
Good morning, I'm Janice Squil Paro. I'm the other co-organizer of BSides, and I have the pleasure of introducing our first talk. Before I do, let me remind everyone that we have turned off chat so as not to distract the speakers. The way that you can interact with them with your questions is to use the Q&A feature that you'll find at the bottom of the Zoom screen. So that's where you can leave questions for them, and then they can answer you during the talk if they want, or near the end. So I'm going to get Ashwini started. Our first talk is "Hacking into the Pyramid of Resistance Against Security Initiatives." This talk is by Ashwini Siddhi, and I would like to welcome you, Ashwini.

Hey, thank you so much. Hi, all of you. So let me begin by sharing my screen. Please let me know if you can see it.

I can see it.

Awesome, yeah, all right, that's great. So hi, all of you. This is not a technical talk as such; this is more of how we can work with security as a strategy, right? So it's interesting; it's based on my experiences, so let's talk about it. And even before I really want to talk about these security initiatives, I really want to talk a little bit about myself. So I'm Ashwini Siddhi, and first and foremost I'm really excited to be here. It's my first time at BSides Austin. And what do I do, right? I do all things threat modeling, primarily threat modeling, for the data protection suite of products from Dell Technologies. But like a lot of you, I do get distracted and I get involved in other areas of security like ransomware, supply chain and privacy, right? I'm sure all of you relate to it if you've been in the industry for long. I think we all have our fingers in different pies.

So if you're somebody like me who's been in the industry for long and who can relate to this, I'm sure this talk is also relatable in the sense, right, let's say we've been involved in some work for a really long time, let's say threat modeling. Threat modeling, because that comes naturally to me and I'm so constantly involved in it. Example: so I work with different products and I've been asking them the same repetitive questions, right? Like, I know they use tools, tools generate results, etc., but to do a holistic threat model I always ask them questions above and beyond what the tool has to offer. Example: like, is your design logical? Is it simplistic enough and still achieving the objectives, business objectives? Questions like that, right? And I realized I was wasting a lot of time asking these questions to each and every product, each and every release. Obviously there had to be a better way of doing it. It could be in the form of a spreadsheet; obviously it came with its own pros. Or it could be building a questionnaire, a web-based questionnaire where everybody can log in and pre-answer so that I don't really have to go back to them and ask. So this is just one example of a security initiative where we're talking about improving a process, because we've been there for such a long time and trying to make it better, right? But it could be a small thing, or it could be something as elaborate as starting off a complete supply chain security program. It could be anything in between too; it applies to all of these areas of the spectrum, right? So that is what a security initiative would be called, and I'm sure a lot of us identify with it.

See, it's like, yes, I have an idea, and sure, this has to be taken to the table, our leaders need to be hearing about this. So we put this in a paper and/or a PPT and we make it look fancy. We set up a call with all the important stakeholders, we get all of them on a call, we're really excited, we go onto the call, and blah blah blah, this is the best idea ever, this is why we need it, and you go on, right? And people listen to you patiently, yes. And if it's a great organization like mine, I mean, I've set up calls with my boss n number of times with n number of ideas, and he patiently listens to me all the time, right? So if it's a leader like that, I'm sure you're going to get a lot of time to put out your ideas. But what happens after you put out your idea? Most times nothing really happens. People say, yes, you know, you've done a great job, you've actually thought about something which they didn't think about, so it's great. All of that: you get the kudos and "good job," but nothing really happens after that. There is no follow-up, there is no action item, there's nothing coming out of it, right?

So if you're used to this, most probably you'll just get back to work and continue doing what you were doing, like every day. No change, right? You're not improving any process, nothing's being done, things just carry on as is. But if you're the overthinking type, then, you know, more often than not you're going to judge yourself, and if it becomes a repetitive process that none of your ideas are accepted, you also might begin to second-guess yourself. You might wonder if you're in the right place, and then things go downhill from there. So we don't even want to go there, right? So I think with this talk you'll have a fair idea about what we can do to know how we can get there: how we can get our security initiatives out there and make it happen. Not like right away with a bang, but maybe eventually we'll know how to get there and make it happen.

So to make it happen, what is it that we need to understand? We just go back and think, okay, I presented my idea to leaders but the leaders said no, right? I don't understand why they said no. That is a typical response when a security initiative does not get accepted. That's not always the case, because resistance to an idea comes in three different levels, right? I mean, at least in business strategies and business schools there's something that is defined as a pyramid of resistance. So this pyramid of resistance is not necessarily applicable only to security initiatives; it can be applicable to anything, right? In development, in business, in a country where a government rolls out new policies, etc. So it can be applicable for any given scenario. Anything new that is introduced as a policy, a tool, a rule, is always going to be met with some amount of resistance. But for all practical purposes in this talk, I think let's limit this to security initiatives.

So the pyramid as such talks about three different levels. The lower level would be "not knowing," and then we have the "not able," and then at the top would be "not willing." Obviously you can come back to me and say that, you know, it's interchangeable, I don't agree with the order, all of that, but this is the standard definition of the pyramid of resistance which is defined for business strategies. All right, so in our case what would "not knowing" be? Not knowing would be that somebody does not know why it is that we want to initiate something new, how, what is the value that it is going to bring to them, right? So that is not knowing. And "not able" would be that maybe somebody is at a level where they can actually understand things, but they certainly don't have the capability or bandwidth, etc. And leadership, I just wouldn't say leadership, but at least at the top level, is "not willing" because they have other priorities, etc.

At an individual level, right, most people are focused on what they have to do: deliverables. Sadly, the security domain has a lot of, we've always heard of resource crunch and all of these issues, right? People are generally overworked. It's something that's been talked about, and people tend to focus on what is their goal for the year and try to stick to that. It's very few people who tend to step out of their comfort zone to achieve something. So that is a barrier at an individual level; that might be the reason a lot of people would say no to anything new that is being introduced. And also there's a psychological barrier. All right, so, example: when I come to you and say that I found this really cool tool, it automates everything, it uses AI, machine learning, so you don't really have to do anything manual, let's say threat modeling again, right? You don't have to do anything manual for every release; you can just feed in your design for one release and from there it uses AI and ML and continuously takes care of things for you. Would people be excited, despite all the promises that it is making? Not always, right? Maybe there are some people who are willing to experiment, but most of them would have a psychological barrier against something new. It's a natural human phenomenon, and this is one of the things that adds to the pyramid of resistance. So that is at an individual level.

But what happens at the program level, right? This is where our mid-level leadership comes into the picture. The program has other priorities. Let's say you come up with an idea in the middle of the year; for the given year we already have our goals very well defined. I mean, if you're an organization that works with OKRs and your goals and strategy are very well defined, right, you already have things that you need to achieve for the year. You're certainly not going to move things around to right away introduce your security initiative. But yes, I mean, if things work out, it can be added to the backlog to pick up the next year. So there's always other priorities, and things might not happen when you want them to happen, right? And also there's a bit of comfort zone. Example: people use an open source threat modeling tool; they download this tool and use it. They're comfortable with it because they've been using this for like 10, 15 years now, and they just don't want to move out of the comfort zone, right? This comfort zone is giving them results. Yes, it has some manual effort involved, but they're okay with it because they've been used to it, right? So that comfort zone is there; people are not willing to move out of the comfort zone. And also the leadership, when I say leadership, the mid-level leadership, wouldn't like to change the winning formula. And it's not just about mid-level leadership, it could be anything, right? We have the FIFA World Cup going on; India is so much into cricket; so any of the teams that have a winning formula, right, the winning team members, we tend to stick to it. We don't want to experiment, especially when we are winning, especially when it is working for us. So that is the comfort zone that we all try to align to, and we want to play safe. While it's good to play safe, this comfort zone might also create barriers for new, innovative ideas. So that is the program-level resistance that you would encounter.

And at the leadership level, budgets, right? I really wanted to call out budgets, especially in these times. So you're using an open source tool again for threat modeling, and let's say you go to the leadership and say, I found this amazing tool that follows infrastructure as code, just pulls out models from your existing code and gives me results. Sounds amazing, but you will have to pay the cost of the license, right? For every product there's a license associated. Would you be willing to spend it at this point in time, in this current economic situation? No. All right, so the timing matters, the budgeting matters: how well the cost of this initiative fits into the current organizational expenditure, what it is that they intend to spend for the year, does it fit into it. So the budget is a major barrier, and based on my experience I can say it is the biggest barrier I've seen so far. So we'll have to be considerate about the budgets too, when and how we want to approach it, etc. So I'll talk now about what we can do to work around the budget in the next slide.

And a lot of times we have a culture inertia. This is a very soft power barrier that we have; it is not right away visible, it's not something that anybody would call out. For example, let's say there's an organization that does threat modeling very quickly, right? So they use an open source tool and they draw a diagram, generate their results and say, yes, we're done with threat modeling. Whereas there's another organization that believes that, okay, I don't believe a tool can actually look into my design because my design's very specific and I don't think a tool can do that, so I would like to get onto a whiteboard, collaborate with my people, spend about three to four hours looking at the design and then understand the design-level threats, and that would be my threat model, right? So there are two different thought streams. Organization one is focused on the time, whereas organization two is focused on the depth of it. So there's a culture inertia already associated with it. If you went to organization one and said, I don't like the way you do threat modeling, it's too quick, you might want to change something, the immediate response would be, no, that's not happening, right? It affects time to market and time to release; all of these fair enough reasons would be heard, right? So culture inertia is something that we have to keep in mind, though it's not very obvious.

One of the other examples that I can think of for culture inertia, very relevant, right, it's also about the type of organization that we work with. There are organizations with an extremely restrictive work culture, like, you know, they track every minute of the day, what it is that you do every little hour that you spend on, when do you log in, when do you log out. But there are other organizations that are very flexible, all right? And when they say flexible, they don't even define working hours, right? You can log in whatever works for you, whatever time works for you; obviously you need to spend that minimum time of hours. But in such an organization which is so extra flexible, right, you go and suddenly tell them that, you know, I don't think I would like to allow these people to get in their own devices into the organization. It would be met with a lot of resistance because it just does not go well with the culture of the organization, right? So it's really important to keep in mind how our initiative aligns with the culture of the organization itself.

So this is what the pyramid of resistance looks like, and more often than not a combination of all of these actually stops the progress of our initiative. But not to worry: there's a pyramid of resistance, there's also a pyramid of influence around it, right? So there's always something that we can do about it. A lot of us have worked around it. You must be wondering, right, okay, I presented an idea but it didn't work, my boss said no, but my coworker presented an idea and it was immediately accepted. You must be wondering, how did this person do it? How did it even happen? It's not partiality, right? That does not happen in business. So what is it that worked for your coworker? What is it that happened with the other idea? Probably, knowingly or unknowingly, this coworker, or the one who presented this idea that got accepted, worked through this pyramid of influence.

So what does the pyramid of influence look like? It starts at the top of the organization with the leadership. So what do you do here? We spoke about culture inertia, right? So your idea did not fit into what the organization believes in, what the mission of the organization was, etc. So it's important for you to ensure that the idea that you're proposing is in alignment with the organization. Example again, right: your organization is all about cloud now, providing services, etc., over the cloud, which also means things are more agile and maybe you have releases every week or every two weeks. And during such a time you go and say that I have this amazing idea of doing threat modeling not just for security but for privacy, for compliance, all together in one, so that we shift it left completely at the design level and save a lot of man-hours at a later time, and probably have a tool around it too, right? It's an amazing idea; yes, we should all be doing that. But does it work really well in the context of the organization? Doing all of this, if not planned correctly, would easily take a week's time, and you have a release timeline of two weeks, right? Is it really aligning with your organizational goals? No, that's not going to happen, right? So you need to have that vision to understand what the strategy of the organization is, what it is that we're trying to do, what the overall goal of the organization is, and ensure that any given initiative always ties back to the bigger vision of the organization. And that is the first step that we will always need to align with, right?

And what after we've done that? The leadership most times understands numbers only, right? It's all about KPIs and metrics and costs, and we also spoke about budgeting. So what do we do in such a case? Maybe you don't really know; you know, your leadership might come back and say security is not revenue generating, so what am I to do here, right? You just don't drop your idea. So what do you do? You understand the cost that you can save from the breaches that happen if you're not doing this, or you can highlight the time that you're saving with all of these activities by introducing this initiative and call out how the time to market has improved, right? Or you can also call out how this ties back to compliance or legal and what is the cost you can save in terms of litigations or reputation, etc. So showcasing in such numbers, or a combination of these numbers, I wouldn't say put an exact number out there, but some sort of a projection out there, I think it'll speak well to the board and you'll have good reception, right? So it's important to align your vision as well as call out these benefits of your initiative. You cannot just tie back your initiative to the very specific problem that you're talking about; it has to tie back to a budgetary scenario, either about money, either about saving your reputation, or about time to market, etc.

So once you've done all that, you know, done your homework, put in a PPT, aligned and presented to everybody, what do you do next? You get a sponsor. And when I say a sponsor, I don't mean monetarily a sponsor. Yes, your organization has to monetarily sponsor your initiative; it's not necessarily that when I say monetarily it means only a tool. It can also mean that you need resources in terms of, let's say, developers, contractors, etc., so you might need to spend on them, or even time, etc., right? So that is a different kind of sponsorship. But when I say get a sponsor, what I mean is get a sponsor who can support your idea. See, it's important to remember that in the corporate world, unless it is popular to support you, nobody is going to support you, right? So you have to find that somebody who's popular who can support you; only then will your ideas gather steam and then get spoken about a lot more and then get percolated much further down the pyramid. So get a sponsor who believes in your idea as much as you do. And it's not easy, right? It's not as easy; I would say alignment with the vision is much easier than getting a sponsor, because getting a sponsor requires courage, right? You need to believe in your idea, you need to have trust in your idea, and you need to know that you are the [expert] in this area and this idea can really work. And there are times a lot of people will not see or have the vision that you have; they're not able to see as far as you can. So you need to be confident about it and get a sponsor, and get the sponsor to believe in your idea too. And once you've done that, I don't see any reason why your idea would not be accepted, right?

So you have your idea accepted and then you get down to the senior mid-level management, right? So what do you do here? Here it's important to initiate and drive actions. Yes, you've got the go-ahead for your initiative, but you just can't go ahead right away and, you know, start rolling things out immediately, right? You will need to create a POC, a small bit, and see if it works, and then probably do things in a phased approach. But even before that, right, when you initiate and drive actions, it's important to know that an idea completely depends on people. You might come back and tell me that, no, I'm technical, right? I'm a security pro, I'm an expert in this area, I don't need to be managing relationships. But sorry to say, a wake-up call: any job after a while is about managing your stakeholders. It's about managing people. It's not that just a manager manages people, but all of us after a given point of time need to manage our stakeholders and need to manage relationships. And the best way to do this is to create a core team, right? So let's say you're building this tool as a security engineer, for whatever reason, right, doing threat modeling or maybe you're automating your testing, etc. You build a core team, and what do you do with this core team? So this core team should have representation from all of the important stakeholders. When I say important stakeholders, it could mean your managers, it could be end users, it could be end users from different sub-organizations within the organization, etc. So get all of these people together, create a core team, have a regular cadence, talk about action items, etc., and most importantly assign activities to each of these people. It's important that there is some sense of ownership in each of these people. It's a small trick: when you get people to own things, they actually go about doing it, so they have invested in the effort and they own that bit of it, so they're always going to be vocal about this idea and they're always going to talk pro about it. It's a strategy that a lot of governments use too. Sometime recently our government rolled out a policy where every person had to contribute something, and every person who contributed to this policy had only good things to say about it; it was the people who didn't contribute to this policy who had doubts about it. So the minute you get somebody involved, the minute they are invested in it, they are going to, most probably, be towards or be for the idea. So it's good to have people that always talk about how good the idea is, etc., so they get things going; you get to do your POC, all of that.

But it's always important to have one devil's advocate on the team. All right, I always do that; I always have one devil's advocate on the team. So these are the people that are completely against the idea, right? And they ask you questions like, you would be like, okay, why did I even come up with this idea, why did I even take up this job, right? So they make you think a lot, but it's important to listen to them because they might give you the most critical feedback, and the devil is in the details, right? So this is what will make your initiative much finer; this is what will make your initiative much more applicable across all spectrums of users, users whom you hadn't thought of, finer details that you hadn't thought of. So it's important to have this devil's advocate, but also keep in mind, right, this person can stop progress completely, because you're so focused on doing the final things of your initiative you might completely miss out on the bigger picture. So it's about achieving the balance. Keep in mind that perfection is the enemy of good, so don't try to achieve perfection for your security initiative right away. Get a POC going, get feedback and prioritize it, and then start applying it to your initiative, and then divide the rest of these into different phases. The first one has to obviously be the MVP, the minimum viable product, which is just sellable, right? The basic structure and the core of it is ready, after which you apply the P1 or the P2 related activities around it. So that is how you would put the roadmap to initiate and drive actions.

And one other important thing you will have to keep in mind is that you have a core team, and there can always be scenarios where they're not always agreeing to a single point, right? Person A might say, I like this idea; person B might say, I don't like this idea. But it is up to you to show ownership and take a call: yes, I will decide on what goes in this. So it's not about a one-man show here, but it's also about taking ownership, right? Ultimately the buck stops at you; you are responsible for it. So taking that ownership is really important. We all like to be democratic, we want everyone to be heard, especially in a core team, because we feel like they're part of a team, all of that. But as long as you don't stand up and take ownership, things might just go here and there and you might have many different ideas to work with. So that is with initiating and driving actions.

And once you've done that and you have a basic structure ready for your idea, it's important to go back to your end users. All right, so where you effectively communicate with them what it is that you're trying to do with this initiative, right? Because they have no idea, because they're so focused on what they are expected to do and they're completely overworked and they have a psychological barrier, remember? So it's important to drive effective communication. If you have a communication team, work with them, draft communications appropriately, review them multiple times and then send them out. And also create trainings for people, right? Don't expect that you get onto a call, give them a demo, and they're going to be awesome at it the next day. You might find it easy because you've been thinking about it day and night, but it's not the same for the other people too, right? People have different degrees of how they can scale up to something new, so it's always good to have a training created and shared with these people.

And once you've done that, right, it's always important to connect the dots back to your leadership at the higher level. Go back and show them the results. If you are not showing the results, things might not progress. Your initiative is a continuous improvement; it's not that you start right away and stop immediately. Things don't work like that, right? You have divided it into phases, right? So how do you get the funding, how do you get the support for it in a constant manner over a multi-year tenure? You tie back your actions as results and you show it to your leadership to say that, okay, this is what you've achieved and this is what you've been doing. Showing results and closing the loop becomes really important in your pyramid of influence.

And two things that I have not really called out here: one is the power of storytelling, right? That is really important across all of these stages in the pyramid. When you're highlighting a problem to your leadership, the problem has to indicate the pain that is present. If there is no pain that you're solving, if there's no problem that you're solving, your initiative does not really matter, right? You will have to highlight the pain that is caused and clearly call out a problem statement and the objective for your initiative. That is important. And the second tip would be the power of deliverables, right? It's important to go back and tie it as KPIs and metrics, so always try to KPI and metric your initiative, so that gives you an added advantage over any other initiative.

And last but not the least, at the individual level, right, where people are like, oh no, another initiative, I think you should try to reinforce beliefs and experiences. And how do you do that? When you go to talk about your initiative as a training or as a demo, don't always make it about a technical talk, right? I know we are security, so we tend to talk a lot of technical stuff, but always have a backstory associated with it, right? The messaging has to be emotional; it has to connect at that point, right? You'll have to talk about what was the problem that you faced and why you worked around this and how you came about it. You might be inspiring somebody else to work around this pyramid of influence too when you talk about your backstory, and that's how organizations grow and that's how organizations do great things and innovate stuff. So always ensure that you add your personal backstory when you're reinforcing beliefs, and that gives an additional edge to your initiative, to your persona and to your reputation at the organization. And that's how you would make changes happen in your organization. So that's all I had about how you need to work around your security initiative. Any questions? I'll take them, or I'll wait around the Discord channel too for questions.

Thank you, Ashwini, thank you very much for your experience that you just shared with us. Unfortunately we're out of time for live questions, but we have a channel set up in Discord just for this talk, and Ashwini has agreed to head over there next. So if you have a question for her, if you'd like to discuss this talk with her, please head over there. There was a question in the live Q&A that someone left, so please head over there to ask it. And we need to get started on the next talk, I'm so sorry, but thank you so much.

Thank you. Okay, thank you.

Okay, so we're going to transition. Give us a moment, please.