
BSides Knoxville 2018 (Second Track, KEC, morning sessions)

BSides Knoxville · 2018 · 2:59:13 · 71 views · Published 2018-05
Tags: Category: Technical · Style: Talk
About this talk
May 19, 2018. This is the morning livestream of our second track at the Knoxville Entrepreneur Center.
Website: https://bsidesknoxville.com/
Talk schedules: https://bsidesknoxville2018.sched.com/
Twitter: @BSidesKnoxville
Transcript [en]


Well, for the very quiet speakers, that was the theme to The IT Crowd, so, as nerdy as I am, for those of you who have never seen that show, you should definitely watch it. All right, so is that entirely too loud? All right. So, as Adrienne introduced me, my name is Corinne McReynolds. I am a security consultant with Sword & Shield, and today we're gonna be talking about using containers not just as a delivery tool for life and DevOps and things of that nature, but to actually use it for security. So this is a little overview of what we're going to cover. So, how many people in here are familiar? You do know, you can correct me if I'm wrong. So what we're gonna cover is a little intro to containers, we're gonna cover using it as a security tool rather than a dev tool, and then we're gonna talk about the pitfalls. So for those of you who haven't had a lot of exposure to containers, I'm sure that this may have come up at some point in your enterprise endeavors.

They are completely capable of running a full operating system like a VM, but like I said, the real cake is when you drill them down to just the specific resources and access to...

What that essentially leads to is that they are highly portable. So everything you need to run a container, kind of like, once again, going back to the whole Java thing, the Java Runtime Environment: so if you've got the Java Runtime Environment on your computer and you download a Java program or app or whatever it may be, it's got all the resources that it needs, but it's based on that Java Runtime Environment, whereas a container actually has all the resources it needs built right in, which makes it highly, highly portable. It's gotten so popular that, as you can see, all the major cloud computing platforms, even the ones that are contending with Docker, now have support built in for it. Does anybody here work for VMware? No? Good, okay. All right, so VMware has been so impressed with what Docker has done, they're a direct contender, and they've actually adopted some of the security features that you can get with containers in their own product. However, the VMware VMs still require all the underlying resources that a normal operating system would require, unlike containers. So what's the big deal with containers? How many here have heard, you know, maybe some administrative staff, or you've heard some grumblings or interest at the organizations that you work at, that you might be looking at containers in the future? Does anybody here... a few, a handful. If you haven't yet, you will, and if not you directly, you will most likely work with another organization that is utilizing containers.

So Joe Beda, the former staff engineer at Google, a couple of years ago stated that everything at Google runs in a container; they start over two billion of them a week, and that information was dated about six months ago, so it could even be more now. Gartner has indicated that by 2020, 50% of all companies across the board are gonna utilize container technology in some form, and Forrester is indicating that 63% of these people utilizing containers have over a hundred deployed, and 82% of them expect to have more than 100 containers deployed within the next two years. So that map you see up there is not just jinda; that's actually all of the enterprise versions of Docker that are running around the world, and you can see this is actually from Docker's five-year anniversary down there where they're talking about, and granted, you can take some of their numbers here with a grain of salt, but even if you look at the 37 billion container downloads, that really indicates a very strong trend. So whether you want it to or not, it's coming. All right, so now we get to talk about the fun stuff

which is how to use containers for security. So, has everybody here had some experience with layered security? Everybody pretty familiar with that concept? There's some that aren't? Yes? You guys are not very responsive, come on, wake up, you've had some doughnuts and some coffee. Is it me not having had coffee? It's me needing some coffee. There's one guy over here. All right, well, you've got an excuse, but everybody else... All right, so layered security, as we commonly know, is the best way of going about security. Nothing is hack-proof; there is no silver bullet. Given enough time and resources, anybody can hack into anything. The whole element of security is to make it more trouble than it's worth for an attacker to get in, and I'm sure Russell back here can attest to that, so they like the stuff that's easy to break into. If we as security professionals had our way, we would just keep on piling on security, and that's what that little cartoon there indicates too, where nobody could access that data; it would be safe, but it's not exactly productive and not necessarily helpful. So we know that that's not a realistic thing that we can do, but that's where compartmentalization comes in. So along with adding layers to security, you can compartmentalize stuff, and so you can take the things that are more important, more critical to your organization, and you can put those in a place that's higher security, while things that maybe aren't as important, or if they were to get lost or if they were to get breached, you can put those in another area that maybe has less security, that's easier to access.

So we see compartmentalization a lot, especially in the government, or if any of you have worked with the military before, you'll know that that's kind of a big deal, to compartmentalize information as much as possible; that way if there's a breach you limit the amount of damage that it can do. So we can separate these tasks, applications, systems and resources into these different compartments, and, like we say, we can add more layers where they're needed. That reduces that attack surface and mitigates the damage. But the biggest dilemma that we run into is when you're trying to figure out how to compartmentalize things when you have overlapping levels of access, and the best example I can use of this is a hospital. Does anybody here work in a hospital, with IT in general? Okay, so you guys may be familiar with this issue. So you've got a lot of people and they have varying levels of access: you've got nurses and doctors and they all have access needs to certain applications, but inevitably when you have overlapping, like you have some people that have a higher level but can access lower-level stuff, but you've got other people who have a higher level of access but they're not supposed to access that other stuff, you know, it gets very convoluted very, very, very quickly. And application delivery, especially in hospitals, is a very difficult thing to manage because of all those varying levels of access that varying departments and things of that nature have.

So this is where containers can come in and really give us a hand. So containers can be tailored to run specific applications with access limited only to the resources and data it needs to run. That means, essentially, that you can take and build a container; it can run any application that you need it to run, or any task or process that you may need it to run, and you can tailor it down to where only a specific person has access to it while it's running, it only has access to specific databases or specific networks or other specific containers or VMs or whatever the case may be. But the thing to latch onto is how tunable they are, so you can really isolate that stuff down to a very granular level, which is very important for security, because we can really mitigate a lot of risk by doing that. Simultaneously, containers can run independently of each other if so desired, but also they can run on the same network or they can run on different networks but still communicate with each other, so there's a lot of flexibility that you can use in order to put in various separation, various levels of security, in between the containers. You can have multiple containers running specific processes for a single application. So if you've got, say, a process that accesses a sensitive database and you want to protect that process a little bit more, well, you can do that by utilizing a container and really drilling down that security on that specific container running that process, while the rest of the application is running on the other processes that are not as critical. This lends itself to containers being extremely portable, and if you build the security inside of these containers, whether they're an entire VM or whether they're a specific process or application, then wherever that container goes, the security goes with it. So you don't have to worry about, well, if I deliver this application to this new department, do they already have the various security tools in place that we already have, or am I gonna have to make adjustments to IP access lists and things of that nature, ACLs or whatever the case may be? You can configure all of that into a container and then send it out, deliver it, and it can run with everything it needs, ready to go. So in using containers there are some things that we really

need to understand in order to zero in on how dynamic they can be. First and foremost, so, Docker, because of its evolution, has really aimed itself as a development tool towards devs, so because of that, they don't really build containers with security in mind. They build them in such a way that they work, they work quickly, they work accurately, they're productive. So in order to make that happen so easily, especially if you download a container off the Docker marketplace, they have a lot of very terrible defaults, and like I list here, it can be kind of equated to an any-any rule on a firewall, which is just a terrible, terrible idea. So as a default they all come on the same network, even though they can be divided up. Most of them will have some sort of admin privileges, and a few of them can even have root access, though I should mention that at this point, utilizing Docker, at least one container must have root access in order for all of the containers to work, so obviously that one needs to be protected the most. But there's still room for improvement, to where we can see perhaps there's a way to mitigate that layer so that we don't have to give root access to that primary container. So start with developing the container with data security as the primary purpose.

So right now, a lot of places use containers, like I said, in the development cycle, developing apps, delivering them. So do we have developers in the room? A couple. All right, I love you guys; I may be a little harsh on you, just a little bit, but I do love you. So as a developer, right, a lot of times there is undue pressure put on you to make something work, to create this application or a piece of software or whatever the case may be, to make it work. Well, Docker kind of does the same thing, so they don't typically look at it and build it with saying, well, how are we gonna make this secure? They go, how are we gonna make this work? Then after it works they go, well, how are we gonna make this secure? And in that kind of lies some of the problem, but a lot of that can be curbed by utilizing secure coding practices, looking at stuff like OWASP, making sure, as I'm sure your developers know, using a complete secure development cycle or process in order to develop these containers or the applications or processes that lie in them. There is some security built into Docker; primarily it's static security. So Docker kind of functions the same way that the Apple Store or the Google Play Store work: they get an application, they take a look at it, and they go, well, it looks okay, it doesn't look like there's anything bad in it; it's sitting there, the image of it is sitting there.

And Docker kind of does the same thing when they produce these VM... not the VMs, but the containers, to run in VMs or standard desktops or whatever else the case may be. When they put those on their marketplace, they take that static image of that container, they look at it, they say, well, it looks good, doesn't look like there's any viruses on it, doesn't look like there's anything malicious on it, it's good to go. The problem with that, a lot of it lies in that, between the time that you download it, between the time that it's delivered or that it's changed or whatever else, we don't know what might happen to it or what might get injected into it. And point in fact, most of the vulnerabilities that occur with Docker and containers actually come from implanting containers, with other containers, with a rogue process or application of sorts, and then they use a breakout to get control of all of them, and then that's a bad day. So we can do some things, though, to mitigate this. We can look at containers kind of the same way we do when we look at network segmentation or the way we handle privileged accounts: we build them with

the principle of least privilege in mind, create the containers only with the access and resources they need to complete their designated tasks and nothing else. You know, don't leave open ports. I mean, with containers you can really dig into the details of locking networks, utilizing only one port for one process to access only one thing on one network, so there's no reason why we can't drill that down and get it ultra-secure.

So another catch, and there is always a catch: so containers are still relatively young, and they definitely don't have an easy learning curve. A lot of people are familiar with containers in the sense of Docker, because, you know, we've all heard of Docker, we've seen their cute little whale carrying the containers, but very few have dug in to understand the underlying complexities and implications of that technology. You know, from a high-end enterprise standpoint, a lot of C-suite folks will hear, well, it's fast delivery and it's easy delivery and it's just so quick and easy and it's got low overhead, and they think, oh, that sounds great, but they don't think about all the complications that come along with that. Docker Enterprise is actually, and I've already mentioned this previously, the only enterprise offering that has adequate support and a substantial marketplace for containers, so they're the only ones that have service level agreements and things like that that they are willing to put up for organizations. There are other offerings out there: Linux LXC, CoreOS rkt, Canonical LXD; all of those are open source projects. Canonical is probably, I would say, kind of the second lead charging forward, and I know that they are working on an enterprise-level container product, but it's not out yet. But now, where the real market competition comes in is with container orchestration. So Apache, Google, Docker, and there's about a million others, they all have products that deal with orchestration. So when you're developing, when you've got a container, you've got a bunch of containers, and you can have hundreds of thousands of containers running if you so desire, if you've got the system resources to handle it, but how do we deal with all those? Well, with VMs you've got a hypervisor or VMware, some sort of management console, to deal with that; well, with containers you have an orchestrator, which is just their fancy word for management. Containers are relatively easy to deploy using Docker and their pre-made marketplace; that's really where that big perk comes from. But as we all know, when you buy anything pre-made and pre-configured, a lot of times it's not properly configured, and that can definitely be a big issue, so definitely watch out for it.

And then the other thing is, there's fear in the unknown. So a lot of us, you know, might not have a good idea of what could... like I said, you might kind of understand, you're like, well, I guess it's like a VM, and like I said there are a lot of similarities there, but there are so many underlying complexities to the architecture. You can have containers inside of containers inside of containers, and they can run different processes for the same application or different applications; they can run full OSes or they can run stripped-down processes. I mean, there's just so much to build there, the connections in between them. Like if you look at various network topologies, when dealing with containers it can look insane; I mean, it just looks like spaghetti on a plate when you get into all of the connections that containers can actively make. So, you know, there's a lot of fear in not fully understanding them and being worried that it might be too much to undertake. And here's the other one, and once again, devs, like I said, we love you: so what happens when developers... if we don't use the ones that are pre-made off the marketplace, which we really shouldn't, we should be developing them ourselves, but then that lays all of the pressure of developing these systems, and that's what they are, on a developer. Well, that effectively turns a developer into a sysadmin, because they're making all the decisions on how these processes or applications or operating systems work. And we have sysadmins in here? Oh, you're a sysadmin? Yes, you're an exception to the rule. Where's the other one? So sysadmins are the exception to this rule, by far, because you guys have a better knowledge about the way things like this need to be secured, because you can handle it like a system. In order for the containers to be secured and used as a layer of security, this secure development process is crucial, and like I said, our developers with systems experience know this, or if they have security experience. Without that systems or security experience, devs are not equipped to be able to handle the security they need to be able to handle in order to develop containers, because effectively it's like they're creating a system and they are the admin of that system. And so, those of you who have any systems admin experience, or you are security guys, or whatever the case may be, I'm sure that you have realized, often, with the exception of the developers that have system and admin experience, a lot of times the developers are focused on just making something work and they are not focused at all on the security aspect, because that's not their job; they just want to get it up and running. So we have to educate and train them. If you're gonna have developers that are going to be working on containers, it is crucial that they get systems training, that they get security training, and they know about the practices so that they can build with security in mind as opposed to an afterthought. So, simplicity versus complexity, which we've already kind of hit on just a little bit. So like I said, the concept of containers is simple, but the underlying architecture is very, very, very complex. Pre-made containers are easy to deploy, but how secure is that marketplace?

Who here trusts every Android application on Google Play? That's what I thought. What about repositories? How many of you have used GitHub and stuff like that before? Pretty good number. Do you trust everything you would download off GitHub? All right, so that goes to prove the point. These are images, these are pre-made images that are there for download, but there's no telling, after just a static security check, that they're as secure as they're intended to be. So we can liken it to traditional infrastructure security: we can look at adding layers to it, but it's no easy task when you start having hundreds of containers with lots of connections. Who here deals with a very large virtual machine environment? Anybody consider their environment pretty large? And have you guys dealt with the security in that environment, and is it a complete headache? Yeah. So there's definitely a lot of complexity that can go into this. The biggest thing to focus on when we're looking at this security is there's a number of ways we can approach it. So there are a lot of companies out there that try to secure containers from the side or from above or from below, so they try to secure the hardware, the software that sits below the containers, or the management engine, or they try to do checks on the connections on the Docker container: so what's it connected to, what's the traffic that's coming out of it; they do deep packet inspection and things of that nature, which are all great and all important; or they might even look at the applications and processes that it's spitting out. But a crucial area that many have not looked at is actually building internal controls within the container, which I mentioned earlier. There's only one company right now that I'm aware of that does actually do this, but I think we can push and we can do better.

So where do we go from here? So the biggest thing is education. All of the information we need for containers, Docker, all of the stuff, it is readily available and it's out there, and even though, technologically speaking, containers are still really in their infancy, there's a lot of information and there's a lot of people out there playing with them, doing really, really neat things with them. There are a lot of organizations that have adopted Docker or have adopted containers in some form; they aren't using them in production, they're just using them in development, and so, once again, there's still that fear of, well, we've got it, we're kind of playing with it, but I'm not really sure that I trust it that much just yet. So we need to experiment and test with it. You know, Docker Community is free to download, anybody can get a hold of it, you can start messing around with it, you can start playing with security protocols and things with it, you can look at building security into it yourself, you can look at creating your own images or applications or processes, and a lot of those, even if you're not a coder, a lot of those processes or applications, you can download the code for that to place in a container just to do some testing or to play with it. And continue to spread the word. So educate the people about containers. This can be an incredible, incredible security tool. We have the capability to drill down processes, applications, all the things that we need to separate and segregate and divide; we can drill that down to a really, really granular level. We can separate all of this stuff out and get such a granular level of control that there's no reason we cannot make this stuff a complete pain for anybody to want to break into, assuming that we're not using defaults. Because once again, if we take the easy way out and we just use default applications just because it's easy and they're easy to deploy and they're easy to run, it's just not gonna do us any good; they're gonna be vulnerable. And I liken this a lot to DMZs. So are people a little familiar with DMZs? Pretty so, okay. So, as I'm sure a lot of you know, DMZs can be a great security tool, right? They can provide a great buffer for us in a network. However, they can be just as big a vulnerability as a protection if they're improperly configured, can they not? It's a big deal. Containers, if not, they're just as big of a liability and a vulnerability. So get involved, follow and contribute to the community. Like I said, you don't have to be a coder or a developer; voice, as a security professional, as sysadmins or developers or whatever the case may be, you can look at what's going on with containers and with container security and you can voice your opinions at conferences, you know, directly to vendors. There's no reason why you can't get involved, and as security professionals especially, we need to push them towards those secure coding practices and making security the focus instead of the afterthought. So that's pretty much what I've got as far as the bulk of it, so I'm gonna take some questions now if anybody has any. I hope you have got a few or something like that; I felt like I kind of rushed through it. Yeah, what's up?

So with Spectre, truth be told, there's not really... I mean, given that it's at a firmware level on the chip, you're talking about something that in all reality cannot be prevented. We can mitigate it, but it can't be protected against. So hopefully, moving forward, Intel and AMD do their due diligence to make that not a vulnerability, but truth be told, all we can do is try and secure now. I will mention, though, that by using containers you can create a lot of layers of abstraction from the firmware, so once again it's that concept of, well, if you put enough layers on or you make it so complex, you know, that individuals are gonna look at it and go, this is not worth my time to get into and break into, whatever this may be. So, because like I said, you can place containers within containers, you can place those containers within VMs, there's a lot of layers there that, if you've got something really important or a really critical process, you can really bury it deep and it can still function without any latency or worries, because it's all still built on the same hardware. So does that kind of answer... any others? Yes.

Yes, yes, and there's actually a lot of work going on in that area. So right now they do verification signatures, and I think even Docker does this to a limited degree, to verify the authenticity of the marketplace containers. However, there's a big push by a lot of companies to, once again, build those certification processes into the container, so that you're not having to apply a certificate to it, but it's got the certificate built inside of it, so that wherever you transfer it, it's gonna be able to get that authentic verification. But yeah, there's a lot of work going on in that area right now. I mean, if you're super geeky and nerdy and really like certificates, it's pretty cool stuff.

Okay, so just like when you turn on, say, you've got a server, you've got a desktop or whatever else, and say you're running a hypervisor or whatever else, you have to turn on the virtualization on your hardware in order to allow that to run. Docker kind of does a similar type of thing. So in order for it to... and that actually will, if you've got a laptop or desktop, you can try this at home: if you download Docker, it will actually tell you that it's going to enable certain features on your hardware and it's going to disable virtualization for other things, kind of like VirtualBox, for instance. So it'll tell you that VirtualBox will no longer work once you turn on Docker. I know, it's really crazy, and that's all on Docker; that's not on containers in general. But anyway, so in order for those containers to work, in order for them to be virtualized and broken up into all those processes, to be connected in some way, or in order to be able to build those connections, it has to have that root connection down to the firmware. It absolutely does not, because Linux is very different structurally, so yeah, you don't have that requirement. Mm-hmm, which is also why containers have traditionally been built on Linux systems.

and that's and that is an excellent question and that's one of the things that organizations will have to figure out in my personal opinion I think that if devs are properly trained if they have the experience and stuff that they need I don't think that there's a problem with because they're gonna be much more familiar with the architecture of that container I don't think there's any issue with them pushing yes yeah and this and containers in a lot of ways they you really have to and organizations will have a hard time with this you've really got to rethink the way you look at segregation of duties because this kind of breaks down a lot of walls where there used to be separate

jobs because you're you're once again it goes to that whole that whole concept of container you're building everything into one little thing so the people who create that they're really the owners of that they're gonna be the most familiar with it and they're generally speaking going to be the best equipped to make any fixes or configuration changes or whatever the case may be but they do need to be educated they've got in those security and they've got to know systems I mean it's just a necessity for them but you're totally right there has to be a cultural shift and that's kind of what I own you know what I was talking about you know spreading the word and you know

letting people know about this educating people so you know spin yourself up on it take that information when people ask questions know how to approach them there's nothing wrong with changing the traditional ways the final countdown all right so there's nothing wrong with it with you know changing the traditional ways that we've seen the separation of duties and you know using the principle of least privilege or whatever else but when we talk about something that's this new and this different architectural II speaking we do have to change our mindset it mindset and be willing to adapt to those changes but really honestly when you start looking at the logistics of it and all of the perks that come with it it's

really kind of a good change because now you've got people who formerly were just focused on making things work but now they're they're educated security people too so and you know this is one of my biggest emphasis with containers containers are our dev tool right now people are looking at them as a security tool but if we approach it just like if the way we approach creating application or piece of software instead of creating something that goes I want to create this application to do this why don't we create it with the mindset of I want to create this application to protect this so it can still do it can still function the way it needs to function but there's

always that mindset of ingraining security into what you're doing so that the the whole endpoint is to protect the user to protect the data to protect the connection rather than as approaching it as an afterthought sorry that was a little long-winded I apologize any other questions anybody got any even yep

So there's the one company that I had up on that screen earlier, and there's only one company I'm aware of that's doing this currently, but there are a lot of companies looking into it. And this is really cool, sorry if I geek out. So to answer that question: are they on the market as a whole? No. But there are a lot of companies out there that are looking at it. Like if you look at AlienVault or any of these other security appliances that are out there, SIEMs that deploy sensors, they're looking at deploying or injecting sensors inside the container so that it travels with the container, so that no matter where you go it's giving that reporting and stuff like that, which is very cool. Any other questions? You guys in the back, you look so lonely back there. So once again, Twistlock, yeah, and those are very good examples. And once again, it's a layered approach to security. So they are looking at... Twistlock, I think if I remember correctly, they're one of the ones that are looking at the connections between containers and stuff like that, which is very, very important. I am completely in support of taking a holistic approach, so having a couple of tools, or even having, God willing, one day a vendor that looks at container security from every perspective instead of just one. We still need to include all of that. So yeah, at this point something like that would be a necessity, but we don't need to forget about the security inside the container as well. But like I said, hopefully, God willing, one day we'll have somebody come along like, "hey, we got a one-solution-fits-all for these containers." But not there yet. Yes?

Yeah, yes, yes. So once again, some of the solutions that were mentioned earlier, they look at the connections, and there's even deep packet inspection watching the traffic going in and out of the containers and things of that nature. But yeah, there's a lot of different ways, because like I said, you can approach it from... you can monitor the software below, or you can look at the connections from side to side, or you can look at the stuff that is actually coming out of the container. But yeah, there's a lot of different ones, and once again there's literally probably 200 vendors out there right now that all have solutions to secure containers, and some of them kind of wrap that up as just general cloud computing, or they wrap it up specifically for containers, but they all approach the problems from different angles. I know that's kind of vague, but it's the best answer I got. Yes?

Once again, I'm a security guy, and some of you may fault me who are more into ops, but I would say both. But that's the security guy's approach: if you can secure it, secure it, of course. But realistically I think that it truly depends on the architecture and what you're trying to do with that application. So if it makes sense, like if you're talking about various physical locations or something that's going out to clients or something like that, obviously there would be a bigger focus on that internal or that core level. But if it's something that's only being utilized internally, that's not being executed outside of a secure environment, well then you've got a little bit more flexibility. Anything else before I get kicked off stage? Did you guys enjoy it, relatively? Thanks, appreciate that. All right, well, I've got something to say: goodbye. You guys have a wonderful day. If you have any questions for me or would like to discuss anything, please feel free to catch me and talk my ear off, or whatever the case may be. I hope you guys have a great day. [Applause]

yes

[Music] Hey everybody, my name is Jay. I am with Rapid7 and I help run our penetration testing services organization. So this talk isn't a technical talk; you guys just got through one of the technical talks here. This one is really just a conversation, a conversation about my experience building teams, running teams, and what I think it takes to put together a security team, a pen testing team, that really wasn't comprised at all of pen testers from the beginning. And so really it's just sharing my experiences going through that. Every security talk should have disclaimers; mine comes with some as well. First of all, it's not a formula and it's not a recipe, right? This is really all not science at all, and it's not been peer reviewed, not much. It really is all about just my experience over the years of putting teams together, of really thinking about what it takes to put that team together and what those team members mean to the team as a whole. So given all of those, we're gonna doodly-doo a little bit and go back in time and talk about what my career has looked like over the last 15, 16 years. From El Paso, Texas, born and raised. So Austin is a mecca for us El Pasoans; there's a ton of us there and we recognize each other just by the way we talk or how we wear our hats, and I

started there in 2001 at UT Austin, the other UT, yeah, as a web developer. I went in doing a lot of web applications. UT Austin at the time had their own web scripting language that was created to mirror the Natural programming language. How many Natural developers in here? Yeah, that's what I thought. Do you guys even know what Natural is? No? Natural is used by a lot of, I wouldn't say a lot, by some universities and then some financial institutions, like Bank of America for example, and it's a mainframe programming language. And so UT had a ton of mainframe developers, and they saw, "oh wait, we've got to code for the web, we don't have any web developers, let's create a web scripting language that has the same syntax, the same language as Natural, and then let's get these Natural developers trained on web technologies." That came with pros and cons, and they soon realized that they actually needed to bolster their ranks with actual web developers, because those Natural developers were trying to code their web scripts just like a mainframe program and it wasn't quite working right. They weren't understanding the stateless nature of developing in that way, and so that's where I came in. I joined UT Austin in 2001. I was there for close to ten years. In that time I was a developer, a sysadmin, and

an architect, all kinds of roles as we grew in that environment. Six years into my stint there I moved into the libraries, and I was working with the libraries for all of the UT System and other Texas universities like Texas A&M. We fight, but we like each other and we work together really well. And we were doing the Texas Digital Library, and it was really a repository of a lot of knowledge, a lot of papers, and also the workflow by which Texas university doctorate candidates were submitting their paperwork. So it was a huge repository. At the time I was working on implementing DSpace, which was an MIT open-source project that was a data repository, and working through that I found what I thought was a quality engineering bug. It had to do with authentication and authorization. I didn't think twice; I think I submitted the pull request and it was accepted, and so I felt like, cool, I submitted something in an open-source project, let me talk about it. In that talk the chief information security officer was in the audience, and after the talk he came to me and said, "I think I've got a spot for you on my security team." It was like, that's cool, I don't know anything about security, but that's where I cut my teeth. It was a team of four risk analysts that I was a part of: pen testers, advisory services,

whatever it is that any of the entities of the university needed in order to secure, whether it was their building or their applications or you name it, we worked with them to do that. UT is a very distributed university, so every business unit, every college were our clients, and so it was very much a consultant type of work in that way. And so I became a security analyst in 2008 and I stayed there for an additional three years or so. Life and family happens, and my wife and I decided to have children, and so we needed more money, and the state doesn't pay. And so I had a ton of great experience, I learned a lot, but I needed to do something different for me and for my family, and so I moved into a security engineer and support developer role out of Taro's, which is a small boutique development shop that did at the time a Magento and Drupal mashup for all of our clients, so that they could do e-commerce and content management all within the same platform, and that worked really well. I managed teams out of Costa Rica, Ukraine, and in Austin, and then I was also the security engineer for the whole company, so securing all of our virtual machines, securing our platform, making sure that that Magento-Drupal mashup was actually secure, both for the administrators but then also for the end users, etc. So I continued; this was

more of a hybrid role, developer and security engineer. And then finally I moved over to Bazaarvoice in 2012. You guys know Bazaarvoice? Anybody? If you do any shopping and decide to do any review or rating of a product, not on Amazon and Walmart, they do their own things, but pretty much everybody else, you're using Bazaarvoice's product, and it's a JavaScript drop-in that then draws on the DOM all of the functionality for that product. And I was the only security engineer at a company of about a thousand with approximately 300 developers, and so it was a tall order, right? When I came in they had no security program, and so I was lucky that I was that guy, lucky because I got to build it all out, from the development lifecycle to, again, physical security, policies, procedures, all of that stuff, right? When auditors came in they put me in front of them, so I had to do it all, and I had to be embedded in the development teams as well, because we wanted to incrementally improve the security of the product. I was there for two years. As you may imagine, being the only security engineer takes a toll, right? And if you're pushing and pushing and pushing for a team to be built and it isn't being built, then you find yourself wanting to be somewhere

else, right? Like, it's not a fun job to be the only person, because you've got to have other people to collaborate with to make you better, and that should always be what you're striving for: you want to make your company better, but you also want to make yourself better at the same time. And so luckily Rackspace had a spot for me, and I went in as a manager of quality and security engineering. At Rackspace, security engineering falls under quality engineering, and it's quality engineering, performance engineering, and security engineering, and I was managing all three teams. So I had security engineers, I had quality engineers, and performance engineers that I was helping to secure all of the products, whether it was bare metal all the way to Docker from Rackspace, right? As we were putting them out there in the marketplace, we were making sure that we were testing them so that we felt that they were as secure as possible. Sometimes we did it all in house, sometimes we brought in outside help. All along this timeline I was a Rapid7 client, so we had all the product at UT Austin, and then I brought it in at Taro's, so I brought it in at Bazaarvoice, believe it or not, I brought it in at Rackspace, which was a tall order, it took forever, but we did it. And because of that ongoing relationship, as you guys know, opportunities come up, and so I had

always had my eye on Rapid7, local to Austin, seeing all the guys at meetups, knowing the team, all of those things. I said this is where I want to be, right? I want to do nothing but security, because no matter what role you've had along the way, you're always asked to do something outside of security all the time, and I didn't want that anymore. And so I moved over in August of 2016 to Rapid7 to help manage the penetration testing team on the services side. Since then my role has kind of changed and gone back and forth, and now I lead the entire pen testing organization and the consultant development side for Rapid7. Consultant development, because as you'll see, we hire folks that weren't consultants and we need to develop them as a consultant and as a pen tester, and so we need to do both sides of it, right? There's always the technical and the soft side of stuff. If I want to put somebody in front of a client, then they can't just be technical; they've got to be able to convey that risk to our clients. Okay, so that's me in a nutshell. We're in a squiggly line. As I think about teams I often think about baseball teams. I love baseball. I've played it since I was three years old, I still play it now, I coach my son's team, it's this little guy

right here. And so baseball is always in my mind, right? I wake up, I look at scores; in the afternoon I'm at practices, we're playing or we're having our games. And to me baseball is a great sport and very much analogous to the stuff that I want to do at work with my teams. I know it seems kind of funky, but it actually works, because I think about who is the pitcher, right, that team lead; who's the catcher, that guy that has that knowledge of the team for a long time; who's my rookie right fielder; who's that star center fielder; who's that all-star shortstop. And you need all of those people on your team in order to make that team really successful, right? And guess what, the right fielder is actually good, right? It isn't just the worst player on the team that you put out there. You want to think about that team as you're building it, and this is what helps me. So I'm not saying you should think about it in baseball terms, but find that thing that you like, that you enjoy, that makes you think about a puzzle, and apply it in a way that helps you to put your teams together, right? Because there's always that. All right, so as I started to think about a team that I was asked to build for Rapid7 when I came in, you know, the director at

the time said, "Listen, I need you to hire 12 pen testers for this team that you're gonna have." And immediately I was like, 12? You're nuts. Like, it took you six months to find me, it's taken us on average three months to find the next pen tester for the team, how are we going to do 12 in 12 months? And he said, "Well, that's your challenge." I said okay, challenge accepted, right? Like, what else are you gonna do? I just got here; am I gonna say, well, I can't do it? So I took it on and I said, okay, let's do it. And so I started to think about how I was gonna build that team, who my shortstop, my pitcher, etc., and as I was thinking about it I started to go back to all of the roles that I had that prepared me to be a security engineer or a pen tester along the way, and I wasn't going to find folks like me out in the marketplace unless I was willing to pay high money, right? And luckily we're in an industry that pays well, but unluckily we're in an industry that pays well, so it's hard to put a team together given budgets, etc. And so rather than trying to compete for the really experienced pen testers, I had the idea to say, let me bring in individual people that have held the roles that I have

held along the way, that have an aptitude for security testing, that want to do it or want to learn it. And that's how I started to kind of say, okay, I think I can put this team together. Austin luckily is a tech hub, right? We've got all kinds of technology companies there, all kinds of technologists in the Austin area, whether they're developers, DevOps engineers, even data analysts, etc. They're everywhere; there's all kinds of companies. And so I started to think about who are the people that I want on my team that I think can help each other to become pen testers and consultants. And so I put together, and this is just a short list, really it's a list of icons that I could find that made sense for the role so that I could put it up on my slide: developer, obvious, right; sysadmin; data analyst; technical writer; malware analyst; quality engineer; ethical hacker; security analyst; network administrator; and the list goes on and on and on, right? Because every one of these roles I have to know in order to properly pen test my client's environment. If I don't know aspects of this, then I'm gonna miss them; there's gonna be a gap there, there's gonna be risk that I didn't actually investigate. And so I then took this list and really started to say, great, but how are they gonna help each

other? And so this is what we'll talk about. Once I found the list, then I needed to talk to my talent acquisition team, let them know exactly who I was looking for, let them know where to look for them, understand what kinds of teams we needed to look at, what companies I wanted to actually go after, what personalities, why we were doing it. You can't just expect your talent acquisition person or your recruiter to get it immediately, so it took ongoing conversations. She started immediately, and she would put people in front of me, and I'd be like, that one was close, but this is what's needed. And so having that continuous kind of feedback for that talent acquisition person to really understand what it is that you're looking for and why. Initially it was way off the mark; it was like, nope, they're way too junior, a developer that actually didn't even know what security testing might be, and so let's do a little bit better. Luckily security is penetrating better into all of the other roles, and so I didn't have to find individuals that knew nothing about security. We wanted to find individuals that already had a security component to the role that they had, that were already in a secure development lifecycle, or they were already part of the change

management team, or they were already part of the risk management team or the audit team or the acquisitions and mergers team. All of these roles have a security component that helps you to kind of start in the right direction. So she started to do a great job. She started putting in front of me a lot of people that made a lot of sense: a product tester from Plantronics, a technical writer from the state, a malware analyst, local, you know, a recent graduate but had already been super involved in the security community in Las Vegas, speaking at BSides, having talks and interviews and all kinds of things, right? Like being involved in the community, and that's what we wanted to see. And it was great, we were getting all of these folks, but we needed to interview them. We needed to really figure out, are these the folks that we want on the team? We think we do, right? They're the right persona, they're matching all of that criteria that we talked about with talent acquisition, but do we actually want them on the team? And so really what it boils down to is putting together another team. And initially I had no one, because there was nobody on the team; I had to hire. But we did have other pen testing teams, we had the Metasploit team, we had our sales counterparts, we had all kinds of

other teams that could actually help me to tell, is this the right person? Is this the right person culturally? Is this the right team fit, aptitude-wise, technical ability, do you feel like you can work with them? And so put together that interview team that is multiple people. Whenever you interview for any of my teams you're talking to five to seven people. They might be 30-minute conversations or it might be an hour with two people on the line, but you're talking to that many people because we want to see, is this an individual that these seven people feel like should join the team? But not just that; they're interviewing you as much as you're interviewing them. So by putting together a team and having seven people, they get to know more people, they get to understand the company better, they get to understand their role better, and so it's a kind of quid pro quo. They get something, we get something. At the end of the day, if we're gonna make an offer, then they already feel like they know, they understand the team, they know players on the team, etc. It's like playing catch and making sure that you want to continue to play with these individuals. Okay, so before I go in there, there's another piece of it that was really, really important, and that's talking to your HR department, at Rapid7

called People Strategy, and then talking to your finance department as well. Figuring out exactly what that pay band is for this role that you are creating. This wasn't a pen tester; as a matter of fact, the title of it is security analyst, whereas we have security consultant, senior security consultant, and principal. And so it didn't even have consultant attached to it yet, because we were looking for individuals that weren't necessarily consultants, that we were going to turn into consultants. So they helped me doing the market analysis: does this fit within the industry, and within the industry does the pay band fit, is this where we can actually go and find the people you're talking about that you want to find? That's really important, because then when you have somebody in front of you... go ahead. It's awesome that, with everything that I already said, you already got there, because that's exactly what we were doing. I was putting together a bullpen, if you will, hello, another baseball term, where people could be playing, could be catching, could be learning, could be, you know, learning how to throw that curve, that slider, that circle change, whatever, and they're building their skills and they're playing along with other experienced professionals that are already there so that they can learn from them as well. That's exactly right.

That's what I wanted to accomplish. The tricky part here is that within that band of financials, they actually needed to make their own money to pay themselves, so they have to be billable, they have to be utilizable. That's just how our consulting organization works. Yes, they carry a salary, but that salary is paid out of the billable engagements that we put in front of them from quarter to quarter to quarter. And so that was a huge challenge for me, to be able to say what kind of engagements can I put these individuals on. Great. And so be thinking about that, and we'll talk a little bit about it in a sec. Cool. So they're new, right? Day one, here they come. In my opinion day one isn't day one; day one is two weeks prior, three weeks prior, a week prior, whatever that period of time is. You're already reaching out to them, you're already saying, hey, I'm glad you're on the team, here's some stuff that you should know, what kind of equipment do you want? For us we've got two separate packages: you can be a Mac guy, you can be a PC guy, and then we'll give you a laptop with an image and another laptop without an image so that you can image it. So I need to figure all of that stuff out to give IT the heads-up that they need to provide this

for them. But it's really about welcoming them. For some of these folks, they made the move to Atlanta from all kinds of places, and so, hey, how's the move going, have you found an apartment, you know, we're providing your relocation assistance; being engaged before they land on day one, because they're already nervous about that move, they're already nervous about starting at a new company, and so anything that you can do to kind of set them at ease before they even land is gonna mean that when they do land they already feel comfortable. If they're local, have a happy hour before they even start. I have the team out so that they can get to know the team in a social event, and not on day one, when they've got to remember however many names, plus all the others for the office. It's an awkward situation; you guys have all been there and have all thought, God, I wish my first day was better. So be thinking about that for sure. Have their station already set up. Whatever it is that they told you they wanted, then make sure that you acquire it and then you have it set up for them and it's ready for them to use on that day one. We've got dual monitor setups and stand-up desks and all of that stuff,

like, make sure that you've got what they need, and ask them: how do you work better? Are you a stand-up person, are you a sit-down person, are you a mobile person, you're always like, I'll set up wherever. We can accommodate all of that at Rapid7. Think about what you can do where you are and start to put that together for them, so that when they get there they don't have to waste time asking for an anti-fatigue mat or a bar-stool-height chair or whatever it is they need. It's there. They're not wasting time, not feeling like they've got to do stuff. Have a new hire journey for them. Make sure that you set out exactly what you want them to accomplish in that first week or in that first two weeks. What does it look like to be a new hire? Work with People Strategy, work with your office manager, make sure that there's a tour, have swag set out for them so that they know, like, we value you, here's some stuff that you can help us advertise out there when you're out there. Have expectations and keys to success. These are all questions that all of you know or want to know whenever you land at a new job: how can I be successful here, what can I do to immediately make an impact? And then

already be ready for shadowing and first engagements. They're not here yet, but our lead time can be four to six weeks, which means that I can already be setting stuff up as soon as I know that they accepted the offer and that they're coming in. So be prepared; just as you want them to be prepared when they first get here, you should be prepared for them as well. So these are examples of slides that I actually use for my onboarding stuff. They land with Rapid7, we're moose, it's singular and it's plural, so one moose, and so you can see them progress. They don't have any antlers, and as they're exceeding their antlers begin to grow. Yeah, it's quirky, yeah, it's whatever, but people notice it, and they see that there's effort put forth into the onboarding that is not just like, wait, click here and read this big bulleted list and here's a video, etc. Make it meaningful for your team. Help set what the personality of your team is with your onboarding materials, with the conversations that you're having. Help them understand what kind of team they just landed on. Here's the other snippets of slides, like keys to success: what does it mean to be successful on this team, how are we

acting as a team, etc. And then that week one schedule, right? It's not micromanaging; you can't micromanage somebody that doesn't know what they're supposed to be doing on a day-to-day basis. And so you've got to tell them what it is that you expect for them to do on that day-to-day: setting up their machine, setting up internal tools, meeting people, right, all the other roles that are going to help them to be successful here. You should be introducing them to them. Don't let them go out and figure it out, because they might miss out on something. So put in front of them all of the folks that you already want them to know and understand. And I know that they're just a representative; like, we've got a ton of account executives and a ton of sales engineers, but if you find a few that you really like how they work, you really like how you work with them together, then bring them into the fold and ask them to help you onboard your team. They're gonna be happy to do it. And so that's, you know, if I focus a lot on what are you gonna do on the first day that you land, I've been in that timeline at places where they actually said, we don't expect anything from you for the first six months. All right, that to

me sounds ridiculous, because I'm here to work, right? I'm here to learn, I'm here to produce, I want to do better and I want to progress, and I know that that's the kind of people that I'm hiring, because I'm hiring them. So I don't want to tell them, like, oh yeah, don't worry about that, it'll be a few months. That just sounds ridiculous to me, especially if I'm expecting them to be billable as quickly as possible so that they can start earning their keep. So I want to put all of these things in front of them. And so if you look at some of the stuff on the schedule, there's already some shadowing you're looking at. We've got kickoff calls, let's shadow one of those; we've got a closeout call, let's shadow one of those; we have internal, external, wireless, whatever, all the types of engagements that we have, let's try and get you shadowing as many of those as possible. Oh wait, you already come with some experience? Heck, let's put you on a billable engagement. Let's do a vulnerability scan with validated findings, or let's do an external if you've got that much skill. You'd be surprised how many developers are coming to us with OSAP already, because they're super interested, they want to know it, they want to understand this, whether they can apply it to their current role. Now we're

taking it out and saying, now it is your role. And so there were some that I was able to get billable on the third week of them joining, because we were able to pair them up with somebody else that was very much experienced, or they came with enough experience that I felt comfortable putting a PM alongside with them, putting a technical lead with them, that they'd be able to produce not just the soft skills but also the deliverables that were going to make our clients happy, and the value was going to be there. And so you want to think about that for every single one of them. There were other individuals on the team that were available for the first six months that they were on the team, and it's not because we didn't have a plan for them; it's just that their plan took a little longer, because they just needed to learn, they needed to be comfortable. And that's the other thing: don't force it. If you see value in that individual, then work within that value, because if you're forcing it they're gonna be frustrated, they're not gonna want to do it, and you're going to lose a lot of time and a lot of investment, because they're gonna walk. And so as long as you feel like you can support it, and

then be supportive. Cool. Feel free to interrupt at any point with questions; I think it'll be all right. Training. I may be showing my age here, but some of you know who this is. And the thing here is that you interviewed them, you know where they're coming from, you talked about what they wanted to learn, you asked what they already learned, and so you know them pretty well by the time they started. So you should also start to be thinking about where are the gaps and what kind of training do I need to put in front of them so that I can get them billable as quickly as possible, whether it's how to write reports, or whether it's how to attack web applications or APIs or whatever other technology that they want to test. Then you want to put that training in front of them. At Rapid7 we have application assault, we have network assault, so those are easy to say, hey, take these, you're gonna learn a ton from it, and then we will send them out to individual trainings as needed. So it's important. And then don't forget about yourself too, and I think that that's something that we tend to forget as people managers sometimes, is that we're so focused on everybody else, we're so focused on the

business that we don't refresh our knowledge. We know, my certification lapsed, or I want to go after that other thing, but when am I gonna find time to do it? Carve out that time; really, it's important. And then it is about that supporting cast. So we want to make sure, just like we talked about earlier, that that bullpen was a collaborative environment, that they were actually coming into the office, because it's easy to work remotely but we wanted to ensure that everybody had the opportunity to grow. And I didn't hire 12 people in the same day; it was a period of about ten months that it took to actually get to the number, and so that meant that there were folks on the team that already had a lot more experience by the time that somebody else landed, so they now become a part of that supporting cast. How did you order your Amex? Oh, I know, I just did it last week. Yeah, I mean, even with that you need support, because it isn't always about the technical. The technical might actually be easier for that individual to learn on their own: read a book, go through a course, whatever. But it's really about everything else, and so you want to have a good supporting cast. At Rapid7 we're very lucky that we have a full team of

project managers to work alongside all of our consultants so they don't have to project manage. We have a team of technical writers that are helping to deliver the high quality reports. We have a stable of, like, 34 pen testers now, which means that any questions, right, can be asked and answered by the team, and that's not just on learning or training, it's also on a live engagement, right? If you're on site and you come across a technology that you've never tested before or you're stuck on, then you know that you've got the support of that entire team to help you to do that engagement, right, and deliver that value. And so that's important, that you

continue to foster that collaboration and that team identity so that they feel like they can reach out to each other and work together, right? So that supporting cast is extremely important to have. You as the manager, you know, you have to be their plow, you have to be their defense, you've got to move barriers, you've got to make sure that they have everything they need to be successful. And then you also have to block, right, anything that is kind of asking for their time. You've got to be aware and you've got to be able to say, yes you can, or no you can't, and hear the reasons why, and don't feel bad about it, right? I

think that if you do it with transparency and you let that individual contributor know why they can't go and help whatever team on this cool new thing that is being built, then they'll understand. But at the same time, don't just shut the door on things, right? Find a way to enable them to be able to do that. Maybe right now isn't the right time, but maybe a week from now or two weeks from now, or let's put together a week of bench time, so that (thank you) so that you are working towards that, right, and then there's a goal for it in mind. And then all of this should be scheduled maintenance, right? You don't

just do it at the beginning, you should be doing it over and over and over again, right? Have weekly or bi-weekly meetings or monthly meetings, whatever works for that individual. Make it so that they don't mean, right, so that it's not on you, it's on them to figure out what it is that they want to talk about, how they want to grow, etc. Give them the opportunity to control what they work on, right? If all I do is put externals in front of somebody, they're gonna burn out, they're not gonna want to do it anymore, they're gonna walk, right? Instead, if I have a conversation with them and I find out what they are interested in, what

technologies they want to test, right? Like, I want to be a Red Team operator. All right, well, you're here and our red team operators are here; let's figure out how you get there, right? But figuring that out should be a conversation, it should be something that they're helping you to understand, right? Recognize and reward good work, whether it's a beer or, at Rapid7, we give out guitar picks whenever we feel somebody did something really well. Do it right, like, be good about doing it, and don't do it for one person and then forget to do it for somebody else, because they'll notice, right? So be consistent across it. Have clear expectations and then reasonable demands. Let them know

exactly what it is that you expect of them, but then make sure that it is actually attainable, right? And the expectations shouldn't be the same across the board for your entire team, because we're all different, and we all learn differently, and we all apply our learning differently, so make sure that you're thinking about that. Provide challenges and work outside of main responsibilities, right? For me this is really important, because I've got thirty-five pen testers that I don't want to burn out. Consultant burnout is a real thing, right? And so what we do is that we actually carve out a percentage of their time for research, for bench time, for, you know, making sure that they are feeding

themselves and not just feeding the business, right? That's really important to me. The reality of it is that because they're doing that research they're still feeding the business, but it's really feeding their own personal growth and their own want to do this, right? We're not requiring it, they're doing it, and they're providing it in that back sentence. But then, you know, that's, let's say, two to three weeks that they didn't have to talk to a client, they didn't have to write a report, they didn't have to dress up to go on site, they didn't have to do any of those things, right? So when they do come back to it they're gonna be refreshed, renewed,

they're gonna feel better about doing it, and if you continue that good cycle then you're gonna get good consultants that continue to deliver good stuff, right? And then reduce the chaos in high-pressure situations by planning and preparing, right? For me that means having the PMs, having the technical writers, having the managers for escalation, having the principals that are working on our technical solutions, so that my consultants are really just thinking about their job and how they can handle that job, and they don't have to worry about all of these other things or pushes and pulls on their time, etc.

And then, you know, right, they say that statistics are made up of 80 percent false statistics or something like that: people don't quit their job, right, they quit their managers or they quit their leadership. And so that's why it needs to be scheduled maintenance, right? Like, make sure that you're providing them what they need as a team, and that they're telling you, right? And also be open and ask: is there anything that I or the rest of the leadership team could be doing better, right? Like, what isn't helping, what is helping, what isn't helping, and understand that, right? Like, yeah, you need them to act when you ask them to do something, but at the

same time I also want to sit down and have beers with them, right, because we drink. And so you've got to toe that balance, and they've got to understand that you're their advocate but you're also requiring that they do the work, right? So find that balance and work through that. That one's not easy, for sure. No job should be too small for you, right? That's me up in the corner over there taping our lab. We moved offices a few months ago; we went to an iconic building in downtown Austin called the Frost Tower, and we landed first in temporary space as they built out in our building our amazing new space. We had to make do with what we

had. Making do with that lab space wasn't going to work, and so we put in a little bit of effort to make it what we needed it to be. I needed to frost the windows because we've got client agreements that say that if I'm testing hardware nobody else can see what we're doing. We needed to get rid of carpet and put in something that wasn't gonna have all the static electricity coming from it. And so when I'm talking about preparing your team space for that day one, that's exactly what I was doing, right? I was making sure that when the rest of the team landed in the Austin office they didn't open the door to the lab and say, we gotta fix

this, right? I wanted them to open that door to the lab and say, hell yeah, let's get to work, right? And so all weekend I probably was high on aerosol, like, not probably, I was pretty high on aerosol. And, you know, you bring along some of the guys that want to help, because then they feel the ownership; they're gonna keep the lab clean, they're gonna want to work in that lab. And so yeah, no job should be too small, right? Like, whether I'm in front of our board or whether I'm on my knees putting floor down, it's all for the team, right? And that's what they should see coming from you. I don't know what my

next slide is, and it ends abruptly, so I know. So all of this is to say, right, like, I've been at a lot of jobs and I've seen the good, I've seen the bad, and I've taken them all to try and make it so that the good is what my team sees as they are working at Rapid7 and progressing through. And then questions? Yes.

I bet. I've led teams in all of those, and so for me I think it's more of a hybrid. For the current team, well, I'm leading a team of managers, right, so those are the folks that report directly to me, or the managers that are now kind of leading these individuals. And so we have to be very agile, but then we also have to be kind of very pragmatic with the things that we're doing, and the upper management that we're dealing with, and the clients that we're talking to, right? And so we're agile at the individual level, because I need them to pivot and pivot quickly, and so it's very hybrid.

Yeah, any other questions? Yes. Yeah, work-life balance is a myth. I don't like the term, but I know it's important, so I'll talk about my work-life balance, right? I think that you have to manage it yourself; I don't think that you should expect your manager to manage it for you. We know you as individuals, but we don't know where that stress trigger really is, and so we can help you to manage it. At Rapid7 we have unlimited vacation, and so as long as you can work that through your manager and the business, then you can be out for two, three, four, six weeks if you need to. Our schedule, right, for our, let's just talk about our senior

security consultants: they're 75% utilizable, 25% balancing, right? See, it's not balanced, it's not 50/50, so that's why it's a myth. What that 25% allows them to then do is research, or take vacations, or do the things that they're interested in doing, so that they don't feel the pressures of the job all the time, right? For me it's playing ball on Mondays, it's coaching on Wednesdays, playing with the little leaguers on Thursdays and Saturdays, and practicing again on Sundays, right? So my balance comes from being on the baseball field, and I make sure that I make time for that, right? Luckily a lot of that time is weekends and evenings, and so that's how you have to

figure out what it is that is going to reinvigorate you to get you back at work and at your best. Any other questions? Yeah, I think that there is, but I don't think that the kind of generalization is truly there, right? I've hired a lot of young kids, and I do call them my kids because they're really young, right? Like, I'm 43 years old and I'm hiring 25, 24-year-olds, right, so they're nearly half my age, and they're extremely high performing, super responsible, and they're doing really, really well to progress. Yeah, that's exactly right, right. And so what helps is the fact that they've got to talk to seven people that

are going to say yay or nay, right? And so we vet those individuals and that personality, etc. Do we miss? Yes, right. We had to let go of somebody because after four weeks we realized this is not the person, right? And that's another thing, like, quickly here, I like, if you know that they're going to draw away from your team, then let's not have them here. Really, and that stuff, you're affecting a life, but then you've got ten other lives that you need to be concerned about, right? And then we lost somebody else that after four months realized the consulting life isn't for me, right? Like, I didn't realize I needed to go on-site as often as it was

happening, and we've got family and all of that stuff, and so they decided to go back to where they were before. So we do miss; it's gonna happen. What, 2 out of 14? It's pretty good for the year. It's a great question. Any other questions? Sweet, I'm all done. Thank you, guys.

Oh, well, no audio, but how many of you remember that Super Bowl commercial from 2000, right? Or we can talk about the Millennials that he was talking about earlier that he hired; you know, at this point they were still in grade school, they couldn't stay up to watch the Super Bowl commercials.

All right, a little bit about me. First of all, I'm not a psychologist, I don't play one on TV, I'm not gonna pretend to be one here, but we are going to talk about some psychological things. Not an animal behavioral specialist, though we will be talking about some of that as well. I do consider myself a self-proclaimed hacker since the time that I had my TI-99/4A with a 300 baud modem and, you know, doing dial pulse strings because we wouldn't pay for a touch-tone phone in the house, so fun things like that. I spent many years at Hewlett-Packard as a field engineer traveling all over this part of the country: East Tennessee, Southwest

Virginia, Southeast Kentucky, visiting customers, doing hardware support, network support, installations, a lot of things like that. Currently working as a security architect for Scripps Networks, what's now Discovery; it used to be Scripps Networks. I get to work with a lot of our users, do security education and awareness. I'm also on the faculty with the University of Phoenix, so I get to teach information security courses, cybersecurity courses, networking courses with them, and have helped to work on course development. And I'm really passionate about security awareness. Several years ago I got to hear Jayson Street speak at DEF CON in the Social Engineering Village, and one thing he said really jumped out at me. He said, at the end of the day people don't care about your

security awareness training. They don't care, right? They've got a job to do; their job is to do X, Y, Z. They're there at work to do that job, to get that done so they can go home and do the things they really do care about. When you take two hours out of their day to make them sit in the security awareness training, that's just two hours that they can't be doing the things that are important to them. And so one of the things that he recommended was maybe we might want to change our security awareness training, or maybe do some things to make people aware of the things that they can do to protect their

personal data, or their family's data, or their social engineering profiles, and then that would be something they'd be interested in, and they might be able to then take those behaviors and transfer those into the workplace. And so I started to do some of that over the last couple years in our company and have really had some success. I've had the opportunity to share some of those with local library systems and some other folks in East Tennessee to really help to spread security awareness among non-security professionals and among non-IT professionals, and that's been fun. I'm also involved in the East Tennessee (ISC)² charter chapter. How many of you have heard of that so far? Okay, if

you haven't, check with the check-in desks; they're supposed to have information about it. Charles Headley is around here somewhere; he's the (ISC)² East Tennessee charter chapter membership coordinator. We've got us a charter chapter; we can't call ourselves a chapter yet because we're still getting all of that going. So right now, if you're involved with (ISC)² at all, if you're (ISC)² certified, come see us, get your name down so we can get you involved in the charter chapter. Once we've met the requirements over the next several months we'll be able to open it up, and anybody will be able to be involved, and it should be able to help to expand

our security community in East Tennessee. So that's enough about me, because you didn't come here to hear about me. Let's talk about what I'm gonna be talking about, and let me give you a little bit of background. I've got a son and a daughter who are in high school. My son wants to become a vet, and he's very excited and passionate about that; he's my academic. My daughter is my social butterfly; she goes to school to spend time with her friends, and if she happens to learn something, you know, that's gravy. She does work hard at her learning, but, you know, she comes at it from a completely different perspective. And they've been bugging us for pets for

years, and we tried to do the fish and it didn't work, and we did some gerbils and it didn't work. And my wife had had cats before we got married, but her allergies just got worse and worse, and I have allergies to them, and when the kids were born we found, as we visited people, they had allergies. So this was really something that was not to be part of the equation for us. And over the years the kids have asked me, we want a puppy, we want a cat, and we tried a puppy breed that was supposed to be non-allergenic and it didn't work for us. And this past year my daughter said, you know,

I've heard there are some breeds of cats that don't produce as many allergens, and maybe we could look into some of that. And I heard from some other people who actually have some cats that do that, that it might actually be an option. So I told her, okay, well, you do some research and let me know what you find out. Well, she emailed me a 12-page paper about the breeds of cats that wouldn't produce allergens and the things you could do to help fight the allergies and all this to make it work, and I was really excited, right? But I'm a college instructor, so the first thing I did was scan her paper for plagiarism, and

surely she just copied this from somewhere, right? No, she'd actually put the effort into it. And as my social butterfly, my non-academic person, I really saw the value in that, and I said, I have to reward this behavior. We're gonna be talking about rewarding behavior throughout here. I have to reward this behavior. So we started to look into it. The long and the short of it is, a few months ago we adopted Elsie and Athena, three-month-old female Siamese cats, and I will say that so far they're working well with our allergy issues right now. So as that happened, that kind of changed our lives a little bit. We're having to deal with all the issues that you have

with three-, four-month-old kittens, right, and how you adapt them to your family and try to get them to adapt to the things they should be doing. And as I've been doing security awareness, I started to draw some parallels with the things that we're having to do to get the kittens to behave in a specific way and the things we want to do to get our users to behave in a specific way, and that's kind of where the foundation of this talk came from. I kind of threw it out there as a fun topic, and I was really surprised they accepted it, so I hope you all enjoy it. Let's get started. Our goal is to modify behavior, and to do

that you have to initially start talking about attitude, right? Attitude is important. You go into it with a bad attitude, things aren't gonna work. If you're trying to modify the behavior of somebody that already is having an attitude, you know you're gonna have some issues, so you have to take into account the attitude of the target and what perspective they're coming from, and take that into account. I'll give you an example. Again, I was a field engineer with HP; I was responding to a lot of people that had stuff that was broken, right? By the time they called me they were already aggravated. One of my customers up in Johnson City was

American Water Heater Group, and I got to work with them over several months with an ongoing issue with HP DDS-4 tape drives that were failing on a frequent, like once a week, basis. And, you know, they'd get ready to do their afternoon tape processing and backups and things like that, and the tape drive would fail regularly. I'd get another call from them: you know, tape drive's failed again, you've got a half an hour window to get this replaced, we can take an outage right before we have to start all our backup jobs. To get in there, they came in with a bit of an attitude because they had an issue.

I was able to come into it with a bit of an attitude as well. I was able to go, okay, American Water Heater Group is about two miles from Greg's Pizza, so I'm gonna go, I'm gonna call in an order. How many of you are from Tri-Cities, are familiar with Greg's Pizza in Johnson City? All right, awesome place. If you've never tried it and you get to Johnson City, give it a try. You can't eat there, you have to take it out somewhere, but it's very good. So I stopped at Greg's Pizza, had already called ahead the order, so I brought in a stack of pizzas, so the IT staff was enjoying the pizza and

we could get that going, to eventually, HP figured out their parts problems and got the issue resolved. But, you know, you have to deal with the attitude in order to modify behavior. So what kinds of behavior are we looking at, or what would we want to do? We're wanting to reduce or eliminate undesired behavior, right? In this case, you know, in the case of your cats, this is one of the behaviors you want to eliminate: that destruction of everything coming and going from natural things that they wanted to. What are some of the user behaviors that we want to get rid of? Yeah, obviously clicking links or opening attachments in emails, picking up that USB stick that they

found wherever and plugging it in, you know, downloading, installing software, circumventing your security controls. What are some of the other behaviors that your users have, feel free to shout out, that you might want to change, that you want to stop? Yeah, letting people in. Buying that laptop at the yard sale and bringing it in and plugging it into their desk so they can figure out if they got it to work. Don't you hate it when your IT admins do that, and then they go, well, I'm gonna get on the network with my administrative credentials? Yeah, so we want to try to work on modifying behavior, and of course we initially respond negatively, right? Don't do that.

Well, before we go there, let's talk a little bit about operant conditioning. There are a lot of different ways that we can modify behavior, and here's where some of the psychology stuff comes into it. They call it operant conditioning. One of the first ways is positive reinforcement. I'm sorry that's so small. Positive reinforcement is where you give something good when there's good behavior; it's a reward type thing, right? Positive reinforcement, in the case you see there, so the dog is not jumping up on her, so she gives the dog a treat, pets the dog, and had that positive reinforcement type thing. The next one we have is negative punishment. Negative punishment, you're taking away something

good in order to change the behavior. So the dog jumps up on them and they turn away; they take away that, they're not gonna pay the dog attention anymore. This is one I use a lot with the cats. They've learned that when my alarm goes off in the morning they can jump up on the bed and they'll get a little bit of petting before I have to get up and take a shower and what have you. But they can't tell time, and they may not necessarily hear the alarm, but they may think it's got to be time, right? They'll jump up on the bed: is it time to get petted? You know, if I roll over the other

way and ignore them, they've learned, no, you know, it's not time yet. And so that's that negative punishment, where you're taking something away. Then you have positive punishment, where you're adding something when the negative behavior happens. So, you know, the dog jumps up on you, you may, you know, bop it on the nose, or the classic with the cat, the water bottle, right? You know, so that's a negative punishment, where you're providing some type of feedback to reduce negative behavior. And finally negative reinforcement, where you're taking away something bad in order to stop behavior. So the dog starts jumping up on you and you're pushing them down, and then when they stop

jumping on you, or stop jumping, you stop pushing. That's negative reinforcement. We oftentimes will err on the side of negative reinforcement or punishment when it comes to security controls and when it comes to modifying user behavior, right? Has anyone seen the bad human bobble? So we can deal with our users. So what are some of the things that we do that are providing those types of feedbacks, right? You get the user pop-ups that say, hey, you shouldn't do that, or we're blocking certain activities, or when users start to do something repeatedly, you know what, we're gonna take away their privileges. Your machine has been infected three times, so you don't get to be a local admin anymore.

We're reacting to that and making it look like we think our users are bad, giving them that negative feedback, again leading with negative reinforcement rather than positive reinforcement, and users can see the attitude that communicates with that. There may be times when we have to isolate their system and they can't do their job. Are we communicating that, you know, this is being done for a reason, to protect the network? Or are we communicating, hey, you're bad, you did something bad again, and, you know, now we're smacking you on the hand? Or the times when we have to call the users: how often are we interacting with the users in a way that's positive, or how often are we communicating to them,

idiot, what are you doing? Even if we're not actually saying the words, we're setting ourselves up for failure and it's not gonna work. So what are our options? Well, we can look more on the positive reinforcement side, where we try to reward the behavior or we try to redirect behavior in a positive way. Again, I'll give an example with the cats. One of our cats, Athena, likes to burrow. She likes to dig in among covers and things like that, so in the middle of the night, if you're sleeping and she hops up on the bed, she may try crawling between the comforter and the blanket, or the blanket and the sheet, between my wife and I, and then, get

that's no way to get a good night's sleep. You know, the first couple times: get out of there, don't do that. That doesn't work. What we found is if we were able to very positively take her out, put a little blanket at the foot of the bed, set her down there and cover her up with that blanket, she's got the same effect: she's in there with us, she's now got her little comfortable area under the covers. It changed the behavior, so it's not doing the bad thing anymore, and it's meeting both of the needs. So you have to kind of look for those examples as you're having your user interactions, and the ways that you can do that, but

again, you have to have the right attitude about it, and people can perceive attitudes. Cats are smart; they'll be able to tell how you're interacting with them and the attitude that you have along with it. Smithsonian did a recent study, they published it in 2014, about how smart cats are, and at the end of the study they found, they said, all we can tell you is cats are smart; we can't tell you how smart, because their individuality becomes such a factor in it you can't really evaluate intelligence. You know, with dogs you train them to do something, you tell them to do something, they do it. With cats, you tell them to do something and they may

choose to, they may not. There's no way to evaluate if it was because they just didn't understand what you didn't want or they didn't care, right? Because they're individuals, right? Our users are the same way. Our users have other priorities; our users are intelligent; our users are not stupid, right? And they're gonna have other priorities. So, you know, we may be telling them constantly, you need to do this, you need to do this, you may need to do this other thing, and they've got other things that are factors in that that we're not considering. It's not because they're stupid, it's just because of the other factors that are part of the equation. How many of you, show of

hands, how many of you have fallen into this trap here, right, where you talk about the PEBKAC, problem exists between chair and computer, or the ID10T stuff, right? We've all done it. We've all fallen into that trap of evaluating our users and our people that we're supporting through that filter of, well, they should know this stuff. I mean, we know this stuff, they should know this stuff. Well, maybe they shouldn't, or maybe we shouldn't have those expectations, or maybe we should stop with these types of perceptions that end up communicating more than we expect, even when we're not saying that directly to their face. It's important: our users aren't morons, they're not idiots, they're not dumb, they're

not stupid, they're not clueless, all right? They're trying to do the things that they're trying to do to get their job done, and it's our job to support them and to do it in a positive manner. The other thing that's part of the factor is that shame and embarrassment are not effective motivators. That's been proven psychologically time and time again; you can read various different things. There's a reference in here, because, you know, college teacher, you've got to reference and cite everything, and there's references with you, but it's not an effective deterrent. Here's an example. Intermedia, they're a business cloud provider, did a survey last year of a thousand office workers, and in the survey they asked them about

different things, and one of the things that they found out was 59% of the employees who were hit by ransomware paid the ransom out of their own pockets rather than contacting their IT departments or their security departments. Let that sink in for just a minute. We're talking about payments, $300,000 a pop, that these users are paying because they're too afraid of being shamed by their security department or by their IT department, or possibly losing their job, or other things like that. What type of negative reinforcement have we done? What security posture does this put your environment in if users are gonna do that type of thing when they've got ransomware, instead of letting people know so that they can intercept it and

this could spread through your environments, and who knows what else is left on their computers after they've maybe paid. And yeah, here's the key to unencrypt it, and we're not going to get you again; you don't know. But we've set up a culture and an environment where our users are afraid to report. You know, if they called in, are they gonna get a positive response, or is that helpdesk person, you know, why did you do that? Is a security person gonna say, why would you click the link? You know, there is no prince there that's going to give you money. How often are we responding positively? I had the opportunity to

listen to Startup Security Weekly back in August of last year, and Ronnie Feldman was on there, and he works for learning and entertainment and he does security training, and he does it from an improv standpoint. And if you ever get a chance to listen to it again, it was Startup Security Weekly in August, you can look for Ronnie Feldman or what have you. But it's from an improv perspective. Are you familiar with improv? How many of you watched Whose Line Is It Anyway? Who can tell me what the main key of improv is? There's one small phrase that's the main key of all improv. Yes, and. That's exactly it. I've got it up on the screen, duh, I'm

like, where is it? That's supposed to be on my next slide. Yeah: yes, and. When we can start to put our training and our security awareness and even our interactions with our users into that yes-and posture, we can change the equation. So a user says, well, I need to be able to install software. Don't you, yes, you do need to be able to do your job, and we need to be able to secure the environment, so let's work with you to try to come up with something that works together so that we can meet your requirements and the security requirements. Instead of, no, you can't, and why would you want to install software? It's

a completely different attitude, a completely different perspective. And our goal is to be able to develop habits, right, and to be able to develop positive habits, change bad habits, or develop positive habits before things become bad habits. So I'm gonna give you another example. Cats scratch stuff, right? They do, we just know that. Why? It's normal; it's an instinctual behavior. They do it to remove the dead outer layers of their claws; they can't chew their nails just like we can, or they're true, so they do it to remove that, the claws. They do it to mark their territory, they do it to stretch and flex, a variety of different reasons. So how do we deal with that? Well,

I mean we provide alternatives right you I'm a scratching post you have to make sure that you can provide alternatives that work for them and that work for you you know that might work well for your cat and yourself or you you might need to go to something a little bit more extreme we've settled for something in the middle right now though it keeps getting bigger and more every time my wife goes shopping I brought home some more cat toys okay but yeah you have to figure out the solution that's gonna work for them and it's gonna work for you that's gonna change the behavior and you have to make it fun again have that

positive reinforcement that way of working with them to make sure that it's an incentive to do the positive thing so then when they come over to the couch and they they reach up their claws you can be there and grab them move them over to the the scratching post let them know and then when they've done that or when they're on that you reinforce it yes that's very good you know you you give them that reinforcement you also want to limit their ability to do harm so you know if you have that super nice expensive couch that the minute they think their claws into it they're gonna leave things there you know you might want to hang a little bit of aluminum

foil there or something limit their ability to do harm so it get a little bit of feedback or you if you've gotten you in the nice vase that's sitting on a stand and they they might want to use that stand to scratch on you take the vase and move it until you can change the behavior you want to limit their ability to do harm also to harm themselves um I never thought I was gonna have to with two kids in high school go back out and find child locks for cabinets right by the way if any of you have gone through that and you're needing to find child locks now you can't get him at Lowe's and Home Depot

anymore they stopped carrying them I had to go to Target to get child locks but I had to put child locks on the cabinets because we've got chemicals and other things in there the cats quickly figured out how to open the cabinet doors and you know where there were things in there that can do them harm so while we're trying to train them not to get in there we had to be able to put controls in place to limit their ability to harm themselves or harm some of the other things around you want to be able to remove that access or limit access to too sensitive or harmful areas and you've got to be able to provide

constant reinforcements right it's got to be consistent you can't have it so that you you I'm working on the computer the cats over there scratching it on the couch I'm just gonna ignore it because I'm working on the computer you've got to be able to provide constant reinforcement all the time in order to modify behavior either you otherwise you've got an inconsistent message and remember that scolding only works if you catch them in the act so if you're gone for the day and you come home and the couch is scratched up you can't take the cat over there and say look at what you did it doesn't work they don't associate that work now even though our users and

people are more intelligent and they can make those associations better they've got better memory for being able to do that it's still ineffective for our users so let's take the same things we just talked about and translate them in for modifying user behaviors people click stuff they just do right why why do you use this click things well it might be habit that's what they do all day long right they get there they click this they click that they're used to maybe having a having to click through on an error on error or click through on a license or if they click things it's a habit they might open emails because why they're they might be important I might

miss something that's important I don't care that it went to quarantine it's got something in there that looks urgent so I'm gonna take it back out and look at it right or they might be coming from the perception that nothing bad will happen surely opening this email can't cause me any problems or clicking that link because we've got a security department and they're protecting us right so it may be that perception that nothing bad can happen or maybe even we're encouraging it ok how many of us tell our users all the time do not open attachments especially if they come from people you know do not click on links in email even if it does

come from somebody you know because you know who knows they might have you know given away their password and their accounts been compromised and now you've got a phishing mail that's going out internally from internal users to internal users and I mean it happens right so we tell our users that how many of you tell your users don't click on links in emails and write and then next thing you know they get a message from HR that says oh we're going to be doing the company picnic click here to be able to sign up or they get a message from from you know some other thing we're gonna be doing a survey you're going to be getting a message from

Survey Monkey you you need to be able to click the link or or we don't have the processes and standards in place that say this is what we're gonna do we're not gonna click on links in emails and we're going to empower all these other other parts of the organization to be able to not do that we have inconsistent messages and it confuses our users so part of that is our education programs right and I'm gonna step on some toes here how many of you tell tell users you know security is everybody's responsibility you have messages like that we have posters a net security is not everyone's responsibility at the end of the day it's just not I'm probably gonna step on

some toes I'm probably gonna make some people mad you can disagree with me afterwards there are some behaviors we want them to do but at the end of the day our users aren't really the ones that are responsible to first security that's why we bring in security professionals right you know after the the Equifax breach you didn't see the the users that develop the the code get fired you didn't see the the people that weren't you know necessarily consistent on their patches getting fired you saw the c-level person that took the responsibility for you know they're the people that are responsible and your security people are responsible for making sure that our users know what to

do we can't necessarily always go into it and say our users should know all the security stuff that we know and they just they should know it because that's our job we need to be able to give them the pieces that they should know and and not much more and that's really where the education comes in being able to treat education that's something that that is effective for our users and not just a checkbox you know you have that annual security education that your company puts together it's a two-hour video that they have to watch or they bring in somebody that's gonna lecture them for two hours about all the different things that they have to do so now they take

that time out of their schedule they come they sit right here they listen to it and maybe 5% of it is applicable to their job and the whole time that they're sitting there they're going really I've got to sit and listen to this again I don't need this all I do is mop floors or you know whatever so we need to be able to make sure that our security training isn't one-size-fits-all that we can customize it and that we can keep it simple so that our users understand the specific things that we want them to do and that we'll be able to empower them to do their jobs and do it safely they make it

specific so you don't have that same big two hour training for everybody you have training that's specific to the people in specific roles so when you have facilities staff that you know are doing maintenance and doing gym they do one or two applications you don't need to have them sit and listen to 15 minutes about business email compromise they're not gonna get that email that says hey send me w-2s and even if they do they'll go huh I don't have access to that so make your security training simple make it short make it frequent so that users get the points they need and can understand what they need to get out of it and be

able to respond there one way that we see that a lot is with phishing simulations do you Fisher users send out simulations they can be very effective as long as you you use them properly and we'll talk about some of some of that in in a minute or you may have tabletop exercises do you want to do with exercise with certain portions of your organization be able to structure those so they know what their role is and how they can can interact but again don't don't bring people into the room that are gonna be involved in these things that are gonna have to sit there for however many hours it's gonna be and they've got one thing

yeah I'm gonna have to talk to the media okay it's not gonna be effective so again we want to have alternate behaviors right you got that scratching post for the cat so what are some of the alternate behaviors you might want to have for your users to click things well let's take reporting fishing for an example you want to make that easy if you tell our users all right if you get a suspicious email message you need to forward it to you know this big long email address that they've got to type in and then they forward it to you and then you call them and say no I can't do anything I don't have email headers you've got to

open up a new message to me now you gotta take that message dragon it they don't know that make it easy figure out a way to have an easy button now a lot of companies have plugins or you can do an outlook where they can just click something and they can get that to you and they can get it to you quickly you got to make the positive behavior easy and then be able to give them immediate reinforcement so that when you do your fishing simulations and they report it because that's the behavior you want right that's that positive behavior you want you want to make sure they report if it's suspicious do you get them that

immediate positive reinforcement yes that was great you know have some Outlook rules or whatever going so that the minute they report that or within a couple minutes they get a response back yes you identified something that could have been bad and you reported it and we appreciate it or when they do report things that are outside of your simulations that are real real threats or even if it's just spam you've give them that feedback in a fairly rapid manner so they know yeah this is the behavior we want to do this is the things we may not necessarily want to do but if they just have this this button that sends it away somewhere and they

never get any feedback you know you might be able to use that to harden your controls or do other things but you're not gonna change the behavior you've got to be able to give the feedback back to the users in order to change behavior and you may want to gamify it a little bit right where'd it go come on there we go you might want to gamify us so as you get statistics back and say our ads sales department is great they've had a 60% reporting rate on our last fishing exercise you know you can you can say hey next time you guys might want to measure up to that you might not necessarily want to communicate that

your facilities department had a 12% reporting rate or that you know they had an 80% click rate but you know make it competitive because people love to compete have some way of rewarding the positive behavior to recognition status public recognition works really well you see here one of the things that we've done recently is we start to for fishing simulations we give out some little things and we have the little I mean we got them cheap oriental oriental trading company but we give them out with a little certificate on them you can't see their certificate there and they say we give the little ones out to the people who are the first ones to report a simulation so every simulation

the first one to report it will get a little little fishy right anybody want a fishy all right but are people that are reporting threats every month we give out a little bigger one with a little bigger certificate certificate on it say you know this is the person that reported the most real threats in the month of whatever and we'll get a picture with them and this guy had some fun with it so we've played it up a little bit but we get a picture with them and we share that with the company these people are the people that are doing the positive things we want here robbing and and that way other people in the organization know that

there's that positive thing we don't communicate that you know well this person clicked on it or this department didn't did poorly that's not going to get the behavior changes that you want to have

you want to limit the ability to do harm right that's the same thing that we were talking about um the child locks this is where it comes down to the classic cyber hygiene your see is top 20s your least privilege your multi-factor all those things that you know you should be doing to secure your environment you need to make sure you're still doing those you need to make sure that you can can limit the ability that our users have to shoot themselves in the foot because again you're the security professional at the end of the day or you're the IT professional so limiting their that ability to do harm is is critical and constant reinforcement right so we're

not just having that once once a year security training and okay go here and watch the thing and check the checkbox at the end people that you have ways of being able to communicate simply and effectively and frequently so the users know that those messages are at the at the top of their mind all the time and again remember that scolding only works if you catch them in the act and even then it's not very effective you've got to keep it positive you've got a to make sure that you're not shaming people if you're shaming your users they're not going to come to you so when they have that security event the likelihood of them actually reporting it properly is

fairly low you know at the end of the day what do you want the user is gonna click the link in the phishing mail right they're going to give away their credentials at some point in time how many incidents have you done and investigated where when you finally get down to it and you you get to the user that clicked and you say what happened well I got the email and the minute I clicked it I realized there was something wrong how many of you hear that message when you actually get to you know they know right the minute you click it you know well why didn't you report it well I was afraid of what you

were gonna say or I wasn't sure you know let's change that equation so that people know when they report we you know that's a good thing yeah we understand that mistakes are gonna happen right but make sure that they know that they can come to us and they can report it and we're not going to shame them we're not going to throw them in fact we may even take the opposite thing so we may talk to them after the fact and say you know in this security incident you came to us and you reported it and it's great can we use you as an example they maybe tell the rest of the company yeah we had a

mistake cabinet and somebody clicked the link and it happens and they came to us and because they came to us and they came to us quickly they called the helpdesk they knew what to do and we were able to go and find it and we were able to respond and we were able to quickly block those sites or we were able to quickly take that machine off the network and because of that we could have saved ourselves millions of dollars in potential damage because the user recognized a mistake and reported it to us if we can have that positive perspective we can change behavior keep the goal in mind right when you own a pet in this particular case we're

talking about cats there's gonna be a certain amount of unpredictability right uncertainty you can't be predicted you can't predict what they're gonna do they have a mind of their own you have to take that into account and that's part of the fun right remember that in our companies it's all about business at the end of the day they have to be able to do business it's not always going to be predict predictable and people are gonna make decisions based on other factors as well things outside of security you just have to to balance all that and keep a positive attitude about it does it work well much of the time it does work be adaptable be able to respond to

those times when it doesn't because it's not always perfect alright questions comments snide remarks and references go ahead

100% I don't see any reason that anybody should be exempted from your phishing exercises and I've battled this over and over and over again you know well we we can't send those to our executives okay so let's make sure we post a notice on our website that says our executives are exempt from phishing emails please bad guys don't send them to him if a user can receive a message from an outside source that they can potentially click on or they can that can potentially cause them problems they need to be part of your your phishing exercises they can be and a lot of times they'll have the you know they may use excuse well our

our execs handle those emails and we had our director of risk actually sit down with some of our execs our executive assistants after we did a phishing exercise where we targeted the executives specifically and those assistants were interacting with the messages and and we got some results in and he went online and he did a little bit of OPSEC and he grabbed some some data or he yeah he grabbed information about them that he could find just in social media walked up to their offices and just sat down and talked to him they didn't know him from Adam how are you how did your kids do in their soccer game how is it they started to give them

the perspective of what he could learn just digging information about them and then making them realize just how effectively they could be targeted as well as our executives and and some of the the risks that were associated with there and it ended up being a positive conversation yes sir

so if you don't have relationships with people you can't change behavior that that's what it comes down to if your security organization is perceived as these people that operate in this tower and they're gonna come to you and they are going to punish you and it's gonna be bad and you never want to hear from security they're not gonna come to you you're not going to be able to work with them to develop things if you have that partnership then they might say hey we're working on this project we might you know might be able to bring them in or you know if you start to insert yourself in positively in some of those things you can you can affect behavior a

lot more effectively yes sir

so it all comes down to risk right and you have to be able to communicate that risk to people who can make the decisions and thankfully more and more often as we have more and more compliance driven things that are being seen from a high level from a sea level from a bore level more and more those types of people are being exposed to security risks and security challenges so if you can start to communicate back up and down again through your CI SOS or through your other people that that have a feedback at that level you can drive change from both directions so you can have your security professionals that are saying you really don't need to do

this and then you can have the the people at the higher level being able to to say well how can we empower our organization's to function effectively and securely all right thank you for your time [Applause]
