
So, reserving the right to be wrong. Comedy of Errors: Shakespearean jokes there for anyone who spots it. You have a mission during this presentation: there are seven mistakes. Spot them, count them. There will be a test at the end. There are no prizes for the winner, but look for the seven mistakes.
Okay, so we have a quote: "No amount of experimentation can ever prove me right; a single experiment can prove me wrong," as Isaac Newton famously said. And the point here is, while we're working in security, well, it's a technical area, there still aren't any right answers. You cannot be certain that what you say now will still apply 10 minutes from now, six months, whatever it might be, or even that it's accurate now. You have to be ready to be proven wrong by experiment, by failures, by all sorts of other things. If you can't accept that, you are going to have massive, massive problems, and it's not necessarily going to be career problems; it's going to be dealing with reality. So it's going to be issues around stress, it's going to be issues with relationships; all sorts of things will come out of that. You have to accept a single experiment can prove you wrong, as Isaac Newton said. Nice picture of him there.
And I'm going to now give you all a question: am I secure enough? Tell me. The right answer to this is that no, you can't tell me the right answer, or no, I'm not secure enough. Does depend on my risk appetite, but if I say it's within risk appetite, then am I secure enough? Or outside it, am I then not secure enough? There is no definite answer. More importantly, am I secure enough to admit I might be wrong? I told you this was a security talk.
Another quote, because I like quotes: I don't like perfection. And this is true, I hate perfection. It's dangerous because there's nothing after it. There is no room to grow once you're right, once you've mastered something. You have to be able to be wrong to change your views and accept new information. And this is, this is the professional argument for why you need to be able to: it's because otherwise you are going to be stuck at that point in your career, in your life, forevermore, because there is nothing better out there. There is no way to grow or change without starting from a position where you're wrong about something. And you can see the nice picture of Albert Einstein, who famously gave that quote.
So why do this whole thing of reserving the right to be wrong? Why say to people, "Yes, I think this is the answer, but I could be wrong"? Why do that every time? Because it sounds like you're just hedging your bets. Well, uh, we have on one side security. You have accountability: if you can admit you're wrong, you can be held accountable for things; someone who can't admit they're wrong can't be. And we all know that accountability, ownership, is absolutely vital to security. If you haven't got ownership, if you haven't got direct ownership of assets, of risks, of everything else, you do not have a secure organization at all. Uh, there's growth: if you can't admit you're wrong, as we've said, you can't grow, you can't develop, you can't change. You have to be open to making mistakes and accepting them and learning from them, even if it's painful. Communication: if you're always right, what's the point of anyone talking to you? Because you're just going to be right. They can just ask you a question and walk away. There is no conversation, there is no negotiation, there is no exchange of information. I mean, information theory is one of my favorite hobbies, and it's all about that exchange of information; it's not about someone being right. And acceptance: if you accept that you can be wrong about things, life gets a lot less stressful, I guarantee you. When you're trying to be right all the time, when you have to be right all the time, it is painful, really, really painful. I speak from experience here, years of experience before I learned that lesson.
And on the other side we have insecurity. So what do we get under insecurity? Well, we've got denial: we've got people saying, "No, there's no way I can be wrong. No, I don't own that system, because it's got problems and I don't want to deal with them, so it's not mine." We have stagnation: that's the "I have reached perfection, there is nothing more I need to do. Yes, I got my CEH certificate, I am now a master of pen testing and there is nothing more for me to learn." Conflict instead of communication: because you've got two people who think they're right, it's only going to end one way; that's with both of them dead. And stress, again guaranteed: if you're trying to be right all the time, if you hold yourself to this impossible perfect standard, then you are going to be stressed constantly.
You may have heard about imposter syndrome; there's quite a lot of talk about it. You know what imposter syndrome really is, is holding yourself to a standard of perfection. That's all it is: it is holding yourself to a higher standard than can possibly exist. If instead you're saying, "Oh, I can be wrong, and it's fine if I am," suddenly it all goes away.
So, how to do it. We have five stages. First one, self-reflection: you have to spend time considering how you feel about things, why you don't want to be wrong. But even though you can say to yourself, "Yes, it's fine, yes, it's okay," no one likes being corrected. Absolutely no one likes it. It's built into us as humans that we do want to be right, and it takes a lot of work, continuously, to say it's all right if I'm not right. And always, every time you feel like you're being definite about something, consider that you could be wrong. You could be making a mistake; it is always an option. I mean, everyone here has got to be a fan of Mythbusters, yeah? Failure is always an option. Always, no matter how right you think you are, allow for failure. Now, what happens when companies don't allow for failure? They don't do a business continuity plan, and then they go bankrupt. And try to see mistakes as a way to develop and grow, not as something to be ashamed of. Admit to them, own them, grow and learn from them. It's absolutely brilliant; it's a brilliant way to improve yourself, to improve everything around you. Okay, and murder your ego: it's not about you. If someone disagrees with you, if someone proves you wrong, if someone screams at you for hours because you made some tiny mistake, it's not about you. The problem's with them if they're screaming at you, and if it's a more rational, more reasonable discussion over something you did wrong, it's because it was a mistake. Everyone makes them. It's not personal, it's really not.
Okay, next question: how many mistakes did you spot? So we've got four, four, three. Okay. Mistake one: that was Albert Einstein, not Isaac Newton. Mistake two: that's Leonardo da Vinci, not Isaac Newton. You may spot a pattern with these. Uh, that's Mark Twain, not Einstein; they look weirdly alike, it's disturbing. And that was Alber Elbaz again, not Einstein. In case you don't know who Alber Elbaz is, I didn't until a few weeks ago when I was researching this, he was a fashion designer. So fashion gets it. And yeah, it's denial, not de Nile; it is more than a river in Egypt, to do the old joke. Three is not equal to five: I said there were three things, there were five. Who's got the seventh mistake?
There were six mistakes, not seven. Except I just love a paradox. Right, now I'm also going to say another thing to remember, and this one is really important. This is more uplifting than it looks, I promise you: no one cares. No one cares if you've made a mistake. No one cares if you did something wrong. No one cares if you dropped the mic in the middle of your talk, or knocked the laptop off the stand, or spill Cola in some expense. Well, okay, Cooper might care. But no one cares about these things beyond the immediate consequences. No one remembers them except you. This is down to a lovely phenomenon called the spotlight effect; some of you may have heard of it.
You can also call it, and my preferred name is, main character syndrome. We are all the main character of our own story. We've all got this wonderful narration running, most of us have this narration running in our head, telling us what's going on all the time. But even when people don't, when they're, I forget the terminology, but when they haven't got that inner voice, we're still the main character. We've only got one perspective to look out of, and everyone must be looking at us, because we're all that's real. Everyone's judging us, they're looking at me. I mean, admittedly, you are all looking at me and judging me because I'm on stage, but that's different, and once I'm gone you'll forget everything. But it's not as important to everyone else as it is to you. Genuinely, if you make a mistake, no one is going to remember for long, and no one is going to care as much as you do. So the fact that no one cares, take it as a good thing. You are much more worried about what you're doing than everyone else is; they are worried about what they're doing. Right, so, any questions?
I've been teaching with a training camp called CAPSLOCK for, since it was founded three, four years ago, and I found that every time I was starting a lecture I was saying there are no right answers, reserve the right to be wrong, and all of these sorts of things, because these were people coming into security and cyber security who were understandably worried that they didn't know enough, that they wouldn't get it right, and they were pursuing the right answer to a lot of things where they didn't exist. So it came from that, and it came from finally getting the fact that after 10 years I sort of implicitly learned this, and then a few years later, with that training and with having to make it explicit to other people, I started to understand it a lot better myself. And then I started digging into it, and the psychology and spotlight effect and all of the other pieces that's around it, and I think honestly it's just an important message. I've got a whole other demotivational speech about how sometimes you should just quit and give up. Uh, that one I'm still writing, but I've got it.
I, I can submit that for next year. You can do a demotivational track. Anyone else? Yes.
you conveyed that steps
It's, it's a tough one, and there's various ways I've seen it done. Some of them is just slammed down from the top with a massive sledgehammer of "No, you do own this." It's not a pleasant way to do it. It does work, but it causes problems later on. The other one is to point out to people, or to get them to understand, that you own the system because it's important to you. You don't want me messing with your system, and if you own it you can stop me doing that. So accountability goes along with ownership.
It's a common problem, and most likely it's because they don't understand what security is of that system, that you're not just coming in with governance rules and ISO or SOC 2 or whatever it might be and dropping it on them. So I normally go with storytelling and threat modeling work, so getting them to sit down and do threat modeling and really think through what are the threats that apply to that system and what can they do about them, because that makes it real. Or tabletop exercises are another one; again, it makes it real, particularly if you stick the nice big ransomware slide up there and say, "Right, because this hasn't been done, you now need to deal with this."
So it's ways to engage them, and it's, it's gimmicks and it's trickery, but equally it's a way to bring them along that journey.
Um, the smallest talk I've given had an audience of two, so that, that helped me with sort of exposure therapy. But no, the thing is, if people are listening, they care. They might not change their behavior as a result, which is ultimately what you are aiming for with any talk or any presentation, but if they are listening, they care at least enough to turn up, and most likely that's because they care about you as a person, if nothing else. Ultimately it's just deciding what is it you want to get from the talk: is it to change people's minds, to get them to think differently, to behave differently, or is it something for you, to raise your profile? Either's fine.
Um, ultimately it is just a case of, you have to accept that you will never be as important to everyone else as you are to yourself, and they will never be as important to anyone else as they are to themselves. It's not that they don't care at all; it's just that they don't care as much as you do, unless you can convince them to. Which doesn't answer your question at all, I know. My best answer is: remember that you are doing the talk for a purpose. It doesn't matter whether that purpose succeeds. It's fine to be wrong, it's fine to fail. You're allowed, you're allowed to just try stuff and not have it work.
And there's this amazing community, but I do find the higher level off with more people with more letters after first video every big ego problem. Is that something that naturally develops, or is that, so I don't want to be like that, but it's a certain type of personnel?
Okay, so if you look at my LinkedIn, for example, you will see there are no letters after my name on LinkedIn. If you go and look at the license and certifications way at the bottom, you will see I could do the full alphabet soup if I wanted to. The issue with people putting all of the letters after their name, not just one or two, you know, some post-nominals are fine and tasteful in the right context, but when you just start slapping everything in there, it does show a certain personality, and I may get flak for this, but it does show, I believe, a level of insecurity and relying on external validation for what you're doing, instead of being willing to say, "Yeah, I'm all right as I am." This does not apply if you're doing something like filling in a CV or arguing with a chartered engineer, where you need to bring credentials into it. There are times it's appropriate, but when it's just that long, long list to impress everyone, it's not very impressive.
This, this is pretty universal. I've yet to find anywhere this doesn't apply.
And a lot of the mental health sector, so a lot of this is taken from that; not the self-help positivity side, but the genuinely helpful "yeah, it's not that bad" side of things. So as you'd expect, there's more of a handle on it there. But generally speaking, no. There are sectors where you do have support available and they handle it better. We don't have that; generally we don't have that. There are companies who provide it for their own staff, but people very rarely take it up, even though they should. Um, the state of mental health in this country is not great in terms of care available, so it's not handled well there. So the answer is, I don't think there's any sector who've really got it. Thank you. [Applause]