
I've Upped My Attitude, So Up Yours!

BSides SLC · 2017 · 23:28 · 31 views · Published 2017-06
About this talk
Security professionals often struggle with resource constraints and unrealistic expectations. This talk argues that cultivating a positive attitude—and helping others adopt one—is a practical strategy for building cross-team collaboration and driving security initiatives forward. Through survey data, real-world examples, and concrete techniques (including social engineering tactics adapted for internal persuasion), the speakers show how attitude shapes both individual success and organizational security outcomes.
Original YouTube description
This presentation will talk about how having a positive attitude as a security professional can improve the success that we have with the teams that we need to engage. We may be faced with a lack of people, time, or budget to be able to complete the many tasks that are required to prevent impending doom.
- Key metrics from various surveys of security professionals
- Upping our attitude and the effect it can have on our success
- Social engineering your way to get support from other teams and management
Transcript [en]

[Music] Let's go ahead and get started. So our talk is "I've Upped My Attitude, So Up Yours!" We were trying to think of something catchy, so that was about all of our creative juices; the rest of it you guys fall asleep during, we're okay with that. Just kidding. So first things first, about us. Name's Nathan Smith, Twitter handle @natezone. I'm a senior security analyst at inContact. I'm married and we just adopted our first baby boy about five months ago, and this is my very first BSides presentation.

I'm Brian Hatfield, my handle is stewpot. I'm a security architect at inContact, of course the obligatory alphabet soup there. I have several kids; my co-workers always joke that I have a hundred, but I only have eight. This is also my first BSides presentation. Before we get started I just wanted to let you know that presenting a topic like this at a security conference is way outside my comfort zone, so I'd like to invite all of you to join us by stepping a little bit outside your comfort zone. We'll do a little bit of interactive stuff here, and it should be some fun, and maybe it'll be something useful for you.

So last year at the Black Hat security conference in Las Vegas they interviewed about 250 attendees to try to get an insider's view of the cyber security environment and what the current state is. You guys all get to participate in this survey too today. So one question: how likely do you think it is that your organization will have to respond to a major security breach in the next 12 months? Five nines? Pretty likely. Let's see what the survey says. So about three quarters of those surveyed said that they think it's likely they'll have to respond to a major data breach in the next 12 months. 15 percent said they have no doubt that a major breach will occur. At the bottom we have six percent that didn't know how to respond to the question; those are the ones that are already breached.

So how much of a problem would you say a breach would be for your organization if it occurred? The average cost of a data breach is about four million dollars. Now, by almost every measure the cybersecurity problem is getting worse and worse; it's worse this year than it was last year. Why does it feel like we're losing the battle? Part of the reason we chose this nice colorful cheesy template was so that you guys didn't get depressed when we went through this survey. Does your organization have enough security staff to defend itself? No one. About 3/4 again said they do not have enough security staff to defend their organizations against the current threats. 19% said they are completely underwater when it comes to staffing. Only one in four said they have enough staff to handle the threats, and I would say they probably don't understand the threats in that case.

Do you have the resources you need to do your job? Budget: 63% said that their departments do not have enough budget. In fact 20% said they are severely hampered by a lack of funding. I think that's probably low; I feel that way. Two-thirds said they do not have enough training and skill that they need to perform all the tasks for which they are responsible. 10% said they feel ill prepared for the threats they face on a daily basis.

So to recap, why do security initiatives fail? Well, the biggest reason that security initiatives fail is the fact that there are not enough skilled professionals, whether it's a shortage of staff or lack of training. The expectations placed on us are unrealistic. We also know that there's a lack of support from management in many cases; if your project is not a priority for management it's going to be very tough to get it done. And we don't have the funding to get the tools and services that we need to be effective, among other reasons.

So our next question for you guys is, why have a positive attitude? Well, what do you guys think? Perfect, that's what we're looking for. Okay, so one thing that having a positive attitude does is it actually makes you feel inspired. You know, when you have that positive attitude you're going to feel like you can accomplish anything; you're not going to feel so downtrodden. So we were trying to start you off with let's feel downtrodden first and then let's try to pick you back up after that. The next thing it does is we're going to look for solutions instead of dwelling on those problems. If we do get a breach or if we do have some sort of indicator of compromise, we don't need to focus on that problem; rather we should focus on, look, we found that indicator, and now that we found it, how can we actually defend against that?

Next thing is that being positive is contagious. You're going to have co-workers around you; you know, within our organization there's only four of us, so we rely heavily on our network teams, our systems teams and things like that. So if we're positive about the outlook of things, they'll also be positive about that outlook. Again, this is similar: it helps motivate them. The next one, though, is it's going to make them want to work with you. When you have that positive attitude they're going to want to be around you, and when they see a meeting invite from you or someone from your organization, if you guys are the bubbly type or you're positive and you're always thinking that way, they're going to want to be around you. The next one is a greater self-esteem, and the last one is going to be it keeps you happy, which in the end is going to be better for when you go home and you're away from work and you come to your spouse or your kids. When you're happy, that, again, it's contagious.

Cynicism and sarcasm are prevalent in the workplace these days, and both can really bring you down. You may not be able to control everything around you, but you can always control your attitude. Here are some ideas you can try. Be appreciative of everyone who does a good job and gets things done on time, especially if they go above and beyond. Saying thanks feels good for both the thankee and the thanker. For some reason people tend to focus on everything they don't like and things that are going wrong; instead, focus your attention on things that are going well. Reward yourself or praise another individual for a job well done. If you're part of a team that does something successfully, have a get-together to celebrate it, or send quick notes to others to outline things that are going well. When you run into problems, don't just focus on them; change your focus by asking yourself, how can I solve this issue and what can I learn from it? Every problem is an opportunity to learn, so focus on the potential to improve. And force yourself to smile even if you don't feel like it. A smile will actually shift how you feel internally, and when others see you smiling they feel better as well, as long as it's not a creepy or evil smile. No one likes a complainer. Instead of talking about your problems, try proposing solutions. By focusing on possible solutions to challenges you maintain the constructive atmosphere. Here's one of my favorite quotes: "No misfortune is so bad that whining about it won't make it worse." Nobody wants to hear you whine.

Okay, so when people think of InfoSec professionals there are some stereotypical things that they think about us. So the first one is that sometimes they think we're angry. You know, I was just listening to a talk just barely where we have that knee-jerk reaction when anything happens. A lot of us are plagued with that, to where it seems like we're upset that we weren't ahead of the curve for that vulnerability. Next one is that we might be stubborn. We want our way; we don't want to do it the way the network architect has designed it, or we don't want it the way the systems architect has designed it. We want it our way because we know better, right? We're security professionals. The next one is that we might be uptight. We're not willing to actually enjoy being around other people; we think that there's no joy in what we're doing. [Music] The next one is that we might be irritable. You know, if someone says one thing to us we might get annoyed with them; we might give them a look of, why would you even say that? So they're going to be a little bit more hesitant to come to you with an idea.

The next thing is know-it-all. You know, as information security professionals we are required to know quite a bit about everything. So when we present things there's going to be a different way to present them, rather than coming to them as, hey, you didn't do it right; it's more of a, hey, we've learned of this, what do you think? The next one is apathetic, that we don't feel for them. So, you know, what, your firewall is how many versions behind? I can't even believe you'd be that many versions behind. Whereas they may be, like in our organization, responsible for uptime, so it might be a little scarier to go to the latest and greatest version.

So this picture kind of shows a good stereotype for me, you know: I don't need anger management, they need to stop hiring stupid people. So how do we get others on board? How do we get them to work with us on our security initiatives? Try to find areas where your security initiatives overlap with the things that other teams are already doing. For example, if the network guys are replacing an old device because they have a new one with more features, you might be able to insert yourself into that project and get stronger ACLs or better firewall rules. Sometimes the pushback we get is simply a case of not clearly communicating our point of view, or not making the effort to understand those we're trying to collaborate with. Try to gain an understanding of their roles and responsibilities so that you can communicate with them in their own language and respond to their needs. Engage them in conversations about their work. People like to talk about themselves, so listen with an open mind and they'll be more open to listening to what you have to say. If your company is subject to PCI or FedRAMP or HIPAA or some other kind of regulatory guidelines, it's much easier to convince the other teams to work with you. Just make sure that you can definitively show that what you're asking them to do is required by that framework. The first time you ask someone to do something for compliance and they find out that it's not actually a requirement, you lose credibility. Likewise, if something you're doing improves alignment with company policies, point that out as well. The company has already bought into these initiatives, so you should have management support on those things. Make sure that when you're asking for something you make it a very clear assignment: who needs to act, what you want them to do, why does it need to be done, when do you expect it to be complete, and how will you verify it. Send meeting notes afterwards, and reminders. Remember, when people feel involved in creating a solution everyone takes ownership of it; everyone is invested in committing the resources to see the project through to completion.

So I'd just like to add one of the biggest things by our boss on this who, what, why, when and how. He always comes to Brian and I and says, when did they say they would get this done? And if we say, well, they said they're going to work on it soon, he says, you know, if you don't get this "when" then it's just a wish; you know, they can do it some time, somewhere, whenever. Okay, so, you know, at times we may need to employ a little bit of social engineering, and when I talk about social engineering it's not as much about the information security aspect, it's more of convincing someone to do something that they wouldn't ordinarily do. So just like in marriage or any sort of relationship, you need to pick your battles. Which thing is more important: is that patch that's 2 years old more important than that zero-day that just got dropped? Choose the battle which is more important to you, which one's going to be the hotter iron in your fire, which one's actually going to allow you to provide more coverage or protection for your organization. The next one that we really like to do is an offer of lunch. People always like to be fed, so if you're offering to take them to lunch and say, hey, if we go to lunch could you tell me about this new application you coded at work, just so we can better understand it, they're going to be more apt to say, of course, there's no problem, I'd love to go tell you about my new app that I coded for the environment. But the other thing is it's a change of environment. Sometimes it's a little less threatening to be out at lunch, to be eating and just talking, and you don't feel like it's such a stuffy environment. The next one is going to be, you want to ask, like Brian said, those key questions. Some of the ways to phrase things with them is going to be, how would you do this? So for instance, hey, if you need to implement stronger passwords or you need to make sure of an ACL, you'd go to them and say, how would you do this? Like, if you could do it, how would you do it? Then it makes them feel like that project is just as much theirs as it is yours. The next one is you can come to them and say, what do you feel is best? You know, sometimes we get a little complex in our thinking and how much we need them to get done. Rather than doing that, we can come to them, ask them how they feel they could do it, and see the steps that they would go through, so that in the end we're both hitting the goals that we want to hit. And then the next one is, how can we help you be successful in X project? You know, they may be deploying load balancers. Great, but how can we help you be successful in deploying those load balancers with the proper security protocols, with the proper list of ciphers, in the way you want it done? Just, yes, you know, he says, those were the droids I was looking for.

So one of the things that we did that I thought was very successful: in order to get more visibility in the company and to promote understanding of security initiatives, we decided to participate in National Cybersecurity Awareness Month last October. This is an annual campaign by the Department of Homeland Security. The first thing we did was to announce the campaign in a company-wide newsletter. In that article we introduced the campaign, described what to watch for throughout the month, and announced that there would be a drawing with prizes at the end. Everybody likes prizes. So each week we sent an email to all employees detailing an aspect of cybersecurity in an entertaining way. Then we hung eye-catching posters throughout the building to reinforce the concepts. At the end of the month we invited everyone to participate in a brief security quiz with the chance to win a Visa gift card in a drawing. This campaign went over very well. Some of the comments we received afterward, you can see that people were really excited about it. My favorite one: "You knocked this one out of the park, Brian. Way fun. I have been at inContact for almost six years and this is the first time we have done anything like this. Well done." That made me feel good. But you can see that people who ordinarily wouldn't be very interested in security initiatives got on board because we were able to make it fun and engaging for them. Now keep in mind that this particular campaign didn't actually accomplish anything that we were trying to do; we had a lot of security projects that we needed help with. But what this did do was it got people thinking about security, so that when we approached them and said, hey, remember that one email you received about this particular thing, can you help us implement that? And these people are a lot more excited and ready to help when they feel involved, when they feel excited, and when you're able to catch their attention with things like this.

So let's talk about, we're just going to summarize the things that work, things that we have seen work for us. So the first thing is positive self-talk. You need to be making sure that you're talking positive with yourself, so, people may not, you know, not talking to yourself so people think you're a little weird, but actually internalizing the positive message. The next one, like we said, is you need to look for the wins rather than the losses. There's a lot of projects, there's a lot of things that we could all be doing, but instead of focusing on the ones that fell through the cracks, the ones where they guaranteed the timeline and they weren't able to deliver, we don't focus on that. Rather, focus on, you know what, that was great that you went out and you set up a schedule to update all the firewalls and you did it, or, you know what, that was great, you guys created the schedules to start patching; it wasn't all the patches, but it was some of the key patches that we asked you to do. The next one is to assume positive intent. You know, when you're writing emails back and forth to others, tone, and actually how they would say it to you, doesn't always come across. Sometimes it may come across that that guy, he may seem a little more mean or a little more demeaning, the way he comes across to you, but you just need to remember that that's probably not the way he intended it to come across either. So when you're responding back, make sure that when you're responding that it comes across in a way that it's clear and concise for them. And one of the big ones is have face-to-face conversation. It's so much easier to talk to guys, go down to their desk and talk to and explain to them and help them understand, versus, like I said, email, because you don't convey tone; they don't see facial or body expression. And then the last one is just to be friendly in general, whether or not you have to work with that team. If you smile or you're friendly to someone, they will remember that. They may not remember your name, but they may say, you know what, that guy smiles at me every day and that made my day better. So when you do come and have to interact with them, they'll remember that.

So thanks for attending this decidedly non-technical presentation. Even though this didn't have a lot of technical things that you can implement, I do believe that the person-to-person interactions that you have will help you to get your technical and security initiatives accomplished. So, as Captain Picard would say, make it so. [Applause]