
How do we bridge the gap between us and the folks that really are providing us great security, all the other non-technical human organizations in your households, in your walk of life, that you need to coach and mentor on why security is important? Number two, help them understand the importance of not only complying but driving that into their day-to-day habits.

My name is Stephen Olik. I'm a local San Antonio resident; been here almost four years now. A lot of my previous experience has been with the Department of Defense as a civilian working with fourth estate agencies, the Army, and then the Air Force. Then most recently I went over to the dirty side and became a contractor. And obviously, kind of, things back to the DoD. Why is that all relevant? It's because I've seen the DoD take an approach to this. I've seen industry taking an approach to this. I've seen myself taking a push at this, and it's really hard when you're trying to talk to folks who just can't understand what you're trying to say and communicate to them, and then getting them the why, like what's in it for them, what are their intrinsic motivations here. So that's what we're all going to talk about today.

Proverbial agenda, but what I want to foot-stomp here is: if you feel led to raise your hand or speak out on a topic, please do so. This is not a listen-to-Stephen-for-25-minutes and then just walk away and hopefully take something away from it. I want this to be kind of like church. If you feel the cybersecurity spirit in you, like you want to say something out loud, please say it.
>> Please do.
>> Cool. But yeah, so the biggest areas that we're going to talk about: we've got to simplify things when we talk to the folks that we're hopefully helping to manage, maintain, and also secure. Effective communication, right? Like you could take that all the way to your spouse if you happen to have a spouse. You have to be effective and you have to be able to talk to your folks that way. Behavioral change is something I've been struggling with myself with my nine- and four-year-olds, so if anybody has notes on this, we'll talk about that one. Interactive training. So, this is probably the one that was near and dear to my heart, because I come from the Department of Defense and I have a lot of scar tissue, because I think they do it wrong. And hopefully we'll hear some good ideas in the room of how you think interactive training can be driving this mentality. Then last but not least, I hope you walk away with, like, we need to build
a culture, and we'll talk about what that means. So yeah, to lead off on all of this: security is really tough. You know, there are several tracks that you're attending here at BSides this week. You go to DevCon, you go to KubeCon, you go to all these different conventions that are just security professionals trying to get smart on what's the latest and next best thing coming. I think you've got to take that back and actually compare and contrast it to how your organization operates, and then give them the "so what": I heard this, how are we going to make this into policy, process, tools, procedures, all the things that drive your security posture with your organizations? How do you do that? It's really, really tough. Some ideas here just to give a picture as we talk to this. I think what's hardest for most technical folks is to use plain language instead of all of the jargon and hash-this and buzzword-that that is always inundating our day-to-day lives. We're on Slack chats. We're in different types of Discord channels, probably. We're in different types of communication avenues amongst the folks that do the business of security that we do. But how do you translate that? Where's the rubric out there that helps you? Where's the ChatGPT for that? It probably exists, but are you using it like the other person is using it? And are they communicating the exact same way back to the organization as you are? Nine times out of ten, it's probably a no, which is why it's so important to bring the organization to you where you're at. We've always heard the mantra of, like, tell it to me like I'm five, or tell it to me like I'm your grandmother. Those analogies work really well when you're trying to describe these really, really hard topics of IT systems, and now we just talked about AI and all these new capabilities that are on the horizon. How do you stay ahead so that you're bringing that communication back to the organization, getting after this mess of jargon that they're saying to you from a business perspective while you're trying to communicate to them from a technical perspective?

So, communication. I talked about it with a spouse. With any kind of relationship, there's always a back and forth and a need to have validation and understanding from the other individual. When you're a security professional, it's no different. When you're saying things out loud, you want to hopefully get some type of validation that you're understanding what I'm saying, right? And this is resonating with you, right? Like all those cues that typically play into conversation. But you don't want to
be like this guy. Does anybody know who this is?
>> Prison Mike.
>> Yeah. Why did he do this? What do you think his reason was to dress up like Prison Mike and talk to his team?
>> Scare them.
>> Yeah. So, is that really the job of the security professional? You think it's our job to just scare people straight?
>> Sometimes.
>> Sometimes. Yeah. Absolutely. Situational, right? It depends. But yes, that was his tactic. You can argue, because it's a sitcom, that the way he went about doing it maybe wasn't the most effective. But there are times, when it's a severe breach that literally rocked the core of the organization, when you've got to be Prison Mike. But I would also offer: don't be prison-like 100% of the time. I think that's when people in your organization tune out the importance of security, because they only see this all the time. They hear this all the time. They hear the no's all the time. They hear the "tomorrow the world's going to blow up and you have to be fearful of everything in the world." That's not necessarily true. What I like to approach with is, you know, there's a really big thought leader in the defense space. He's an authorizing official, a specific title in the DoD, but he always has this "yes, if" mentality. And I like it because it leads off with a yes. Number one, you're not telling someone, no, you can't do this. No, you can't have that software. No, you can't go buy this piece of machinery. You give them a yes within caveat. And that's based on the controls, right? You saw a slide about 10 minutes ago if you were in the room. There are all these frameworks, there are all these standards, there are all these big ISO-this and RMS-this-and-that. It tells you, it gives you the guide, the guardrails, how to implement anything you want to get after. Yes, there are caveats to all of what I'm saying. You can't have the world, because some of those are truly insecure and you don't want to introduce those into your environment and enclave. But don't be like this guy. I think that is where we get in a lot of trouble.

And then here's the other pitfall, I think: you, the proverbial you, all of us, we think we're the Einstein in the room, saying all these incredible things and they're resonating, and E=mc², like everybody knows what that means. But half the time it seems like every time we talk about security, they're not really hitting the "so what." And this is usually what happens: they leave the meeting after you have the session; it might even happen after this session. You might go out and be like, "What did this guy even say?" Which is valid, because communication is situational and sometimes it doesn't resonate. What I will offer is: try and be like we were talking about, the simplicity, but don't get to an Einsteinian level. It doesn't need to be that complicated when you're describing the health of the business or organization and why things can be rocked and shattered because of one instance of a breach, or a secret being exposed, or a password being written down instead of kept in a password vault somewhere. These
are all things that we can and should do. So this is why I'm talking about being a parent. Not saying organizations are like children, but I think we can all have a little bit of shared understanding that people, as much as you want to control the things that they do, are out of your control at the end of the day. How do you drive behavioral change? This is, again, rhetorical on purpose, but it's all about what we're going to talk about in a second here about establishing a culture. Because if you give them the communication we were talking about earlier, with easy-to-understand technical information and not the jargon that we're all used to, maybe they just do it for themselves. And then you have that proud parent moment where you're cheering them from the stands.

Do we want to be Roy? Let's think about this for a second. Has anybody ever seen The IT Crowd? Does this resonate with the room? I hope yes. So what was his famous line? "Well, did you try turning it off and on again?" That was his cop-out, like, first-call-resolution mentality, which honestly is the right answer half the time. I tell my parents this all the time. That's not to dime them out; that's just how tech works today. But does he go into more thought usually on the show? No. Does he go be empathetic with the customer? No. To try and understand and have empathy for where they're coming from, and go see their environment and understand what their business process looks like and why they are maybe communicating a vulnerability to the organization? No, he doesn't do that. And he does it because there's always been this natural divide of IT versus the business. I'm here to offer, and it has been said ad nauseam and I'll just say it again: the business and IT are together, and we have to be real about this and understand it. And hopefully you have thought leadership in your organizations that does try and bridge that divide that may or may not exist for you all today.

And this is my famous line when I talk to folks. It's usually an ID10T, and they're like, what do you mean? I'm like, just go write it down; let's have a chat in five minutes. Right? That's not the right answer either, because what it does is castigate the person, and it puts them in a defensive position. You're already judging who they are as an individual, because sometimes the tech itself is wrong, the security configuration is wrong, or a plethora of other reasons that, again, if we get back to that compassion and empathy and meet the people where they're at, maybe it's something that we
can actually control so that they can drive this behavioral change that we're looking for.

Interactive training. This was my favorite section to put together, because I came from the Department of Defense. Has anybody worked with or around the Department of Defense? Hoping somehow, because it's San Antonio. Cool. So, the guy on the next slide you're going to recognize. He doesn't exist anymore, but this is the dude. We've always known this guy. His name is Jeff. David drilled into our heads because he was the computer avatar of this ridiculous cybersecurity training that we had to take every year for compliance, and we'd watch him, in his 2000s-era computer-animated style, trying to teach us the "so whats" of security in the Department of Defense. I keep saying Department of Defense on purpose, because it really is that important. Like, there are severe gaps in security with those systems that are in fraud today that we, the proverbial we, may or may not take seriously, because we get this guy's phone in our face and they make it fun. They make it comical, and I understand what they're trying to do. But is your training like this guy, and is he impressed or not impressed? I think it should be more interactive. I think there could be more real-world exercises. Some of the ideas that I put together, just to kind of read from my notes here: you can do gamification. I think one of the coolest things that the Department of Defense has done recently, which again is a little bit controversial today because a lot of these organizations don't exist based on the DOGE cuts and stuff, is they did a lot of bounty programs inside of the DoD where they offered money to come hack our systems. I thought that was an incredible idea that Defense Digital Service did a handful of years ago. Will this come back in fashion? I don't know. But that doesn't mean that any of you in your organizations can't and shouldn't go through this as well. I think that's a really cool idea to try and drive those intrinsic motivations in your organization. I think, last, to throw something else out there, is pulse surveys to the organization, testing on the latest cyber threats that may or may not be experienced by the organization or on the periphery. Do they understand things that have come out in the real world, in public media and relations? I heard a talk this morning about some of the platforms that our children are on. You can do these kinds of surveys to pulse the organization to say, like, are you aware of XYZ? Nine times out of ten, they're going to say no, more than likely. Maybe they will, and there's some learning to be done across the organization. But it gives it a reality that then you can take, that motivation in that moment, and drive it back to the business.

So, kind of wrapping up here, because I am coming up on 10 minutes or so; maybe we can open this up for some convo. The culture is really where it's at. And to take a step back, take the word security out of it for a second. Culture, at the end of the day, is the norms, the principles, the things that the organization does when no one's looking. And if you took yourself away from the organization that you're part of, what are those behaviors that are always in play? What are people doing? How are they acting? Are they sharing things that they shouldn't share? Are they using capabilities that are not on an approved products list? Are they going through processes around the guise of governance, whether they like it or not? Are you putting guardrails in to help them understand the why, how a request turns into a solution for them at the end of the day? Are you adhering to the SLAs to keep them motivated to use that same process? This is all part of the culture that I believe is really, really important to put down and ensure that you're doing.
And something else that I'll mention is, you know, security, we're the warriors. We're the middle tier to maybe senior-middle tier, trying to make positive change happen above us and trying to make change happen below us. That's typical of any organization; y'all are the action officers at the end of the day. But it all starts at the top. If you can't convince your CEO and the C-suite to do the things that need to get done, you're at a loss. You're not going to win. And I think that's one big thing: you've got to find the champion. The CISO likely is your champion, because he or she might have access to that team that I'm talking about, the C-suite, your senior leadership, the board. But you're also going to need to find champions within the organization as well that may or may not be inside of the security mission, that are tangential to it, that can speak to it and give it some business value at the end of the day. And I like the picture on the right, because I feel like a lot of us feel this way even after our first couple of months on a job, when we take it, we're excited, we want to go crush things and take names and ask questions later. And then you start looking behind the curtain and you peel the onion, and there's layer after layer after layer of tech debt, security debt, process debt, like all these things that have been brushed into the corner because nobody wants to talk about it and address it. And guess what? Someone has to be ultimately accountable and responsible for it. My call to action for you today is that everybody in this room, everybody in your organization, can feel that sense of ownership together. It's not a RACI where you have a responsible, an accountable, a consulted, and an informed, and typically one person's accountable. Everybody needs to feel that accountability. Everybody needs to feel that responsibility, because it's extremely important to the business. I hope that you got a little bit of that today.

So, last slide, the same four big buckets here. You want to engage the staff with easy-to-understand jargon. You want to simplify the concepts that you're going to learn here at BSides this week and in other conferences that you attend, webinars you attend, things that you read on the internet and in other periodicals in your day-to-day. You want to promote that positive change so that you drive those behaviors. Then, last but not least, build that culture. It's the most important thing you can do as you leave here today. Any questions, comments?
Right on time. Yeah. Go ahead.
>> When it comes to simp
It's very simple and it's medium and