
Um, thank you for coming. This talk is going to be slightly different to some of the talks that you've probably had throughout the day: not talking about tooling or attack, but very much people, and kind of like touching on the Maslow SOC discussion that was presented earlier today. So my name is Ryan. I'm the head of cyber security and a shareholder at stripality, and we're a Bristol and London-based MSP and MSSP providing managed security services, offsec services, information security and managed IT.

And I think through COVID many businesses, particularly outside of the tech space, faced many, many issues, both with kind of adoption of remote working but also the cultural adjustment that comes with it. And I face very much the same issue, because the business was scaling very, very quickly and we doubled in size in the last 12 months. And because of that the kind of hiring strategy, especially in cyber security, is an issue for many, and maintaining and retaining the right people was always an issue, and it's been keeping those people at a certain longevity for you to enable growth. And so we found that there was significant trust to relationship issues when building those teams through COVID, because the quick adoption of remote working and needing to be able to fulfill your obligations to your clients in a profitable but also proactive way. And I think many businesses face this issue and didn't treat it as necessarily a human problem but very much a systematic and system-based issue.

And from my perspective, what I did with my teams was very much an enablement of trust and trying proactive to the issues that we were finding. And so with the enablement of that we saw huge increase in productivity and retention, and I'll take you through some examples, but also some of the client issues that we face as well. So when I was providing consultancy to some clients, the issues they faced throughout this kind of journey and the
evolution of remote working, specifically in the tech-enabled world.

And so the first thing we did was provide that kind of project and self-actualization piece that was discussed earlier. And if you weren't there, self-actualization is the real fulfillment in your role and your, um, kind of self pathway for success, and when you really achieve that position. And so what we did was we brought the issues to the team to ask them how they would resolve problems, and what it enabled us to do was manage the risk to some businesses and the business culture by managing human error in a different way.

And so what many businesses do, they might use phishing campaigns for HR metrics, or they might use it to understand which employees might be being bad, potentially. And I take a slightly different approach to that, when in fact that might show the business isn't providing the right mechanism for support for some of these people. And so phishing campaigns used as a kind of a negative statistic was what we were seeing throughout the kind of COVID adoption period, and it was really important to kind of try and change that narrative for me. And so when someone does have an issue, or they do do something wrong, or they do click something, they might not be the most educated in that field, but they need to get it to the person who does as quickly as possible, therefore managing the kind of human error element for that specific attack kill chain.

And so what we did was we tried to enable those people to have those conversations in a proactive sense, so where making a mistake wasn't necessarily a negative, and it enabled that kind of mean time to respond and the mean time to detect from a security operations perspective reduced massively. And so with that we saw such an increase in kind of communication between the interdepartmental teams, and naturally through a COVID kind of remote working world it really challenged the way we as businesses kind of operate and what tooling we use to provide us
the metrics and the stats, and sometimes they could be negative.

And so we took a step back, and for one of our clients in particular we analyzed the way that they run as a business, but also their hiring process and their hiring structure. And specifically in cyber security your culture can be kind of influenced by the backgrounds and the diversification. And so some businesses, you know, you need to have XYZ qualification and XYZ degree to be able to meet the requirements to get through to the interview stages. And I challenged the industry in a way where I've seen junior analysts coming for their first job and having to go four rounds of interviews with four different decision makers, and I don't necessarily think that really drives the ethos and what we're actually trying to get from it. These people are trying to get their foot in the door and learn from us, and four different people having their own say might not be the most efficient way of getting those people into the right positions to understand their longevity and journey within cyber security.

Like, there's a saying around if you measure a fish on its ability to climb a tree you're never going to get very far, and if you're measuring someone's ability on how to detect and resolve an issue for a client versus a penetration tester, they can be similar but the end result might be different. And so in my teams my hiring strategy is quite different, where I like to think we build, um, human capacity and support mechanisms through diversification. And so I don't mean that in the traditional sense. I mean that from my SOC manager, I hired purely on their basis for being able to manage and build efficient structures and high performance teams. So how do you enable your teams to be able to take those problems on, instead of bringing the issue up, across and then down to the other department, is very much more lateral focused, and how you can enable those people to take those challenges on.
And so when I brought him in in this particular instance I saw a very different side to how teams were being managed, and what we actually saw was the backgrounds of our SOC analysts that we hired from there on out, and in other teams like information security and our offensive security practices, were not from necessarily your conventional pathway of you're going to go and get a degree in the appropriate discipline and then you're going to get your first job and progress up through.

So what we actually saw was the Simon Sinek performance versus trust matrix. I don't know if people have seen it, but he draws a y-axis or an x-axis, either or, um, and kind of says your high performance of high trust people are where you want to be, and trust in the sense that they're going to do right by you but also your clients. And a high performance of low trust individual is someone of a toxic nature and a negative leader in your capacity, maybe someone who looks after themselves but not in the interest of the department and the team. And we saw many, many clients doing this, where they would go for the metrics and the stats. And don't get me wrong, all businesses need to operate in that capacity and high performance is very important, but he references SEAL Team Six. Being a high performer of high trust is your self-actualization piece, but a medium performer of high trust is where you might want to go instead of a high performer of low trust, because of how they might impact your business.

And so we kind of took that on in our hiring strategy, and you can kind of see in the blurb that from my perspective what I want to see from someone's CV. And people coming into the industry really struggle with this. I've done lots of mentoring and I've had conversations with people trying to break into the industry, and we've got this cyber skills gap when actually I believe we're hindering ourselves through the hiring strategy of four rounds of technical interviews, when we're
expecting people to know how to enumerate networks and things like that when they've not been able to do that in production. And we all know that with certain nmap flags and things like that we Google them on a daily basis, so why are we asking at interview stage? And so sometimes we hinder ourselves through negative interview processes.

And what's more important to me is knowing if you're a volunteer paramedic on the weekends, or if you've done four years' work experience in Wetherspoons and, you know, people have got angry at you and you can deal with those difficult conflicts and those high pressure situations. And so in the teams that I've hired, one of the key kind of things I've looked for, which you can't really write down but you can only get through from conversation, is how do you deal with those ever-changing circumstances. And in a security world that is every day, in my experience anyway. If that's not for you then I'm pleased for you. And so what we've seen is hiring people that are able to navigate those difficult changes and circumstances, so ex-military personnel, um, are very, very good adopters into that kind of difference of world. And so what we saw was people who struggle to kind of adapt don't necessarily fit some of those roles, but could be very, very highly qualified, and so they might need something more static or not necessarily customer facing. And so by doing so you understand the underlying metrics, and kind of cultural fit enables you to be a bit more of a high performance mechanism.

And so one of my team in particular, they were a scaffolder, and I was feeling, uh, I was feeling willing, and I had a conversation with the guy, and it was Friday night on LinkedIn, and we were having a conversation and they asked a question about how do you break into the industry. Um, this person was a scaffolder up north in Liverpool, um, working all the, you know, the rainy shifts, and excelled
to the peak that they could get to, but every evening they were going on TryHackMe and trying to educate themselves, and they didn't have the resources or ability to put themselves through some of the certifications that the industry were demanding. And so I had this conversation, and what I saw was an overbearing kind of, well, a very highly infectious motivation to want to help customers and do the right thing and get out of a toxic working environment.

And by doing so we enabled a very, very positive business culture, and we've kind of done that through the difference of backgrounds. We've got people who have done biomedicine who are now working in kind of phishing and anti-phishing based on the analytical mindset, and we've got people who were working in healthcare where their ability to be able to explain to people is second to none. They can explain complex issues in a way that people can understand, and I'm sure we've got people sat here today where they have very, very technical people but can't necessarily translate that into useful, um, information for the end client.

And so from all of this, what we've really tried to focus on is enabling our customers to do that and enabling that trust relationship. And so when people do something wrong it's not seen as a negative necessarily, and we see that as an area for improvement and an area that we can help develop them. And so coming right back around to kind of where I started, and the relationships of trust with COVID, and building those trust relationships have given people the opportunity, it's actually really enabled our business to become way more efficient. And so because of that, because they feel enabled and because they feel that they can take on that next role or that next problem and they have those pathways, we've ended up automating I think 29 of our initial triage into autonomous, uh, scale, so we can immediately escalate and give a better client service, but also our SLAs have
improved, the team culture's improved, and because of that we've been able to incentivize that team relationship and bonding, where through cyber security people can be quite introverted sometimes, and especially when you're working in your home environment it's difficult to communicate and feel as a part of a team. And so things like away days are very important, but also team goals, whereas kind of them versus the business in some ways, where it might be a metric-based thing. So if your SLA's based on your team being able to perform at a certain level, what we did was we said we wanted to see a certain SLA for a certain time period on a certain challenging requirement, and we said we don't necessarily mind how you do it. And it was kind of born out of a hackathon, and we enabled the team to come up with their own creative problem solving and their own solutions and provided them the resources to do so, and within three weeks we have consistently hit that and above the SLA that we set across all of our client bases, across 20,000 plus endpoints.

And so effectively what the underlying message is, is around business culture could be your biggest asset, so both defensively, also operationally. So if you're not a cyber security business and you run your cyber security function within your business, building a relationship where people don't see you as a negative and you are an approachable resource, and if someone has an issue your mean time to detect will improve, you'll be a more resilient but also a more efficient department. And if you are a cyber security business, enabling your teams to work interdepartmental. So for example our head of offensive security was working with one of our security engineering team, and we were able to provide some detection logic to local councils and people who may not have the resources to be able to do so. And those kind of things come out when you don't kind of inhibit your teams and say this is your task. And one
of the previous talks today did touch on this, and it really kind of drove it home that these people are creative and can see the solutions often better than yourselves, and try to hire based on their, uh, their cultural drive and inspiration, because not everybody has the piece of paper to get them through that front door sometimes.

And so I've got one last thing, and it was around incentives and motivating your teams through the times of COVID. And it was really, really difficult for some, lots of businesses having to reduce staff, but also lots of people looking for new roles and wanting to take the opportunity as a career change. And so what we did from an incentivization perspective was we wanted the teams to work more collaboratively, and we didn't want necessarily to have kind of siloed infrastructure. So what I mean by that is this team only operates as this team and this team only operates as that team, and there's times and places for this, and a pinch of salt with the analogy maybe. But what we see is those teams solving issues before they become that kind of second or third line escalation and then having to go to management and then come down the other pillar. And the incentive for us was we would buy gaming chairs for the teams that hit the certain SLAs, and it wasn't even about the product, it was about the goal and that they all achieved it collectively.

And so the business culture, and the way that humans exist and the way we work together, can also become your biggest defense mechanism, that's not, you know, a piece of software or products. Thank you.