
BSidesSF 2017 - Security through Visibility: Organizational Communication Strategies (Katie Ledoux)

BSidesSF · 2017 · 25:02 · 895 views · Published 2017-03
Category: Community
Style: Talk
About this talk
Security through Visibility: Organizational Communication Strategies for InfoSec Teams

As organizations scale, collaborating with the rest of the business can become increasingly complicated for InfoSec teams. I spoke with individuals across several industries and job functions about their experiences working with InfoSec, and these interviews (along with data gathered through plenty of personal failures) revealed two ways we can step up our game. 1. Increase visibility: make sure the rest of the organization knows where to find us, and ensure we're operating alongside them, not waiting to get looped in once something is on fire. 2. Communicate effectively: we can make ourselves super visible by sending 15 mass emails every day, but that's not especially effective. Using the right strategies will ensure our communications are impactful. We will explore how team visibility and effective communication can improve the security posture of our organizations, and you will leave this session with straightforward strategies that are simple to implement.
Transcript [en]

So to get a more complete sense of what it looks like when infosec teams are interacting with the rest of the company, I just talked to as many people as I could, at different size companies, different industries, about their experiences working with infosec: what went well and what didn't go well. And you don't need to read all of these miserable quotes; I'm going to try to TL;DR it as much as I can. At a high level it sounds like there are two areas that we need to focus on, and those are the two areas I'm going to split this talk into today. So first, we need to increase visibility: make sure that people know where to find us and do our best to make sure we're working alongside the rest of the business instead of just getting looped in once something is on fire. And secondly, we need to communicate effectively. So I can make myself and my team super visible by sending 15 mass emails a day, but I would not call that effective communication. So in the second half of this presentation we're going to go over strategies to just make sure our communications are impactful and they're really having their desired effect.

Starting with this visibility piece. So perhaps unsurprisingly, most of the people that I talked to did not know anything about their company's infosec teams, and a lot of them didn't know what infosec was at all, and most of those people were my close friends who don't know what my job is, which is fine. One individual I talked to who works at a hedge fund told me, the word that he used was non-existent: his security team is non-existent. Which was like alarming, and I was like, okay, well I'm going to go hack this hedge fund, obviously. But so first I did a LinkedIn search and I saw that they actually have a really sizable security team that is in the same office as him, which is alarming on many levels. So there's a lot of reasons why fixing this problem is important. Visibility matters. First of all, if people don't know where to find us, they're not going to reach out to us with questions and they're not going to let us know when something sketchy is happening, which is obviously not ideal from an incident detection perspective. Also, maybe less obviously, being visible is important when we are competing with other business units for resources. So what I'm trying to say is this presentation might help you get that cash money.

So what can we do to fix that problem and increase visibility? We can start by hanging out with people in real life. [Laughter] Okay, that's fair. Don't worry, we'll get into how to do this on the interwebs later. But so forming trusted relationships, I would argue, is part of a healthy security program. A lot of the people I talk to think of us as gatekeepers that they're scared of getting in trouble with. So our goal might just be, we don't necessarily need to be BFFs; if we can just get them to think of us as an acquaintance that they're comfortable shooting a quick question to, that's a win. So I would argue that there is actually a business case for attending the company happy hour, or you could maybe host your own happy hour or another event with your department, just as a reason to get in front of people. Another suggestion I got from interviewees was to crash other teams' meetings. So this guy, his team has a status update meeting every Monday; about once a month someone from IS or IT joins that meeting and just gets a sense of what everyone's working on and answers any questions they might have. Obviously you can't do this with every team in your organization, but if there's one team in particular that you want to partner with more closely, this might be a good idea. And he said that it was really helpful and they offered a lot of really great suggestions. Other excuses to get in front of people in real life: you might want to host a lunch and learn every once in a while, or just work from another office so that you're interacting with people you wouldn't normally interact with.

Now for how we can do this online and not have to leave our desks. One suggestion was making a corporate wiki page, so that would be a page that sort of lists everyone on your team and everything that they're responsible for at a high level, and how to contact them. That's great if you want to just reach out to one person with a question instead of reaching out to a dozen people. You can also consider if there's anyone in your company who would benefit from newsletter or blog style updates from the IS team. This could just be an update on projects your team is working on, or even just like tips for interacting in a secure way; it's whatever is relevant to your audience.

Okay, this is my favorite part. I got really into ChatOps in the last like two weeks, so let's talk about how we're using chat applications. Obviously, I mean maybe it's not obvious, I find emailing a whole distribution list kind of intimidating, and I even find emailing one person I don't know a little intimidating, so it's great if we can make ourselves available on more casual channels. Hopefully we're on Slack or Skype for Business, or if you're the one company in the world that uses Yammer then you're on that. That was a sick burn. So in addition to the private IS Slack channel my team has, we also have a public IS channel that anyone in the company can join. This is great because sometimes people join, they see their question has already been answered. Sometimes people answer each other's questions; that's lovely, I can just sit back and watch. Other times, you know, communication works both ways: we get great suggestions from people in this group, and if you're rolling out something new and you want feedback, this is a group of people from across the organization who have some interest in security, they're in the group and they're probably going to be willing to give you feedback. So it's a great resource in that way too.

We can also monitor for keywords on tools like Slack. So a great example of when I did not do this well: at an old job I went to another office and discovered that there was a pretty big miscommunication about a project that my team was working on. So I worked it out in person, not a big deal, but I do think I could have avoided that miscommunication altogether if I had been monitoring our public Slack channels for mentions of that project, and then when people were talking about it, just make sure they're all getting the right information and we're on the same page from the get-go. And this Slack monitoring example I think highlights sort of what I'm going for with visibility here. We don't have to be visible in a disruptive, in-your-face sort of way, contrary to the impression that Nick Cage may be giving you right now. We just really want to be part of the process. So we don't want to swoop in when there's an issue and then like disappear into the night; we want to be working alongside people as much as we can and just be part of the right conversations.

But we do have to be realistic about our bandwidth. Every time we open a new communication channel we can be creating a lot of extra work for ourselves. So now we're monitoring all these new notifications, we have to monitor this new IS Slack channel that's open, make sure people aren't going rogue giving crazy answers, we have to reply to all these people that are sliding into our DMs. It's like a whole thing, it's crazy. But one way that we could maybe solve this problem is to integrate as many of these tools as possible, just to try to keep everything in one place so we don't have to switch gears constantly. My team integrates a lot of tools with Slack; it's a great home base for us. But the best tactics for making your team visible and available are going to be different at every company. I don't know what's going to work for you as well as you do, but there is one strategy that is going to work for all of us when it comes to increasing visibility. It's like the worst one, but we have to do it: it's planning. Boo. I know, I'm getting booed more than I thought I would.

So I am always trying, my boss is here, I'm always trying to convince him to send me to the LA office. If you see him, his name is Josh, just tell him to send me, just because I want to go to LA, but I don't have like an actual reason to be out there. So leveraging spontaneous visibility opportunities is fine, but I do have to admit we're going to get more of a return on investment if we stick with these more strategic, planned engagements. So this means we have to plan. Bullet one: think about what type of involvement works for you, and actually think right now about something that you could implement with your team, your company, so you can keep that in mind as we move through this wacky cycle. I'm going to use the example of implementing quarterly lunch and learns because that's super simple. We're going to start with a premortem: we're going to think about how it could fail before we even get started. So tell me, someone tell me why a lunch and learn quarterly would fail at your company. No free lunch? No free lunch, that's so good, it's really good, I didn't even think of that one. Yeah, maybe you don't have a budget for free lunch so no one's going to go. I would say, you know, if you're on a two-person team, quarterly cadence doesn't sound like a lot but that really is a lot of work that might overwhelm your team. Maybe the audience that you're talking to wants something that's more direct than an hour-long session; like, this is only half an hour and it feels super long. So you have to be realistic about what's going to work.

And then we want to map back to goals. So like any other work that we do, if we aren't keeping track of this and holding ourselves accountable, it's going to slip through the cracks. So I'm going to go ahead and add "host four lunch and learns" to my team's annual goals. On the other side of this coin, we also want to make sure that our visibility efforts are also connected to even broader team goals. So if one of my team's goals for the year is to increase awareness about secure coding, then I could host my first lunch and learn about that. Whatever you want it to be; we wouldn't want to be visible just for the sake of being visible if we can get another goal in there too. Using a lot of gesticulations today, feels good. So the next step in planning is going to be practice. We're going to start with a small pilot group; in this case I'm going to start with one department or one group of people before I roll out lunch and learns to the whole organization. Then we're going to document: make sure we're writing down everything that worked, everything that didn't work, all the information we need to do it again and do it better the next time. And then we measure. So think about whether you accomplished the goals you set out to in the beginning, get feedback; so in this case I'm going to send a survey to everyone who attended the lunch and learn, see how they felt about it. And then we use all that documentation to update our plan and we do it again and again, forever, forever.

Okay, so we increased our visibility and now everyone knows who we are and where to find us. We have so many new opportunities to interact with the rest of the organization, but none of that matters if we're bad at communicating effectively. So based on those conversations I had with people, I sort of broke it down into three issues that kept coming up again and again, and it sounds like we need our communications to be intentional and thorough, consistent and prompt, and blame-free. So let's dive into each of those three.

Intentional and thorough. So here is a checklist we can walk through to make sure we're being intentional and thorough. This section could also be called "I took a Lynda.com course on organizational communication and all I got were these six bullet points", but they're like fine bullet points, I guess. So again, try to think of an example of an actual communication you're going to need to send out in your organization, a project you're working on that is going to require communicating to another department or the rest of the company, so that you can keep that in mind. I'm going to run through the list using an example from someone I interviewed. This is a law associate who is super peeved about a new policy that requires him to request access to client files from IS. Sometimes it takes three-plus hours for him to get that access, and the access expires after a certain amount of time, so this is something he has to do again and again every day. It makes it much harder for him to do his job. So let's imagine we are the IS team rolling out this new policy. Here's what we need to consider.

One: who is the receiver of this message? So we probably only want to send out this communication to people who need to be involved. First of all, it's good security hygiene a lot of times to send this information out on a need-to-know basis, but also when people get messages from us over and over that don't apply to them, we become white noise and they start ignoring us. We also want to consider this receiver's goals and priorities. So this kid cares about doing good work for his clients as efficiently as possible, because he would like to sleep more than four hours a night. So we have to consider his priorities when we're sending out that message. Two: who would be the best sender? So your sender should be influential to the receiver. Let's say that hypothetically I'm a total joke and the open rate of an email from me would be under 3%. Again, completely hypothetically. I might need this message to come from someone else, maybe my boss. Three: what is the focus of this message? Thinking about this will help you keep it succinct and to the point. If the receiver needs to take any action, that should be extremely obvious to them.

Four: how will it be interpreted? The way this interviewee interpreted the message, his big takeaway was that the IS team did not understand how the business operated at all. Not an ideal takeaway. If we took the time to explain how this process would limit the ability of an attacker with compromised credentials to access sensitive data, he might be a little less frustrated, and he might be less likely to try to find a way to circumvent this policy. So it's probably worth an extra paragraph in there to explain why it's happening. Also, I mean, the process does seem pretty brutal. I have a hunch about what happened here: there are a lot of new requirements in the legal industry, and also in every industry, and sometimes when a new threat or requirement pops up we have to come up with a quick way to address it, sometimes a temporary, sloppy solution until we can implement something that's more permanent. And I think it's okay to communicate about that. I think it's okay to let people know that this is temporary and there is something better on the horizon, if that is the case.

Five: is feedback necessary, and if feedback is necessary, have you explained how they can offer that feedback? I was very surprised that the lawyer I was talking to, because he was super mad, had not talked to anyone in IS or IT about how disruptive this new policy was. I think that if they had offered a clear channel for feedback he would have reached out, and a lot of other people would have reached out, and they could be working towards a solution that works for everyone. Six, last but not least: what is the best channel? Email is usually the easiest and worst option. If you outline this policy in an email, that's not helpful to the associate who starts in two weeks and didn't get that message. If something needs to be continually referenced and updated, you can send an email pointing them to those resources, but it shouldn't exclusively live in people's inboxes. Also, if it is a critical communication, we can learn from the best phishing campaigns and use multiple touches. So give that person a call and then send them a link to more resources, because you know 100% of the time you're going to click that link.

Okay, so we have established how to be intentional and thorough. Now let's talk about being consistent and prompt. One of the mean quotes I got from interviewees said, "If I reach out to three different people on that team with a question, I will get three different answers." But we can fix that. So let's talk about staying on message. Flying members of your team out to other offices is less effective if they don't know the message they're delivering. Like, when I go to LA, I'm going to be super on message, I'm going to know exactly what I'm talking about, it's going to be super useful. So yeah, I know. Thanks Josh, you got that? Okay, so maybe think about three things, three big takeaways you want everyone in your organization to know about how they can help protect the company. It might make sense to really document those and just make sure everyone on your team is well versed in those talking points. Secondly, templates and documentation for all the things. You probably already have a template for company-wide security alerts; if you don't, obviously pull one of those together. Everyone who gets the email knows what they're looking at as soon as they get it, that consistent format. But I think even more importantly, having a template for security alerts, or really any company communication, forces the person who's filling it out to really think through all the parts that need to be included. You can use that list on the last slide and just make sure that they're not forgetting anything. You might be super comfortable with everything that should be included in an alert like that, but as your team scales and that becomes someone else's responsibility, you want to force them to include all the right information. And when you are answering someone's question, that answer should live somewhere, so start building out an FAQ as early as possible. It's a lot easier to do that as you go than it is when you're adding more people to the team and have to document stuff for them. You'll probably start with a private FAQ, but it would be great if down the road you could also create a public FAQ that's available to other people in the company.

And of course there are ways to ensure we're being consistent and prompt through automation. Any time we're doing something over and over, we look for a way to automate it. This helps me so much because I don't have to constantly remind people to do their access reviews or do their security awareness training; a computer does that for me, it's great. So in addition to saving time, well, so it helps us be consistent and prompt: you know they get those emails at the right time, we write a great email once and it's the same one that goes out over and over. It also saves me time, and it makes me feel like less of a jerk because I am not the one emailing them over and over, it's that computer, you know. Don't hate the security analyst, hate the game. That was so good, I really nailed it. Yeah, it was good, that makes up for all the booing. There's also a lot we can do with ChatOps here. We can go above and beyond having those FAQ answers available to copy and paste, and we can employ Slack bots to answer people's questions for us. So if someone uses the phrase "guest Wi-Fi", I can have a Slackbot send them to the wiki page where we keep that information. We can also use Slack bots for policy enforcement. So if someone posts something that looks like a secret API key, we can have a Slackbot let them know that they might have made a mistake and they might want to delete that post. Of course, as we have touched on already, automation is a slippery slope. No one knows about alert fatigue better than security professionals, and we don't want to cause communication fatigue on people by over-automating a thousand messages.

Okay, so we've explored how we can improve the quality of communication by being intentional, thorough, consistent and prompt. Blame-free is the wacky one, but I'm going to explain it now. So I first came across this topic in a blog post by Jacob Kaplan-Moss from last year. In that post he explores the blameful culture in infosec, his word not mine, that focuses on individual failures rather than systemic ones. So I'm going to use an example and look at the two different ways that we could handle this problem. Let's say a user clicks a link that he's not supposed to. Oops. So a blame-focused infosec team could maybe chalk that up to a bad apple and say, well, that's the user's fault, he's silly, that's not good. Maybe they get sassy with the user, they close out that ticket and never look back. But we just created two problems here. One, that user had a bad experience with us; they're less likely to report an incident next time it happens, that's not great. And two, we didn't force ourselves to explore why this problem really happened, and we missed an opportunity to fix a systemic problem. So what we want to do instead of looking for a person to blame is zoom out and think about how this slipped through the cracks. I want to team up with that user and consider what we could do differently moving forward. Maybe I need to do more end user awareness training, maybe I need to change my email filters. In general, we don't want to just assume in every situation that someone is good and someone is bad. We want to approach these incidents with a new mindset, that something bad happened to us and we want to fix that moving forward. That's really the same reason we don't include names in a root cause analysis. The bottom line is: don't get blame, get solutions. OK.

Jokes. I was gonna stand like that until someone made a sound. So I don't expect every strategy outlined in this presentation to work for everyone; hopefully you just get one or two tips that will work at your organization. I definitely learned a lot having these conversations with people, and I'm really excited to put a lot of the things that I learned into action at Rapid7. Before I go, I just want to say that, again, this was my first time doing this, I've got a lot of help. Check out infos mentor.net if you are looking for help with a project or if you want to mentor someone like me, and follow me on Twitter, I tweet dank memes. Good night. [Applause]

Thank you Katie. On behalf of Fitbit and BSides we thank you. [Applause]
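The ChatOps ideas in the talk (monitoring a public channel for mentions of a project, a bot that points "guest Wi-Fi" questions at a wiki page, and a bot that warns when a post looks like a secret API key) can be sketched as one message-triage function. This is an added example, not code from the talk or from Rapid7: the wiki URLs, watched project name, FAQ phrases and sample messages are constructed placeholders, and the only key-shaped value is AWS's published example access key id, not a real credential.

```python
"""Chat-message triage for an InfoSec team's public channel (added example):
route FAQ phrases to a wiki page, flag mentions of a watched project, and
warn when a post looks like a pasted credential.  No Slack client involved;
all URLs, terms and sample messages below are constructed placeholders."""
import math
import re
from collections import Counter

# Hypothetical FAQ routing table: lower-case phrase -> wiki page.
FAQ_ROUTES = {
    "guest wi-fi": "https://wiki.example.internal/infosec/guest-wifi",
    "guest wifi": "https://wiki.example.internal/infosec/guest-wifi",
    "access review": "https://wiki.example.internal/infosec/access-reviews",
}
# Project names to watch so the team can join the conversation early.
WATCH_TERMS = ("project falcon",)
# Well-known key formats are flagged outright; a generic long token is only
# flagged when it also looks random (entropy check in find_secrets).
KNOWN_SECRET_SHAPES = [
    re.compile(r"AKIA[0-9A-Z]{16}"),            # AWS access key id
    re.compile(r"xox[abp]-[0-9A-Za-z-]{10,}"),  # Slack bot/app/user token
]
GENERIC_TOKEN = re.compile(r"\b[A-Za-z0-9_\-]{32,}\b")
ENTROPY_THRESHOLD = 3.5  # bits per char; words and repeated chars fall below

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_secrets(text):
    """Return substrings of text that look like credentials, in order found."""
    hits = [m.group(0) for pat in KNOWN_SECRET_SHAPES for m in pat.finditer(text)]
    for m in GENERIC_TOKEN.finditer(text):
        tok = m.group(0)
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD and tok not in hits:
            hits.append(tok)
    return hits

def triage(text):
    """Return the bot's actions for one message as (action, detail) pairs:
    ("faq", url), ("watch", term) or ("secret", redacted_token).  Secrets are
    redacted to a 4-char prefix so the bot never echoes the value back."""
    actions, low, routed = [], text.lower(), set()
    for phrase, url in FAQ_ROUTES.items():
        if phrase in low and url not in routed:
            routed.add(url)
            actions.append(("faq", url))
    actions.extend(("watch", t) for t in WATCH_TERMS if t in low)
    actions.extend(("secret", t[:4] + "...") for t in find_secrets(text))
    return actions

# Constructed sample messages; the key id is AWS's documented example value.
SAMPLE_MESSAGES = [
    "hey what's the guest wifi password for the LA office?",
    "anyone know when project falcon ships? marketing keeps asking",
    "config dump: AWS_KEY=AKIAIOSFODNN7EXAMPLE please review",
    "the new client-file access policy is brutal, three hours for one doc",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg, "->", triage(msg) or "no action")
```

The entropy gate is what keeps the generic pattern from firing on ordinary long words or repeated characters, which matters given the talk's warning about communication fatigue from over-automated bots.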