
Does anybody have any questions? I think you can either put them in the chat, or you can come up and talk through a microphone if anybody wants to do that.

No, there doesn't seem to be any questions for you there, Johnny. Obviously you must have covered everything perfectly. Well done, thank you. If anyone does have questions, or wants to ask Johnny anything at all, are you hanging around for a little bit?

Yeah, I'm going to watch. Oh, sorry, there's a question in the chat actually. Thomas: which certs are worth the cost? That is a difficult one to answer, because I know that more recently cheaper and more cost-effective certs have come out than things like OSCP. You might get a similar amount of content covered, but like I said, if HR potentially doesn't have a clue what an Altered Security cert is and they've been told to look for OSCP, then the OSCP is the one that you need to get to get you through the door. But I think the industry is ch... oh, my mic got turned off there. Yeah, you can have more of an interest and passion than somebody who actually has more knowledge, and you can be taught the knowledge. So I do feel like it's changing a little bit in terms of that. Like I said, the Altered Security courses I definitely think are worth the money. They tend to be about 250 or $300 including an exam attempt, so that's 250 I guess for 30 days' lab access, and they're quite specific: they've got Azure ones, they've got AD ones. I've done a few of those and I've always learned something, and they give you a collection of tools that you might have to spend time finding otherwise, and things like that. And Nikhil, who puts those courses together, is kind of an industry legend. So that's what I'd say for that. Happy to discuss further if you want to get me on LinkedIn or email or anything as well.

Perfect. And as you said, you're going to be wandering round, so if you want to speak to Johnny, just walk up to him. I think you did say you're going to be listening to Simon's talk next anyway, so he's going to sit on the bench. One of the things that you said actually segues quite well into what Simon's going to be talking about, and that was the communication side of things. From working with a lot of testing companies and a lot of testers, it is something which I feel can be improved upon at times. Simon has been doing it a lot longer than you, Johnny, which you'll see from his look when he gets on stage; no doubt you'll be able to tell he's got a lot of experience. He's been there, and one of the key things that he knows about and talks about is communication within security testing and within professional services as well. But thank you very much, Johnny. Are you at the actual event tomorrow?

Yeah, I'm hoping to come over.

Perfect, well, I'll see you tomorrow, because I know there's a few people here in the auditorium listening to you who'll be there as well, so you can always ask him some questions tomorrow. We can come and ask you questions in person tomorrow as well. Cool, fantastic, thank you very much, Johnny.

Thanks, everybody.

Yeah, throw some confetti, there you go. Perfect. So next up we've got Simon Chapman, who I can see is already next to the stage. He's looking forward to this, he's excited. Again, I'll leave you to do your full introduction, but as I said, people will be able to see your experience just from your video there, Simon.

So is that a compliment? I think that's a compliment.

Yeah, take it as one. Right, I'll pass over to you, Simon, to take on the next talk.

All right, cool, thanks Lee, and thanks Johnny as well. I enjoyed your talk, and I know we haven't collaborated on our particular respective talks, but there is a bit of overlap really with what I'm going to talk about. In fact, before I start talking about it,
when I get the slides up, that would be good. Let's try that one. Okay, does that work? Yep. Let's just see if I can get the presenter view up in the right place. Okay, that looks about right. There we go, we'll go back one.

All right, so I'm going to talk about communication skills broadly. My background is in offensive security, so I've spent the last 25 years, I guess... that's why, there you go, that's what the face of a man who's spent 25 years in offensive security looks like. The thing that I've learned during that time is that although technical skills are obviously important, the longer you're in the industry, the more you realize there are other things which are actually just as, if not more, important, and I'll hopefully go into the theme of that a little bit more during this chat and explain why that's the case. So I spent 25 years leading and building offensive security teams, and I currently help other pentest companies do the same thing, basically, but with an emphasis on those communication skills. There are two parts to it. Contents: I call it contents, just call it the contents. We've got two sections: we've got the fooling yourself bit, which we'll talk about now, and there's the rocket science bit later on, which hopefully will all make sense as we go forward.

All right, so the first part is about fooling yourself. When we're communicating with our clients, with our colleagues, whoever, we work in an environment in cyber generally. I'm not focusing particularly on offensive security here, so those of you who are not necessarily interested in offensive security, pentesting, whatever else, this presentation isn't specifically about that. It's general to the subject of working in an environment where there's lots of complex ideas being bandied around. But we tend to fool ourselves when we don't really know what's happening properly, where we think we know what's going on, but we've kind of pressed the button and we've seen something happen and we've kind of assumed that's actually what's happening, and the fact is that's just not always the case. This quote from Richard Feynman probably sums it up far more eloquently than I can: "The first principle is that you must not fool yourself, and you are the easiest person to fool." When we're working in things like offensive security, we'll make findings, things like SQL injection findings, or there'll be some observation we've made, and we may well take that first observation as being, oh yeah, that's what that is. I work with pentesters all the time, and they'll show me a finding, and the finding will be, look, I've got this unauthenticated SQL injection issue. And then when you look at it really carefully, it's not actually unauthenticated; there's actually something else going on, there's actually some other token being passed which is authenticating the request. So what turned out to be a critical, ultra-serious finding is still significant, but not as significant as originally thought. And once or twice in your career, well, you will go through in your cyber career one or two instances where you burst into the room and say, my God, guys, I found something amazing, and it just turns out not to be the case, and that's a humbling experience. You can listen to people like me talking about this, but it's not until... okay, okay, so where were we? We're talking about... there's so much tooling in the environments that we work in these days that it's very hard sometimes to work out exactly what is going on. But the truth is, if we're being a bit hard on ourselves, maybe we shouldn't be too hard on ourselves. Cyber is hard. The subject that we're all interested in, that we're talking about, the field that we're all either in or looking to get into, is tough. It's very wide, but it's not very deep sometimes. In offensive security, well, in all spaces, you sometimes find you have to know a little about many things, and it's sometimes a bit of an expensive luxury to know a lot about just one thing. You sort of have to be a bit of a generalist, and people expect you to be an expert even if you don't consider yourself an expert. Here's that imposter syndrome thing being tweaked again, but the expertise is nevertheless expected of you. And of course, we all want to please people; you don't want to look like an idiot. And yet sometimes you find yourself in a situation where, for whatever reason, you're at a disadvantage.

I was remembering a story when I was writing this slide about a time that I was asked by a well-known bank to contribute to a project. It was a cryptography-based project; there was a security discussion going on, and I was doing some testing on some infrastructure to validate some controls they had in place, some payment-based system. And I went to a meeting with the client, and there were a number of people in the room, and I was talking to them about, to cut to the chase, random number generation. Now, I'm not a cryptanalyst, I'm not an academic, but I kind of thought I knew a few things about random number generation and its effect on the security of the system we were looking at. So I launched into this great lecture about random numbers and how random numbers are not really random numbers, and strategies for defeating that, and all sorts of things, and predictability. Anyway, I went on for about five minutes or so, and then there were two guys opposite me, and after I finished, they sort of looked at each other and then looked at me, and they said, well, that's interesting, Simon, but you know, during our PhD research into this, we've done some analysis and we think we've got some answers. At which point, of course, I realized I had completely overreached and sort of embarrassed myself in front of these two guys, who were effectively complete and utter experts in this field. And because I didn't have that situational awareness, I just kind of blundered in to tell these guys all I knew about random number generation, which of course was pathetic and insignificant compared to the knowledge that they had.

So you have to know your audience, it turns out. And again, this is one of those things that's part of the communication strategy: knowing who you're talking to in the first place, whether they're people that need all the detail, some of the detail, or they need an interpretation or a summary or whatever else. So we have to know our audience. Now obviously, I'm trying to use humor in my own inevitable style, but there's a serious point here, and that's because there's a lot of this in our industry, the cyber industry generally and specifically in offensive security. We find ourselves not necessarily being sympathetic with our audience, and imposing our view upon them and talking down to people.

Another story is where I was explaining to a client, a different client this time, about a web vulnerability I had spotted during a test that was being conducted. This was going back a few years, when it was very common to go back on site and have a wash-up meeting face to face with the client; such things are less common these days. But I thought that this was an indication that there was pretty weak security awareness amongst the developers, and that some of the mistakes they'd made, in my humble opinion, were pretty elementary and ultimately could be explained by just poor training and poor awareness. And I could have banged on about this for a while, and again, I didn't really know who I was talking to. I did not know my audience. The person who I was addressing was in fact the head of development, and they were the person who commissioned the test in the first place. So quite apart from me supporting the process and supporting the client, I was actually embarrassing our sponsor, effectively, by telling him how bad the developers' security awareness was. So again, lack of awareness and lack of empathy was ultimately my undoing on that occasion. I have to say at this point, though, when you tell these stories and you sort of tell people about the mistakes you've made in the past... I talked to my wife about this, and she said, why are you telling people this? They'll think you're an idiot. Well, I mean, yeah, people may think that in any case, but this is over a long period of time, okay? These are not mistakes I make every week; this is over many years. That's my defense.

Okay, so how do we do good explaining? Well, I would say that how we do good explaining is, first of all, focus on grammar. That's an oldie but a goodie. I think much of the material that we communicate to clients is in a written form, whether it's an email, a report, or whatever else. Writing is critical to any mode of communication, so that's one of the basics you want to get sorted out. Okay, no points for guessing that good grammar is a good thing, but the other things are empathy, self-awareness, context, and obviously technical understanding. I've already shown you examples of how my empathy and self-awareness let me down by not knowing who the hell I was talking to and straying well out of my depth in terms of the audience. But there's also context, and that's something which we'll explore in the upcoming slides. But before we do that, we'll divert slightly. I focus on some surprising truths, and this is something actually Johnny sort of touched upon, perhaps he didn't realize he was doing it, but there's a bit of an overlap on this next slide. Before I get to that, it's just worth remembering that in our industry and in the cyber world, there's a lot of technical knowledge, and we give that priority sometimes when we're communicating with clients. But without the other parts of the picture, the self-awareness, the empathy, the context of what you're talking about, then the knowledge sort of gets in the way of the message, and that creates a division between you and the client. We've all been in situations where the client is kind of looking at us, either disagreeing or not understanding us, and we're getting more and more frustrated by that, and the relationship is becoming difficult. And that's a cause of stress for us as well. I have this secret... not a secret, I have this idea that there's a lot of stress and burnout, particularly in offensive security, and I think perhaps one of the reasons for that is because of these communication issues: that there's a frustration on our side that the client just doesn't bloody well get it. But that's not always true; maybe we're just not saying things in the right way. So maybe the benefit of all of this communication clarity is to make your own life easier and a bit less stressful. Everyone can get behind that idea, I'm sure.

So here's the surprising truth section. This is one of those things when you start off in your career, and this is a good thing, I'm not going to criticize this, you
like to think you're trying to make the world a better place, you're trying to help people and so on, and these are all fine objectives and ambitions, and indeed there may even be truth in that; we may actually be making the world a better place through our work. But often the way that's perceived by clients isn't what you think; there's this mismatch. So on the left and right there, you can see quite clearly the client perceptions versus your perceptions. How many of us have been in a meeting where you're sort of banging home a point, saying, I'm providing as much detail as I can, and it's just rolling off the client's back like water off a duck's back, and the client's just thinking, this doesn't have to do with me, this is not my problem, this is an IT problem, this is a third-party supplier problem, this is not me, I don't even know why you're telling me this. And the same again: you're explaining stuff which really enthuses you, you're like, oh, this is so... you guys, I've found this amazing exploit, look at the proof of concept I've put together, and the client's just going, nope, didn't ask for that, that's more than I wanted, you're over-delivering, you're giving me a problem, you're making it harder. And you're coming back and thinking, they're gonna love this; when I show them this, they're gonna go, thanks guys, thanks so much. But the client is thinking, I just have so many other things to be getting on with; this is just far too much information. And again, you're thinking, I'm really helping them here, and they're thinking, we're just going to do the minimum. And then the big one is where you go in and say, this is a really important finding, you need to address it, and the client says, no it's not, that's just not a priority for us. So you can see that because of this mismatch, and perhaps because of the way that these things are communicated, how that stress can happen and how that dissatisfaction can happen. And it's not something you see coming until you've experienced it a few times, and then you just think, why are clients so stupid? Why don't they understand the severity and the importance of what I'm talking about? And this is why: because they just don't perceive it the same way.

Okay, so let's talk about context for a minute. Context is one of the things we talked about in the slides earlier which are important in terms of how we communicate: in my little part of the world, offensive security, how we communicate maybe a vulnerability or a finding, but this could be anything. This is a generalized, abstracted idea about an issue that has been located, and it's entitled "a small fire has been detected". So you might think to yourself, a small fire has been detected, that's cool, but the context is in the picture: there is a small fire, it has been detected, how severe is that? We can all say quite clearly it's not that severe at this time; it's pretty much contained. Is there any danger of it escalating? Possibly; somebody might not like the way that woman's singing and smash a guitar into the fire or something, so there's that, but that's very unlikely, and in reality it's probably all cool. So the context tells us that this isn't really a particular issue, and that's something which we can think of too: are we aligning the findings with the client's operating model and their risk appetite and so on? So you need empathy there to understand that. So let's take the same finding and take it into a different operating model. Here's a different operating model. So now we've got the same finding, the same terminology has been used, the same finding: a small fire has been detected. So now we have a wholly different kettle of fish. I know this is a slightly silly example, and it's sort of overstated, but it's designed to super-simplify and illustrate the point: it all depends on the context. The same finding, small fire detected, right now in this context, in this operating model, that's a massive issue, and everybody that's an executive in this situation, the people in front there, need to know about that immediately and act upon it. So there we go, so much for context. But as you can see, the same finding, just because it's a SQL injection, that's not automatically a problem. It really isn't. I know it's hard to hear that for some of us in offensive security, but it really isn't. Just as an aside, there's a point at which the client will tell you that actually this isn't an issue for us, you can ignore that, you can take that out of the report, I don't need to see that. So then you're presented with an ethical dilemma about reporting things, and this is another presentation altogether, about the ethical angles of communicating findings and when you should simply ignore the client and report things anyway, or whether you think, yeah, okay, we'll take that on the chin, that's not relevant, we'll remove it. That's for another time.

Okay, moving on. Time's moving on swiftly, isn't it? Here's another context one. So, confession: this is something I did put on my LinkedIn a while ago, so this is not completely fresh content, but I liked it more than everybody else did, so it's going in here right now. This is about context. So the context here is to ask the question: spot the odd one out. I can't do a show of hands because I can't see them, but I'm guessing if I asked you which the odd one out was there, most people would pretty quickly identify the clown soldier as being the odd one out. That's okay, but that's because we don't know any context, or we've assumed a context. In reality, we can never assume context; we have to learn it, and we have to empathize, and we have to pick up on exactly what the situation is. Because when we apply context, suddenly we realize, oh, actually, no, this is not what it seems: this is clown combat school. The only guy that's turned up correctly dressed and prepared is the clown guy; everyone else has missed it, did not get the memo. I know what you're thinking: a fairly ridiculous example, but sometimes ridiculous examples serve to prove a straightforward, simple point which in reality is quite subtle and hard to see. It's very easy to see here that the context has shifted; we don't always get that black-and-white, straightforward comparison in our own work. We have to work at it.

Right, so the last slide in this section. Here's the thing: when I was doing this presentation, I downloaded this presentation pack from PowerPoint, and there was one slide, this slide, that was just in the default Microsoft one, I haven't changed it, and I just thought, oh, look at that, that's an actual slide that actually fits what I was going to say. What are the chances of that? So there you go, thanks, Walt Disney: the way to get started is to quit talking and begin doing. Let's move to part two; the clock ticks.

So, episode two: it's not rocket science, unless you're a rocket scientist. So the whole time I've actually been paraphrasing Albert Einstein. I think if you're going to quote someone, or you're going to model your ideas on someone, it may as well be someone with big ideas. But the point I'm making here in this second piece is that our industry, I think, can learn quite a bit from other professions and other disciplines, and in particular the science community generally. Albert Einstein gave me the inspiration for the title of this talk, and his quote is, I think, fairly straightforward and easy to understand, which in itself sort of proves a point. But we can learn more about effective communication from people who are very, very expert in their field and know things to a level that most of us don't. Some examples: we could always think of people who are good communicators. The point of good communication from a position of expertise is to inspire people; you're talking to them, you're not talking down to them. And one of the other mistakes that happens a lot is where we assume that the audience is stupid, and the fact that they're not an expert in your field means they don't deserve to understand this, they're not worthy of understanding it. You might not think that exactly, but that comes across in the way I hear a lot of people explaining technical concepts to people who are not technical. If you look at the examples of people here, these are all people who are highly, highly qualified, accredited, and experienced in their field, and yet we know them from TV and from programs where they've communicated very complex things to us. When I listen to these people speaking, I feel like I've understood something. I don't know anything at all about planetary science, archaeology, criminal forensics, but when I listen to these guys presenting, I feel like I've learned something, and that's what we need to aim for: the point at which we feel like we've educated our users, not in a preachy way, but in a way that makes them feel like they've learned something from the conversation.

Let's move on. Here's the thing: summarizing. I can't have a conversation with anyone these days without somehow mentioning AI. Yeah, I know, I felt the collective groan coming down the wire. I'm not going to talk about AI any more than what's on this slide. However, I would say that for me personally, one of the things which I use ChatGPT-4 for, to great effect, a lot, is summarizing stuff. It is absolutely superb: if you ask it nicely to summarize things for you, it does an amazing job, certainly a great time-saver. I think it's the most useful daily application, certainly in my experience. Do ask it, though, to summarize things in a different style. I like the Charles Dickens mode; it's very, very amusing. Have you ever heard Dickensian English used to describe cross-site request forgery? It's amazing, it's beautiful, absolutely beautiful. But all this comes with a warning, though. As we all know, with AI, it's okay if you want it to carry out tasks that you haven't got time to do, or give you insight that maybe you haven't got. But if you don't know what you're asking, if you don't understand what you're asking it for, then it will replace you, ultimately. There you go, there's my talk on AI: if you don't know what you're doing, it's just going to replace you. The only thing we've got left as humans is empathy, self-awareness, and context. Those are the things that AI is still perhaps not quite ready to replace us on yet.

So I'm going to start rounding off the presentation now with something which, if anyone's worked with me before, if anybody knows me from work life in the audience... AC/DC. I'm not necessarily referring to AC/DC the band, but there's a little mnemonic thing I came up with some years ago, which is actionable, correct, defensible, and clear. It's just a checklist, something to leave you with, I suppose, something which I always ask people when they're QAing reports or writing reports: just use this as a little list to help yourself double-check that your communication is hitting the mark. So, does the client, does the reader know what to do? When you have given them a recommendation, have you given them clear guidance? So, clear: is it in plain English, or the appropriate language? Is it unambiguous in that regard? Is it technically correct? We talked about fooling ourselves: have you actually made a mistake fundamentally within the technical aspect of what you've reported, which means that what you're saying is just wrong? And lastly, but not leastly, probably the most important one: is it defensible? Everybody in this audience who is, wishes to be, or will be involved in some kind of cyber career will at some point have to defend their work to a critical audience, and this will be a peer, it will be a client, a courtroom, somebody. It will happen to you. And defensibility is the moment where you think, right: can you justify your finding? Can you justify why you said that, and what the recommendation was, and why you recommended that, why you did or did not do something? That's something which is hugely important, and I could tell you about that all day, but you'll have to experience that for yourself. Sorry, if I could bottle it and sell it, I would.

Okay, so we're coming up to the end, so I'll wrap it up. I didn't get ChatGPT to summarize this, because I sort of... I should have done, I should have followed my own instruction. It's great at summarizing stuff, but I didn't summarize it. Okay, I'll summarize it for you using my own brain. Understand that you can be fooled; try not to fool yourself. Have empathy with your audience, and always give thought to the context of your discussion and what you're saying. If you have those things in mind, then your communications are likely to be more effective, more defensible, and hopefully your life will be just slightly less stressful, or you can reserve it for other things that are stressful. That's it, that's the end of the presentation. If anyone's got any questions, I will be delighted to answer them, or I'll be hanging around anyway if you want to catch up and chat about something. So thank you very much.