sitting there getting grilled quietly in the lawyer maneuver you me not what answer that question sneaks back out if the dumbass answers the question you're on your own buddy but I've given you that are we doing for time almost cool let's see if we can wrap this thing up take it home couple more things I think from my perspective we'll leave the questions for last I just want to go over this one one more time in the middle this is

where we live right security lives in the manage the risk part so whatever executives throw our way and what we ever end up from a business perspective this is what we have to manage it from an incident response perspective understanding post mortem what do those incidents bring to us and what can I learn and then what's that continuous improvement program looked like right from a business perspective those are the things that we manage we run that middleboxes what we run everything else goes around it right makes sense so far questions I'm gonna do it real quickly at the end this is the one I want to get to so I've been to a number of b-sides already in my career

I had the pleasure of being invited to a Edmonton and Calgary ever took our Vancouver so this anyone ever gone to the b-side say do you look so Jack Daniels and his team wrote this down a while ago I never met Jack Daniels awesome guy right especially with a full beard and hat awesome guy and get him drinking even more fun right sorry you better what I want to look at is his last period this last paragraph it's an intense event with discussions demo is an interaction from participants it is where conversations for the next big thing are happening this is what I wish for you folks for the next few days is to have the next big thing here in

Edmonton that you guys can walk away from this after two days and realize that you were part of a next big thing I'd love to come back here in five more years like I said I've been away for 25 years and come back and see how things are in here you guys have a great opportunity of head of you for the next two days to learn from each other in this room from the speakers coming to the stage and have a chance when you get out there to talk to each other some of the best networking you're gonna have right is when you get inside of this room and talk to each other during breaks and lunch excetera alright

questions gotta be a couple like does he have Tourette's and just like to swear a lot right so yeah great

Thank you, great presentation. Can you go back just two slides, back to the risk circle? Instead of a question specifically about that... sure. When talking to the executives this is really helpful, and I've sort of adopted something like this, but the part that I struggle with is what are the sort of the key topics. And I'm just wondering, you know, when I'm presenting this I try to present it as sort of like a single page with all the information, and so, you know, I'm limiting myself so I'm not handing them the four hundred page report. But do you or would you recommend attaching dollar figures to each one of these steps? Or is the goal to say that the total risk is a hundred thousand versus, you know, the project is worth eighty thousand and therefore it should be going forward, or, you know, can you talk to me about that?

Yeah, absolutely. So everyone get the question, right? So what kind of information do you want to provide when you're presenting to executives, and what if you're gonna focus on things like return on investment, right, from a risk perspective? I've tried to get on that path a few times. The question that I always get brought up with: "well, Tim, how do you qualify your eighty thousand dollars? How do you qualify the hundred thousand dollars?" So what I do is I take it up a level above. I focus on what the objective is, and that the opportunity to miss that objective is high, and here is why, right? So on the slide deck I have, unless it's a picture of a dog, I don't have a lot of text anymore, right? The pre-read I give to the executives, I devote a page and a half. And the first thing I start with when I'm dealing with the executives, because this is what I want to see, is what's the impact, what business objective is going to be impacted. The next line is what's the potential impact, and the third line is what's, from an observed perspective, what's the mitigation strategy, positive or negative. And then I just leave at the bottom "signed by" and fill in the blank. That's altogether one page and it's about five paragraphs, and they read it and go, "is this it?" Yeah, I'm gonna spend five minutes talking about it, and then you guys are gonna, in the executive room, at the board of directors level, you're gonna figure out what you want to do with it. It's easy from that perspective, but, but it sounds easy. The prep work to get to that point, it means that you're spending time at the line level, the manager, director, executive, VP, finally the board, so in each one of those times you spend time advising, here's what we have found. At the line level, it's like, that's when you're gonna see the hands up and remember the zombie people running away, oh my god. We'll spend time at that level. At the manager level, talking about what the potential issues are, right, the technical issues. Then you work your way up to the director, get into the VP role, get to the board. So the messaging gets shorter on the way up, but it gets more concise and it gets more business by the time it gets to the board. And the money? A couple of things. You can always get on the path of, if we don't fix this, if we don't spend X, Y could occur, and that's terrific, but I've had that come back and bite me. My favorite was, if we don't spend X, Y could occur, and then they decided, you know what, we're not gonna spend X. Okay, great. Then they come back and said, look at all the money we saved because Y didn't occur, and then the question was, so what's your program bringing to the table? To wash it, right? Now I gotta go back, start all over again and bring them back down the path. You just have to be careful with who you're dealing with and understand your board, your executive.

One thing I did, Mark, I think Mark's over there, you can pick, we can pick on the government for a bit. I've made my directors read every strategic plan for all 22 ministries. I've begun Goldberg over a weekend, man, these guys made me write, three guys came back, you know what, tough. And I'm like, look, there's a reason. When you go talk to a CIO, an ADM or Deputy Minister, and they come up and say, ah man, we got this great website we want to launch. Hold on just a sec, what strategic objective does this new website support? And then you'd hear the "hmm, you know what, we'll get back to you." Awesome, thanks. So what that did for me is it cut out all the [ __ ] superfluous requests and misconstrued projects, so my guys will never focus on something... focus on something, anything else.

Any other questions? Does it make sense? Somebody want to try it? The difference with this kind of stuff is when you actually put it into the field and get it to work, you will actually find you get weekends off. I actually had brown hair before I started with the government. It took a long time to figure this out, took 37 years to get good at this, but when you finally do, the chance for you to proceed in your career, to be looked at from an executive perspective that you are now a trusted adviser for risk, as opposed to the technical guy who drops that nine hundred page report off on my desk, it's a huge difference in how you look at this and the perception that your executives will have, whether it's at the board level, the VP, director, doesn't matter. They're actually gonna look at you as a partner in the business as opposed to the security guy who says "nope," right? That's the trick, and if I can leave that with you guys when I walk out this door today, I think I'm good. So no other questions? Time is good? No? Thanks.

[Applause] Thank you so much, Tim.