
Red Teaming the Board

BSides Charm · 2017 · 45:25 · Published 2021-05
About this talk
Red teaming extends beyond technical exploits to strategic business risk. This talk explores how security teams can apply adversarial techniques—business process reviews, war games, and competitive analysis—to align with executive objectives and identify threats across the full spectrum of organizational harm, from regulatory disruption to market competition.
Original YouTube description

Red Teaming the Board

Red teaming as an infosec practice has centered lately around showy exploits, social engineering, and ski-mask style hacking. This is just the tip of the iceberg. To better align security teams with what business leaders need, we need to get back to our adversarial roots by focusing on a broader spectrum of threats, how businesses can be harmed, and how to uncover them from a process perspective. This talk will focus on how and where we as security practitioners can apply red teaming techniques in the corporate environment, going beyond the same old live fire hacking exercises with war games, business process reviews, and competitor/market analysis. The goal of this talk is to empower security teams to better align themselves with not only IT and engineering departments, but the core business objectives and directives in place at their respective organizations.

Presenter: Robert Wood

Robert Wood runs the security team at Nuna, whose core directive is to protect one of the nation's largest collective healthcare data sets. Previously, Robert was a Principal Consultant at Cigital where he founded and led the red team assessment practice and worked with strategic clients across the United States in an advisory capacity. Throughout his career, Robert has approached problems from the red teaming perspective, identifying how and why things might fail when instigated from an adversary.

Transcript [en]

all set all right good morning everybody good morning um all right so this morning we're gonna talk about uh red teaming the board or bringing some red team techniques uh for those that are familiar with the process to the broader business perspective to the executive table to senior leadership to management management pillars throughout an organization and we're going to talk about why we need to do that what the current state of uh you know how security is is currently functioning within organizations and then some techniques tactics etc for how we can get to uh how we can start to apply some of these bridge the gap things into the business sense to get more of what we actually want to do

so really quick who am i so i run the trust and security team at a company called nuna we are a healthcare analytics company based out of san francisco uh and as of about two days ago i landed here in well drove here um from san francisco out here and just officially completed my move here so rock on and i was a former red team director at cigital so i used to do a lot of very hands-on technical red teaming where it was more you know the black mask social engineering break into stuff uh hacking a lot of things all of that and so i got a lot of perspective around uh working with a bunch of different

companies and seeing how red teaming works in the financial services sector to the health care sector to insurance etc etc to see what things are of concern to those types of industries and then i got to i got to start applying a lot of this to more culture building and all of that in my current role at nuna and uh for anyone that knows me or as you'll see throughout this i'm a little bit of a fanatic this is actually me in a in a full batman suit and uh one of my bosses or former bosses kids um i think weighs about 40 pounds for anyone who's curious all right so really quickly so agenda

for today so as i'm sure we all well actually really quick show of hands is anyone here familiar with or has participated in any kind of red team assessment in their current day-to-day work awesome so so for those of you who do this and for those of you who are probably just following along or who are interested in or reading with reading alongside red team like topics or social engineering topics we know that penetration testing or red teaming is a great way to just blow the lid off of some problem that has not yet been explored or hdmi i do have adapters sure uh well i don't have adapters handy alright standby

mac

it's all good

we're good

okay all right cool so um so we all know that red teaming and pen testing is a great way to call a lot of attention really quickly to something that has not yet been explored um but i have this i have this working hypothesis that one of the reasons that we continuously fall short in the organizations we're working with or in is that we end up using a very different language in the way that we measure risk the way that we test things the things that we're concerned about for obvious reasons you know we all work in security everyone else works in an organization in their own particular specialty assess risk what kinds of things that we

look at and so uh getting ourselves out of that bubble and really starting to expand our thinking is one is going to be one of the big themes of this talk and so one of the first things that i want to that i want to touch on here is figuring out what is actually important to the organizations that we're working with so everyone here has probably seen or if you if you have not seen these uh these particular acronyms kpi is key performance indicator and okr is objective and key results these are basically management speak for what the hell are we going to do and how are we going to do it and if we're not measuring things or

talking about things in the same kind of language or at least giving senior executives ammo that they need to achieve the things that they've documented and come out publicly saying they're going to do then we're going to find ourselves coming up short in some ways the next thing uh and this will be i'll focus on three particular tactics that i've seen applied successfully and have applied successfully in terms of actually bringing red team techniques into these management and executive circles and the first being business process reviews so you could think about this as threat modeling or some kind of adversarial analysis for a business process whether it's uh new user onboarding user off-boarding access management et cetera et cetera

there's a there's a million business processes that run the organizations that we all work in and then doing war games so a red team they're the way that information security the the industry typically thinks about red teaming i'm going to get a little mobile if i can so the way that information security typically approaches red teaming is more of a an active uh an active assessment or emulation of you know some set of adversaries against a particular system uh you know it's usually an organization or um or you know some big app like chase.com or something we're just gonna go after you know chase's primary banking platform um and what i wanna what i wanna introduce

here is basically bringing that same kind of adversary emulation technique to business strategies and getting getting senior executives to think about the same kinds of things that we think about and getting them engaged because when they're engaged we can start to drive our agenda more effectively and then the last thing is spreading the love that we all you know we come to these conferences we talk a lot we learn a lot and we are we're really quickly advancing the state of our of our internal uh state of security but at the same time we're not really doing a great job as an industry of sharing that knowledge outside of the outside of the bubble of security

profession professionals and so what i want to propose is that getting other people engaged and interested and involved in your organizations will help will help drive them to you for advice you know they'll start asking you for questions they'll start asking if this particular thing is okay et cetera et cetera and that's all of the stuff that we actually want it does take more time but it's all the stuff we want in order to make sure that they are thinking in a way that's going to protect you know they don't click on that link they don't do that dumb thing that ends up putting the organization at risk and then lastly uh and this is this is a

big theme that's been just emerging in you know security team agendas or ciso agendas around the uh around the field is we want to be able to turn security into a competitive advantage for our organization most of the time as you all know

as you all know security is security and i.t and other internal service organizations are cost centers within an organization so all they do is take more budget they always want more budget because there's always more risk to reduce and they don't actually lead to any increase in bottom line for for the organization that they're servicing and so instead of being consistently being the team that is pointing out problems and saying no we want to we want to gain trust in the c with the senior executives that we're working with the other department heads that we're working with and we want to be able to help enable them to do their jobs more effectively so even though we're not bringing in

dollars we're helping them earn more dollars and more effectively and safely and so you probably all are asking yourself first off who really cares um so when i first came out of consulting i asked myself the same kind of question i tried to approach everything from a very technical perspective and i had this this reflection moment very very frequently about who really cares about all of this business stuff um it doesn't really serve my ends immediately um you know the means don't don't lead to the ends that i want and so so i had to really challenge myself to get to break that line of thinking and basically that what it the primary objective that we were shooting for here

is getting people engaged and interested and fascinated with security and they want we want people thinking about how security may potentially negatively or positively impact the projects that they're working on so for instance i'll use an example that we had at nuna getting some of our department heads or business line leaders involved and engaged in this you know through these kind of processes we have them coming to us at the very start of and not by some kind of organization-wide mandate but we have them coming out coming to us at the very start of their projects and they want to weave in to every single sprint every single story planning activity some kind of security requirement

they want to weave in particular security features along the way they want to make sure that they have all of the compliance checks that they need before the product goes out the door they want to make sure that they engage folks with or engage with penetration testers to get results and bugs and all of that and so ultimately what we're trying to drive for is getting our users and our department heads interested in what we're trying to get them interested in because at the end of the day a team you know most security teams cannot scale or cannot keep up to the kind of scale that we actually need to to service the organizations that we are

all right so really quickly reflection time where do we stand today so as i mentioned and as you all very well know security is a cost center i mentioned this before but we are very very focused on technology and social issues and social issues to the extent that people are clicking on links we know social engineering is bad phishing is rampant all of that but beyond that we don't really embrace the social factor and then in a lot of cases we we talk about and we frame issues as though ours should always take precedence um and so this is one thing that we've been in pretty heated debates internally at at nuna in terms of i'll use an example um i'll

use another example just to drive the point home a few members of our team felt very uh felt very strongly that we should that we should completely block off any kind of work from international international locations um you know there was a there was a really big you know with all of the stories emerging about um uh like the cbp and and border protection uh seizing laptops uh forcing people to get into them et cetera et cetera um there was there was a lot of talk about well our you know our laptops anytime somebody travels they're automatically going to be backdoored et cetera et cetera and so we should just completely block off any kind of

international travel full stop um but working in san francisco and having a very diverse employee base as we do that would be a huge huge huge business disrupter and so we can't just full stop saying nobody can work internationally and so we end up having these kind of discussions that you know we have to start framing things in a business context in terms of how much is that actually going to cost us in productivity loss is there a better smarter way to potentially remediate the risk and so now we just end up giving people chromebooks and we let them have access to certain non-phi apps for for instance like you get access to your corporate services via chromebook or

something like that and that is the way that you work internationally and then everything else you may have to go through a bastion or something like that um but anyways this is basically how i ended up when i first joined nuna this was essentially how i kind of burst onto the scene in terms of there was it was a small startup they had a few products out there already there was all sorts of technical risks as you might imagine um with an emerging company and there was a lot of just technical risk to be remediated and unfortunately none of the vulnerabilities that i could really bring to the table could actually be remediated um if you

if you started to dig in and shave the yak if you will a lot of these systems weren't necessarily redeployable instantaneously they couldn't be maintained in a in an agile way in the sense that if we wanted to bring something down patch it bring it back up or apply some code level patch that we can instantaneously do that and so in order for the for the organization and engineering teams to to facilitate the requests that i had to start fixing vulnerabilities they would have to carve out weeks of their time to you know just to make simple changes and from a business perspective it really forced us to say well what is the what's the real likelihood that this

particular thing is going to get uh that this risk is going to be actualized and what if that risk does get actualized how much will it realistically cost us because this is this is basically what ended up happening to me when i when i proposed said when i came in like this i ended up like that um and i and i know that that has happened to a lot of um you know and talking to peers and all of that peers and friends in the industry i know that's happened to a lot of different folks especially um those working in a consulting capacity we have this tendency to just burst onto the scene like you know the

experts you know kick the door down and uh you know we start just like lighting up uh you know lighting up reports and shooting pdfs all over the place and we're saying you know all of these things are wrong and so go fix them all and what happens most of the time is whoever's running the running the show they'll start shipping said pdfs out you know around the company they'll say oh yeah that's great and nothing will end up happening with it which is really unfortunate and that's that is of course not what we actually want to accomplish we don't want to just find stuff we want to make sure stuff is protected and so i mentioned this a little bit ago

the language disconnect so um by people just shouting stuff out if i was if i was to say i had a high risk vulnerability or this sql injection was high risk what would that mean to somebody and please just shout out

okay so uh first one was highly likely that somebody would be able to use or exploit the sql injection anybody else okay so it might mean that there's some kind of data exfil there anybody else big impact on the company all right so um so thank you for those so all three of those things are technically probably right in this context however our counterparts in the in the organization um they end up using these kind of terms if you think about finance teams they use risk and threat and stuff in very specific ways and our industry is one of the only ones um at least that i know of um obviously because i work and live and breathe this stuff

but we we don't conform to the to the definitions that other other kinds of teams or other professionals uh have for these particular definitions and we also don't even agree on them within our own industry so um you know if we're if we can't agree on things within our own field and we have let's say five security professionals on a particular team and they're all thinking about risk and threats in a different way and we can't uniformly communicate that to an executive who we're expecting to allocate budget towards something um that's gonna you're gonna have a really hard sell on your hands give me one second

all right and so one way to get around this and i'll explore this a little bit more later but is to is to bridge the gap and say if finance is going to be measuring risk in terms of expected loss so combining likelihood and impact and do a little bit of modeling so you'd say that sql injection has a 25% chance based on where it's uh based on where it's located in the application and it you know either does or does not need authentication to take advantage of maybe it has a 25% chance of being of being exploited or utilized within the next six months and if that sql injection is actually successfully used it could cost us between 50,000 and a

million dollars and with those three simple parameters you can very easily model and say here is the actual expected loss of a of this particular vulnerability and then you can measure that expected loss against some kind of proposed budget so if it only if it's going to cost the developer you know five hours of their time and you can really easily roll that into production then that's a really easy change however if that same thing like if you walked into a system like i walked into initially and you couldn't actually make a change to the uh to the application and let's say your expected loss was uh 75,000 after you know all things being modeled

and your remediation cost was going to potentially be you know several hundred thousand dollars then it's a more interesting business decision and we can't necessarily just come in screaming and saying my issues are more important than the businesses issues because at the end of the day it's all money all right so the next thing i mentioned this a little while ago but we're missing our macros so we hyper focus on those technology and social issues but in many ways we don't really consider tackling the problem of security within our organizations from these other potential angles so uh you know the way that we that we hack on office politics the you know can we integrate legal

into our uh into our discussions and get them on our side or rallying to our cause can we potentially like as i just mentioned with the with the risk scenario can we start to bridge the gap with economics and speak more to our finance teams who may want to allocate budget to our cause and then security is a business problem so as of right now um i mentioned this uh at the beginning but we have this emerging trend of you know cisos are demanding a seat at the executive table security teams want to be a part of the business discussion we want we're framing security as a business problem however our actions do not really support

what we what we say we want um you know we continue to to heavily support condone and and endorse very very technical um very very technical research we don't support inclusiveness in many cases and we're we're doing a lot of stuff in a security vacuum we're not doing a lot of stuff with business leaders you know hand in hand and if we want to be a part of their solution then we have to meet them where at where they're at or prompt them to come to us and so where we want to go um is anyone here familiar with peter drucker anyone read his stuff a few folks excellent so peter drucker is this management consultant guy

and he has this quote that i really really really like um it is the best way to predict the future is to create it quite simply so what we mean by that is if we want to be a part of the business the business discussion the business problem frame security as a business issue then we have to start we have to start creating situations within our organizations that allow us to do that and that's where i'm going to dig into these three particular techniques first one this is focused on the business process reviews so the cia they declassified this simple sabotage field manual a few years ago and basically if you read it it is it is

basically their their manual or their set of standards or guidelines on instigating a completely hellish bureaucracy um within some some system that they want to disrupt or influence or control or some things of that effect and uh when we started digging into our own business processes we ended up finding a lot of a lot of really wonky things like some of the principles in there are you know try to instigate as many meetings or get as many stakeholders in the room to make any any kind of decision possible you know has anyone ever been in a meeting where somebody wanted to pull in 30 other people to make a decision to something i know i have um and what happens in

that situation is you either never arrive at some kind of consensus and that thing never ends up getting done unless you kick it down the road and six months later you bring it up and try to you know you either hope that those other people are out sick or you don't include the people who originally proposed bringing 30 others into the room something like that so so by reviewing or threat modeling if you will business processes or the things that make our organization run we can get ahead of this kind of stuff we can stop letting these these messes happen to us and we also get a chance to have a lot of really thoughtful discussions with

the business process owners the next thing is we bring our red team hats into the board room so i can think of a lot of things at nuna in particular that could completely derail our company outside of you know hackers in organized crime hackers in russia or china et cetera or you know the run-of-the-mill script kiddies there are many adversaries come in all kinds of shapes and sizes they might be competitors they might be regulators who are creating some kind of uh creating some kind of policy or or something like that for our particular situation we actually ended up wargaming uh wargaming potus before he came into office regarding uh healthcare policy and because that

impacts potentially impacts a big part of what we do and so we sat down and we we we red-teamed it and it was it was a really productive exercise we ended up uh you know discovering or identifying a number of different things that he might do relative to healthcare policy and mapping out our potential responses to those things and all of those things are risks to our organization and and i got a lot of face time or our security team got a lot of face time with all of our senior executives who were who are having that discussion who this is very very real and relevant to and then of course we spread the love

and so a few things that i think um that i think are really relevant in terms of spreading love are social engineering and threat modeling two of the two of the more fun things that we do as as security practitioners and i want to talk about and i'll highlight this later is engaging very specific um i'll use specific examples or teams within an organization but getting them on board with these kind of these kind of things and the point there being you can rally more people to your cause or even rally more people as supporters to your cause so that way when there's when there's multi-functional or multi-departmental budget discussions happening you can have folks

you know potentially throwing uh you know throwing chips in your corner and backing you up if you say you need more uh more funds or resources allocated to your uh to your cause so first thing first so figuring out what's important so as in any good security assessment we need to first get a lay of the land we need to we need to figure out who the key players are we need to figure out what makes them tick we need to map out where money is going who the influences are things like that and that requires reconnaissance so how do you find these things out here are some ways you know your org chart might be a good

start looking at who's making company publications or pushing uh pushing out new material or sending out the most company company-wide emails things to that effect or just being out and talking to people figuring out who is making the decisions and who is really driving things is really really clutch and you can just take notes of all those things map map those people out and then you start to use when you have that list of people their departments uh maybe who works for them who they report to etc you can start to pull together some of the things that are relevant to them from the things that they're publishing maybe that's okrs or kpis that they've

uh that they've committed to or that their team has committed to maybe that's um you know what their last 10 emails have been about things to that effect but map all of this stuff out as you would in any kind of social engineering or security assessment where you're preparing and doing your reconnaissance and figuring out what's relevant and where you actually want to test because you can't test everything as you guys know but you know you wanna you wanna spend your time where it's gonna have the most impact where you're gonna drive home the biggest uh uh the biggest uh win so next thing um you know that was quick and easy we know where we need where we

potentially need to start that was that was step one the next thing is actually digging into some of these business processes so the way that we started this and i mentioned this uh earlier is that this is basically threat modeling for business processes if you're in a map out flowchart style um you know a business process like onboarding a new user which is which is an important thing or providing a new access request i'm sure we're all quite familiar with with some of the breaches that have happened where somebody just has or some system has too much access to some set of resources that they don't need or they change teams or changed departments or

left the company and that access was never removed things to that effect and so mapping these things out very clearly you can see who's involved maybe what data relative to some classification is flowing through that business process what systems or vendors are involved you know maybe there's a decision point that needs to be made and how that potentially happens and you can start to overlay threats and controls and things like that on top of these business processes and let's say you have uh let's say you you know from your initial research you've identified you know maybe maybe your your time is best spent in one particular department like maybe everything kind of flows through there then maybe you start there

and identify maybe what that team's what that department's top 10 business processes are like what makes them tick what makes them run and from there start to map out map this stuff out and if if you have let's say their top five business processes have a lot of controls in place like not everything you're going to need to step in and swoop in and save the day but maybe their top five are very well guarded and maybe their their latter five they have one control each and maybe those controls are policies or procedures and i'm sure we're all familiar with uh with the with that oh so great feeling where you put where you publish a policy nobody reads

it nobody follows it nobody implements it and you're just kind of dead in the water pointing to the policy and saying well you know we wrote this thing it shouldn't function this way it is functioning this way so you're in violation of x xyz so ultimately what we want is to actually create tangible maybe technical controls or procedural controls something to that effect we want to codify in some form or fashion controls that get us above and beyond simple policies and when we did this at nuna we were initially really concerned this was more of an experiment for us but we were initially really concerned about inadvertently taking on a lot of ownership of stuff we didn't want to end

up owning uh user user onboarding and off-boarding we didn't want to own data access requests and approvals we didn't want to own uh you know system maintenance that for systems that were not even relevant to us et cetera et cetera but as we engaged with these people and we just helped them think through their problems we found that we weren't actually well a we as a security team we were wasting a lot of time and we did this uh you know when we did this on ourselves um you know we we were not keeping our house in nearly as proper order as we as we expected we were um but the the teams that were that were having

these assessments done to them they were also much more engaged and they didn't want they didn't want to give up ownership because they had a clear roadmap once something was mapped out and modeled in terms of how they could make it even better how they could improve et cetera et cetera so we got to be the ones coming in and helping but not necessarily coming in and owning and of course that that is not necessarily some kind of law that would be universally applicable but uh it is something that you would want to if you do engage or apply this tactic you would want to be very aware of not taking on ownership of all these

things because that will further overwhelm your team and that's exactly what we're trying to get away from we just want to be advisors and then uh maintaining the thing um so in our particular case we ended up just creating uh i want to say like draw.io diagrams or something we're moving to something that is actually codified right now um and so we can we can script out what a business process looks like and overlay controls and such on there um but we publish we create it uh initially whiteboard it then model it overlay threats overlay controls overlay breakpoints and risks etc etc onto our onto our diagram and then we give it to

we give it to the the owning team the owning department head whoever whoever is in charge of that business process and and we keep record of that so we have just links to everything we have a little bit of an internal database and we would go through and um you know periodically like every six months or so we just ping them quickly hey just wanted to check in has this thing changed really critically um you know we know it's it's something that's really big for you guys uh let us know how we can help um and it gets them thinking about making sure that they're they're actually maintaining a process some things that we found when we went

through this this in particular like the the regular updates is that off-boarding user off-boarding for contractors or employees was something not being frequently updated and we had to uh we had to kind of insert ourselves into that a little bit and help keep that updated and make sure that all systems that were not integrated into active directory were being included in this off-boarding process because you know of course we don't want uh you know somebody leaving the company and them retaining let's just keep doing it um we don't want them retaining some kind of access after they leave the company that is of course a bad thing and in and in violation of some hipaa

and high trust uh compliance stuff that we're that we're subject to and as you have all of these risks um one of the great things that you can do here is going through that same kind of risk assessment process we talked about earlier however you do risk assessments at your organization but through this you will end up identifying a whole bunch of risks a whole bunch of potential issues and because not just like security issues are not the only things that can affect in a negative fashion are organizations you can you can walk them through the things that scare you relative to that business process you can walk them through how you would gauge how important

something is and have a really productive conversation about it all right so moving into wargaming um something a little bit more fun and exciting so the way that we the way that we approach this and there's a million ways that you that you could you could have more of a like a table top slide based exercise you can do full-on role-playing et cetera et cetera we ended up taking the role-playing approach um and found it worked pretty well and basically what we did is we took some kind of business strategy some kind of tactic that we wanted to uh that we wanted to apply some product we wanted to roll out something that effect or the

uh the healthcare policy situation that i mentioned earlier and we want to answer a couple of key questions initially who are the adversaries relative to this particular scenario that we're going to model and why might they want to like why are they adversaries um you know maybe they have maybe it's more institutional like a regulator is going to create policy and create legislation and such or maybe a competitor might be entering into a new market and you know they're just trying to expand their market share or roll in a new product or something to that effect what are they willing to do is a really key question so sometimes sometimes they might be willing to

create a price war with you for instance they might be willing to hire a bunch of your key people they might be willing to go to conferences and start uh kind of collect competitive intelligence from folks from your organization who are also attending that conference something like that and then most importantly what are we going to do about it is the thing that you answer through and after the war game so after you get after you model all of these situations you want to have some kind of plan so you're not caught with your pants down when and if something happens so in actually executing these things i would recommend picking a single strategy to model at a time these things can get

really really complex even in a more simplified tabletop exercise there's a lot of things going on there's a lot of people who are not necessarily super familiar with the with the security thought process or with these kind of uh processes in general and so you'll likely have questions you don't want that much complexity all rolled into one for instance you don't wanna you would you might to model how do we introduce this new market or introduce our product to this new market or uh expand uh our product with this new feature versus how do we make our company profitable that might be too big and grand because there's so many factors to to take into consideration

and then as you're building up your team of participants i'd recommend not picking super super senior leadership and the reason i say that is they're going to have a lot of position power they're going to have a lot of influence as you might imagine if your ceo walks into the room and they say something everyone is likely to jump when they say how high and so you want more middle to maybe you know middle between middle and senior management not like vps and such to be driving these things because that's where a lot of the boots hit boots meet the ground action is actually accomplished and so get a very diverse team of participants together maybe people from

product i.t recruiting etc etc and get them all together prepare them brief them in advance give them some kind of briefing for the the teams that they might play whether it's their role playing a particular competitor whether they're role-playing a legislator whatever you want them to to in a way get into character um and and let them act and play out actions as though they are that particular stakeholder or adversary in this case and when you actually hit the ground running the way that we've done this and again there's a million ways that you could structure this so pick whatever is best for you but we would start by having the home team or the nuna team present our initial

solution or present our initial strategy and then each team sits back they understand it they internalize it they have a little bit of time to plan because they didn't know what that was specifically going to be and then they put together through the character teams that they're in they put together their responses to that particular strategy and have each team go through and present a rebuttal in terms of how they would uh how they would respond to this particular roll out of strategy and and then you can do as many rounds as you want in terms of all right basically play chess with it so we did this this was their counter move this is how

we're going to move again and you can you can go back and forth i would recommend like one to two rounds and then you can start to uh and then you can start to talk about it and talk about strategies yeah question

And so the question was, and correct me if I didn't get this correctly, have I ever done any kind of war game with an angry network engineer in the room, or...

I have not. I can imagine how that could potentially get a little sticky. And keep in mind that as you're picking these kinds of teams or forming these kinds of teams, you would want people who are going to be engaged and not overly hot-headed, et cetera. I mean, we definitely have people like that who are very passionate, we'll use that term, but you would...

Okay, so the question was, just a repeat for everyone, whether we had war games more of like an insider threat, a disgruntled employee. I see, we absolutely have, yes. I thought you were talking about a participant in the game, I'm sorry. So in terms of our own security team simulations, we'll typically do this via tabletop exercises and complement it with like scanning data and things like that, so we could see just how prevalent somebody's access is. So the briefing for that would be more geared around... Two minutes? Okay.

All right, we'll talk more about that afterwards, but yes. This next one, so spreading the security love. I mentioned this earlier: social engineering and threat modeling, I think, are great ways to engage other people, and basically this is all about getting them excited about security techniques, security tactics, et cetera. And so one thing I've seen applied pretty successfully is open source intelligence, so getting people who are going to conferences prepped on how some kind of adversary might creep on them, basically, and give them potentially those tools to creep on others. If you're talking about sales people, they use the same kind of vernacular that we do in terms of breaking into an organization; they'll say breaking into an account, and so there's a lot of overlap in terms of what we can teach them about how to potentially do their job a little bit more efficiently and effectively, of course ethically and all of that. And then, if you are staying in line with the social engineering theme, if you are preparing people to go to conferences and go and start engaging with others: how do they frame their narrative so that they can make the best impression, how do they get the information that they want, get to the yes, et cetera. You can have conversations with them about body language, about language analysis based on somebody's Twitter account so they can send really effective emails, that's basically a spear phish, things like that. My wife is actually in sales and we creep and do all sorts of funny stuff like this. I'll point you guys to some sites afterwards if you're interested. And I'll skip over this because of time, and if anyone wants to chat more about this stuff afterwards, please let me know.

But concluding remarks. So none of this is a step-by-step, play-by-play thing that is going to get you instantaneously a seat at the executive or board table. The real point of all of this is to change the way security teams typically work. In a push information flow model, we're constantly pushing stuff out: pushing new policies out, pushing vulnerabilities out, and we want to drive change that way. We want to be able to flip the script a little bit and change it into a push and pull, so people are pulling us into conversations, pulling us into planning sessions, et cetera. How do we instigate those kinds of flows of information?

And so, really quick, three quick things that I think would benefit everyone here, whether you're just getting started in your career and you do this on a smaller scale, or whether you're a senior executive or director, et cetera, and you're doing this across an entire organization. First thing: set up meetings or set up some kind of discussion with people outside of your immediate purview. Set up one-on-ones, take them out to lunch, take them out to coffee, et cetera, and start to understand what is important to them. Find a way to play some kind of war game, simulate some kind of business process, whatever it happens to be. Find some kind of situation, get people excited about it, and if you can, try something out, even if it's not a big coordinated role-play game, even if you just put a couple of crazy ideas in a slide deck and walk through: what happens if our corporate Twitter account gets hijacked? What next? And just keep asking what next, if this then what, and have people walk through those. Those can be very, very informative. And then I'm a big fan of "what gets measured gets managed," so set some goals for yourself. When I first started this out, I made very small quantitative goals for myself: setting up meetings with X number of people outside of the security and engineering teams, play one war game in the quarter that's more focused on a business problem versus a technical one. And through that quantitative goal setting, you have to be ready to, at some kind of regular cadence, reassess and analyze how you're doing, and of course iterate on your own process. So you want to be improving and figuring out ways that you can realign your goals, reset your goals, so you're always getting bigger and your presence is getting bigger and bigger, and you're pulling more and more people in. And I'm gonna end on that. Please come hunt me down afterwards, I'll be here the rest of the day, and thank you very much.
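The codified business-process model and the off-boarding gap the speaker described earlier (systems outside Active Directory that the off-boarding process never names, plus the six-month owner check-in), as an added example that is not the speaker's or Nuna's tooling: the process model, field names and system inventory are constructed assumptions.

```python
"""Minimal 'business process as code' check for off-boarding coverage.
Constructed sample data; the model and names are hypothetical, not Nuna's."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class System:
    name: str
    ad_integrated: bool  # access goes away automatically when the AD account is disabled


@dataclass
class Step:
    name: str
    owner: str
    revokes_access_to: set = field(default_factory=set)  # systems this step explicitly covers


@dataclass
class Process:
    name: str
    owner: str
    last_reviewed: date
    steps: list


REVIEW_INTERVAL = timedelta(days=182)  # roughly the six-month check-in from the talk
AS_OF = date(2017, 4, 29)              # constructed 'today' for the report


def uncovered_systems(process, inventory):
    """Systems a departing user could keep access to: not AD-integrated and not
    named by any step of the process. Returns a sorted list of system names."""
    covered = set()
    for step in process.steps:
        covered |= step.revokes_access_to
    return sorted(s.name for s in inventory if not s.ad_integrated and s.name not in covered)


def review_due(process, today):
    """True when the owner has not confirmed the process within the review interval."""
    return today - process.last_reviewed > REVIEW_INTERVAL


def report(process, inventory, today):
    """What you would hand back to the owning department head."""
    return {"process": process.name, "owner": process.owner,
            "uncovered": uncovered_systems(process, inventory),
            "review_due": review_due(process, today)}


# Constructed inventory: two AD-integrated systems, two standalone accounts.
INVENTORY = [System("email", True), System("vpn", True),
             System("billing-saas", False), System("jump-host-keys", False)]
OFFBOARDING = Process("user off-boarding", "IT", date(2016, 9, 1), [
    Step("HR notifies IT", "HR"),
    Step("Disable AD account", "IT", {"email", "vpn"}),
    Step("Remove billing SaaS user", "Finance", {"billing-saas"}),
])

if __name__ == "__main__":
    print(report(OFFBOARDING, INVENTORY, AS_OF))  # uncovered: ['jump-host-keys'], review_due: True
```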