
Trust: From Zero to Hero

BSides Seattle · 2020 · 47:42 · 321 views · Published 2020-12
Category: Community
Style: Talk
About this talk
Wouldn’t it be great if everyone behaved securely? Devs writing secure code, no one falling for phishing, people following security best practices with pleasure. A dream. Today, our industry is not on the path to achieve that dream. We need to change our technology-first approach to a people-centric one based on trust to get back on track. In this talk, we’ll talk about Security Culture, what trust is, and how to extend and inspire trust. We’ll follow almost exactly the same method that FBI hostage negotiators use day to day. It doesn’t get more battle tested than that.

Speaker: Annybell Villarroel
Transcript [en]

Wonderful, thank you very much for joining this talk, and good morning. Thank you to Josh, to all the volunteers and to everybody that's making this possible today. I wish that I was there with you in Seattle, but I'm located in Spain, so I guess the win of the situation is that we get to meet over the internet and have a conversation. So before we start to talk about trust in security culture: who am I, and why am I talking to you about this? Hi, I'm Annie. I work as a security culture manager at Auth0, a company that provides authentication and authorization services for developers. I am also the chapter lead of WoSEC Madrid, Women of Security, which is a non-profit that aims to connect women that work in the cyber security field and share trainings, networking opportunities and so on. You can find me on Twitter if you'd like to continue the conversation, and for any questions I will also be in the Discord channel.

So as a security culture manager I work with people security full time, and I'm really passionate about it. Throughout this time I've done a lot of research on different topics like behavioral economics, influence, negotiation, how can we change people's mindset. So what I'm presenting to you today is like putting all of that research into a 50 minute presentation, mixing everything up and finding the core of the topic, essentially. So that's what we'll discuss today.

Before we get started I would like to ask you: what do you see when you look at this picture with your infosec lens? I know it's just people, essentially, but depending on your perspective maybe you see a group of people that might be insider threats to the company, or, like warner boggles for instance, he might see idiots that just keep on clicking on the link over and over and over again. Or maybe you might see conflictive engineers that just keep on coding the same vulnerabilities over and over again, or maybe that don't fix them fast enough. Now maybe that's what comes to mind when you look at this picture: bugs, vulnerabilities, human error just waiting to happen.

Now let me tell you what I see, especially after doing all of this research. What I see when I look at this picture is opportunity, maybe the most important and the most undertapped opportunity we have. Because is it a ridiculous idea to say that if we get all of those people to think and behave securely, then we can make the internet a safer place in a scalable way? I don't think that's a crazy idea. I think it's something that we can achieve if we actually put ourselves into doing it.

Now why do we need to take this opportunity and take advantage of this gold mine that people represent? Well, if I was with you in Seattle in person I would ask you to raise your hand if you think that the cyber security industry, that the internet, is a safe place, if everything is fine. I think it's not. We have breaches all over the place, security incidents happening all the time. I think we have a problem that we must fix, and the people side of things is something that we haven't really touched too much. Maybe we have some very boring and long trainings, but I think that people represent the goldmine of opportunity that can really make an impact and that could help make the internet safer. It just becomes a question of how. We have an opportunity, we know why we must take it; how do we do it?

So what I'm proposing today, then again, is my perspective. It's a set of ideas that have come from a lot of research, but it's just a perspective, and I'd love to share it with you. I would like to explain this with an example. Imagine we have company Foo and we have company Bar. In company Foo everything is foo. Here the security team is feared; people are afraid of us. We are the naysayers or the police; we just say no all the time. They might be afraid, they might feel that we blame them all the time. They don't care or want to hear anything about security at all, and whenever we try to do anything, or maybe put out a process or a policy or something, it feels like fighting an uphill battle. Everything is just very, very difficult. And if we have a security incident or an issue in company Foo, then we are not resilient; it costs a lot of money to fix, and it's a very dangerous situation. So essentially we don't want to be in company Foo, but I would dare to say that there are many company Foos out there. Maybe this is how you feel: it's a toxic or a difficult work environment to be in.

And we have company Bar. Company Bar is completely the opposite. Here we have collaboration, and the security team is seen. People are not afraid of us; they engage with us, they care about security and have a secure mindset. They grow and learn about security; they consider it an important part of their professional selves and of their personal lives as well. They want to learn and engage with us, and here, instead of things being an uphill battle, it feels like going downhill instead. Everything is much easier, much simpler; there's less friction and fewer issues overall. Maybe in company Bar we will have a security incident; there will be security vulnerabilities for sure. I'm not saying that this can be completely eliminated. However, in company Bar I bet that we will be more resilient, that we will fix them faster, and everything will feel better overall. I would dare to say that everybody should want to work at company Bar, where security is valued, people care about it, we engage and people engage with us. It's a much better environment to be in.

If you put these two companies side by side and start to think about the core of the issue, what differentiates them, we can put that into a single word, and that's trust. Because ultimately, without trust there is absolutely no room whatsoever for collaboration or engagement and learning; there's no room for essentially anything to happen in this context. People will not engage with us the right way; they won't care about security. Trust is the one thing that changes company Foo to become company Bar.

Now, trust, I think, might be a difficult word for us, a difficult concept, because we're used to thinking about zero trust, and "trust but make sure that you always verify", or every social engineering attack happens because people trust too easily, and we may even consider that it's a fluffy topic, hearts and [ __ ] and rainbows. However, trust at the core is a skill, and it's actionable, it's measurable, and it leads to economic growth. So if you get good at inspiring trust and being a trustworthy person, then this ultimately leads to better results. There are studies that show that companies or organizations that are high trust environments get things done three times faster and a lot cheaper, because when there's trust between two teams, between two orgs, everything just happens faster and everything is cheaper, financially and time-wise. So we want to get good at generating trust.

And trust at the core, if we study it, starts with each of us individually, with the trust that we have in ourselves. After that it goes to our relationships, the trust we have with every single one of our teammates and everyone else in the company. Then that goes into the org, and then that leads to market trust and trust in society. But the ones we care about the most for this topic and for this area are relationship trust and then organizational trust, so that's what we'll talk about today.

Let's define it before we go into the security side of it. Let's understand trust a little bit better, because then again it's not a fluffy topic, and we might think that it just has to do with kindness and honesty and integrity. However, when it comes to work settings, trust is a measure of two things: character and competence. On the character side you have integrity and you have intent, and on the competence side you have capabilities and results. But let's explain those two things more.

So character, the root of trust, is your integrity, and this is your honesty, your congruence (what you say and what you think align with what you do), the courage you have to speak up for what you believe in, in the right way, and the humility you have to accept that you made a mistake, to learn from others, to accept other people's ideas. Then after integrity you have intent, and this is having a good purpose and a good motive for doing things, having the right agenda, not a hidden agenda, not seeking a self win but seeking to have a win-win for everybody involved, and generally caring for others. And ultimately we have our behaviors. So our purpose translates to our motive, which goes into our agenda, and then this leads to what we actually do, and we have to think and do and provide the best for others.

After we have character, you must also have competence, because maybe you will trust somebody with high character, with a trustworthy character, to watch over your pet perhaps, but when it comes to work we must also showcase capabilities and results. On the capability side we have our talent, whatever comes to us naturally; we also have our attitudes, our growth mindset for example; the skills we have; the fact that we're always learning, growing, sharing all the knowledge we accumulate; and the style we have. Ultimately, at the peak of the tree of trust we have our results. This is the performance we have, our past, our present and our anticipated performance, and the methods that we use to achieve those results, meaning not stepping on anybody's toes, seeking to have win-win. When it comes to results it's not just tangible outcomes; learning is also a good result, supporting someone else's goals is also a good result. It's not just a metric, so to speak.

So we have those two things, and now we understand that if somebody has integrity, has good intent, is a capable person that also has results, then that is the most trustworthy person that you can be, and that leads to our relationships as well. Not only is this good for you overall in your personal life and in your professional life (these skills will just make you better, and social skills or soft skills don't go outdated), but it's also good for the security of the organization, in the domain of culture, security culture.

So culture is essentially what people do when no one is watching. It's the behaviors, the values, the way that people just act on a company level. First we have the company culture, and this is the overall organizational culture: the values of the company; even the way that people dress is part of the company culture. But within that culture there is always a security culture, and this is the way that people think, behave and react to security. This is people in engineering, marketing, sales, everybody; security is something that touches on everyone's role, essentially. So if you're a trustworthy person and the security team is a trustworthy organization, this leads to a better overall security culture. And ultimately culture drives behavior: not policies, not processes, but the culture of the company is what actually drives the way that people act in the organization. If we want to take that opportunity we discussed before, where we want developers to code securely, we want people not to click on phishing links or to report issues, we want people to think and have a security mindset, it all comes down to culture, because that's what drives behaviors.

So I really like this explanation about the different types of security cultures that a company might have, and any company won't have just a single one of these but a mix of everything. If we have tight control and an internal focus, we have a process culture. This is the company that just seeks to enforce policies; everything is very rigid here, there's barely any room for innovation or creativity. Here we have everything standardized, everything is a policy, and there's not a lot of room for collaboration either. Now, if we have tight control but we focus externally, then we have the compliance culture or the checklist culture. Here we just want to pass audits, essentially, and then again we also have everything documented and there are many standards, but there's also very little room for collaboration, and it might feel very rigid as well. If we go to loose control but we focus externally, we have the autonomy culture, and here the directive is to get results, just one result. I call this the ship-it culture, and I think that a lot of startups might initially have an autonomy culture when they are growing and expanding. Here people have a lot of freedom to innovate, and decisions are not made in a hierarchical way but are pushed out to everybody, and this can be a little bit of a chaos in a way when it comes to security. And then, when we go to internal focus and loose control, we have our trust culture. So now we know what trust is, and we can have a security culture of trust. Here we focus on empowering people and on growing human relations. In a trust culture people are knowledgeable, they are committed, they are accountable and they're engaged; they consider that security is part of their job and part of what they do. So this culture is the easiest way that we have to scale as an organization and to really make the whole company more secure, and ultimately make the internet safer.

Now the question is: how do we generate a security culture of trust in our organization? It becomes a question of how again. So this is my proposal, what I've come up with after mixing all of the research I've done that considers different topics. In order to have trust I believe that we must have two pillars. On one side, the security organization in the company is a trustworthy organization. So we are people-centric: we consider that people represent this opportunity that we want to take, and we put a lot of effort into building that layer in our program. We seek to have change through influence rather than enforcing something, enforcing a policy or mandating people to change their mindset; we influence them instead. We seek mutual benefit, so we don't just consider security but we want everybody to win and everybody to achieve their goals. So that's on one side. On the other side we have our company allies: everybody in the company becomes a security ally. They are knowledgeable, so they know about security within their needs and their domain; they are committed; they're engaged with us; and they feel responsible for security. I believe this is what we can consider having that security mindset that we wish we had a little bit more of.

So we have these two pillars; how do we build them? If we want to have a security culture of trust, then each party must make trust deposits. I'd like to say it this way: essentially, imagine that you have this trust account in your organization, and every time you behave in a trustworthy manner, or you influence someone, or maybe a developer considers security, or somebody reports a phishing link, we make trust deposits. Now if you're a leader in the organization and you have a bigger sphere of influence, then you can make larger deposits, but that doesn't mean that individual contributors, or anybody essentially, can't help this to happen. Then again, trust starts with each of us, so we want to make as many deposits as we can and as constantly as possible. Here are some ideas of how we can do that on our side, and if you want to change the world we can start with ourselves.

First is the concept of a win-win mindset. Here the security team considers the goals of everybody else in the company. So for instance we want to help sales sell more, in a secure way; we want engineers to be able to ship more, ship better, ship faster, securely; we want marketing to be able to do their job, in a secure way. That means that we consider other people's, other orgs' goals and priorities as well. We don't just consider security and think that everything must be secure without considering the needs, the constraints, the risks of everyone else in the org as well. We seek everybody to win, essentially. This acknowledges the fact that within any company we're all part of the same team; maybe we play defense and someone else plays goalie, but we all have the same goal. We should all seek to win together as much as possible. So: shifting our mindset from just considering security, and security at all costs, to a win-win mindset.

Then after that we must, I believe, have strong customer service principles. So whenever somebody in the company has a question, like how do I enable MFA, how do I report a phishing email, how do I get a threat model or a risk assessment, or how do I report a vulnerability, having good customer service is key for the engagement that we need. These principles are absolutely key to have a good service. First is approachability: how easy is it to contact the security team? Do we have an email or a ticketing system, a channel in Slack? Can people send me a direct message? Maybe, but does that scale? What's the easiest way I can help people reach out to me? What's our tone of voice? Do we sound like we want to help them, or do we hide from the requests, for instance? And what's our reputation? So for instance, if we are a security team and we don't participate in company-wide activities, or people don't see us in the office or in the Slack channels, we have no visibility, and the reputation that we have is negative, like the naysayers or the police, and this makes us less approachable. For instance, somebody might feel concerned or afraid to reach out to us, but we can improve that.

After we are approachable, then we must show interest in the query and in the customer. So we create a safe space for the user. This means that no matter the question that's being asked, no matter anything at all, we show empathy and we show that we care. Then after that we actively listen. This is listening to or reading the query to understand, not to reply, but just to understand the situation, the problem, what's happening; not interrupting the person when they're talking, and paying attention to what the user doesn't say, because sometimes they might not express themselves the right way and we might see something that they're not saying. And then interviewing: asking questions to clarify, but not in an accusatory manner. Here this is a lesson that I had to learn, and I sort of learned the hard way. I used to ask "why" to people a lot, because I believe that we must always do things for a reason, so "why do we have to do this and not that", for instance. However, that "why" in general makes people feel accused. So we can shift something like "why did you do this?" to "what caused this to happen?", "how did this happen?". Shifting from "why" to "what" or "how" can really make a difference, and I invite you to try it out, maybe with a friend, your family, anybody: try not using "why", use "what" or "how" instead, and the conversation will likely be more fluid and feel better on both sides.

Then answering: we always thank people for reaching out to us. For some people it might be hard; then again, we might feel a little bit intimidating, maybe that person had a bad experience before. So we make them feel good, we thank them, we praise them for contacting the security team. And this is another tip that I strongly encourage you to try: remove "no problem" and "you're welcome" and change that for "anytime", "happy to help" and things like that, things that show that you are genuinely happy to help the person, instead of making it look like you did them a favor or that they were actually bothering you. No, make it look like you are happy to help. I invite you to try it out as well. And then follow up: we have our SLAs and we keep them, and if we say we're going to do something by X, we do it, or we manage that expectation. So we have customer service principles and we have an excellent customer service.

Then we have communication, which is the key theme overall. First, we communicate with tact and with empathy, not with blame or without caring; we genuinely care for the person, and we communicate as tactfully as we can. We keep our commitments: then again, if we said we're going to do something, we do it. We set up a reminder, anything we need, but we do it when we said we were going to do it, or we manage the expectation we created. Explaining why: I think this is absolutely key to gain adoption, because people might not understand why they need to follow a control, a process, a policy. So explain why it exists, what problem it is solving, why they should do it; then they will have a far better understanding of the situation, they will adopt it faster and they will care more about it. Clarifying expectations: so if we expect developers to follow the secure coding guidelines, then we get an agreement from their leadership that this is what's going to happen. We clarify expectations on both sides; if they want us to do something, we clarify that as well. Accountability is also key. This means that we keep people accountable for the expectations and the commitments that were generated, that were approved. This is something that we must do as well, and we keep ourselves accountable.

And my personal favorite is no fear, no uncertainty and no doubt. I feel that historically security has always been something that has been sold to prevent something really bad from happening, and for some people this can be very scary. For instance, in trainings we can remove all of that fear, all of that doubt, and change that for commitment, for "why", in a careful way, not to make anybody scared but just to understand the situation. So no fear, no doubt, essentially, and this directs the way that we communicate within ourselves and with everyone else in the company as well.

And then vulnerability. This is not related to technical vulnerabilities; this is personal vulnerability. For instance, a lot of people, especially non-technical people, might feel that the security team is absolutely perfect, that we don't make any mistakes, we never fall for a scam, everything we code is secure 100% of the time. We might have that reputation of maybe a little bit of perfection, if we want to call it that way. So if we allow ourselves to say "hey, I made a mistake", now, or when I was starting for instance, this can be key to help people open up with us. The other day we had an event in the company I work at, and I told the company that I had almost had a security incident back in the quarantine. I told this story with a bunch of memes, people laughed about it, and then after I finished that talk a lot of people came to me and said "hey, I made a mistake", "hey, I almost got scammed in the mall the other day, what should I do?", "my wife gave my credit card details to a scammer, what should I do?". So a lot of people allowed themselves to feel vulnerable with me because I took that initial step, and that made me, and everyone else in the team as well, look more approachable. We need to create that safe space, because sometimes falling for a phishing scam, coding a vulnerability, or any security situation that might happen can be just a very stressful experience. So then again, if we allow ourselves to be vulnerable we help people feel a lot safer as well.

Ultimately all of this comes down to relationships: empathy and caring for everybody in the organization, caring for everybody to have not only a safe experience online in their personal lives, but also that their actions lead to a safer space for our companies as well. So that's on our side. What about their side? How do we help them become the allies we need to have this culture of trust? The core of the matter is changing the behavior. Now, in your company you likely already have allies that care about security, that know about it, are committed and engaged, but maybe a lot of people don't have that yet, so we must help them change their behavior.

Here I want to bring up what the FBI does, and especially the hostage negotiation team; there's a great book about it. Back in the 90s the FBI was going through a very difficult time. They were essentially losing all negotiations, and this led to a lot of loss of lives, and so back in 1994 the FBI director assembled a special team whose only job was to figure out what's wrong with the way that we negotiate, and how can we negotiate in a way that actually changes the behavior of the criminal on site and helps us save lives. This was a special unit that had people that dealt with crisis management, incident response, behavioral sciences, psychology, anything that was needed to fix this problem. So this team went and did a lot of research, a lot of experimentation, a lot of learning. They contacted Harvard, they contacted the best minds they could, and one of the things I found was the research that was done back in the 80s, a few years before, by Daniel Kahneman, that said that essentially people are irrational beings. Back then, in the 80s, the economic sciences thought that people do things because it's the right thing to do, because it's cheaper, because it's rationally better, but in reality what was found is that we do things because of how they feel. So we feel before we think, and feeling is a way of thinking. The way Kahneman explains it is that we have System 1, which is the emotional, irrational, beast side of our minds, and we have System 2, which is the logical, rational side of our minds, and whenever something happens, a question or a stimulus in the environment, we first process this through System 1, and then that response informs our System 2 response.

So this means that if we want to change the behavior of anybody, a criminal, a terrorist, a person, then we first must appeal to emotion rather than to rational thinking. This is the mistake that the FBI was making before, because they used to see negotiation as a problem-solving thing, fully rational, and that's why it didn't work: a hostage situation is extremely emotional, and essentially everything else is as well. So after they found this research they came up with what is today called the FBI stairway model for behavior change. Whenever there's a hostage negotiation, no matter the type, no matter how dangerous, an expert negotiator from the FBI goes and essentially establishes trust with the criminal. The first thing that they do is actively listen to them; they want to understand why they're doing what they're doing, without asking them why, just using what and how questions. They want to make the criminal feel heard first. Then they employ what they call tactical empathy, which is like empathy on steroids: they mirror what the other person is feeling, they label it, they manage to understand the criminal as much as possible. They build rapport; they become not friends, but they have an established relationship. After they have all of this, they influence the behavior of the criminal to get them to see things as they see it, and this ultimately leads to behavior change.

The reason why I'm bringing this up in this talk is because this showcases that establishing trust, being able to be perceived as a trustworthy person or organization, can ultimately lead to behavior change. And if this works with hostages and crises this way, with terrorists and with criminals, then we can use this to get anybody to adopt our secure coding guidelines, to enable MFA, to care about security. We can change that perception and those behaviors by establishing and extending trust with people. So it's a skill, then again; it's actionable, it's measurable, and it works in the field and in general. It goes back to listening, to empathy, building rapport and relationships, influencing instead of mandating change, and then ultimately using those techniques to change the behavior.

So let's say that we manage to change the behavior of the person. They now accept security, they care about it, it's part of them. So now we want to make it part of their identity; this means that they believe in security in a way. So we talk in their language. That means that whenever we explain the topic we don't use complicated jargon; we don't talk to sales and marketing the same way we talk with engineering. We help them understand our message; we explain how it benefits them in their professional lives and in their personal lives, because ultimately people do things for their reasons, that's just the way it is. And we use intrinsic motivation, so purpose, mastery and autonomy, as much as we can, and after this it becomes part of their identity.

Now, what happens when we change the person's behavior, it's part of their identity, they care as much as they can about security, but their leadership does not value this? So executives, directors, leaders must also be allies. They might have competing priorities; say that security is not prioritized from a project management perspective, and then they literally can't do anything. What are the prized behaviors? Is there a focus on shipping, or is it a focus on shipping securely? Is security considered a quality metric in the organization? And what support do they have? Do they have the time they need to learn security, the learning resources, the learning opportunities, the support they need overall? Because security is not simple, I would dare say, and we need to give people the space to adopt it, to learn about it, to interact with it. If their leaders, managers, program managers, executives, directors don't value security, then we must start at the top with that behavior change to help individual contributors behave securely as well.

Now say that we change behavior, people care about security, it's part of their identities, we adapt our messages to their language, something that they can understand, and this is actually valued by the leadership in the company. Now we enhance their capabilities. This means training on a constant basis, not just a one hour annual training that we would dislike ourselves; no, this is fun, engaging training that happens multiple times a year. We can have mentorship as well: grab people from the security team and do one-on-ones, or do one-to-manys, lunch and learns; ask-me-anythings can be very useful. Maybe we can grab leaders from the security organization to talk with people about what they think. We provide all the resources they need: blogs, books, video trainings, conferences, even YouTube talks, anything that might be needed. We have focus groups; maybe we have a team of people that's working on completing X certification; we have our security champions with a special learning path, security ambassadors with another learning path. We do our best to help everyone in the company grow in their security journey throughout the year, on a permanent basis.

So we have all of this, but at the same time I want to make, not a warning, but also add this as well. We want to extend trust; we see that trust is the one thing that changes company Foo to become company Bar. It's a way that we can leverage people and take the opportunity they represent to make the internet safer. But at the same time we have to extend trust in a smart way, with judgment. This doesn't mean that we extend trust blindly, that we just trust everybody, and trust that everybody will be fine and have no controls. No, we must always have judgment as well. This is like adding another layer in our security program: we still have our detection and response, our logging, our zero trust mechanisms, our processes, policies; we still have all of this. What I mean by all of this talk and all of these behaviors is that we have a high propensity to trust. That means that we don't go around without extending trust to anybody, or distrusting every single person we see, thinking that they're just human error waiting to happen. That's what I mean by this: we can change the perspective we have on people to help them become the best they can be, and to turn them into another layer in our security program, with judgment, in a smart way.

So with this we have these two pillars. To wrap things up: on one side the security organization is trustworthy, it's people-centric, we influence people, we seek mutual benefit, so we want a win-win mindset. On the other side we have everyone else in the company, who are allies to the security program. They are knowledgeable because we've trained them with everything they need; they are committed because we changed their behaviors, we changed their perspective and security is part of their identity; they're engaged because we're not scary, we're not intimidating, we're fun, we are engaging, we are seen, we participate, we are part of the company; and they are responsible because they care about security and they also have all the support they need from their management chain. With these two things, and all the things we can add on top of this, I believe that we can have a security culture of trust that actually drives behavior and makes the internet safer.

So hopefully, if this happens, then maybe next time you see this picture you might not see insider threats and phishing, people that click phishing links, or engineers that are conflictive and that code insecurely, that don't fix anything, that you see trouble overall. Hopefully, if this happens, that's not what you see. You see an opportunity that was taken, and you see people that you trust that also trust you back, and with this a security culture of trust that I strongly believe has the potential and the capability to make the internet safer in a scalable, in a humane way. And with that, thank you very much.