Alex Dreams of Risk: How the Concept of Being a Craftsman can Help you Find Meaning and Avoid Burnout

BSides Las Vegas · 2013 · 48:20 · 24 views · Published 2017-01
About this talk
Alex Hutton reflects on burnout in information security and offers craftsmanship as a personal antidote. Drawing on Jiro Dreams of Sushi and his own work in risk management, he argues for dedication to skill, bringing outside disciplines in, sweating the details, and obsessing over the experience delivered to the customer rather than chasing rock-star status. A personal, non-clinical take on finding meaning in a field that grinds people down.
Original YouTube description
CG2 - Alex Dreams of Risk: How the Concept of Being a Craftsman can Help you Find Meaning and Avoid Burnout - Alex Hutton Common Ground BSidesLV 2013 - Tuscany Hotel - July 31, 2013
Transcript [en]

I'm not going to use that. I'll try and hold it up to the laptop. I do have a little bit of video. Are we ready? We didn't be good. All right.

sorry

you could always give it without bugs ah sorry sorry

good night at till you've lost weight. Okay, so my name is Alex. Thanks for coming, and I wanted to give a talk. This is not a normal talk that I would give about really risk management or data or data breaches or all that stuff. This was actually spawned by a couple of discussions online, in person, past BSides presentations and so forth about burnout, and it really was kind of my thoughts on the subject. And I want to get some things like straight away set off between us: it's real, right? I think that it's a big deal. It sucks. I've seen a lot of really, really great talents just get burned out and not contribute anymore, and I, that makes me kind of sad

really, to watch friends just not want to be doing what they want to do, to watch them, sometimes they become self-destructive, so forth. But most importantly, what I wanted to talk about, this is not a panacea, right? This isn't like I'm a psychiatrist, a professional. This is just kind of some things that I have self-identified that helped me and keep going, and I figured if I can help somebody, or if I can give a different perspective, or maybe identify a root cause that somebody with burnout might be feeling, that might be cool, right? Maybe we get out of discussion. I'm not trivializing this. There's also a kind of a tone when you get into these took

sorts of burnout discussions, there can be a tone from the couch over side that says "what's wrong with you?" and I don't want that to seem like that it's coming across either. So it's not a panacea; I'm not trying to trivialize a serious problem. All I'm trying to do is tell you what's kind of working for me so far. I've been doing information security since 94-ish. There was a point in time when, believe it or not, people had just Cisco routers with static packet filters, and my first job straight out of college, okay, was to explain to people that an actual firewall might be a good idea and you should spend fifty thousand dollars on a freaking firewall

at the time. But I'm not, I'm not an expert on burnout. Um, apparently this year we had a really, really specific speaker request for Mr. Hutton. We did; we asked him if he needed possibly like a special adapter the grooves laptop. Mr. Hutton had a request for long a [Applause] briefcase full of cash. Okay, we're joking, we're case full of cash

two blenders, we got 10 station 3, hurry up, excellent work on the way, check out a pomegranate which are actually on the way, access to a lawyer, this is a thank you yes convertible with some American me get him up after the talk we're gonna wrap up some of it off later. So that's disturbing as hell. Yeah, the other thing that, the thing that was redacted was PE seara is going to be wearing Fear and Loathing like the two of us. That's pretty badass. So I'm not doing this because I think I'm an expert. I'm not, not a psychiatrist. I'm just some schmuck that's been working in security forever. I'm really doing this because, you know, I

look around this room and I see the faces of friends, I see the faces of people I care about, I see the face of people I don't know that, frankly, you're disturbingly young, and you might get to my age long time and still be in this industry. And I think that we're an awesome emerging discipline. I think it's, that means that we are the basis for something much bigger than all of us going forward, kind of for Western and Eastern civilization, right? I mean, the internet's not going anywhere until everything breaks down, basically. Yeah, I'm one of those 90s I. Okay, so I went to Mayo Clinic and I saw the causes as Mayo Clinic identifies

them, burnout. I thought we'd talk about some of those in the context of security for a little bit first. Begin with a lack of control. Man, I deal with this on a very regular basis. I have no control. I work for a bank, for those of you who don't know. I have no control versus what the government wants our security program to be like. I have no control versus what the auditors think my security program should be like, the internal and external. I have no control over a lot of those things that I have to answer for, and frankly most of the time it's a complete waste of my life and it doesn't help catch bad guys. Unclear job

expectations is another source, and I think that's something that, that we have several contributing factors that will create unclear job expectations for us, not the least of which is: isn't the CISO's job kind of a sucker bet, right? Because that, if we're frank with each other, just about anybody can be owned at any time, right? If the expectation that is unclear or unsaid is that when that happens you're gone, no matter what, no matter what other diligence you can provide, us dial get your friend out pretty quick, and frankly I know a lot of my CISO peers who suffered through that. Dysfunctional workplace dynamics: all this work places artists, but this does come down to us because we

have to, as security professionals and risk professionals and so forth, we have to interact with the business, right? And we have to, more times than not we're just either a speed bump or a stop sign to them making more money, in their mind, or doing what they really want to do. I have both vendor management and risk management functions, and it's really difficult to tell the business sometimes, hey look, this vendor has to be a list that at least this tall to get on the ride here, and they'd suck, right? We, we had one, we had one organization where we said, okay, so tell us about your security program, because you want to do this myth like banking thing with our

software, and I said, well, we coded to Quicken specs in PHP, so we're secure. That's, that can create these sorts of dysfunctional workplace dynamics with the rest of the business, can create some big problems. Part of that is also mission and values: the business wants to make money, we want to stop them from losing money. That's not always apparent. Poor job fit: friend of mine and I, here's a very little secret about chief security officers. Many times your chief security officer that you will encounter in the wild, mine's different, but many times the chief security officer in the wild doesn't know what he's doing. There were, when, in 94 there was no freaking handbook for this, right? The security

officer that was made security officer in 2001-2002, 2005, they were basically the guy that didn't [ __ ] themselves in meetings. They were the final event that we could withstand in the large meeting. That doesn't mean you're a good job fit to be a leader of a larger team as this entire industry is expanded in the last one year. Extremes of activity: mainly that's something that's really boring or way too exciting all the time. Anybody worked them go from, from fire alarm, fire alarm, fire alarm and their job, and then have this long period of just, you know, VPN access requests? That can be a huge piece for burnout. Lack of social support is one

of the reasons why I'm a big believer in BSides, of even a big believer and I used to say my sock that to some extent recognizing my mind where they do fail, because I think we do need the social support, not just online, that, you know, based based human contact like you have now. Now I'm going to work-life imbalance: too many people working 60 hours of these. So these are some of the ways that Mayo Clinic has identified it. I'd like to add a couple of things that we've talked about as themes that with my observations. first screen is not easy. You know, we're changing, but we're at a point where we're in an always defensive

mode. Anybody here watch basketball, football, some sports of some kind? How many teams win in a purely defensive mode? None, right? You have offense. You get, that's what we're doing, the most part. We won't talk about them straight. Security is a cost center. Anybody here run a business at some point? A few of us, right? Those who do that know what this means. For those who don't, how many of you guys use a free and open source office-type tool to do your work instead of Microsoft Office or something? A hand for folks, mainly the CEOs, right, that I just saw. But that is for, that is, you're using something open, you're doing that because you don't want to spend the

extra money that would feed your kids or yourself instead of giving it to Microsoft, right, or whomever. Security is the same way. My CEO doesn't want to lose money, but he sure as heck doesn't want to spend money on security, and he doesn't have to. We're a cost center and we're always going to be seen as a cost center. I mean, that's always going to be a difficult business value proposition at a boarding level. Ah, doesn't have to be that way if you track the metric, so how many companies, customers you bring in who care about the security posture of your organization. Start tracking that over time, both terms of total bookings and in terms of proportion to those

customers who can, you can start demonstrating how security brings in business. I think for a B2B plays, I think that's absolutely probably something that you can pull off, yes. For B2C play, gets a little more difficult than numbers get a little squishier. In the meantime, if you're asking for 20 million dollars of security versus marketing is asking for 20 million dollars, we get our revenues, they tend to believe their made-up numbers versus our made-up numbers. But the point is this, is that revenue-generating propositions is where, is where businesses like to spend that money. It does because we can do some sort of imaginations as somebody involved in this manager I tried to no

time facilitate decisions, but at the end of the day we're still a cost center even today. That's where, that's where we hit the general ledger, and until accounting rules are changed it becomes very difficult to get political buy-in in a large organization state law. Now, if you're our B2B, if you do have government in interfaces now, if there is a specific cultural pressure that we might have to acknowledge it is temporary, you may be able to get more buy-in than, you know, you currently get. That's not going to change the fact that as far as general ledgers are concerned we are expensive and expensive seems like people see me feel like a peer security is not

spreadsheet that you have lost the business instead of winning business that you pass, so more potential to be seen as negative than positive, because the salesperson still won business; you just passed the minimum bar. That's right, and I like, I like, I love both of these comments, don't get me wrong, and I would love to work on making it easier for our entire industry to recumbents. I think that would actually be worthwhile, and possibly considering that I stock you can make me a bunch of accountants one beats anyway, it would be useful to the interface there and trying to figure out how to make that happen. In the meantime, in our lifetimes, you've got gray hair

like me, that might be a long cultural change to start to me. And part of that is because our benefits aren't directly observable. Anybody ever try to put up a, you should try to put up a "can we stop this much spam" or just raw firewall metrics in front of a large CEO or somebody? How's that going for you, David? Possible, yeah. Yeah, "we stopped 30 million attacks last month." Great. But the benefits of security are not necessarily directly observable unless, until you have an incident; then they're very observable, unfortunately. So these things are just some observations that I've had that actually also a kind of outside fact, industry and cultural factors that can contribute. Personal, I've identified some

types of things where I've had to change my mindset. A Western expectation of self-fulfillment: get a little more into that a little bit, but that has to do with what makes me feel like I've had a good day at work. Is that because somebody like Josh Norman thinks I'm smart? Thanks, Gary. For expectations we have from our audiences: so for years and years I was one of the guys who, for a penetration testing company, would start to talk to house the guy didn't poop himself in meetings and I would fuse in our deliverables, and for a long time I thought the "you're not secure, don't you get it?" battle, right? I had these expectations of our audiences that they

would share my risk tolerance, that they would actually get security and the value, that they would really appreciate my work. That might be a poor expectation; we'll talk about that a little more. A lack of experience: where I have been inexperienced can be frustrating for me to take on something new. I think some people that I've observed in various security teams and felt that way as well. I had a friend who dropped out of the pen testing company because he didn't feel like he was getting mentored, getting, had the experience to do, to, you know, basically break into credit unions and banks. Ironically enough, two weeks ago, I was thinking about you when I wrote

the slide, two weeks ago contact you like them to see if I would do is a CISSP recommendation rather than explain I don't do that. So lack of experience can be one. Lack of self-confidence: so I, I think those of us who have been, who lived through the 90s, we, you can kind of identify what this means, right? We didn't have a blueprint. We didn't know what we were doing. We don't know what we're doing. But at the end of the day, some of those people who have been successful, it's not because they're really smarter than anybody in this room, I'm certainly, it's not because that, that they were even monumentally more luckier, had better information to use than anybody else in

this room. A lot of times is just because they got it with a lack of self-confidence and did [ __ ], to be frank with you. Stubbornness: where I get stubborn, and so I have a, that lack of self-confidence to somebody else, I have to do the whole I got my skirt and get going. Stubbornness, I give me a stubborn [ __ ], but all that say I can want to do things my way without listening to others, and that is a hammer against no nail many times. A constant need to be the expert in voice rather than out; that's fairly self-explanatory. Because we kind of go through these, these are, these are some of my personal cause. I

don't know if they resonate with you. I came back to that Western fulfillment thing because I recently got introduced to the idea of a craftsman, and namely the Japanese perspective on that, through this gentleman. So there is a, a film; his name is Jiro Ono, and he is actually, it's amazing, and I'll show you the trailer in just a second. He's this 85-year-old gentleman who has a sushi stand inside of a subway station in Japan. Anybody seen this film, by the way? A couple people. Loved this film. It's 10 seats at a bar. I think they were talking at the time its prices started at three hundred bucks, I believe, right? Eight-month waiting list, three Michelin stars, the

only Michelin-starred sushi joint, if you will, and a perfectionist. And what I really got out of this was really this whole "fall in love with your work" angle, right? So as I looked at burned-out, burnout, and I thought about it, and I had this movie influence me a little bit, I thought, okay, maybe, just maybe, this idea, the craftsmanship, is where I've been successful in avoiding burnout. Maybe that's something where I had embodied this unwittingly in the past. So let me show

So what my witness is, really, it is about the craftsmanship. It's not about being smart guy, it's not about listen to you about creating an excellence in the eyes of the people that I serve. And I have to realize that sometimes I act the other way, as an industry of a tendency that. The irony of this slide is I ate there last night and the salad did a number on me. The salad or a lot of liquor, probably. Also, if you go to the Gordon Ramsay, think the pub, just remember to one to one. Okay, so full of each other balance Mr. Screams-a-lot with the genteel old man that you saw recently. I

Gordon doesn't have three Michelin stars, right? Instead he, you know, we have those fish and chips and twenty dollars of shepherd's pie that big. And I think there's a real difference in the life and a mindset. And so for me, I'm starting to try to adopt this. It's not easy, and making him my new life not responsive and thinking about this. And the times where I've been most productive in my life, it was definitely a, there was no conscious choice to wake up and try and blog or write or create day a deliverable that somebody was going to consume. That's not always the case; I have to drag my ass in front of a computer screen sometimes to

do stuff that I don't want to do, namely HR work. But it's, it's definitely one of those things where you realize you're in that groove, and it helps contribute to this obsessiveness. The whole of Jiro Dreams of Sushi is because the man actually dreams of sushi, has grand visions of it. He self-identifies with his craft, but that obsessiveness is not about him, it's not about marketing him; it's very much an obsessiveness about the deliverable. "It is essential to check every detail" is the quote there, and if we don't recognize what the details are that we have to check, and I'm not so much talking about having some unpatched vulnerability, it is the ability to check every detail in our ability to explain

that to folks and to get them to make better decisions. That's where this "every detail" comes in. It's about the craft; the product is the result of that craftsmanship. For me, that's something that I'm trying to take into my work now. "You must dedicate your life to mastering your skill." This means, to me, I'm going back to school, learn things that I've had to be either an autodidact on and to learn them better, or it means, for a chance, going out and finding things outside of security and bring them in and try to apply them to see if there's any benefit there. When we did the Data Breach Investigations Report, the true brilliance did was Wade

Baker and Peter Tippett. Dr. Peter Tippett had a background and applied an epidemiological approach, right? He was an actual, natural medical doctor, right? He was like, "Oh well, data breaches, we're going to take a CDC-like approach and we can figure out what goes on," and you brought something outside in. The Risk I/O talk that just happened, right? The guy who is standing up there basically blew away CVSS and actually had evidence-based probabilities for trying to find what vulnerabilities can be exploited the most. It's a seminal talk over there. Just, he's a data scientist; he knows nothing about security. Has that Bellis with him, he used to be a CISO, just explaining it within that context, but that

company brought somebody completely outside of security. You take a firewall admin and bring them and say, "Okay, now quick, learn game theory," right? They brought somebody completely outside. Now that doesn't mean we have to continue always bring people outside. That means we need, in my experience, I need to bring things from outside and start applying them in. It's, it's also not just settling, right? This, the quote here is "I don't think I've achieved perfection." Now if you watch the movie, you'll watch the food critic just absolutely just gush over this guy and say, you know, when he dies it will be centuries before there's anybody can bring this level of perfection to their work, but here he's

85 and he wants to continue to improve. Contrast that with our security rock star mentality; that's kind of humbling right there. On the other hand, it's also about rebelling, right? This quote is great, I love this: always doing what you're told you can you'll succeed in life. For us, one of the great things about, I know I'm still on that Risk I/O talk from next door, one of the great things about that was everybody who started going, "Holy crap, this means I have something to discuss with audit, have something to discuss with my PCI QSA," and so on and so forth. And what was cool about that was, well, good luck, because now you're a

rebel. Now you're using data, using evidence, using the real world against somebody's made-up standard, right? But those people who are going to do that and be successful, they're really rebelling against that sort of status quo. Sacrifices are going to have to be made, if, one of the things that comes through and this is how much of his personal life he sacrificed. I can't advocate that; as a father of five, I just can't. But I think that's an interesting quote, because this is somebody from the outside, obviously ma Jiro, saying keep you have to be insane to have any regrets. The craftsman is recognized for that never stopping. Obviously we've talked about how for him the journeys

matter, or even though he's 85 and considered possibly the greatest sushi chef ever. There's a point in which we have to go to love criticism of ourselves and create that feedback beat. I want to make this and maybe some Holly there's too much java but, but it really is about understanding what the, really, for me, it really is understanding how somebody can look at what I do and give me honest feedback that will make me better. For those who know musics, one of the greatest things that's happened to me in the last year is, after my RVAsec, convicts came up to me and said, "That sucked." Okay, cool, do tell. And, you know, I

think I would improve that specific talk this way based on that feedback, and I love the fact that he came up and give considered me friend to come up and do that for me. There's some things I find about this as well, as I've looked around for craftsman, and I think not just a Jiro here. Now I'm starting to think about, you know, craftsman: Mies van der Rohe, Frank Lloyd Wright, some other people like that who I would consider it as top of their game. Not all of them are egoless, but the craftsmanship itself is not about the person, it's about the work product. It's also, generally shouldn't be mean, right? Just shouldn't be this guy screaming, and if you find yourself in an

organization where that is your CI a-- CSO and ever my, I encourage you to leave their service in your all. Speaking of which, it's, this is not, there's no guarantees this is a smooth read, right, everybody? Just because you think you're a craftsman or you start adopting these principles doesn't mean that bad things are going to happen and that you're gonna have to deal with it. The other thing that really came to me is this is not something that you're going to attain. There's no power-ups, there's no level-up here, right? It's actually more about who you decide to become, as I see it, right? Jiro never set out to say I'm going to be the best sushi master ever;

it wasn't like he was going to go to try and save the princess there. He wanted to make great sushi; he decided to make great sushi. You decided to become, to adopt that Constance appear. So, um, last kind of few minutes, I thought I'd talk about, I see "cooking like Jiro" and my current job, and maybe we can apply that brought more broadly. So first of all, I just identified a handful of things here. So the first one is understand your customer use. There's this great shot where they have like Tokyo's greatest film, I'm sorry, food critic, and Jiro puts out the sushi in photo and the guy should you know and I was like, how

cavalier is this guy, right? If I had this wonderful piece of sushi chef you like, he just shoves it in, and while he's doing that, right, I'm gonna pick on you, Jiro's like this, watching and chew like watching every little piece of his face for some feedback there, right? And so it's understanding your customer's needs. And so as we think about it, I think the question that, that we might want to ask ourselves, whether we're consultants or whether we work in a large organization, is: what is it that our customer needs? I'll open this up; this is, I won't make this a rhetorical slide question. What do your customers need? Who are your customers? What they need? They need

visibility visibility hey Paula challenges

large

good. They need a solution to the problem. Solution to their problem. I drop value for their money. Value for their money. realize they do have problems. Better understanding threat. betterish annular threat, whatever you see. Okay, they say, spoken like a true consultant. Making a good choice for the organization. Oh, you win, you win for the organization. When I boil this down, and I think if you talk to a really good CISO, what arkin everybody who answered this question and body this into some degree, what our customers really need to do is make good decisions. That's a weird decision support. We're not a longer an expense truck. Sure, if we're going to get to the point where we can tie ourselves

to revenue or profit, right, it's because we're contributing to some quality-based decision. Now that's going to include things like educating about threats, educating about probabilities on friends; it's going to include whatever you want, let me listen all of that stuff. But this is a craftsmanship. It's not necessarily "I'm going to create a great exploit" or "I'm going to create a great defense-in-depth structures as security architect," right? It's understanding that and going business language. Business language, right? If you're going to be a true craftsman, right, you're not going to give them decision support in the language that they don't understand, right? Oh my gosh. So there's a sushi place by us in, in Utah. Anybody, anybody ever been to

Utah? Interesting place, right? So they have something there called fry sauce. Anybody ever had fry sauce? Yeah. Those of you have it, fry sauce is this wonderful mix of ketchup and mayonnaise, right, mix all up and you put it on french fries, right? It's kind of like Thousand Island dressing without the pickles. So we went through this cheap sushi place and they're like, "Hey, do you want some yum yum sauce with your sushi?" a hat, you know, and the waitress was really apologetic; she's like, "I promise you it's not fry sauce." Okay. And so they brought it out, and sure enough it was fry sauce. Pretty good. But it really is, what is your work

designed to do? it when's your work is going to do is, is really what your customer needs. Is your work designed to actually give them a better experience? I mean, as much as I'm joking about fry sauce on sushi, for the Utah market some people think that that's great. They know their market; these people want ketchup and mayonnaise on everything, right? So what is your doesn't work decided to do? And sometimes it's going to mean we have to fry sauce, but sometimes it means let's take a look at our deliverable and how we deliver it, right? Let's take me up to all, you know, we have to all start dressing like an executive. It doesn't

mean we have to say things like "paradigm shift," right? Doesn't mean that at all. But what it does mean is understanding what they want, what they need, and how would you get them to make that better decision in a language that they're going to understand. I love that. Understand their experience: this next one. Now, for somebody who doesn't like fry sauce, right, the experience that I got at that sushi joint was awful. I was like, how, why would you do this to perfectly good fish? That experience was very poor. It's, it's also something that I think we tend to embody at times. If you wonder why you're not getting repeat business as a consultant, if you wonder

why that the business isn't necessarily listening to you, if you wonder why you're getting feedback about, geez, I have to go request the firewall rule change from the business, it's because that customer's experience is absolute crap. why this is excellence inside in the eyes of your audience. And obviously once have the obligatory Apple example here: we talk about craftsmanship and the customer experience. So this was a Samsung Windows phone into October 2007, anything, right? Of course, in January 2007 that phone was introduced, and there's a very unique customer experience difference there. And I know it's trite, I know it's, it's obligatory to talk about an iPhone being different, but I honestly remember my first iPhone and

sitting there and going, holy crap. it was a all day. And I remember being on a skateboard when I was in 14 in a skate park with a giant Walkman listening to "Ceremony" by New Order, right, 1983, whatever, and all of a sudden that sound came on my iPhone. I was like, holy SH, I live in the future, right? And it's, it's like this, it's not this, and I don't have all this crazy stuff. It's, it's the little slab of glass that I touch and things happen. And I'm just older and fatter now; I can't ride a skateboard more. But it definitely is, somebody has crafted an experience for you. And now what is

Samsung's phones up like, right? You know, they look like this; they look like a black slab of glass, because that's our experience. In the same way, right, what is the pen test report of five years from now look like? Where's, what are the risk values and how are they presented? Are they still stop lights, right? How do we use data? how'd it come to a conference and find out crazy people doing crazy things with probabilistic statements based on data in order to optimize the patching experience. Understand the product you deliver is, is much the same thing, right, that past that sweating the details. I'll tell you a story from my work. This is from the

operational is from an IT risk game at risk now where they had been wanting to get a policy change through banking honest, and then presented data, and they talked about this and not the other thing to these folks, and I looked at the reports they gave and I said, let's give it one more shot. This is when I was brand-new at the bank. And so I went and I threw away Excel and I went into different visualization tools, different reporting tools. I created a succinct scorecard using the same data, same information, took away a lot of the, you know, applied a lot of data viz principles to it, read my Stephen Few. We presented again to the Operations

Director the bank, and she used to be head of audit, and she said, "This is the best risk work I've ever seen." Meanwhile the guy I was working with is looking at me like, what the hell just happened, because he had presented the same data 90 days before and had it rejected, right? It was all about that experience. It was all about the product ID bird there that made a better decision in the forum. It was understanding the data viz and pulling away a lot of the craziness in the large 7-page report with all the, all the 3D pie charts and so forth, and just saying minimalism: understand the decision that has to be made

and lead them to that water. colors here right yes okay I actually would it I didn't gradients. Understand how the ingredients create the product: that's more on the, on the data viz. I understand how the customer experience is going, understand how the work that you do in the details around threat intel and the details around the vulnerabilities we exploit and how easy they are to exploit, how those ingredients combine to create that report. It's a, so I thought, I'm getting short on time starts officially of doing this, I thought I'd talk about a couple of experience here. Firewall administrative, administration has an experience. So new rule set into the firewall: you know, how does that happen at a large

organization? Typically there's a Word document form somewhere that somebody fills out, clicks on something here, there, sends off to some queue, emails to somebody, and, you know, three weeks later suddenly the ticket's closed and the rule set changes and everybody's frustrated, right? Or it's denied, even worse yet. Like, you want to use Evernote? No. you know all that's the packets. Firewall administration in the customer: if we look at the entire experience, it would be how we would want the firewall change to happen, how we would want some our moms and our dads to know how a firewall change would happen, because they would not be necessarily exposed to the magic, to the backend. Pentest: sales, scoping,

execution, delivery, right? What you do, the main value, it's not there. That's cool for us, that's what we like to do, right? But it's not, it's honestly not there. There's a huge amount of benefit in facilitating your scoping process. The best pen testers that I've seen, the best pen testers that I've employed, they scope well. They give me good decisions about what my scope really should be, you through that and it's been a lot of time there. Delivery as well: it is aesthetically pleasing, it's succinct and to the point. Yes, there's detail if I want to dig through it, but ain't nobody got time for that. Security decision support, and this is one of

those other areas. And if you're feeling burned out because you're constantly saying no, then maybe you're burned out because you're constantly saying no, we're not considering how to get to yes with the business. Decision support is a huge piece, I think, what it means to be a craftsman in our industry. So understanding the ingredients, obviously, and then here's the tears that particular for me is, thank you, creating the in using a feedback loop without ego. So I travel some, and I had a really bad travel experience recently. I thought, me, I will never use this airline again. Of course I use them to fly out here too, right, because what other choice do I

have? But I had this awful experience that everybody's had, a bad airline experience, and I wanted to give feedback, right? And so what does the airline do? This to me: here's a survey, fill out the survey. Well, if you've ever had a poor experience and you're presented with "and here's the survey", how do you feel? Like, well, okay, great, I'm going to fill out a survey, and then my information is to be one of thousands of poor experiences. They're going to identify some trends of them, never going to fix the real problem that everybody has, which is that the airline sucks because of block. That's how I feel every time I see a survey about

customer experience. How often are we doing that and not having a real conversation with those that we serve, successful or unsuccessful, right? I think the feedback loop without ego has to be discussion-based. It can't be a survey, it can't be something where you click through some multiple choice. It really should be based on feelings. It's, yes, the data guy just said that, as much as it is data, how we, the feelings and the reactions that we create will help us, as long as we do it without ego. That's also very, very difficult, seemingly difficult. And so when I think about cooking like Jiro, when I think about this from the context, these are some of the things

that I'm starting to self-identify for security. So now, this wasn't a huge security talk. Sorry if you were expecting something about risk and FAIR and scatter plots and Monte Carlo simulations and talked about that blue face. I thought I'd open it up for some discussion. We have five. Please, Josh. I love the chair of the meats I know that he used it make more sense people watch it. I'm struggling, yeah. I've seen a lot of our friends burn out, gave up two different things Chandler energy. So I'm very drawn to the truth in what you're saying, that we should focus on doing excellent work and excellence. I also struggle with the fact that you can be an excellent QSA, it's not helping

anybody. Not saying that gave us a be fine excellence and the lung taxes how we. I'm also seeing a different group that say, let's focus on outcomes and be very creative, experimental in. So how would you balance excellence in one trade, how you choose which straight to be exploited, how do you choose the focus, balance that with results? Okay, so, right. No, I think you asked it, but I think that this is, I'll give you my experience and I'll use the QSA analogy, because goodness knows a lot of our friends that have burned. So in 2004-2005, just first, well, I really started embracing risk analysis. Before that I was doing OCTAVE, I was doing 830 2002

in 2002 my pen test company CEO figured out that we could charge an extra 50 grand if we made up risk statements, you know, right? That's what generally happened. And plus the government said, thou shalt do risk, to the financial institutions, and so they said, "Alex, figure it out," right? We created this, these standards-bodies-based things around what that meant. I hated that. God, hated that, right? Because I knew that there was absolute [ __ ] between, it was totally subjective. So what I did was I went out and I found this guy who actually

[ feedback ]