
Check it out: if you want these slides, they're right there, and they'll be at the very end too. I also put them on the internet. I guess they're already on the internet if they're on TinyURL. Just a quick shout-out to TinyURL: they're awesome, they put URLs up forever and don't ask you for any money. I should probably pay them at some point. Anyway, you want to hear me talk about TinyURL? You want to hear me talk about... oh, what the heck, yeah. You're here to hear me tell you a story about Leslie.

Leslie is a friend of mine. She's a real person. She said I couldn't use a picture of her and not say where she actually works, but I could use her name, so this is her story. She works in an insurance company, I won't tell you what kind. She's in Chicago, she's an accountant there, she's a really good accountant, she is really smart, and she logs into a bunch of systems a day like we all do. And she believes in MFA: she's got MFA on her phone, she is security minded in general, she really is smart, and she does believe security is important. She thinks that, you know, they should do things the right way.

One day she got something that looked like this. This is the Wikipedia, Wikimedia... almost all the images in this are from Wikipedia, and all the images are cited in the speaker notes when you get the slides. She got an email that looked like this, and of course this is a classic phishing email, and she's like, I think that looks suspicious, because I know I've seen something like this before, but she can't remember what to do about it. So she asks her boss and says, hey boss, what do I do with a phishing email? And her boss is really busy, and I'm assuming, given he's an accountant, they were counting something, and said, I don't remember, I don't know, just go figure it out. So she goes and looks in Slack, and she goes and looks in her onboarding material, she goes and looks anywhere she can think of, she gets buried in Notion like we all do, and it's terribly organized and she can't find anything. And this is on camera, so I'll stop talking about Notion. She's looking in places where she normally doesn't ever look, and after a while she's like, man, I spent too much time on this, I don't know what to do, so I'm just going to forward it to security@. And she forwards a phishing email to all of security, and they come to her desk and yell at her and make her feel really bad, and say, hey, you went through a training about this six months ago, a five minute video you watched, and you clicked a box that said you knew what you were doing; obviously you don't know what you're doing.

And over a beer she tells me how bad this made her feel, and I said, that's horrible, and that's when I said, we should do something about this. And I said, Leslie, what if, what if, what if... what if, when you ask your boss, she's like, oh yeah, there's that Slack channel, go check that out. And she searches Slack and she sees "security party". What the heck's that? I don't know any of these terms. What's a guac? Salsa and guac? Oh, that's a weird way to spell that. Okay, well, it's a Slack channel, let me look at the information here. Smishing? What the heck is smishing? Oh yeah, here we go: just ask your questions and we'll learn together and have some fun. Okay, so she posts a screenshot of her phishing email, and immediately she gets fireworks and a giant thank you from the robot that says, hey, thank you for doing the right thing, we are going to review this and let you know as soon as we can, but since this is a phishing email, and we can detect that, go ahead and hit that little box, the one that looks like a stop sign, that's the right thing to do. And then security writes later and says, hey, congratulations, we haven't seen this one before, you're the first person to report this one, you get a $25 gift card drawing, you're in the drawing this month. So now Leslie is in a situation where she would have been like, I don't know what the smishing thing is, I kind of want to know what that is. Hey, I can ask any question here about security and nobody's going to get mad at me. I got celebrated for doing the right thing even though I didn't know what the right thing was. And the whole rest of the team's like, hey, you're that person that security came to their desk and said, hey,
great job everybody, let's give her a round of applause because she did the right thing. And they elevated her to the status of security champion.

I'm Dwayne. I come down here from Chicago. I co-host a security podcast called The Security Repo Podcast. Rihanna, one of our former speakers earlier today, was on it. I'm trying to get Matt on it for future episodes. We had Jason Haddix, Jason Street, other people not named Jason, people that I'll all name in this talk. We talk about everything from pen testing to building C2 to literally anything you can think of, as long as people are passionate about security. Find me on the internet; mostly I'm on Mastodon and LinkedIn these days. And I love rock and roll. On this stage Sevendust will be playing soon. I love Sevendust, I just saw them. I have a long backstory about not being able to see them for 25 years, and then I just saw them last year and it was so amazing, and now I get to be on the same stage as them. Not at the same time, but that'd be cool too.

I work for this company, GitGuardian. I'd love to talk to you about secret detection. That is how attackers are getting in. Last year we crossed the Rubicon, and the number one way they're getting in is stolen credentials. It's no longer exploits, they're not doing zero days, people, they're just walking in with credentials. Hunting tokens, early warning signs, shrink that dwell time to nothing, let's do some software composition analysis, IaC configuration and public monitoring. I'll talk to you about all that stuff all night long.

Back to our point. I've been doing security now for a couple years. I'm an old DevOps guy, I'm an old Drupal guy, and the thing I've heard repeatedly from stage, from people way smarter than me and people that have been doing this for 20-plus years, is that security has become the department of no. And everybody I talk to about this, CISOs, anybody, is like, yeah. One of the most terrifying talks
that's ever been put on the internet was from Black Hat Europe last year, called "Guest is All You Need", and it's how business teams have been told no by IT so much that they went out and built their own business systems, tying together things like Zapier and these power platforms, and now it's like 60-plus percent of business applications they run have no IT oversight, therefore no security oversight, because we kept telling them no. So they've got to get their work done, so they just work around us.

What I'm proposing, and why I'm giving this talk: I want to encourage you all to think maybe there's a better way. Maybe there's a better way to scale this instead of having to go out and buy a 1:1 ratio of new developer to new security personnel. Oh yeah, that's actually the talk I was talking about. So instead of doing that, we can not do this, "All You Need is Guest", and we can do this, where we empower people within the team to be those security experts. The keynote this morning actually touched on this briefly, not the keynote, the talk that was in here first this morning: we can't be in the room. You can't scale to be in that room when they're first making the design decisions. You can't be in there when the whiteboard is being made and they're having this conversation. We can't just keep shifting left and saying, hey, here's a new tool for you, congratulations, you're a security expert now, here's another thing that's going to get in your way. Oh, we're going to meet you where you are, but here's a bunch of crap that you have to deal with now that you never did before, and you're never going to have time to deal with it at the rate it comes at you. But what we can do is empower people and say, hey, who wants to come to a little more... a little more training? Who wants to be the empowered champion on your team, to be the person that says, can we use that data? Hey, I've never used that system before, did anybody ever check whether this even works with Okta or single sign-on? And if you can have those conversations just early enough, you can divert millions of dollars of bad things from happening. The earlier you catch it, the cheaper it gets.

I use the whiteboard as the extreme left. I think sometimes we think "shift left" and we think developer machine, and that's as far as we want to go. No, we can shift all the way left to when... this is a silly diagram, but again, public domain or Creative Commons. Whiteboard ink is the cheapest investment you can make as a company. You can buy a pallet load of it for a hundred bucks, and it's so, so easy to redraw lines and boxes and take fields out when it's on a whiteboard. It takes you two minutes, versus it's in production and we have no way to unwind that. See, once somebody there says, wait a minute, you simply don't do that, and I'll get the documentation on how we do it properly, and if you do it before the design document even gets made, when it's still an idea that you're talking out, it's so much cheaper.

So how do you do this? It's not just an idea, it's not out of my head, goodness no. I'm standing on the shoulders of giants up here, and these are the three that I'm
going to cite for this, and we're going to walk through a little bit of the top two, but mostly I'm going to focus on OWASP, because I'm an OWASP member and OWASP is everything to me.

So what is a champions program? I'm going to quote Dustin Lehr here. Dustin made the Fivetran security champions program and then he open sourced it and called it the Security Champion Program Success Guide. You can just go find that on the internet, just type that in your browser. Again, get these slides and all the links are there. That's a long definition, but the program spreads awareness to reduce overall security risk. I'll get to risk, that's a very important topic we'll get to later. Very importantly, these are non-security volunteers who represent security on their teams. So I'm not talking just DevOps, I'm talking accounting, I'm talking sales, I'm talking marketing, because it's not a developer who's clicking that malicious link who takes down a whole system. Someone said recently from stage at ShowMeCon, like, if there's one person who can click one link and take down an entire system, is that really a secure system? We've got to learn to stop blaming these people and start empowering them to do the right thing, and make it easy to do the right thing. And very importantly, the system only works if a train goes by... kidding. This system only works if it's a two-way conversation. If it's just you saying "do this", we're just doing more of the same. It's listening, adapting and reacting to what's actually in the field. The fact that, hey, everyone's working around this because this is way too hard and it's slowing us down and that's not what you're paying us for: okay, we can deal with that, versus why is no one complying? Very different situation: the department of no yelling at them, versus I'm your partner working with you.

Tanya Janca, from the We Hack Purple community, SheHacksPurple is her name, she was on our podcast, she explains the backstory, that's a crazy story. But anyway, she says it's this, and she has a whole series of blog posts about it: recruit, engage, teach these people, recognize them, reward them, over-communicate with them, figure out metrics. And metrics is the one I'm going to skim today, because I could give an entire hour just on metrics and how to think about metrics. We're going to kind of skim that very, very lightly, talk about it, and then we'll stop. And then she says, don't stop. It's important that when you start this machine it keeps rolling, otherwise don't even start. My favorite Charles Bukowski poem is "Roll the Dice", and it says if you're going to go, go all the way, otherwise don't even start.

OWASP, back to my OWASP. They wrote a whole guide for you, step by step, how you do this. But the thing I took from them that I think is very valuable and applicable across the board, no matter who you are, no matter what organization, no matter what you're trying to build, and I'm building an external program right now at GitGuardian, but I'm still basing it on these kinds of ideas: you need to be passionate. I'm going to walk through all these: start with a vision, secure management support, nominate dedicated champions, trust your champions, create a community, promote knowledge sharing, reward responsibility, invest in your champions, and anticipate personnel changes. That's directly copy-pasted,
I didn't write that. So, some things to keep in mind before we go any further. This isn't a magic trick, this isn't a magic wand, this isn't going to solve all your problems. Are you still going to need an incident response team? Absolutely. Are you still going to need a governance team? Absolutely. Are you still going to need a CISO? Probably. One size does not fit all. What works for your team right now might not work for the next team you work with. What works for marketing might not work for sales. What works for company A ain't going to work for company B. Maybe it will, but probably not. It's all about adaptability and listening and learning.

She doesn't call it this, but I'm going to call it this, and now I'm saying this on camera and it'll be on YouTube forever: Tanya Janca's law. We will never have the staff, budget or time to do all the security work we want to do. It's not just a cat and mouse game we're never going to win, it's not just a journey that never stops, it's one that we're constantly going to be behind on. You kind of just need to mentally accept that, like, yeah, okay, and am I up for that challenge? If not, go work at a grocery store. It's what my boss told me one time a long time ago, and it sticks with me.

And that's the very first piece: be passionate. If you're not passionate about this, no one else is going to be, and if they're more passionate than you about it, let them lead this. But you need to have a passion of, like, we've got to be better at security. If your passion is checking boxes and going home and saying compliance is security, this is not for you. If you get excited about maybe you can give YubiKeys to a new department, this is definitely up your alley. There are two kinds of people in the room right now. There are people that really, really, really wish they could have been the one that took this apart. Raise your hand if you're that person. And there's somebody in the room, probably, I'm guessing, that wants to put this back together, like, right now. Anybody? Yeah, yeah. You can't teach that, that is in you, that's who you are. And somebody's probably completely horrified you took a camera apart, but that's not what I'm talking about. It's that inner drive, that thing that is just in your skin. You've got to lean into that; that's your passion.

Start with a clear vision. This is not as hard as it sounds, but it's super vital that you start with the end in mind. You don't start running a marathon thinking, I am going to run 26 miles. You think, I am going to cross that finish line no matter what it takes. I have friends who are long-distance runners, I'm clearly not one, but I asked them, like, how do you train for this, like, how do you get out? Like, I just can see myself crossing that line, and that's what I consistently hear from all my long-distance running friends. It's like they see themselves in the process of doing it, they see themselves finishing. They don't start out and say, I'm going to throw up for the next six months as I run continually longer periods of time and starve myself and eat way too many carbohydrates at times. No, they see
this. The most important lesson I ever learned, and I didn't really mention it in my intro, but I am an old improv producer from San Francisco. I have produced well over 300 improv shows in my life, I've been in over 150. This is the single greatest piece of advice I ever got in that entire time I was doing improv: make the poster first. Because what does the poster tell you? What's happening, when it is, where it is. Again, this is public domain or Creative Commons. I love this poster so much, I would love to get an original, because, if you can't see the joke, they're all cover bands doing covers of these bands. But it tells you all the information you want to know and why someone would care. I'm not telling you to literally go make a poster for your security champion program, but you might want to write something down with some goals in it. I like writing blog posts, that's kind of my nature; part of what I do for a living is write content. So for me, when I put together GitKon, back in my old life when I was at GitKraken, I literally wrote a "successful event" blog post. It was like, this is what a successful event looks like, and that's how I got people on board with it. When I made posters for shows back in San Francisco, I was like, yes, this is what the show will be, and I got other improvisers to jump on board with me. So pick some goals. Do they have to be realistic? No, shoot for the stars; even if you miss you'll be up by the moon, or something like that. But just pick some goals you think you can get through to your organization. Yeah, we can get 75% of people on MFA? Yeah, probably, maybe, okay, let's go with that, let's make that our mission.

Once you have that mapped out... this isn't exactly in order for the rest of these, they're all kind of simultaneous, but you're going to have to get top-down support. These fine old gentlemen are the people that ran the East German, not Eastern Germany but the Leipzig railway company in 1889, I believe. Yeah, this is a fun little picture, but you're going to have to get their advice, and they are not you. This is a whole other talk. One of my favorite talks I've ever seen in my entire life was by Walt Powell, field CISO at CDW. It was given at ten at night at CypherCon 6 in Milwaukee, and there were four people in the room, and it was the best talk I ever saw, and I hope the few people in this room are feeling the same. But he said, in very simple terms, in his talk called "Why Your Board of Director Deck Sucks": you're not talking to them correctly. They don't understand risk. Risks aren't threats, risks are not vulnerabilities, risks are not exploits. If you talk to your board about any of these things, they have no idea what you're talking about. They understand risk in the concept of what you are set to lose if things go badly or if things go wrong. You need to lay out the cost-benefit for them in their language. How are they going to look good out of this? Hey, how would you like to not have a giant incident? Probably. If we could spend $2,000 on gift cards in a training
program that might actually work, well, that's an easy win. Lay it out for them in terms that... we want to get this many more people on MFA? No: we're going to cut down phishing attacks by a lot, and people are going to be safer all around. It's got to be a win-win for them.

You're going to need somebody else to help you. This is where you're going to need captains. I used to run the WordPress community's marketing team, make.wordpress.org/marketing; it's now being turned into, I think, Communications is the renaming of the department. But I used to run that with a woman named Bridget Willard, shout-out to Bridget, and we were mirror images, the same way that Groucho and Lucy are. She was the cheerleader. She could get anybody motivated just by talking to them for a couple minutes. She just could tap into that natural whatever they were passionate about and draw it out, and like, hey, you want to write a glossary? Let's write a glossary together, that sounds really fun. And I was the tactician. I put together the Trello boards, I made the training videos, I ran bi-weekly meetings with people from, at one point, 19 different time zones. It was crazy, but it only worked because we were a partnership. She filled in all the gaps that I was not great at. I am somewhat a people person; she's a real people person. She's not the technical person; I'm the technical person. And we made it work as a partnership. Find someone that has that thing that you're lacking, and be honest with yourself: I need to get better at that, find someone who's already good at that. That's the fastest way you're going to get there.

You're going to need some trust, and this goes both ways. Actively listen to what people are saying to you. Again, this is a departure from the department of no. This is not "I'm listening for the thing I can say you're wrong about", and a lot of us do that, especially when it's security related. We need to say, like, what are you actually telling me? Why is this hard? Why do you think that your entire team is not doing the thing that we clearly documented as the thing to do? And have some empathy with them. And if your knee-jerk reaction to everything is just no, start working some "yes, and" into there. And "yes, and" is not just saying yes and agreeing with them, that is definitely not what it is. It's buying into their reality and building on it. Again, this comes from improv. You can start with nothing and get to agreement on a reality pretty quick, in a few lines, from nothing. So someone comes and says, I have this great idea, and it's the stupidest thing you've ever heard in your life. The example I used to use in my WordPress days: your client comes to you and he wants a green-tinted picture of his dog on the top of every web page. If you just say no, he's going to fight you as hard as he can. He's a client, and that's his dog, and his customers need to see a green-tinted version of that dog. But if you say, yes, and we're going to need to track and do some A/B testing on that just to make sure that we don't hurt your SEO that we spent years building, and to do that we're going to need about another $10,000, then watch him back away and say, well, let me think about that. Because
you agreed with them, you agreed with reality: we're going to do this thing, we just need this one little piece from you. And if you can do that with everybody: yes, MFA is hard, I don't want to do MFA. Okay, we don't have to do MFA, we could get you a YubiKey, we could get you a piece of hardware to do this. Hey, your machine's got biometrics on it, like, you've got an M2, I've got an M2, you could just fingerprint in. Let's figure that out with you, we'll solve the problem. And if they're like, okay, maybe I can't use my phone...

Create community. This will not work if it's just you and them. Again, that's back to the old paradigm, that's the old dynamic of you are the person with the power to say no and they are the person who's kind of working around you. It needs to be a fun community of, like, hey, I have an idea, I have an idea, I have an idea, and let's figure out what works together. What community looks like takes a lot of forms. The pandemic forged this idea that I've been living in for 20-some years. I'm an old IRC kid, Bowling Green State University IRC, shout-out, that was my first social network. And then Discord came along not too long ago, and Slack, and all the other online communities I've been a part of, and they all pale in comparison to getting together in person, which is why I love BSides, that's why I love conferences. There's nothing like seeing a person face to face and being there with them. Demetri Martin the comedian once famously said there's no shorter feedback loop in the world than between a person on stage and their audience, because they'll tell you immediately with their face, with their facial expressions, their body posture, if they care about what you said or not. Same is true in person. You can get people in a room and start talking and their eyes glaze over: maybe you need to tweak something. If they leave the room excited and say, wow, that was amazing, I've never thought about it that way, you probably did it right.

How do you get them in the room? My favorite idea, and I've been discussing this a lot in the last four or five months of my life with people: I want to be as inclusive as possible, and I have this crazy idea for a candy party. Like, hey, let's get together, for people that do work in the same office, let's get together on Thursday and have this candy party, and bring your favorite candy, we'll share. Oh, and by the way, we're taking five minutes out of that thing to just tell you about this latest update and tell you, hey, remember everybody, if it's a phishing email it goes over here. Get them together, have them talk to each other, share stories, make sure it's a two-way street, and encourage them to show and tell. How many people work at a place where you're encouraged to be like, hey, what's something about security you learned this week? I work at a company that's focused on security and we barely do that. We have a shared content channel where we go out and find articles, which is an important thing to do, it's like, hey, I didn't know this, hey, look at this thing. But encourage them to make it personal, like Jason E. Street once said... actually no, I'm getting ahead of myself, I'll get there later. We need to celebrate them more. Celebrate all of their accomplishments, no matter how small, no matter how minor. Like, they updated their home password on their Wi-Fi? Yes, we should celebrate that, that's a very simple thing to celebrate. They've changed their passphrase on their bank account to be at least 24 characters? Yes. We need to make them feel like they're special and awesome because of that. Because this is what Jason E. Street said: you can't pay someone off to care, really care, about your data. That link will take you to the podcast where he says this; it's my podcast, shameless plug. But you can make them, convince them, to care about their work... you can convince people to work to improve security for their bank accounts and their kids. Like, hey everybody, how have you made your kids safer online this week? Share stories. Why aren't we doing this more? Because they will bring those practices in with them. If they care about MFA at home, they're going to care at work. If it's just a natural thing for them to set passwords that are memorable, long and very secure, that's exactly what they're going to do when they're back in the office and you're paying them. If it's a strict draconian
policy where you're adversarially telling them, do this or there'll be consequences, that ain't a fun way to work.

Promote knowledge sharing. This goes back to the other thing I was kind of leaning into. Let's face it, I don't know a lot of people who love reading 90-page PDFs day after day after day, and guess what, our industry loves producing 90-page PDFs that we have to stay up on day after day after day. Who's read all of the DBIR from Verizon this year? No, I haven't. You did? Who read the Sophos report that came out, their last H1 report? Some great stuff in there; I skimmed it. It's one of those things, it's ChatGPT at this point, I'm just copy-pasting into ChatGPT, like, just tell me what's important, I trust you enough, and this is public data, let's just go with that. But my point is, it's impossible for us who have security in our title somewhere (I am a senior security developer advocate, that's my actual title these days) to care about this stuff and to actually go and read it. Someone that's not us, someone outside, that, you know, their entire mission is let's make the legal department better, probably is going to be on top of the latest malware? But there's a lot of resources out there where we can... and if we go try to read all of these by ourselves and listen to all these podcasts, these awesome podcasts, all day by ourselves, we won't get our jobs done, and neither will anyone else. But if we can train our community to be like, hey, here's what we actually care about for protecting you, if you see anything out there, and here's some great resources, let's go check these websites, if you see anything in the mainstream news let us know that too, then let's start having conversations. So if someone posts something like, hey, here's a zero day I read about, someone can ask a question like, what on earth is a zero day? Or they'll read the article and be like, does this apply to us? And you really want someone to ask, is this even reachable, is this exploitable in our stack? Maybe they'll say that, I don't know; that's what we say internally.

Reward responsibility. I like hats. I don't wear hats, but I like them. So applause to Matt, who threw out hats earlier, because hats are awesome. Buy some hats, give them to your team: they did the right thing, here's a hat, you get to be the security champion of your booth today, you get to be the security hat wearer. I forgot there was a company called Champion when I made this slide, and I thought it was funny to include their logo; not in any way affiliated with the company Champion. Badges on LinkedIn, why not, they're free, there's a bunch of guides on how to make them, they're really easy. Anybody can print out certificates of achievement from the internet; it turns out there's a website where you can just make them and print them, why not. Amazon gift cards cost money, but, you know, not much; $25 goes a long way toward coffee. Oh yeah, and make sure that once you've got the buy-in from upstairs, from upper management, it's like, hey, just so you know, this person did outstanding, and here's the write-up that we're going to give them to include in their annual review, so their self-performance review is like, yeah, I was a champion this year for security, I helped maybe save the company from a breach. Will that get them a raise? I have no idea, I don't know how your company works. Can't hurt. I would want that on my review.

They're part of the culture, which is different than investing in them. Subtle change, subtle difference. There's one rewarding, because you did the right thing or you're on the right path, hooray, and then there are the people that come up to you after the candy party and say, I want to learn more, or how do I get on this path? I didn't even know incident response was a thing, but that sounds way better than the help desk job I'm doing, or whatever
they're doing hey I would really like to be a security analyst now that I understand that's even a thing uh was that RSA recently and and uh what is it ins no not ins what's the company it's the three-letter acronym they do all the ceso research anybody Arn anyway um they showed the math as like hiring someone that is an I am expert for security that will report straight to a ciso is going to cost you like 300,000 a year on average promoting someone who is really really good at managing Security on their little team to handle I am across multiple teams is a lateral slide that will cost you about 5% more than you're
currently paying them whatever that is much different balancing act when you're doing this stuff but it does take investment it does take time so send them to places when I first ever gave this talk I gave it at Atlantic security conference up in Hala that's why they got their logo on there but maybe not Defcon not right away especially not this year when it's still all weird uh but send them to places like bides let them have experience talking to other people in the field how many people here are not develop or not security people I would love to come to a bsides where half the hands go up and be like I am just learning this that not half the
hands but uh a good chunk of the room at 312 in Chicago my hometown um uh and you go to some conferences and it's like literally half the room is like I'm a developer or I am in this other area and I'm very curious my some sent me here we should be doing more of that uh how I can tie this in and justify it as a talk related to my company is you realize like all your vendors would love to spend an hour with you at some point and just talk to your teams and say here's the problem set here's awareness we're not here to sell you you're already a customer we just want
to tell everybody like hey this thing called secret sprawl is killing us all and we have to solve it we just really do uh there's a lot of ways to do it your companies already doing the right thing I'm not here to sell you anything but here here's all the stats here's how you personally can go about doing this and it won't cost you any money just here's what you can do as a person sneak will do this for you cyber Arch will do this for you any vendor you have will do this for you they will come in and say here is exactly how you stay safe probably using our tools but in general uh CEUs I know is a bit of a
conversation people like and don't like to have, we'll drop that one, but if there's a cert you can send them to, if they really, really want to get their, um, CISSP or whatever, let them do it, send it to them, invest in them, and know that your company's going to change over time. Uh, average life of a CISO, or not CISO, a CIO is 3.8 years at this point, maybe a little less. Uh, that's a lot of change over there, a lot of change up in the industry. So one of the things that might scare people, and what scared me when I first tried to volunteer for, uh, the WordPress, um, marketing team,
was how long do I have to do this for? And nobody had an answer because we were the first generation, we literally took it over from the person who worked at Automattic, uh, who started the team, and it was undefined. And I remember having the conversation with one of the other team leads from somewhere else in marketing, uh, or not marketing but the WordPress community, and she's like, you don't have to do it forever, just however long you want to do it, it'll still keep going, we'll be fine. You can lead with a small L and just still show up and teach people how to do things until you're comfortable stepping away. But yeah,
there's no Eternal Champions here. If anybody remembers this game, my favorite Sega Genesis game, nobody? It's like, this is a legendary game nobody remembers, it had like 16 different endings. Um, and you can tell people that like, hey, you don't have to do this forever, whatever you want. Step in and be a security champion for three months? That, that just... give me three months, cool. Six months? And if they keep wanting to do it forever and ever, maybe just hire them in security because that's the person you want to hire. Your captains, they shouldn't have to do it forever either, let them know that we're going to rotate. Figure out a way to diplomatically do that, to
democratically do that, elect new ones, and listen to the feedback as you go, 'cause the only way you're going to know this works is if you're listening to the feedback and people tell you that, hey, I really like this aspect, or we really have made a lot of people mad with this, we should do this differently. Again, no magic to this, it's a lot of just find your way. Bonus advice: those are the top 10 from OWASP, an organization that really loves the number 10. This is my only AI-related slide in the whole deck. I personally love ChatGPT. I have come a long way from when I originally said that's a fad, it's going
to go away, it's just going to run its course and people are going to be... it's going to be Bitcoin 2.0. Uh, and then someone at a conference said ChatGPT is not going to take your job, someone that understands how to use ChatGPT is going to take your job. And then I started learning ChatGPT and prompt modeling and whatnot. Uh, so you need an opinion, like, is this a good idea? How would I explain this to someone that's not technical? How would I, uh, what's a good idea for a topic to get people together for, you know, a lunch and learn? Start asking it just random stuff and it's at
least a jumping-off point so you're not by yourself. You should really be doing this with other people, but not everybody's got infinite time to listen to all of your ideas. This is the other place AI shows up in this talk, uh, you can tell because it can't spell design. Um, but unless you're designers... how many people have designers that you talk to about security stuff? Have you ever... let me rephrase that, how many security people in here have ever talked to any of the designers that work for your company about the security for the tools they use? Good, good, uh, it's very few hands, one, one in the back, great, awesome. Um, they're using
Figma, Canva, these are extremely powerful tools with a lot of ability for abuse, uh, and theft, so we should be talking to them about things. But unless they help to design things... I am a terrible, terrible visual designer. These slides are mine, but again I stole all of the im... not stole, I freely used all of the images under Creative Commons license from the internet and appropriately cited where I didn't. Um, and then ChatGPT made me this with AI, uh, they can help you design things that are pretty, that people like to come to. A party that has a good poster, come to this thing that's like interesting-looking. Use the whole team, automate
things wherever you can. And my first opening example of what a chatbot could do: look at an image and say, I think that's a phishing email. There's a billion ways to do this, picking on Zapier here because I literally pulled this from Zapier's website. Uh, yeah, you can make custom responses, got to make it personal for people. I love this picture. Uh, putting together not just this talk but I go through Wikipedia and Creative Commons a lot, uh, and look for things. This individual made this picture for the community, it's like 17 downloads ever when I touched it, and just thanks, philli, like he just put it out there for all of us
to just use freely under Creative Commons, so thank you. But I think it does speak to it, like community runs on people's passions, it runs on the heart, all of it. I have a friend right now who is at an anime convention, I think it's over now 'cause he's in Europe, uh, but he ain't getting paid for that, nobody's getting paid for that except the artists, hopefully the artists and the people running the convention, but still hundreds of people there because it's their passion. I'd long for a day when security is the same way, maybe DEF CON is an example of that, I don't know. Uh, lastly, and the most practical advice I can give you out of all of this: I am
not a psychologist, Dustin Lehr is not a psychologist, but shout out to Dustin for introducing me to this concept, um, the Octalysis framework for gamification and behavioral design. There's a link, it'll take you to the website, or just look up Octalysis framework. Basically it's an eight-dimensional way of understanding what motivates a person and they go through tons of examples. If you go through the champions guide that Dustin put together, uh, he uses this a lot, a lot of examples, but what motivates person one will not motivate person two for a wide variety of reasons: their childhood, their personal experiences, what kind of beer they like, literally. Really hard to map that out, this makes it a little easier to
understand like what that person needs, what they're looking for. A $25 Starbucks card might insult them or might be the greatest thing they could possibly earn, you're not going to know until you have that conversation, but this will help you map out how people kind of work. People are unpredictable but there's only so many paths you can go down. You need to be inclusive in every way possible, yes, people that don't look like you, people that might, uh, come from different places than you do, people that originally spoke different languages than you do, yes, all of that, 100%, we need to be inclusive. The more diverse we are the better we are, there's tons of
studies that prove this. But also be inclusive of people that might not be technical. We know what MFA is, we also know what CVEs are, you aren't born knowing that. Be patient, again go back to ChatGPT, it's like, how would I explain this to a 5-year-old? Maybe make it a little bit higher level than that but you can get started with that. Part of why I love working where I work is I can explain exactly what my company does to a little kid, uh, we find things that shouldn't be out in public. You need to be welcoming to everybody no matter what their skill level and meet them where they are and help elevate them from there, not just
throw extra work on them. So I would challenge anybody in the room, it's like, yeah, this seems like a good idea, I dig what you're laying down here. People, this is how I would start that email to somebody on the team, somebody that is like, hey, I think this other person might be a good champion, or that might be a good captain for helping me do this. Hey, I want to do this thing, remember the thing I said earlier, write the poster first. If you have that blog post that you like scribbled out you can insert it there, or at least mock it out so you can insert it later, so you
can have this in your drafts so you can just send it when you're ready. Hey, can we meet about this? That's this type of conversation, it's that simple to get started. This doesn't need to be a massive undertaking that's going to involve the entire company. If you have a security champion with two people in it, a security champion program with two people in it, that's two more people in the company that are learning about security and helping secure your company than you had before. And what did it cost you? Whatever gift cards or incentives or hats you bought them, much cheaper than another hire. So in conclusion, this is where we need to be, as early as early as
early in the conversation as humanly possible. How do we get there? Either we hire one to one: for every new developer or accountant or marketing or salesperson you hire you have to hire a security person, ain't nobody got budget for that. Or we could elevate all of our people to be like, be on the lookout for these things, and constantly train them in a way that's not insulting or demeaning to them, to be like, we're empowering you to be a champion, to be able to say maybe we shouldn't go through the mines, maybe we shouldn't go through the mines. Every team, no matter what they are, deserves to have a security champion helping them stay secure. Can't just be a
department of no yelling at other teams, otherwise they're going to keep going around you and we're going to have the shadow IT problem that is literally going to eat us in the next 3 to 5 years, 'cause people just stop going through your application. Because they know you're a Microsoft shop, they're going to phish someone to get into their Power Platform and see all of the databases that your employees created outside of your MySQL and Postgres accounts and steal people's PII that way. Again, go watch that talk, All You Need Is Guest, it will keep you up at night. Make the poster first for what you want to build, I say write a blog post, make a
video, whatever you do that helps you organize your thoughts. Include the five whys and the how, because this is where you want to be: at 3:30 in the morning, asleep, because no alarms are going off, because you're secure, because everybody did their part and made the company secure. I'm Dwayne, I live in Chicago, check out the Security Repo podcast, I'm serious, you'll like it, uh, maybe you won't, but you'll listen to it anyway. Uh, hit me up about rock and roll, karaoke, anything else music related, I love music, and hit me up online and please, uh, connect with me on LinkedIn, I'd love to chat with y'all. And that's my talk, there's the slides, thank you.