
Small and Mighty: Making Security Happen

BSides Seattle · 22:10 · Published 2024-07
Style: Talk
About this talk
Speaker: Chris Honda (@dome.onchonday)

A well-staffed, well-funded team is the dream of every security practitioner, though it is often not the case. Competing business needs mean that security teams have to wear multiple hats, take on extra projects, and turn down good initiatives to focus on necessities. Despite some of the difficulties that come with small teams, this is a great position to be in. With limited resources and a solid plan, you can make opportunities to develop relationships and get security done effectively. In this session, we will: 1. Identify strategies for building strong relationships throughout your organization that will support your security program, 2. Learn how to approach risk management in a balanced manner that encourages cooperation instead of fear, and 3. Discuss strategies to find scalable solutions to problems that won't break the bank.
Transcript [en]

I'm going to start by saying there are way too many of you around here, which is very great. Thank you for coming. We've got a beautiful morning at a beautiful place. Also, I'm really sorry that you chose to see me. I'm just going to tell you that ahead of time, a couple of times. But also, thank you very much. This is "Small and Mighty," right? Making security happen in a small security team, which is also the part that makes me sad: there are so many small security teams. I feel like the more of us there are in a team, the better. So maybe we'll take some good and fun away from

this and make our teams bigger. My name is Chris Honda. I work at Whistic. I am indeed a goober, and occasionally I do security stuff too. Oh my goodness, as you can tell, I'm also fantastic at animations and PowerPoint, so that's going to be my next career step. This isn't it either. My goodness. No, it is... never mind, no, it's not. Okay, so before we get started, classic disclaimer, right? These are just my opinions. Again, apologies, you're going to hear some hot takes, probably. I'm also getting into the meme-making game. That's actually most of what my talk is, just Phil and me trying my hand at making memes, so please be

kind, please be gentle. If you love them, great. I have links somewhere. But if you don't love them, that's all right, just please be nice. Also, right, we're in the security... we're in the risk and sometimes legal liability game. This is not advice. Also, we're going to try something new. Ooh. And also, a reminder for

me: I'm learning to play... I'm practicing playing catch with my daughter, so I am looking for an excuse to throw candy at you. Please interrupt. I'd love to hear your thoughts, your experiences, your opinions, and I'd love to reward you with some candy, and I mean that. Please, like, raise your hand. So, despite the glasses, my eyesight and my hearing are terrible. The glasses are supposed to help my hearing anyway. But please be loud, wave your hand, say "Hey, you," and I'd be happy to throw you something. So, I am no one of consequence. I didn't make this one, if you couldn't tell. But I

really just like to share my thoughts, share my opinions and feelings on things. I really don't think much of what I have to say, but I love having the discussion anyway. So I have a very, I guess, diverse background in terms of what I've studied, in terms of things I've worked on. I've not really been good at anything in particular, but I just like doing things. I like learning. I like practicing, failing at things, and eventually I find something that, you know, I'm not terrible at. And I like to think I'm not terrible at standing and being goofy. So, right, I wanted to be a band teacher. I lived in Korea and I

thought, well, I need an undergrad degree, let's go for Korean. So that's my undergrad degree. I speak Korean on occasion, mostly at restaurants. It's fantastic. I started at my current company as a software engineer, and I mean... hi Juan, I know you're going to watch this in a minute... I was not a good engineer. So, out of the mercy of my blessed CTO's heart, he let me move over to the security team, start the security team up, and do this fun thing called SOC 2. So I'm now also officially a GRC nerd, if you want to talk about that stuff too. So, all right, those are just things

I've studied. I was a marching band instructor. I'm terrible at selling, as most of you can tell. I was talking with Kate up here, whom I met this morning, and I'm a terrible salesperson; I almost sold her into not coming to this talk. So if I can persuade any of you to leave early, then I know I'm improving as a salesman. And most recently, before I got into the world of tech, I was a broker. I worked for this tiny company called Vanguard doing some stuff with mutual funds and whatnot, and it was really fun, but the work hours will get to you pretty quickly. Right, I mentioned I

occasionally do security things at Whistic, which is a vendor risk management company. Thanks, Whistic, for sending me out here. I love Seattle and I love the folks here. And I'm probably about to lose this crown, but I am the reigning Kahoot champion at my company, so trivia is also one of my super fun things. I come from all over the place, but I was born and raised in garlic country in the middle of the Central Valley of California. So, enough about me. I like to give people the TL;DR in case you decide to leave. Like I said, if I can convince you to leave early, that means I'm getting better at selling. So, the TL;DR of what I'm

hoping to talk to you about is: if we don't have a company, if the business isn't doing business stuff, then we don't have anything to secure. I know, not really that hot of a take, not really that unthinkable, but it's been brought up in enough discussions that I feel like it's worth mentioning as a precursor. Also, right, I feel like we as security people, as risk people, compliance, right, we like to think we've got to secure all the things, and then we quickly realize (a) that's not feasible, (b) it's really expensive, and (c) that means we're telling other people how to do things in ways that sometimes just objectively aren't the best. And then the last point,

and this is where I think I'm going to stir the most angry buzzing remarks, is that, you know what, sometimes if we're at a tough point we've just got to go and do stuff. That means we've got to stop looking for the most automatable solution, stop looking for the easiest path. Sometimes you've just got to roll your sleeves up and try something, and you make it work, right? Or if you don't make it work, at least you learned what doesn't work and you know something else you could try, right? And the doing is what gets things done. Also, money is nice. Money is nice, but it doesn't fix all the things. Right, the existence of

money doesn't fix problems. We all know that, right? Money is great, but... all right. So, some of the goals of being in a security team; we're getting into it now. We like to secure things, right? So part of my personality, and what I'm guessing most of your personalities also, is that we like to feel good about things. We like to feel that we've put enough walls and barriers and rules and things in place that things will go as expected, right? And that's great. A lot of people want that; a lot of people feel that way about life, about their work. Right, we like money for our teams because that means we get shiny new

tools, that means we get extra teammates, we get paid. Payday is always nice. I like eating; I'm going to mention that again, but I like eating. We like feeling helpful. I know that it was like that for me. That's why I wanted to get into the role that I'm in, because I just like doing things. I like helping people and hearing people say, "Oh, thanks for your help on this project, it was really fun, we learned this and that." And I know that's a common trait for a lot of us. And then also we just like feeling cool, because hacking. And

those are all admirable. There are some problems. One of the biggest ones, meaning money, right, the lack of it. So if you were to ask most of you here, I'm assuming because you have small security teams, I'd venture a bet that most of you probably wish your teams were a little bit bigger, whether it be bigger in terms of tooling, teammates, representation at the board or leadership level. And money would almost certainly solve most of that, not all of it, right? We're operating under the assumption that money is nice but doesn't fix everything. So I found, again, and many of you probably know just as well, if not

better, that not having money causes even more problems. From that perspective, asking for money... all right, no, I've got to ask for some crowd participation now. How many times have you gone to your CTO, CISO, VP, someone in a leadership position, and said, "Hey, we need more money, can you just get it for us?" and it actually worked? I'm so jealous. Here, keep your hands up, I want to throw candy at you. One, two... did we all sign waivers? Oh, three more. Oh, there goes my current MLB... one more, all the way in the back. I'm quitting today if you catch this. Oh, oh, oh, oh, oh, I'm [Music] sorry. If that doesn't make its

way back to you, come up and I'll get you one later. I should also mention that I'm not athletic whatsoever. Anyway, and then from a risk management perspective, right, so on top of us not being able to do our own things, usually when we try and get other people to do stuff for us, right, the tendency is "we've got to fix this, or else we're going to be breached, and then the company is going to go out of business, and none of us are going to have any money," something along those lines, right? And that's not fantastic. So as we learned from Michael Scott, right, we want to be feared and loved, or what is it, we want

people to be afraid of how much they love us, something along those lines. The Office was a great show, but Michael had terrible, terrible managerial advice, so we're going to kind of go away from that a little bit. So my proposed solution, and again maybe a bit of a hot take: this is Himeji Castle in Japan. It's well known for being one of the few original standing castles, where it hasn't been burned down or crushed by an earthquake completely, right? So not everything's original, most things aren't original, but it's still standing, which kind of implies success, right? So however it was built, however it was maintained, and also by luck, considering the number of

things that have happened in Japan in the last several centuries, not to mention, you know, the whole World War II thing, it's pretty amazing that a big structure like this is still standing essentially how it was. I can't remember, it's been like four or five, six hundred years, something; it's been around for a long time. And part of the reason why it's attributed to have been so long-standing is... by the way, the image on the left, that is supposed to be a, what do they call it, a skeleton rendering of what it looks like. So essentially, if you were to shrink it down to scale, this is what it would look like in terms of

supports and everything. So there are supposed to be two poles that look like this. Not "supposed to be"; this is one of them. This is the east pole, so "east great pole," something like that. And there are two, one on the east and one on the west side, and it's off of all of this that everything's built, right? So if you look around the buildings, right, you've got a bunch of pillars and a bunch of these rooms which provide support throughout. Whereas, and I never really could see it, I was hoping I'd be able to see it bigger on the projector, but allegedly, assumedly, everything that you see on the left is built on two

poles that look like those on the right. And you're probably expecting I'm going to say, well, security is one of those poles. We're not. Surprise, right? And it's not to say that we're not important, but if you were to take away the security of a company, for most companies it's not that they can't operate, they just couldn't operate ideally, right? Because what do we do? We reduce risk, specifically we reduce information security risk or cyber risk, right? It depends on the function of your team, right? So at my company, at Whistic, we're a little more broad-sweeping because we're like a team of one and a half plus my VP, so we touch everything,

whereas some of your teams might specifically be IT risk or cyber risk, or maybe even financial risk, right? Like, I met some folks here last year, I think, that just did financial stuff; they were coming to learn more security stuff. So, right, you take away the cyber function, yeah, your product's not going to be secure, and that's going to be terrible in the long run for the confidence of your customers, for example, and maybe for your insurance rates, but it's still going to function, right? At least for a time. So that's, right, kind of a hot take... almost at hot take number one. Kind of semi-hot take number one is that we're not the main

pillar. And that's not to say that we should downgrade or devalue our value, for ourselves, to our internal clients, to our customers, but it's putting ourselves in proper perspective of how we work with a company, because that's going to set up good relationships with the rest of the company for us to effectively operate, do our jobs, and then support the overall business. So, you know, we all get to have jobs, right? We all have jobs, everyone's happier, everyone gets paid, everyone has money, yay. So, and hence that's the catch, right? We're going back to the catch of: if there is no business, we don't have jobs, which is kind of terrible, right? I like eating. I

need money for food, until I get to run a small farm, which is seeming more and more just not possible. So as long as I'd like to eat, which is preferably for the rest of my life, I've got to work. And right, we're operating on the assumption that everyone else is feeling the same way. So that's where we want to avoid doing what the car is doing, right? Let's keep operating under the assumption that there is no security without the business. So we want to circumscribe our interests, how we operate, to what the business needs. Fine line to ride, but hey, that's just part of the job. So, kind of controversial but not really,

main point number one is, right, security is just part of the bigger picture. Right, the business operations inevitably have to make money, right? So if you ever talk to sales folks and they talk about how great of a commission check they just got, it's because they brought the company money, lots of company money. And I encourage you to feel like, man, I want a big part of that, and learn some skills that help do that, right? I mean, work with your salespeople. The more you learn how to sell internally, the more your pocket is going to start feeling that impact as well, is essentially what that is, right? And it's

not all about money, but that's how we deliver value. We deliver more value, the company does better, we get paid, and then we go to dinner. All right. That presents a little bit of a problem, though, in terms of how we think about securing without going too far to either extreme: saying, "Hey, this isn't my job, I'm just going to do security things," without also saying, "Hey, I'm going to get involved in all the things," right? Right, not all risk is worth eliminating, because it takes time and money and effort and people and money. I think I said money again, but right, things are expensive now. Things are just really expensive. So instead of having the

mindset of "hey, we need to fix all the things," like, hey, let's maybe think about what needs to happen, what needs to happen first and best. Let's start prioritizing, essentially, right? So again, small security teams: if you had 20 hands and 10 laptops, that'd be awesome, because then you could do the work of 10 people. But until that happens, right, we've got to prioritize, and that's a big part of the issue, figuring out what needs to happen. I can't tell you how to do that, but I can imagine, because it's worked for me, that if you were to ask people whom you want to be partners with, business partners with, and say, "Hey, I'm

looking to help our company reduce risk," or "I have some concerns about this, what are your thoughts?" they would love to have that conversation with you, because most people in some capacity are thinking, "How do I manage risk? How do I do my job better?" with, kind of, putting as big and as helpful of a safety net under us as possible. And you get to go and be a big part of that function, of that safety net function. So that's a recommendation there, right? And I gave a talk about this a year or two ago or something like that, "The Goal of Business," and it's shocking to everybody that the goal of business is to make money, which is

fantastic, and also minimizing how much they lose, right? Both by paying out for salary and tooling and extra people, but also by loss, right, getting sued, getting breached. Right, these things are all expensive, and I'm pretty sure that you'd rather have that money go to something else than, you know, ransomware, fun things like that. So, kind of controversial but not really, point number two is that the people that own the risk are the ones that own the risk. Again, we're getting into some linguistic fun, right? Just because you're in a risk team, or you're part of a risk coverage team, doesn't mean that you should be responsible for all the risk, because if you're not the risk owner, it's

not really up to you to say, and I mean this in a good way, "Hey, this is something that we've got to deal with." You can recommend, and this is what I recommend to you: I recommend that you do recommendations, right? Document what you found and why and what you feel about it, so that the person that ultimately has to address that, and then has to answer questions about it, can then say, "Okay, I understand where you're coming from. I have similar feelings, I have conflicting feelings, this is how we're going to deal with it." And then you just support the best you can, or to the most that your

time will allow. Yeah, I kind of fell on my face on that one. I thought it was going to be better, but it was probably one of those one-in-the-morning ones. So before I move on, how many of you have made slides before and thought, "Man, this is going to go so smoothly," and then you just have to shake it up? You guys are feeling it right now; this is one of those slides. All right. Right, so risk management 101 isn't "hey, you're going to fix everything," it's just managing the risk, and there are generally four different ways to manage risk, right? You can accept it: say, "Hey,

it's okay if that happens up to this level." You can avoid it: say, "No, we're not dealing with it." You can mitigate it, which is, "Hey, we're going to do something about it," to at least minimize the chance and/or the damage that's going to happen if this does happen. Or you can transfer it, which is pretty much insurance. So if you're ever in that kind of position where you just get to make the call on all risk, I would love to talk to you, because that just sounds so fascinating. But in the meantime, I would like to, I guess semi-arrogantly, give you permission to feel

not responsible for the risk of the entire company that you work for, right? Be a good partner and support where you can, but don't take upon yourself that burden of making everyone feel like you've got it all under control, because that's just part of performing a job. Part of performing a role is that you have to learn how to properly calculate and manage risk to some extent. So you're all a little bit relieved, hopefully, right? So whenever, any time you get stressed over, like, "Oh shoot, I've got to help this team fix this thing," just remember, tell yourself, "I don't own this risk," unless you do, in which case don't say that and go fix

it. All right, main point number three: out of options? Roll up your sleeves. I'm running out of time, so... I promised two good folks that I work with. This is essentially the embodiment of our information security function at Whistic now, which is that we've made it work. I wish that I had more time to tell you more about some of the cool things we've done, but I mean, look these folks up on LinkedIn or something like that, or hit me up and I'll get you connected. But we have gotten into a cadence of, and I'm not saying we're miracle workers or anything, but I can just say, because I've worked with these people, these guys

are super crazy creative, and I feel really jealous because I'm not. I just kind of smile and wave and do stuff like this every once in a while. Cory was our IT rock... not our IT, he was our technical support rockstar, and he was so cool that we stole him. Sorry, Mark, if you're watching this, I'm sorry, Mark. But he's really good, and he's good at just finding creative solutions because he's had so many different perspectives and relationships in the company. And that's part of why I keep harping on relationships: just by talking and engaging and asking questions with other people, you find problems that you didn't know existed, and then you just

happen to have a conversation the next day with someone else, totally unrelated, and you've got your solution, or at least the makings of a solution, and it's awesome. And it's the same thing with Shane. Shane's been here almost as long as I have at this company, at Whistic, and he's still officially our IT office manager, but he's always saying, "Hey, I was doing this thing and I thought this would make us more secure." Like, dude, you're awesome. I'd give you all the kudos. I can't remember what our system is called, but I'll give you all the kudo dollars that I can for this month, because you just came up with a

problem that, again, I didn't even know existed, and you fixed it. You get awesome people like that just by talking and saying, "Hey, what do you think?" So if I could seriously recommend one thing: just say hey. Talk to someone. Say, "Hey, I've been thinking about this," or "I'm curious about what your thoughts are," and I think you'll be amazed at what ends up happening. Open source tooling is great. Most of the time it's free, minus whatever the costs are to host it in your infrastructure, right? Like, we use some of these. I know there are really, really big megacorps that use some of this stuff too, if they don't have a team to make

their own tools, right? Open source is a great place to look, because it's usually free, or at least has free options. So it's all about getting creative when you're in a small team, right? If you don't have an AppSec guy, right, like for a while I was our AppSec guy, and I told you I was a terrible developer, right? Bad developer and AppSec don't really go hand in hand. So that's where we start looking at open source, right? I'm not telling you, like, things are bad, because someone much, much better at AppSec than me came in and fixed all the stuff that I bungled. But it's about getting creative. We've got a

great tool called Google, which is super duper free, and chances are if you spend more than like two minutes there you'll find something great. Or, you know what, come to these events and start asking people. It's pretty fantastic. In summary, these are the things. I'm not going to read them again, because I'm coming up on time, and I thought I was going to let you off with even more time to go and talk and do more fun things than listen to me talk. So, summary, in other words, because security is not convincing: right, we don't own the risk, unless you do, so make sure you're working with the risk owners to do it right. And don't

be afraid to learn and try and ask and conversate and experiment, right? That's how we learn and get things done. If... I think that's it. If you have questions, take them outside, or here. I think we've got to skedaddle out in just a sec. That's my LinkedIn, that's a copy of the slides (not sure why you'd want them), and I work there, that's Whistic. Friends, thank you so much, fellow troublemakers. You have a great Saturday and we'll talk again soon. [Applause]