
Centering Security Around Humans

BSides Seattle · 2020 · 55:00 · 260 views · Published 2020-11 · Watch on YouTube ↗
About this talk
Juliet Okafor argues that cybersecurity's persistent failures stem from treating humans as obstacles rather than the center of both the problem and the solution. Drawing on her experience building IT/OT security programs for Fortune 500 companies and critical infrastructure sectors, she demonstrates how human-centered design—grounded in empathy, stakeholder collaboration, and understanding user behavior—enables security controls that actually work without crippling business operations.
Original YouTube description
Juliet Okafor, J.D., is a cybersecurity professional who has combined her knowledge of the legal system and cybersecurity solution models into success stories across Fortune 500 industries throughout the USA. Her ability to scope, plan and design the creation of an OT Cybersecurity Management System framework for one of the largest cruise lines in the world is testament to her commitment and leadership regardless of the challenge. She is a passionate security solutions visionary and strategist who builds the Fortune 500 enterprise's overarching security strategy that governs all other smaller strategies within it. She is the person who determines how to solve the company's problem, be it vulnerability management, incident response or reducing the risk associated with technology or vendors, and then puts a plan or roadmap into action to remediate the risks, using a combination of people, transformed operations and an array of emerging security technology. Juliet's collaboration with key infrastructure cybersecurity leaders from the energy, manufacturing, maritime, transportation and chemical sectors has led to realistic and integrated IT/OT cybersecurity programs with positive security results. The unique value of Juliet's ability within the cybersecurity field is also evident in her relentless and dynamic approach to understanding the expectations, needs and requirements of her clients, in concert with providing the best cybersecurity technologies and services required. Okafor has also helped build startup security organizations from the ground up: negotiating contracts, forging partnerships, selecting tools, leading strategic initiatives, and partnering with key customers and security stakeholders to create, identify, measure and report the maturity of their enterprise security programs to senior leadership, to justify additional financial investment or demonstrate continuous improvement. Juliet graduated from UMass-Amherst with a B.A. in Communication, Fordham University with an M.A. in Public Communication and Media Studies, and received her Juris Doctorate from Temple University – Beasley School of Law. She is currently the Chief Engagement Officer (CEO) of RevolutionCyber.
Transcript [en]

I am so happy to be here. Thanks so much to BSides Seattle, Josh and Hugh, for getting me to this talk. One of the things I'll say just off the bat is I'm so glad that I do not have to be up and speaking at 9 a.m. Seattle time; I'm actually in my home in Columbus, Ohio, and it's about noon. But what I want to talk to you about today is this idea of centering security around humans. It's a really, really personal and very passion-oriented subject for me, mainly because of who I am and what I do, and so it's probably important that I share with you a little bit about myself.

So I am Juliet Okafor. I'm the CEO and founder of RevolutionCyber, and my company focuses on user behavior risk management and modification. You're probably wondering what that means, and a lot of people do, but essentially what my job is as a security professional is to get into the minds of people, of users. I've been very weird about this idea of hacking the human or hacking the human mind; I just don't believe in that. But ultimately what I feel is that we've got to gain a better understanding in order for us to really focus on risk and compliance and do what it is that we are supposed to do as cybersecurity professionals: we need to better understand the people who we're working for and the people who we serve.

So I'll give you a little bit of background about myself, and I'm not even going to focus on the professional piece; I want to focus on the personal elements, because that'll be critical to what we discuss today. I am a human empath. I don't know if anybody in the audience is an empath, but I'm somebody who connects on a very visceral and spiritual, emotional level with other people, and I have this ability to really feel how other people feel. It makes it so that I have these great connections with other human beings, but it also makes it so I can often feel very overwhelmed. One of the other traits that I have is that I tend to be a highly sensitive person, so I get overstimulated and then I tend to need to be re-energized, so I've got to spend a lot of time alone and really figure out what the things are that are draining my energy sources. I'm also ADHD, so I've got attention deficit disorder. I've had it since I was a kid; they diagnosed me in law school, because everybody else in my class was able to digest these large books in such a record amount of time and I struggled with it. I was diagnosed at that time and had no idea that I had this problem, because I'd done pretty well previous to that. But I also found out that I was neurodiverse; there was just a way that I thought that most people did not, and all of that is kind of revealed in all the things I just mentioned.

So I've had a very, very interesting foray into cybersecurity. I started in sales; I started as an account executive about six years ago, helped to build out the first SOC in the Bank of Zambia, Zanaco, and I've also managed really large-scale sales teams in the Philippines, India and really across the globe, also working in Tanzania and South Africa. But one of the things that my time in cybersecurity has taught me is that there's a lot of benefit to what we do. In fact, so many people that I know, just like you, are drained by how much there is to do. You could spend 24 hours doing your job and really never get to the end of it; there's always more work to be done. But one of the biggest areas that I found inside of security is that we were missing the reason. Why I felt like a lot of the burnout was happening is that we were focusing so heavily on technology, we were focusing so heavily on building out security operations programs, security operations centers, what it is to do penetration testing, that we never really started to think about what the purpose is of what we were doing and who it is that we were trying to benefit.

I think when I joined the security space about six years ago, one of the biggest values that I was able to offer both my clients and my customers was that I was able to talk them through the value of cybersecurity, the benefit of penetration testing systems, the impact of having operations that included the business operations processes of the broader parts of the business. And over and over again, one of the biggest things I found is that we were rarely ever considering the people for whom this had to work. So people in organizations, people like myself, who are either busy, distracted or overwhelmed; they still have a job to do that has nothing at all to do with cybersecurity. And one of the questions I found that people were not answering is: why do these people even care? Why would anybody care that the organization is at risk? Is it my job to protect an entire organization? And why would a hacker come after me? I'm just this little person. That question is asked by individuals over and over again, and yet in order for us as cybersecurity professionals to design effective programs, to build out world-class technology, we have to gain an understanding of the humans behind the system. I think that remains one of the biggest areas of threat for us in cybersecurity, and the reason why I thought to bring it to you guys today in this keynote is because I really wanted us to start to dive into a new way by which to filter this idea of cybersecurity. I wanted us to really focus on what I perceive, and what I'm hoping you will soon start to perceive, as the biggest threat to cybersecurity: it's the human in the middle. And why am I playing off the man-in-the-middle? We security people have our own language, our own lingo. We talk to each other and it makes sense to us, but we're often talking in zeros and ones as it relates to the broader business. I mean, really, what we're very good at is coming up with new cool tech, new cool language, and things that we say to each other which make sense to us. But in the end we've got to start to shift the way we communicate, shift the way we think about this big threat, and start to talk more directly to the humans that are in the middle of any process, program or system that we actually build.

So the points I want to discuss for us today are about human-centered design. My background is as an attorney. I have not been a designer; I have not been, just on the surface, someone who focused heavily on the way in which things were built; I'm not an engineer. But what I am is somebody who had to, in the way I operated with regard to sales and marketing, focus very heavily on what the end result would be, what factors were being considered by the person who used it, and I had to figure out the real-world applications of technology. So I feel like I'm best suited, having designed in my career several large-scale security platforms and programs for companies that are Global 2000 companies, in addition to really small mid-sized businesses that don't have a lot of budget. So we're going to talk about human-centered design, we're going to talk about its applications, the challenges that we have in having us all center around the idea, and finally I want to talk you guys through the cyber revolution: what does the future look like for cybersecurity?

So this idea of human-centered design: it means accepting the humanity, and therefore the innate ingenuity and insolubility, of technology users. I find it disappointing, over and over again, when I hear infrastructure professionals saying, you know, users are stupid, they get in the way. Often I hear that they just want to do the same things over and over again and they don't care. That may be true. I'm not going to go ahead and tell you that most people care, that everyone cares; that's not true. But not all humans, not all employees, not all users don't care. I think one of the things that we need to keep in mind as it relates to risk is that the biggest risks are attributed to and created by humans. And so as we look at this idea of cyber risk without the idea of the people who actually create the risk, we miss a huge part of where the actual opportunity exists for us. We can continue to build great technologies and systems, but if we're not thinking about the end user, the user experience, how it will be used, we are missing an opportunity to create and impact the way in which cybersecurity works in the real world, and we're actually hindering the performance.

So when we talk about human-centered design, I also think about this idea of system design: how do the disparate parts of a program come together? And if you think about the human being, where do they sit in the middle, and as they sit in the middle, how do they impact the various parts? So when I think about users, when I think about employees, if we're talking about a business or government workers or even people in their homes, I think about the fact that, when you really think about the human mind, people are smarter than we give them credit for. What I'll tell you is, if you create an obstacle, it is human nature for someone to try to get around it. It is natural for people to want to ignore it. It is quite possible that, for any security control you put in place, some human will figure out how to bypass the thing, and really that's what we call hacking. So if you think about the people who are hacking, the black-hat hackers, they tend to be really knowledgeable about how the human mind works as well, and they're very good at surreptitiously going around security controls. So if you think about the fact that on the other side of a breach or an incident or a system is a human being attempting to get into a system, then it's important for us, when we're thinking about design, to think about the human being who might be getting into our systems and also the human beings who would be using the systems, and figure out how we mitigate, via technology, via process, via policy, the ways in which that human being has the ability to get around, to avoid or to ignore a security control. If we think about that on a broader scale, we have the ability to start to really dig into and address the reasons why security controls in cybersecurity, despite all of the investment, are just not working. It requires us to take a new approach, and I'm suggesting, and I recommend strongly, that we focus on human-centered design.

Humans and design: the technical definition is that it's a process, mindset and approach to solving complex problems. Once I joined this industry, one of the first things I said to myself was, you know, I'm a problem solver; I don't see that what we're doing is any different than when people first started to get into pharmaceuticals. If you think about the way a pharmaceutical company works, it's designed to create medicine that solves ailments, that solves disease, like vaccines. The work that we do is complex as well. The difference is that the problems we're solving often can't be seen until the bad thing happens. So what we're trying to build with regard to our cybersecurity are solutions that anticipate the way in which a behavior might happen that might cause an impact that would negatively affect a system or an asset. And this can be very complex, because it's not just what I'm telling you; it is in the context of a business. It is a phishing email. It is an employee who perhaps is socially engineered. It is an asset that has vulnerabilities that have not been patched. It is two different departments with shared data that don't have the right policies attached to them, and therefore data is being leaked outside the organization. These problems exist, they're dynamic, ever-changing, and it requires us to have a cyber mindset. My thought process is that a cyber mindset is really entrenched in this idea of human-centered design, and what we have to do in the space that we exist in is to empower individuals to design new products, new services and systems that address what the core needs are for the people who identify a problem.

So let's break that down a bit. Cybersecurity using human-centered design should be about the empowerment and the enablement of people. It should be about technology that is only built to enable the performance of people in doing their jobs. For instance, the purpose of a SIEM when it was initially built (and we'll all argue about whether SIEMs are or aren't valuable, whether they check a box or don't check a box), the idea was that you wanted to create a technology that was able to notify an organization of possible intrusion or other threats to the organization. Now, initially when those were built the idea was very simple: if people know when something goes wrong and they're notified, then they can respond. That's great. But a human-centered design approach, and I think a lot of SIEMs are moving in that direction, is moving into this idea that it is not just about the notification that something happened; we also want correlation. We want to make sure that the information we're giving is accurate. We want to think about the reduction of noise, too many alerts, so it's the idea of: are we notifying about the right thing at the right time, and who is the person who should respond in that situation? The other idea of human-centered design is that we want to ask ourselves where the SIEM fits as it relates to people, process and technology. If you think about a SIEM, the idea is: who has access to that SIEM? What is it monitoring, which endpoints, or from what parts of the business is it detecting? And then you also want to think about what the response should be if something bad happens.

Human-centered design actually pulls into focus this idea of system design: the idea that nothing we're doing should be isolated, and that every person on the team, their contribution to that team, is valuable, because in order for each technology and tool to work, it must be done in alignment with other humans. And I think the more cybersecurity begins to focus on this idea that it is about the human element, it is about human error and mitigating that, but more importantly it is about human and system design, and this combination of human and technology working together synchronistically.

So part of why I joined cyber, and part of why I stay: I am part of a community of wonderful cybersecurity experts, and every day I hear over and over again about how hard it is to do the work we do and how little we are appreciated for the work we do. And I'll tell you the reason why security isn't really understood by those outside of it: if we're doing security well, people don't even know that we exist. I mean, really, we want to stay out of the way. But, you guys, it's a very difficult job, and part of what I've seen in terms of organizations being able to bring security to the forefront, I believe when enterprises bring security to the forefront, it reduces the load on us to justify ourselves, and that can be so painful. And so what I'm always asking us to think about as we do our jobs is how we focus what we do on people. That requires us to leave the security team, to leave the security department, and to go in and have conversations with the users themselves. I'm not even going to tell you that it's fun. It is not fun. I do that on a daily basis, and on one hand, if you're an extrovert, it can be a good time; it refreshes you, it rejuvenates you. But I'm more of an ambivert, so I would say that it can be draining. But there are very few security people that I find that don't want to do a good job, and oftentimes when they have the conversations with the production team, if they're going out into the lab, if they're talking to the users while they're working at home or on the go, they find out a great deal about ways in which to do security better. And I think that's all this is about: how do we do security better? How can we improve upon what we know we're doing, but ultimately, in the grand scheme of things, isn't working?

What I found is that 86% of breaches today are financially motivated. So people are taking part in breaches for the sake of making money, selling data, getting access to particular systems. How much of that goes into the way in which we build out our program? How much of that do we take into consideration when we are building out awareness programs? How often do we talk about this when we're buying technology? If we know that the humans on the other side are really looking to get access to data for the purpose of leveraging it for financial reasons, what part of that is going into the strategies that we're using, as we're doing penetration testing? So if I am a penetration tester and I'm thinking my job is to secure our systems, then what I want to do is put myself in the position of the hacker. If I'm going to do penetration testing better, I should know the mindset of the person who might do the hacking, because that's in fact what a penetration test is: it really is your ability to test the system the way a hacker might. So we've got to really understand why something's happening. I think too often we're missing that as a function of the conversations we're having. We need to really stop and think about the humans that are in cybersecurity, because we are not being hacked by bots. On the side of every bot is a human being who is pushing the button or is actually writing the command. So I just want us to think through that. I think we're in this great place with cybersecurity today, where we have an opportunity to build a future that is designed to secure from the beginning; it is by design that we take into consideration the human elements of things. And I think we stop and sit back and say, what are the parts of the way we do our work that we could do better? And I think the next step is that human element.

So as I was preparing for this, I started to think about ways in which I had leveraged this idea of human-centered design. About five years ago, I mentioned, I built out, with our security operations team, an AlienVault-Splunk integration that was the basis for a security operations center at the Bank of Zanaco. To do that, I was responsible for selling the solution, and effectively, in order to sell the solution, I had to understand the different parts of it. Part of what was different about this solution is that it had to operate in Zambia, and I am not from Zambia. So when we started to work together with the customer and we started to think about the solution, we came across several challenges. One of the challenges was latency, because they didn't have steady internet and steady electricity. We had to figure out, if we were to build this solution and transport it to Zambia and then build it within their environment, what are the things that might happen that would impact its ability to work, to perform the way it was designed? We had to think through that. We also had to think about the people who were running the security operations center and what disparate responsibilities they had in addition to this, that would require them to divide their time between the security operations center, the building of it, and the ongoing management of the solution. And then finally we had to figure out, in the situation that something bad happened, given that we were an American-based firm, how we would be able to deliver solutions to them in the future. All of that is not just plopping the technology down. It required that we take a multi-step approach in which we had to figure out, if the end result was that we had an up-and-running security operations center in Zambia, thousands of miles away, what would be the impact, who would need to be involved, and why would we be responsible for ensuring the long-term continuity of it?

So step one of that was we had to put ourselves in the position of the CISO. At that time the CISO was a very highly strategic person who was very clear on what the purpose was. He had a rock-solid team of people who supported him, but what he didn't have was a dispersed team of individuals who could help him run that program, run the SOC. So we built a SOC in the capital, but he had endpoints and he had other banks across Zambia, and so what we had to do was figure out what was going to be his role and the roles of the people; we had to put a RACI together. And then we also had to figure out how we could enable technology in the situations where there are no humans involved. So human-centered design also accepts that there will also be a lack of human labor, and it allows for automation. But what we had to do was say: what is the problem, who's involved, and how can we make their experience with the solution easier? It started with empathy.

Secondly, we had to find the why. Why did this SOC matter? So I showed you the picture of the people before. It mattered because if there had been a breach of Zanaco, that bank would be taken down and they would be out of business; they'd lose substantial revenue. So it's not just that we as security people are doing this in a vacuum. The work we do is so important because we hold up businesses. I think more and more organizations understand that a good cybersecurity program is a protection and it reduces liability, but we've got to keep driving why it matters, the purpose of it. And then, even as we're building security controls, if our job is to enable the business and to secure it, we have to make sure that it keeps running, and therefore our security controls can't stop business. So I'll take you back to Zanaco. When we were on site and we were working with the teams to build out the solution, we had to operate in the middle of the night, and I believe we did most of our work on a Wednesday. Here's why: on Wednesdays the organization was already used to a shift change; they were used to lots of midweek interruptions, and therefore our interruption, if joined with the rest of the interruptions, would be a great way to get into the business process without disrupting it. So because we understood why we were there, we understood that although securing the organization was important, it wasn't more important than the operations of the business, and so that was important.

We then brainstormed. So we got on site and we actually put together a whiteboard, and it had all the tasks, everything we wanted to do. We had the CSO, we had the CEO of the bank come in, we had the auditor come in, we had finance come in, and our team came in along with our SOC leader in the US, and we all sat together and brainstormed, now that we were in Zambia and understood what the limitations were, how we were to proceed with the implementation. Each person contributed and indicated what their part of it was, why they thought that they needed to be considered, and what would be a non-negotiable for them. It was only in bringing all these things together, writing them down, outlining them, deciding what the priorities were, that we could understand the best way to build out an implementation plan. So it is about the talking, it is about the diversity of ideas, the collaboration; that's where we got all of the rich thought process going.

In doing that, we came up with the solution. That solution that we finally came up with was storyboarded. We built out a model, so it was wireframed, and we outlined what the steps were from step one to four; there was high-level one to four and then of course we had sub-bullets. But essentially we laid it all out, and it allowed each of us to really take a look and see: had our thoughts been reflected? Did we cover everything? Did we create a system that we could all live with, at least in the interim? And then we also wanted to figure out, if we delivered it as it was, would we be ensured as much success as was possible? In doing so, what we found is that the best way to implement the SIEM, but also the security operations center, was to work in the data center in the morning. We would then have a number of disparate teams going out across the entire country to work on getting the solution implemented and the endpoints monitored at the different banks; they would do that over a period of two to three weeks. And then we also came to the conclusion that we wouldn't actually launch the security operations center for a few weeks. So we would set it up, but we wouldn't really turn the switch on until my team was back in the US and we could better manage anything bad that happened. So it really was about: how do we ensure that the bank is secured? How do we design a solution that meets the requirements for all the various stakeholders? How do we visualize it so that everyone can see and ensure that what they've contributed is actually reflected? And then finally, we had to test it.

So we did do a small test. I think we did it on the HQ, using a very limited set of things. They basically had production and then they had the test range, so we set this up on a range that existed, with the same solutions and the same limitations that we expected they would have, so the latency issues. We actually used the generator instead of using regular power. We actually loaded it with a lot more systems and employees than there might be, so we had to proportionately reflect what the actual situation would be, and so we overloaded it to see what the response was. And we found that that was not a good thing to do: our first test actually got us shut down. The generator failed; we ended up blowing some other system, and so we actually stayed a week longer in order to get it up and running. But we were prepared for the thing to go badly, and what we needed to make sure of is, if we understood what the problems were up front, that we could ideally pivot. And I'll tell you it was not a perfect engagement by any stretch of the imagination, but what I'll say is it taught us to pivot. It taught us how to lead a program with a lot of different challenges that were against us in the project, but also, when the thing went wrong, how to respond quickly to minimize impact. I think because we had planned it, because we understood that we could not predict what employees would do, because they had very low maturity (I think that their security systems are much better now, but at the time this was the first security operations center they had), we ran into so many challenges. But what we had to do was predict what could fail, test it, and then we had to pivot, and I think the pivot is where we had the most success. But, you know, I'm talking about one story, and I'm doing that because I want you guys to understand that I get that what I'm saying sounds really rosy. I put a lot of this to the test; I've actually seen a lot of great success in applying a lot of this.

And so the four areas where I feel like we could directly apply a lot of what I'm saying are, first, in the context of privacy, and I have privacy bolded because I think it directly relates to human-centered design. This idea of privacy is major, because everyone is talking about the intersection between security and privacy today and where security ends. Security, really, one facet of its role is to provide protection for the privacy of data for users and consumers. So one thing we are responsible for is privacy of data, and in my mind the goal for privacy is to do no harm. There's a conversation now that's going on with this idea of digital harms: what is the actual harm caused by technology, and really more specifically, what is the harm caused by breach of technology? And the idea, when we think about privacy, is that we want to reduce the amount of data shared without permission. We want to make sure that people are only getting access to the data (zero trust) that they need to get. And then we also want to make sure that if a person indicates that you have the right to use their data, it's being shared only in permissible ways, only in the ways in which they told you it's okay. And in the situation, because I'm an attorney, that it's not done in that way, that there are legal protections, that there are other protections that ensure that the impact to the person, the individual, is mitigated. So when we think about human-centric design, in order for us to better understand and protect privacy rights, we've got to understand why privacy is important. Why do people care about the data that is about them? How could it possibly be used in ways that we haven't even thought through? And what are the harms caused when data is shared without permission or it's shared in ways that are unanticipated? Applying human-centered design there means that we are being very specific and very thoughtful in the way in which we're using data; we're thinking about the ways in which people interact with data, what systems they use to extract data or to engage with it, and then we're also seeing what the risks and benefits of actually sharing data are. So if I'm on the security team and I also have privacy under me, or work closely with the privacy team, my thought is: if I'm going to be implementing a new system, who needs to have access to it, why do they need to have access, and what do I need to ask of them in order to use the system? And if we do take that data, what is my responsibility in terms of protecting it? So these are greater questions. It actually elevates security, because we're actually the protector of a person's identity. It's more than just financial now; it's also about this idea that we are the arbiters, we are the protectors of how people are seen and viewed, and how they're interacting with the digital world.

Response resilience. I am an advocate for this idea of resilience. I think where I get concerned is that we use it in this very broad context. When we talk about resilience we've got to boil it down to its finer points, and it's got to be about: when we say resilience, what does it mean for an organization's security program to increase resilience? And if we focus on human-centered design, it means we understand intrinsically, in the way in which we roll things out, how it is that we want people to respond when bad things happen. We are able to predict when something bad may happen; we have the controls in place at every step of a person's interaction with a

system to ensure that were there a breach there's a counter action a notification or a a termination of service that reduces the way in which someone might exploit a system so resilience is not just in isolation something that's intrinsically good resilience without the idea of human central design is an obstacle if you think about a fort um businesses used to be built like sports but you can imagine now the digital world requires that things be nimble that they be moved around that people be on the go that things be mobile if you're a security team building a fort you are not building resilience you're building obstacles and human nature is to go around it so

what will happen is you'll get um shadow id you'll get um you know issues with third-party risk you'll get all sorts of additional risks because we're not taking consideration the ways in which people are motivated to build resilience to act in ways that are in alignment with what security would want it's got to be a a collaboration between security hr legal all the other areas finance all the other areas of designed around protection security must be resilient alongside those and in the context of the culture of the organization so the cyber mindset is not about users thinking the way security people want them to think it's about how we better understand how to build and design programs how to

engage and interact in ways that align ourselves with what the users want so identity and access management that is also an area in which i find um is is becoming more and more important in fact more people are saying you know identity is really the uh um the um uh the perimeter so it really is about who you are and and and who you are to this particular system so the protection of data becomes important so if i'm juliette okafor you know in discord and i and i um have a different name i think it's new um and a series of numbers but then on twitter i'm jules management right on linkedin on jules o'connor my identity shifts

with each system i interact with and so human-centered design means do i interact do those systems interact do i make it easy for people to leverage different profiles and personalities what are the features that i expect because i've now gotten into the system what things should i have access to given the identity that i've put up what things should i be sharing or not sharing this idea of human sense of design takes all of that into consideration

so if we if we figure out where we've gotten started um i'll i'll be honest let me let me let me share that when i first got into cyber security i was confused i'd say i i entered it and just i could not understand why and i've met with government security operations centers i've been in um those of credit unions early on i was working with a lot of small and mid-sized banks and you know my job was to sell security systems so i was like okay well they've got a lot of problems great they'd love for me to help no that was the last thing they wanted me to do was to touch the thing that

they'd set up for months on end and they had just gotten to work in some you know recognizable way um and i felt like i was watching a game whack-a-mole and what would happen is there'd be an instrument that would crop up they'd shoot it down then another one will crop up they shoot it down then they have all kinds of fires people would be running about people would be burning out there was lots of drinking of course you know and i i'll admit to having you know join them but they weren't solving the problem it was just about getting that one thing done so you could move on to the other thing we're so overloaded with things to do

we don't have time to look at things strategically in fact what's happening is even when we're bringing on talent new talent with fresh ideas we're asking them to submit and fall into the very bad processes that already exist and we're teaching them the bad habits we have as an industry what we're trying to do is we're trying to figure out how to um to to fight the bad guys and to stop the breach and to to be you know to get ahead of the problem to to move to the left um but the issue is that we don't have enough time we don't have enough resources and typically we don't have a lot of internal support

and so i'm not blaming us for doing guacamole i just want us to start to figure out what is it that we need to do to really start to change and revolve so that the cyber of the future is not those of the past because what we're doing now isn't working and i'm hoping we can all agree that it's just it's not working one of the things that i've seen that i thought was really really smart but unfortunately only happens after a company is breached they have one team that is responsible for maintaining and they have another team responsible for strategy and building and what happens is when one team is focused on reacting they can keep

everything going the systems are running you know they can respond um to uh employees and users who are telling them the bad things are happening they can you know uh have analysts who are um reviewing you know the the notifications in the alerts as they're coming in but you also need a team that's sitting to the side and not a big team maybe two or three people who are really taking a systems design look and saying we've got now technology everywhere we've got you know all the good stuff we've got we've got technology that's been here for days but we also have technology that we've had for years that is no longer um is end of life we need

to pull out we also have users who are complaining that they can't get access to certain systems and we spend a lot of our time with i.t um you know telling them who should have assets who shouldn't and having these fighting these fires fighting these wars what is the thing that we can do but if we assume humans are the center of both the problem and the solution we can use technology to enable their work product their communications and make it easier for them to do their job it should be about how security and technology enables the human to do their job it's got to be about the behaviors we understand in humans that we anticipate will happen we do

this on the other side when we think about the kill chain and attack kill chain we have the ability to automate responses based on what we how we think a hacker will attack in fact the whole idea of threat intelligence is the same way what we haven't done is then applied that inside the organization so we can anticipate the way users will behave and then we've applied technology to respond it seems on one end when we think about hackers we've done our job there but when we think about our users we think of them as either just neglectful reckless or stupid and we haven't done our homework there to really start to dig into how could we have both user experience

service delivery right meat service delivery time but also make sure that the security works i think that we're deploying security but we're not making sure it works and it can't work if we don't understand how it's supposed to interact with the human beings that are the focus i think that every one of us in cyber security are designers i think our craft our trade requires it and i'll tell you a little secret i also think that many of us are a much more artist than we are scientists cyber security compared to the rest of the industries medicine um manufacturing it is still so new that we all act as artists and designers there is that scientific

uh um foundation i will not say that that does not exist what i will tell you is that we all have the ability to design the way in which we deliver and perform in our roles and the way in which the future will demand that we design cyber security is by encouraging and enabling humans as a part of any product or solution that we put out as a part of any report that we create is the report that i'm creating makes sense to me but could a common person read it could your mother or grandmother read it would they care and if they wouldn't care in your first draft how do you make them care

as a designer you have the ability to empower yourself and others by the way in which you do your job so it is important that we take humans into consideration throughout the entire life cycle of any project or initiative any change management strategy management strategy or any even any instant response program we have to begin to design the way in which we want users to engage with us and with the systems that we're providing so i want us today to begin to imagine a world where we are reducing friction and some of this sounds soft and it sounds you know uh it sounds like it's something that's kind of made up and fuzzy but i i imagine each of you was doing it

in your job today it is about um going against the brain it is about asking yourself ways that you could potentially be better it is about asking whether or not and this is something you can ask in meetings with your bosses is what we're doing working um how is is what what i'm doing supposed to work what does performance look like if we succeed what should it feel like those are human-centered design-centered questions in addition we've got to figure out how what we do fits into a broader subsection of a system a system is the business outside of it but more importantly the different domains inside inside of cyber security how do they all fit together how does

the penetration team fit with the threatened coach team that fits with the awareness team that fits with the vulnerability management team how do they all work together and what should that feel like i think right now a lot of it can be very clunky human centered design will focus on if the humans at the center of this what should their experience be in each of these domains and that will be what brings it together i think a lot of security tends to be very disparate we also want to ask more questions so what is it that we what's happening why is it happening what's the purpose of asking purpose-based questions we want to conduct our research so

what is it that we see um where is it that i can get more information who else has done this i think twitter is a great place um for that i think um you know i find a lot of interesting stories on reddit um but there's a lot of forums that you can find where you're really doing your research on what what people have done but also if you're looking to move into systems design thinking let's start to talk to some systems engineers also you might be able to work with some people in 19 who've done this kind of work um that's that's really the goal here and then pretend to be someone else uh we have

some very very uh great personalities inside of cyber security but in order for us to make a change we've got to sit in the position of of someone other than us someone other than someone like us so i'm adhd highly sensitive empath i but i have extroverted tendencies i've got to sit with someone who is introverted maybe not as highly intellectual not highly analytical who really just doesn't care about security it is that person who will give me the best perspective on how to change my communication i have to go outside of myself and actually to the opposite side in order to better understand what the possibilities are so i mentioned that so you've got to ask

who will use the technology what will they use it for how will they use it and does it solve the problem that they're looking to solve cyber security is a problem solving industry it is about the end result and the way that we get there is by asking questions that are designed around the human part of the process that i encourage is find inspiration so when i say inspiration i mean what you want to start to do is let's look at um what what what is possible so i like to when we're doing brainstorming put out all the different things that are possible you want to be bringing in different uh industry work so a lot of the work i do

is really um inspired by marketing um i like a lot of the i'm working on diversity job descriptions i look at marketing job description um with a lot of the work we do i actually look at coding um for the for the kind of thinking that i need to actually um empathize with so there are ways to be inspired you've got to find that inspiration you've got to be outside yourself ideation brainstorming collaboration so talking it through lots and lots of communication back and forth all of those planning sessions those work groups those are so critical to human central design and then implementation you got to put it into practice put it into operations test and pivot

but that's what i want you guys to do not to think but to do it's in the doing that we see the change happen ultimately what we want to make sure is that we are with human centered design doing three major things we can see an increase in performance we need to be measuring whether the security controls are putting in place whether the problems that we're building and whether the awareness areas that we tend to uh communicate are actually performing is it working do people care and and are we seeing a reduction in risk based on what we're what we're having happen we need to improve the user experience so are people coming back to us and saying this is

great or are they saying please no more or you know are we telling them no before they come to us what is the actual engagement that we're doing with users so that they feel like they are part of the process by which we're working we in security can't work in isolation and then one of the things i learned my first day of law school by a professor who i remember today but he was very very mean to me um when i rambled on and on in my law school class what he said was keep it simple stupid and i thought it was a little bit of an insult but what he was saying is if you cannot explain to the average

person in a short amount of time what you're doing and why it matters you do not understand it as security professionals if we're thinking about other people all of the language that we think works for us is great but it may not work for other people and our job is to solve problems to increase performance and really to enable others to do the best job that they can when we do that we are actually delivering on what our promise is so our future our collective future looks like this i want you all to go out and start to imagine the ideal security scenario what does that look like over and over again i hear how little

people get with regard to you know they're doing the job but they they don't see the progress or they're they are they are in a situation where they don't feel appreciated imagine your ideal scenario imagine that you were the person who was impacted by your security how would you want that to look like or feel start to practice saying yes but i envision a future that is security that is future um that is um forward-thinking but it's also service leading it is about delivering a service that is really complex but it's also high impact and so you want to start to say yes but instead of no we're going to be the organization that says yes

but we also then finally want to understand the users understanding security where do you we have to meet the users where they are so it's not it's not enough for us to take our shirts and not for us to go to all the cons and for us to um you know do the gamification what is it about what we're learning that we can apply and translate so that a user with little knowledge about cyber security can benefit from that we've got to start talking less about knowledge and more about benefit that is what i see as the future of cyber security and i again want to thank you um this is the end of my presentation

and if you're looking to connect with me feel free to visit me on twitter linkedin or instagram thank you
