
All right, thank you so much for that very kind introduction. Again, we will be doing the final keynote for BSides Vancouver: 12 Monkeys, Curtains for Security Theater.

A little bit about me: I spend a lot of my day dealing with clients in a variety of different industries, and essentially what I end up doing is being responsible for translating the needs of the security team to their executive and decision-making team, who have the buying power and the decision-making capabilities for the organization. I focus not only on blue team compliance assessments, risk assessments and risk analysis, identification of vulnerabilities in people, processes and systems, but I also get to simulate attacks against those systems and do some red team type theatrics: phishing, and voice phishing over the phone, smishing or text message phishing, all the silly phishing names. I do those as well, and I participate in collaborative engagements that include things like tabletop assessments for clients who want to test their response capabilities with a simulated attack.

So, moving on, enough about me. I would like to thank this BSides Vancouver team for inviting me to speak to you today, for giving me the honor of rounding out the keynotes with a closing keynote for the event, and just recognize all the hard work that these individuals put in to organizing, putting together, managing, hosting and enabling this event to happen. Facilitating an event like this is not an easy feat, so thank you again for the invitation to speak, for all the hard work that you put into this, and all the other individuals who contributed behind the scenes to make this event possible.

Our agenda today in Curtains for Security Theater is pretty simple, but we'll get into more of the detail here as we go. We're going to talk about an introduction, the process, culture, people, and then close with some final thoughts. I'd like to remind everyone that this is by no means enough time for us to go into enough detail. I really wanted this talk to focus on sparking a new interest in the audience and people who review this talk to look further into how they can resolve some of the struggles that we have related to what I like to call security theater, and we'll get into what that is here in just a second.

So, introduction: the purpose of security. Why does security exist? Ultimately security exists to protect people, to protect information, to protect people and information. A great illustration of that is the campaign that was brought about in World War II that used propaganda to spread awareness that gossiping and talking about where their loved ones were positioned, where resources for the military and people related to the military were positioned, could lead to enemies learning of where those resources were and then attacking them. So the idea of security goes back to more of this basic need to protect lives, to protect people, to protect information, and to keep those things confidential and private for the sake of protecting, rather than simply keeping data secret or client personally identifiable information or health information private. We really want to think of security as a means of protecting our population, our people, our information about those people, and how security has a real impact in all of our lives on many levels: everything from locking your car doors to keeping your home alarmed and secure while you're away. All of those things relate back to security, and what drives that security is a passion to keep those things safe.

And that, I think, is something that's very important to keep in mind as we progress through this, because essentially our perception becomes reality, and what is popular in media and what we see when we learn about security becomes the truth, or our perception of security, and sometimes that can be slanted away from its original purpose. When we learn about information security, we learn that it is specific to confidentiality of data and information; it is related to the integrity of that data, keeping the data intact and complete and accurate; and our IT systems, information, all of those things operational and accessible and available, so the availability of that data to the members of our organization and our clients, to keep our businesses operating, to keep us making money. All of these things relate back to that security: keeping those systems secure, keeping that data private.

A lot of this has been driven by a need to define a process for business security. When we think about information security, we think mostly about business security and not so much the original purpose of security, which was to keep our information private for the sake of protecting people. We think of protecting systems now, more in corporate information security. So, related to a need to define this process, we identify process drivers, things that are driving the process behind information security in our corporate security programs for our businesses.

Some of those key process drivers are related to third-party risk management. These third-party vendor risk management programs have come about out of a lot of recent incidents where third-party vendors were used as a means of accessing a corporation or a business, through a utility, an application, a piece of hardware or a connection that was made to that victim of that attack using a third party that has a trusted connection to that business, meaning the attacker used a neutral third party and their trust and access with their target to basically step-stone through them to the target. This has really pushed the development of third-party risk programs in corporations, and a lot of my clients, from basically non-existent to extremely important in the last couple years, especially since we've moved to a more distributed workforce and become more reliant on that remote access to complete processes, updates, and to connect with each other.

Another metric that has essentially contributed to this process requirement in information security is the cyber security insurance requirements. We've had a multitude of incidents over the last couple years especially that have had claims made with cyber insurance companies that spiked the amount of dollars going out of those insurance companies significantly enough for them to start putting in requirements and restrictions on how claims will be made, accepted and processed. And so these insurance companies are insisting that the companies that they insure check a certain number of boxes, or complete a certain certification, or show evidence that they have a competent security program.

We also have the corporate audit and compliance frameworks that are being pushed down from corporate levels into more franchise locations and larger organizations that dictate how those locations are allowed to store, transmit and process data. For example, you may have one large company with a headquarters in Canada, but they have many branches all over the world that are subject not only to the compliance and audit requirements of that state, nation, province or location, but they're also subject to the requirements of their corporate headquarters as to how they can manage and process their client and vendor data.

So the solution has become to create more certifications, to create more compliance frameworks that are specific to different industries, specific to different areas or business sectors. It's become this need to certify an organization as compliant or security conscious rather than examining the culture of the company and finding out if they are truly secure in the way that they process data, transmit and store that data. These audits only look at a snapshot in time and not the ongoing state of the security of the organization. A company could pass an audit, could receive compliance against a certain framework one day and be vulnerable the very next day. So we see this cycle of
insufficient security, the overlay of the compliance process, and this solution to make this company more secure; then we see analysis and assessment, and then we revert right back to insufficient security, whether it's through unpatched applications, poor security posture in the defense of things like social engineering, phishing emails, and a variety of different types of attacks, despite technical controls and compliance that we have in place that checks the boxes on those frameworks.

So, to draw from 12 Monkeys, there's this theme that you'll see in my talk here that we all feel a little crazy, and I think that's because a lot of us wake up in the morning and we go to work and we defend our organizations, we defend our clients, we help stand things up, we create new security processes, we execute security awareness training, we measure, we simulate attacks, we analyze data, and it seems that the very next day we have some kind of a breach or an incident or a situation that hits the news, and we all feel like we're fighting this uphill battle where we work and work and work and work and we're not seeing a net result that shows that our work is valid, that it's producing a measurable, an impactful result. And I think that that is mainly attributed to the fact that real security is not compliance, and compliance cannot be made to be security.

A framework can't account for the subtle nuances of your company, its operations, the environment, your people, how those people interact with each other. These audits only look at a snapshot in time; they're not going to be able to see the ongoing state of your security. And you know, I can demonstrate that I have a policy document that says that we do not have, hold or process any CUI, or certified unclassified information, within a company, and meanwhile I can go look, say, and do a review of email and find, oh shoot, there's a whole bunch of it all over this company and I had no idea. I mean, we had the policy; the policy said we didn't do it, so I believe that we didn't do it, but the practice or the process may be different.

And so sometimes you have these audits that are maybe not as thorough, you have folks that are self-assessing, you have even the most cyber resilient organizations that treat compliance as a baseline, and it's not true security. So essentially what I'm saying is compliance, in most instances (and that is a blanket statement and a generality; in some cases it can be a wonderful tool to measure an excellent program, so I'm not saying that the two are never present in an organization simultaneously), only that you can't rely on compliance to create security.

What usually ends up happening is I have a client that will say, okay, well, you're telling me that there's a recommendation that I should do X, Y, Z, but I'm going to ask you, since I only want to be certified as compliant with this framework, does this framework mandate that I have to do X, Y, Z? And if it doesn't, I don't care. That's a problem. That's really a breakdown in the security fundamental purpose of protecting data. If the recommendation from the security team, or the general best practice from the security team, is to do XYZ for the sake of protecting people, processes, systems, and the client and company data, then that is what we should be doing. But what ends up happening is that we are simply checking boxes against a compliance framework and creating this appearance of security and saying that everything is fine because we're doing this list of controls, and we've developed a way that we can show that we're doing each of these controls. Whether it's 100% accurate, or really rooted in a culture of keeping the data protected through that control, is different. And that disconnect in the security culture of an organization versus compliance, and a security program that is mapped back purely to compliance, is fundamentally the problem that I'm discussing today, and that's what I want to improve.

So we've talked about what security is, what really a passion for security looks like: it's protecting people, it's protecting information, and it's protecting companies' data, their clients', vendor and company intellectual property data, and having a passion for doing that. And I think that is why so many of us originally came to this field, why we got involved in security: it was that passion to protect data and people, who are at the root of all of these organizations and who stand to suffer the most if that security is not in place. And what's happened over time is that that passion has been eroded by the process and the creation of these frameworks for security compliance.

So what do we need to do? Essentially, we need to fix the culture behind security and get the buy-in and investment from the top down in all of our organizations. It feels to me, and this is my personal opinion only, that for most of the clients I speak to, their security teams have been siloed away from the rest of the population, and they don't feel like they are being heard, like they are being understood or listened to by the folks who are making the decisions about where the investment, financial or otherwise, is going to happen within the organization. And what I love about my job is I get to bridge that gap. I get to take the people who feel like they've been locked away in a corner to protect the organization in the dark with their keyboards, and I get to bring their wants and desires and their passion to secure their systems and protect their businesses to light, and I get to give that validity through issuing a report that says that this is important. Typically what I'm doing is just restating what the security team has already known to be the main or primary issues for this organization that will help and enable them to better protect what they have been tasked with protecting for the organization.

You can have this incredible security program. You can have the policies: long, detailed, beautiful, styled, letterheaded, gorgeous, branded policies, along with aspirational procedures that say exactly how all of your information, data and assets and IP are going to be stored, delivered, handled, transacted. You can have all of these things in place along with the practice, and have all of your people trained, aware of the practice, aware of the policy, aware of the procedure, and you can still be missing that security culture, that drive, that passion, and the buy-in of everyone at the company to behave as a team and essentially create this masterful puzzle, with each person playing their part and acting as a piece in that puzzle of the organization, to form a wall and protect this data and information, to make these systems available, to protect the integrity of the information, and to secure all of the hardware, software, business systems and other processes linked to
making the company function and be able to do business. So how do we fix that? How do we remedy that and essentially marry these two sides of the equation: find the security culture and then marry that with this amazing compliance-framework-supported security program? What it really boils down to, in essence, is people, and people are going to be at the core of pretty much everything that we do. And so why not get their buy-in?

I've heard some incredible talks today. I've heard people talk about systems that hold up our infrastructure and how these systems can be breached and how they can be protected. I've heard people talk about creating security awareness training programs and how to get the user and executive and middle management buy-in from an organization to make that security awareness training adopted and engaged with by the employees. I've heard just some absolutely incredible talks about adversaries and threats and ways that we can protect and defend our organizations, and I think all of these different facets of security work together. It is so important for us as security professionals to understand that we each have our part to play in this. We each have our own specialty, and through working together we can show the rest of our organizations, people who don't really think about security and who haven't been tasked or made responsible for security, what's going to happen if we don't change this culture breakdown within our organizations.

From 12 Monkeys, there's a line about Cassandra: in Greek legend, you'll recall, she was condemned to know the future but to not be believed when she foretold it, hence the agony of foreknowledge combined with the impotence to do anything about it. And what that means is she knew what was going to happen in the future, she would tell anyone and everyone who would listen, nobody would believe her, and she was left with this agony of knowing where things were headed but not having a way to do something about that, a way to shift this perception that she was wrong and to make people understand that what she was saying was in fact true. And I think we're all kind of in that boat. I mean, correct me if I'm wrong, I can't see the chat right now, but I'm sure you'll let me know at the end. But we all feel like we're constantly screaming at a wall, telling everyone who will listen what's going to happen if we don't protect this system, or handle this process differently, or adopt this new method, this new best practice, you know, patch this system, upgrade this hardware, get new software, dispense with old vulnerable software. We all know, and I'm sure you can think of it right now, the top three things that you would change in your organization or for your clients right now. You know what those things are, and you feel like you're saying it over and over and over, and everybody just goes "aha," and they don't actually believe you about how severe the problem could be if we don't rectify that and mitigate that vulnerability.

So, the definition of insanity: doing the same thing over and over and expecting different results. Now, this quote is often attributed to a couple different people, and frankly a large number of people who probably never said it, so I don't know who to attribute it to, but it's kind of true. We keep falling back to this position of wanting to use a process to create the security that we need for our organizations. We want to find a framework that's the magic answer, like if I can tick all 20 of these boxes, you know, with three to five sub-controls on each one of them, this will be the answer and now I'm secure. And it's really just not the case. I think it's fantastic that we have all of these tremendous leaps and bounds that we've taken with technical security controls and means of mitigating a lot of these types of attacks, and avoiding having our staff and our co-workers dealing with having to defend against a lot of the volume of phishing emails and other types of attacks that typically target folks within an organization. I think those are fantastic, and I'm not at all saying that we shouldn't use those technical controls and those capabilities and monitoring and alerting and all those things to the fullest. But what I am saying is we can't just say that we ticked 10 boxes on a framework and that we're secure without really looking at ourselves and at the culture, security-wise, within our organizations, and doing something to get the buy-in.

And I know you're like, okay, well, what's the thing I've got to do? It's really different. It's different for a lot of organizations. I don't know the culture of your nation, your region, your province, your state, your city, your town; it may all be different. What will encourage people's buy-in in some areas won't help make a difference in others, but it really comes down to continuing to try: that persistence, that drive in that effort. You can't have one security awareness training and do one phishing test and know where you are. You can't execute a one-time plan to check all the things in a compliance framework and say, yeah, we're good, we're eternally fine because back in 2010 we checked all the boxes on this and everything was fine and we're doing everything the same way, so it's okay. It really takes this constant work and effort and continued trial and error to determine what is going to be the thing that helps people to understand how this can impact them, not just in their daily lives at work but in their daily lives in total. And choosing the right humans for the job is very important in inspiring that security culture.

So, to encourage that creation of the security culture within your organization, I want you to think about both your existing and your emerging workforce, not only related to security but in general. I want you to think about encouraging innovation: hiring, or encouraging the individuals that you have on staff already, to use critical thinking skills and go beyond simple process docs, to study adversarial tactics and learn about how to defend against those and new threats, to go to continued education, to attend
conferences, to seek certifications that they find interesting and relevant to their jobs, or completely irrelevant, if it's just something that is security adjacent maybe to their position but that they find very enjoyable to learn more about and understand; to foster environments where you have collaboration and sharing of ideas and support for that, which will ultimately contribute to innovation within your security program; to review the requirements in your job descriptions. Make sure that you are evaluating the whole candidate, that you are reducing the education and experience requirements to the bare minimum, and then maybe list some nice-to-haves if you have some other certification or educational requirements that you would love to see in your unicorn ideal candidate. Make sure that you're not leaving potential candidates feeling like they shouldn't even apply if maybe they have some other real-life experiences and other skills that could compensate for that lack in education or experience.

Offer non-wage compensation, especially related to work flexibility. There are a lot of jobs that can be performed at not a set shift, that will allow people to have more flexibility in how they balance their work and their lives, to have that perfect balance struck between work and life so that they can take care of family or friends as well as attend to their own personal priorities and make sure that their work gets done. You can measure most humans' effort through their work product and not simply their green-dot availability status on a messenger application or something like that.

Invest in your candidate pipeline. What I mean by this is find programs that create amazing security people, find programs that invest in things like capture-the-flag competitions, not just for hacking but other security-related areas that focus on innovation and people who are inquisitive, and who lift those people up and give them an opportunity to learn more about information security, and participate in programs like PISCES, which is something that Critical Insight puts a lot of effort into. I'm happy to share the details of that following this talk if anyone's curious, but essentially we help college students to get into the industry using our PISCES program. Look for programs in your area that do similar things so that you can find those folks who are most passionate about security, because the folks that you find who are the most passionate will have a much better chance of creating that culture of security and buy-in from people at all levels within your organization.

Encourage diversity through embracing unique perspectives, trusting your employees to complete their work. I mentioned that a little bit earlier: measure folks based on their work output and their work product and the quality of that product, rather than simply hours in a day or being available. Increase your opportunities for a variety of work types, and what I mean by that is part-time, full-time, remote, fully remote; wherever that's possible, make that an option. You don't want to limit your candidate pool just to your specific geographical area if you can avoid it, because you can source talent from all over the globe if you're motivated to do so.

Then foster that security mindset within your entire team. You play as a team, you operate as a team, you win as a team, you lose as a team; don't single people out. Mentor teammates: maybe have more experienced teammates mentor those who are newer or emerging workforce candidates. Also make sure that you have cross-training and the ability for people within different teams to learn new skills from their co-workers and share that knowledge, so that you don't get stuck in that rut of tribal knowledge where just one small pocket of the company is aware of a process or how systems work, or just one individual knows how to operate, maintain or handle things within a specific application or system or process. Encourage transparency throughout your teams. Empower your people to speak, share their minds without judgment. Suspend your own judgment of others. Reward new ideas. You want to give people a space where they feel like they are valued, where they can share their ideas, where their perspectives are taken seriously and where their recommendations are thoroughly evaluated.
In conclusion, there's this sentiment from 12 Monkeys where James Cole is saying that the human race is just asking to be wiped out, and Jeffrey Goines says: wiping out the human race? That's a great idea, that's great, but more of a long-term thing. I mean, first we have to focus on some more immediate goals. And I think we all get overwhelmed by the big picture. We all get slightly discouraged and overwhelmed when we think of how far we have to go, and I really want to encourage you to look at this short term: to look at your daily goals, your weekly goals, your monthly goals, and then maybe start projecting outwards towards the years, and the three-year and the five-year plans. It gets really overwhelming when you look at a three- or five-year road map and just go, I cannot do all this, this is insane. It is insane. So bite off one little chunk at a time. Start standing up your frameworks, your processes, and start measuring what you've completed each week.

I start every week writing out a task list. I would show it to you, but I can't, and essentially it's on a post-it note to the right of my mouse, and it just says, this is the client, this is the thing I have to do this week: client, thing, client, thing, client, thing. And for you maybe it's application, thing, application, thing. And you set this list of things out for the week, and you knock out one of those things per day, and you'll start to feel that sense of accomplishment and achievement, and at the end you take a post-it that has all the things and you physically cross it out. Just that manual, tactical, physical being able to cross it off really does a lot, just psychologically, to help you feel like you've made some progress, because a lot of us stare at the same screen using the same mouse and keyboard all day long and it just feels like it looks exactly the same every day. So try to make your goals more bite-sized, try to set out a framework that reduces things down to the daily, weekly, monthly level, and tackle one week's worth of things at a time. Try to delegate as much as you can, and if you're being delegated to, don't hesitate to push back if something is not going to meet a deadline, if you need to for your mental health, your work-life balance, your flexibility, ability to function and be productive. Don't be afraid to ask for help, to push deadlines out, to create more realistic expectations of yourself and your team, and communicate those effectively to leadership, management, C-suite. All of that will help to not only keep you on track but also to make sure that the expectations are managed appropriately.

So, the future of workplace security. I believe that the future of workplace security is human. It's going to start with the people that we put in the position of creating these training programs, of getting the buy-in, from the top all the way down, from everyone on the team to participate and to engage in our security practices that are mapped out and framed out by these frameworks and policies and the procedures that support them. It's going to take real human investment to stress the culture over the compliance. For the individuals who really only care ultimately about themselves: most people are going to do what is in their best interest, and empowering someone to believe that what's good for the company is in their best interest is what it comes down to when we're talking about creating this culture. You want to have people who want to support your clients, your vendors, your company, and be a part of that team that is actively engaged in fighting the adversarial threats, in defending the systems and the data, and buying in to this culture of security. And creating that culture fundamentally comes down to understanding people and processes and behavior, and how we can shape, mold and influence that through leadership from our positions within the security team.

So: oh, wouldn't it be great if I was crazy? Then the world would be okay. We all kind of have our little spot in the security universe, and some days we can feel like we're absolutely losing it, and if we were crazy and the rest of the world was fine, then everything would be okay. But I think the truth of the matter is we're all a little crazy for a reason, and our passion really boils down to keeping our companies, our organizations and our people safe. And to do that, we need to find what makes us passionate about security and remind ourselves why we got into this mess to begin with, and that comes down to what we talked about at the very start of this talk, and that is protecting people, protecting lives. In a lot of organizations that I work with, they are literally protecting lives of people in hospitals and clinics. And so I want you to take a moment today just to review everything that you saw here today and yesterday at BSides Vancouver. What are you passionate about? What brought you to security? You don't need to tell me, but jot yourself down a little list of things that you think brought you here and what you're passionate about, and try to figure out how you can walk into work, even if it's walking three steps from your bed to your desk, tomorrow and find that passion in what you do every day again. And that's a wrap for me, so I will move
it over to questions. These are the ways that you can reach me, and thank you again to BSides Vancouver, to everyone who contributed to making this conference possible, to everyone who attended and listened to talks and contributed talks, all of the speakers. It's absolutely been a joy to watch everyone share what they're working on and what they're passionate about over the last two days. So please reach out to me, share your feedback, I want to hear it all, the good, bad and the ugly, and I hope to connect with you all IRL soon. Thank you.

Elise, that was great, amazing, you know, really good talk. I see all kinds of kudos in the chat here and looking to see if there's any questions. I see lots and lots of love for your talk, that's for sure, and the BSides crew.

Thank you, Elise, I appreciate that.

Let's just see if anybody has any questions here. It was amazing, lots of love. Exactly. It was a great... yeah, I know you guys are all fantastic, so appreciate everyone. We appreciate that. It was really a really amazing talk, that's for sure. You got it. Well, I'm going to give it a couple more minutes for Q&A and see if you guys got any good questions. I know Elise hasn't answered everything in life, so you might have some questions for her.

Yeah, I left a couple Easter eggs behind me too. If anyone can find the thing that's connected to Vancouver in my background, I'd love to see if you spotted it.

Let's make it bigger here, hang on a sec. What do you got in that photo? So you'll make it bigger, she said. Oh, woman, exactly. What do you got back there? What's your biggest... what's your... okay, here, here's one question for you. What's been your... oh, hang on a sec, I got two people throwing things up there. What's been your biggest challenge?

My biggest challenge, well, let's see. Related to security, my biggest challenge for my clients really has been expressing that we can't rely 100 percent on technical controls to keep us safe, and I don't know if you picked it up from the theme of my talk, but if something is a best practice in security and not specifically required by the framework they're trying to get audited or certified against, doing it is the smart thing. That's my biggest challenge: communicating why, and getting that investment.

Definitely, yeah, I hear that. Yeah, okay, let's see if we got any more here. Q&A.

Awesome, okay, lots and lots of comments, all kinds of good stuff, lots of love. Okay, okay, I see, I think I see Ryan Reynolds in the background. Oh, you moved your camera, hang on, so you're gonna make her bigger there. See? Oh, see, but you know that you can't see as much in your background there. I changed... no, you can't. So, so Ryan Reynolds is right there. Where's Ryan Reynolds? See it, dude. And Gibb says exactly right, you got that exactly. Got it. Awesome, okay, well, thank you Elise, we really appreciate it. That was an amazing keynote, we super appreciate that. Definitely, I'll be seeing you at the next Trace Labs CTF at DEF CON.

Absolutely, you got it. You have a good day, take care, and we're going to start here in a couple minutes. Thanks, take care, ladies, have a good day.