Bringing Critical D&D Skills to the Workplace

okay still waiting on the youtube side there okay should be soon and checking in the back end too for other monitors and we're live three two one go hey good afternoon everybody uh thanks for joining the b-sides event today and i just want to thank the event organizers for having me uh this will be a little bit different talk uh it's not about red teaming or blue teaming or purple teaming it's about polyhedral dice teaming so this is all the skills from dungeons and dragons that i think are critical that are used in the workplace so i hope everybody has their little polyhedral dice ready to go this will be a little bit different time all right so i'm not

going to spend too much time about who am i i can make the slides available later if anybody wants them i'm an army veteran served 10 years i spent several years as a contractor a few years in federal government backing contracting my area of expertise is cyber threat intelligence analysis uh i will take all questions about role-playing games and about soccer so i'm assuming most people here watching the stream have some idea what dungeons and dragons is but if you just came across this randomly and you don't know this is a tabletop rpg a tabletop role-playing game generally in person with between two to eight people obviously in the covid world the online aspects of this have

increased so there's a lot more online versions and groups doing this and yes the nerdiest game on earth requires you to play with some of your closest friends or frenemies um so we have tons of books dice miniatures or the little figures um and just so you understand some of the lingo the dungeon master or game master dm or gm sort of organizes the event they're the narrator the arbiter of rules they run the sessions that all the players participate in and the adventuring party are all of the people who are playing in the game that are not the dm or gm we use dice to add randomness to the game so polyhedral dice are a thing that all

of us rpg players use so what does dungeons and dragons look like it could look like this people sitting around with a map right so this is the non-online version it could look like this it is available for people of every age or group every background plays dungeons dragons and role-playing games and it looks like this because everybody has a ton of material and books and references and actually i don't even play dungeons and dragons anymore technically i play pathfinder but that's a whole nother discussion we may get into so why so to get into the meat of this skills that i have acquired through dungeons and dragons and role-playing games that i use in the workplace

research and reading comprehension so i have a few terms up here meritocracy oligarchy patriarchy i learned about all of these terms from books that i was reading when i was a teenager that's the first time i read about why is the feudal government set up the way it is um and it was like the library of alexandria because yes this is a fantasy based game but there's a lot of elements in it that have historical or real world applications like governments monetary systems um how we want to organize the a lawful system of government what are the laws who gets to decide right so a lot of a lot of times you might not think that that goes into a fantasy

setting but it really does so as a gm or as a player you might be doing a lot of research and a lot of in-depth reading comprehension if you take these games fairly seriously and then as a gm or someone that runs the games we're interested in you know reading up on what's the weather going to be like for this session what sorts of religions might be involved are there unusual plants different monsters how will magic work are there some podcasts i should listen to to get ideas right and it goes on and on and on in terms of research and reading comprehen comprehension and a lot of people who are interested in role-playing games

are voracious readers right we are consuming large amounts of information right does that sound like something we might do in cyber absolutely regardless of where you're at in cyber security we're consuming huge amounts of information so i said i work in cyber threat intelligence so i am focused on a particular geographic area in the world but even with that limitation there's a huge amount of threat actors that i have to follow so being able to consume a lot of information and understand it is really critical so the other big one here is written in verbal communication skills so again not a hard technical skill there's no there's no comp tier ec council presentation plus certificates that you can get but we all

know that people in our field have to have these skills this even came up in an earlier presentation about the pen testing where we talked about the written reports and how critical the written report is and who is the report for is there an actual executive section is the executive section something that an executive can actually read and understand and benefit from from a business aspect and and obviously anybody who plays role-playing games and dungeons of dragons communication is huge right so notes to the players planning your sessions trying to figure out npc backstories as a gm as a player character figuring out your backstory right there's written communication and some people do that more or less than

others but from um people i know friends and associates that play this game especially if they begin early writing and speaking in front of other people tends to come a little bit more naturally so i think there's a direct correlation to being involved in dungeons dragons and role-playing games like this and having a comfort with some written and verbal communication so this is not to say that you should necessarily play dungeon dragons to increase these skills but these skills definitely are used both when i'm running games playing games and at work as well so the next thing cooperative problem solving so anybody john real quick sorry could you stop your share and reshare it it looks like we're getting some

share issues where it's going over the screen thank you sorry about that so i've reshared perfect presentation thank you is that working yeah perfect thank you all right sure it wouldn't be an online event if there weren't some technical difficulties so um cooperative problem solving everybody who's done a group project anywhere in their school understands this right so at work we are going to routinely be asked to solve problems overcome challenges in a team right in a group right so from the dungeons and dragons perspective like every encounter every session is going to have problem solving and this can be both in game in the fantasy world itself and out of game right there's going to be problems that

arise out of the game as well how do you interpret a particular rule how does this spell work i remember going back and forth about you know the mathematical formulas about volume related to fireballs at one point um it the rules did not really go into that level of detail necessary so this also will tie into critical thinking as well because in cooperative problem solving we often should be getting diversity of ideas so we don't have group think and that's really important as well and we'll come back to an idea related to groupthink when we talk about creativity but problem solving and understanding team dynamics and how to work within a team is going to be really important

in your cyber security career right i am not a fan of the mantra of infosec rockstars i don't think that works i don't think that they have been particularly helpful the ones that i have encountered and the people who are better at working as a team and collaboratively and cooperatively trying to figure out solutions to problems are probably going to do better than people who are rugged individuals who have trouble in teams that's not to say they might not have a good career but i've seen that person not do as well as people who can embrace cooperative problem solving so everybody who's played in a role playing game knows how difficult this can be so the other thing if you're someone

that runs games is a gm or a dm man the planning you have to do to run your game and get it successful especially now in covid and maybe it's gone online or maybe there's certain people in your sort of family pod that you're playing with and you've had to change the game because other people aren't you're not in contact with them so this is basically project management i mean this is planning right any time you're planning people planning anything with adults it's complicated right we've all had a facebook invite invited 150 people to some facebook event and then three people show up right that's just how it works when we're all adults so what do we do with conflicts so

conflicts around planning right just like the meme on the slide says do you if if 75 of the crew can make a session do you have the session well what do you do for the person who couldn't make the session how do you handle that are they going to be frustrated are they going to be upset do they understand what if the do they get experienced if they weren't able to make the session or are they going to be a level below everybody else because then that might have to change the encounter level right so all of that goes into planning hey john real quick sorry again could you stop sharing reshare again we're getting the screen

artifact again thank you sorry

how's that you're good you're good all right so and then this is also in and out of game right so there's planning in game of what's gonna happen in the session are we using a pre-made adventure am i gonna run my own adventure you know what what encounters am i gonna have am i gonna have some random encounters am i going to wing it right i actually enjoy winging it quite a bit when i'm the gm with certain things planned but not everything and what about the calendars and emails and invites and coordination right which also ties back into communication right and there's some other planning and project management also around dealing with your friends right so it's

one thing at work to have teamwork and project management and cooperative problem solving it's another thing to do with people that are your friends in you know from your role-playing groups as well that adds another level of uh you know potential stress to to get things working uh with everybody so moving on so creativity and imagination so this is one of the ones that i think is often undervalued in our world but those of us who are ever in the military have all have at some point and probably multiple times ask the question of why do we do it that way and the answer has been because that's how we do it or because that's how we've always done it

right so no one has thought of a better way to do some particular process so this could be technical this could be directly related to something technically that you're doing in the field or it could be something related to process right it could be an sop that maybe doesn't make sense anymore because it hasn't been updated in three years uh it could be about how we handle patching and why are we patching this way right so imagination and creativity is obviously hugely important for those of us that play role-playing games you know dungeons of dragons or whichever role-playing game you want cthulhu d20 modern and we can use this in the workplace when we are trying to overcome

a problem or a challenge right those of us that are creative and really do use our imagination routinely can come up with some other ideas the other place that i think that this is really important that's not on the slide is to be a to play devil's advocate if you are in a situation or a meeting where everyone has sort of agreed very quickly to do x right you might want to play devil's advocate to throw some other ideas out there they might not actually even be ideas you want to see implemented but it may help to get the conversation going it may help to figure out some pros and cons on solution x that people have already

decided is the way to go and then in my world and in red teaming and adversary emulation and pen testing can you think like the adversary and i don't mean can you think like the adversary that i might once i'm on the box use a powershell exploit to to laterally move i also mean think like the adversary like we are a large fortune 20 bank who is being attacked by apt-123 and what are the motivations and goals of this persistent threat actor it could also be understanding the geopolitical environment right if you are working at a very large organization with offices worldwide the geopolitical climate in different places is going to change over time the threat landscape may

change much differently in those disparate locations so can someone who is creative and imaginative also better lend themselves to think more like the adversary so i think that's another area that this can also be applied to so i covered a number of different things already so hopefully the slide is good because there's a lot of other infosec related skills that i think are directly applicable to those of us who enjoy role-playing games and participate either as a player or as a gm red dm so i like thinking on your feet right because no matter how good you have planned an encounter or a session the players are gonna railroad you and go off on some tangent

right it always happens so as a dm or gm i wanna embrace that and i wanna come up with something real quick off top my feet off the top of my head right and this is actually applied to me before i was in the workplace and a senior uh executive just walked up behind me and starts talking to me right man you want to make a good impression right i know who this person is they are very important to this organization so think on your feet answer the questions it also basically got me my first job in cyber because we were walking around because we're on the bench which is in consulting you're waiting to be client

facing and we basically overheard some people talking about a problem they had and uh that was how my buddy and i signed ourselves up to make a four-week course for the army about cyber in three weeks which was very interesting critical thinking and root cause analysis root cause analysis why is the evil wizard in this village why does he keep attacking this village what is the deal with him and this small village of 75 people like what's the what's the motive that he has to cause mayhem for these poor peasants out in the wilderness right and obviously that's the d d example but root cause analysis finding the thing that's wrong is obviously an infosec scale

whether we're talking about like figuring out a firewall problem um is it a discord problem that root cause analysis something that um we're doing in the game but we're not thinking about it routinely so uh the social emotional learning or social intelligence is not something that gets discussed a lot but as you play games with your friends and there's conflicts in and out of the game with your group of friends right that is teaching you some skills around social emotional development and social techniques to solve problems right so this is something that i think is pretty interesting as a as a person who's led individuals led teams at work right trying to resolve problems with

people at work is sort of one level of difficulty and stress right you may like some people at work you may not like some people at work you might like your boss you might not like your boss right but when you are in a group like this and you want it to be fun generally you're playing with people you get along with to some degree but when there's a conflict there you are now in a conflict resolution state with people that you care about which means that hopefully then you could parlay that skill to being a better conflict resolution manager at work because you have done it in this environment i really think um all of the skills

that kind of are on this slide speak to the soft critical skills that oftentimes we're not talking about a lot in the cyber security and infosec community um like the researching the ability to communicate effectively um there was a presentation at hacker halted earlier this week where we talked about communication we talked about report writing so i know that a lot of very technical folks do not like to be the people writing reports regardless of field if you're a pen tester you're on a blue team you're in cyber thread intel right a lot of people don't like writing reports i do not have a problem with writing reports a lot of problems also have a lot of people also have some

challenges and problems with speaking even in front of very small groups right so those of us that you know go and play role playing games have spoken in front of at least small groups of people which is generally how we encourage people to build up their confidence to speak in front of groups not everyone in the career field needs to get on stage at a b sides or get in front of executives but if you want to have career flexibility and growth and promotion both of these things are going to be critical writing reports briefing people it's a huge part of how you'll be able to advance your career in addition to all of the other things

on here i know i sort of briefly touched on that project management and planning and scheduling but that is huge in a work environment understanding your boss's schedule making other people informed of your calendar i mean i take that skill for granted but based on first-hand experience this is not a set of skills that people just inherently have um so that is actually really important because we need project management we need people to make sure everybody's coming together at the right time frames to accomplish those particular tasks so we can deliver the solution or you know come to come to whatever that project needs to be at the end of the day so i think and those of you who have

played dungeon dragons or other role-playing games right there's a lot of things that we're doing in the game in-game out of game with that group that translate into some really important skills that you can use in the workplace so i did want to leave a little bit of time for some questions and answers so i will try to see if i can see anything in the discord chat um and if not then i can talk about one or two other points so let me see if there's anything in discord john i'm not seeing anything yet i'll let you know also from the youtube also just to let you know the slides you might have to reshare again there now i

can see it okay thank you oh interesting okay um yeah so if i don't have any questions um i'm a big big advocate of especially for junior folks who are trying to make their way into cyber security right there's been a few presentations that sort of talked on that subject today it's obviously a big concern is um one alissa miller's presentation for on barista to bartender barista to penhester where we talk about the skills that a barista might have right i take multiple inputs and prioritize them to accomplish certain tasks right so when you're if you're a junior you're trying to shape your resume based on your volunteer work projects you did in school right we we want to think about all of

the skills that are critical to make you successful at work i mean clearly clearly we you're going to need some technical skills to work in cyber security obviously depending on your specialization that might change a little bit but most of these skills are on the slide and that i've talked about are gonna really be helpful to you uh regardless of which specialization you find yourself in in cyber security um so i'm not necessarily advocating that everyone should go play dungeons and dragons to get these skills but i think that there are there's methods to get these types of skills if some of them aren't something that's already in your toolkit there's classes about critical thinking there's

classes you can take about root cause analysis and this may vary depending on where exactly you know you find yourself in the community because there's so many different specializations um yeah in terms of gamification and learning i see a comment in there that's definitely something that you know certain organizations and businesses are doing to gamify learning as well so that's another tie-in for those of us who have skills in the rpg arena and have you know or our gamers right we can translate how that works to gamification i understand how quest lines should work right there's there's a lot of theory we could get in about why people play video games and what keeps them hooked

into video games right so could we gamify ctfs even more so that people are earning you know rewards as they go along to make sure that they get hooked you know that's you know that's pretty interesting um to think about from that perspective um so yeah i don't know if there was anything else if i missed any other messages there yeah yeah so i yeah i yeah um i don't have a off the top my head i couldn't tell you where to get additional resources related to that but if you're in the infosec twitter space which i highly encourage there are definitely people you know doing gamification um of cyber related uh learning so yes that is definitely happening so

again if you want to bridge two things that you're interested in and you have you are a gamer in some capacity and are interested in helping um a lot of the companies that are doing training virtual training range training are trying to incorporate gamification into that as well

all right thank you john sorry about the technical difficulties there but very good information thank you yeah and if any my contact information is now on the screen as well i'm on twitter a lot as much as i can be which probably isn't healthy but you can find me there thanks for having