
Good afternoon. Welcome to BSides SF 2025. Right next to me, I have one of our headliners. Yes, Evan Johnson. Do you know which one? There's like 25 of them. The right one. I like that answer. Um, he actually has a very interesting topic today. I love it. Radical Results, a security org's version of Radical Candor. Okay. So, right behind me there's going to be a huge QR code. There's something called Slido. You can participate, give feedback, ask questions mainly. I will read the questions aloud if time permits and Mr. Johnson will answer them. Now, at the end, if we run out of time for all the questions, sometimes there's a plethora of them. He's actually willing to meet
you at his booth, right? Yep. Which one? Uh, we have a booth on the fourth floor. The RunReveal booth. Yes. He's the CEO and co-founder of the company. Just saying. So, he's going to make himself available on the fourth floor at his booth if we run out of time for questions or just to connect with him. All right. There's the Q or the QR code. Did everybody get it? Anybody still need it? Are we good? All right. Mr. Evan Johnson, please take it away. Thank you all for coming. Thanks to all the organizers. This is always the best conference of the year. Uh not I don't know of any other conference where you
get to be in IMAX literally on a 50ft screen. So this is always the coolest conference of the year. Um my talk is called Radical Results, a security org's version of Radical Candor. And by itself that title is a little wacky. It uh doesn't really say a whole lot. It's kind of interesting but uh we're going to really dive into it. And I promise by the time you leave today, you'll have a pretty interesting new framework that you can apply to anything that your security team does and help you kind of think about the way that you're perceived at your company. So my name is Evan Johnson. I'm a security engineer first. Uh I was the first security
engineer at Cloudflare and at Segment in a past life. Uh I am EJCX on Twitter. Make sure you follow that. I'm a security leader. I write a lot of Golang. I love Diet Pepsi. And I'm the co-founder and CEO of a company called RunReveal. RunReveal is helping every company solve their security logging problems, whatever they may be, from collection to storage to insights and fancy AI stuff on top of it. But that's not what this is about. This is about uh what is this talk? So, show of hands. Who's read the book Radical Candor? Anybody? Okay, about 50%. That's pretty good. Um the I won't bury the lede on what this talk is about otherwise it'd
be too confusing but uh the idea is that I took the some of the ideas from Radical Candor and I morphed them into something that you could apply on a team basis. So for an entire team, you can kind of use this whole new framework and um then I'm giving you guys a framework and some tooling that you can use to kind of uh see how uh you to apply the framework itself. The idea is meant to be uh gauging your team's effectiveness and how you're perceived at a company. And so the agenda is I'm going to do a recap on Radical Candor. I think I usually hit some notes that people uh different notes from the book that other people
may not remember. Uh I'm going to go over the quadrant system from the book because that's the whole point. And then uh I'm going to repurpose that quadrant system and then help you apply it. So by the time this talk is done in 25 minutes, we'll be we'll have done all of those four things. Okay. Recapping Radical Candor. That's actually less blurry than I would have expected the cover to be when you blow it up to be 50 ft tall. Okay. So, what is Radical Candor? If you have ever had a manager uh or a mentor or you became a manager for the first time or got a promotion at work, likely somebody's mentioned this
book to you at some point. So, the book is written by a woman named Kim Scott who is an executive at a bunch of really top tier um Silicon Valley, San Francisco kind of uh companies that were astronomically successful. So, there's anecdotes in it from like her interactions with Sheryl Sandberg to her time at Google, all sorts of stuff. And I think that the good parts of it is it's really entertaining because it kind of humanizes these people who you read about in the New York Times and Wall Street Journal or whatever. And uh in a way that you probably haven't seen them before with these anecdotes, but um it it's also like some of the anecdotes are
really really good, but also like it's not going to change your life. Like I put the mid here because nothing in it. You you'll read the book cover to cover and then you'll be like that was all obvious but it was kind of useful having it stated even though it was kind of obvious. And the biggest thing that stuck with me from the book and uh it's kind of the whole central point of her writing the book I think is that she created this quadrant system. And the quadrant system is meant for you to be able to have a tough conversation with somebody that you work with or uh I guess technically you could do it with
like somebody you're in a relationship with, your partner, something like that. But I don't recommend uh uh using it in that in that situation. But the idea is that on one axis of this quadrant system, you have care personally, which means in this tough conversation, did I care personally about the other person? And on the other quadrant, you have challenge directly where when things are going right or wrong, you're able to get to give real feedback and you're able to right the ship or uh help them understand the way that you feel. Or in in a lot of her situations, she's a manager and she's trying to do performance management with somebody that she's managing and or she's being
managed by her manager and that person's giving her feedback and uh and she talks about like where on the kind of Cartesian plane that conversation ended up. So, a few points about this quadrant system. It's kind of like the magic quadrant and Gartner but for uh interpersonal relationships with your boss or or somebody you're managing. But the you want to be in the top right and that means you've been radically candid. And that's where the title of the book comes from. She says in the book that if you can't be in the top right, you want to be in the bottom right, which is sometimes you're a little bit of a jerk and but you are real about it. And
that's you know you you want to optimize for the top right. But she says realistically, you won't be there every time you interact with somebody in a tough conversation. And so, uh, you want to optimize for being real, but, uh, and you want to be in that top right, but if you can't be, you know, obnoxious aggression is sometimes where you end up. She has a specific story from uh an interaction she had with Sheryl Sandberg that was pretty funny in the book where she says uh Sheryl Sandberg gave her the feedback that she says um a lot in this really important meeting with Larry Page and Sergey Brin. She says, "You say um every three words, I think you should
get coaching." And she says, "No, it's okay. I've given a lot of presentations. It's fine." And then Kim uh Sheryl Sandberg says, "Uh, no, I really think that you should get coaching on this topic because you say um a lot and it can be a problem." And she says, "Oh, thanks, but no thanks." And then finally, Sheryl Sandberg says, "You sound dumb when you say um every three words and you need to get coaching. I can tell that this is something that I have to be a little more stern with for you to hear the feedback." And in that case, she dipped into the obnoxious aggression kind of quadrant. She was trying to be radically candid. She gave the feedback
that she needed to give uh her and who knows if it was good feedback or not. I I didn't see her saying um a lot, but uh it's uh it's it's a funny story. Another one is that she gives us the Bob story from the book that's kind of famous where Bob is somebody who works for her and she maybe I don't get all the specifics right here, but she cares personally a bunch about Bob. Very nice to him. He's not performing well. And so she goes a whole year never giving Bob the feedback that you're not performing and you need to be. Um I think his performance is pretty inconsistent and she ends up firing Bob. And at the end
of the year Bob says, "Why didn't you say something?" And she's she like doesn't know the answer. She she realizes she was in this ruinous empathy quadrant and uh could have been better if she just like gave Bob the feedback that you're not performing and you need to work on that. And then the last quadrant is manipulative insincerity. And I think that's the quadrant you never want to be in. That's like your backstabbing co-worker or you know super political situations that you're in that aren't fun to be in. It happens from time to time and you want to avoid being in that quadrant. So that's the general idea of the way the book presents this framework
that I always found very useful. So, I don't don't remember all the anecdotes or all of the lessons that she gave, but the I always thought after years went by of reading this book, I would sometimes have a tough conversation with somebody and leave it and think, okay, where on the Cartesian plane was I? And uh sometimes I did a good job where I felt like I was this is totally fabricated dots. I just put a bunch of dots up here. But uh sometimes I did a good job and I was felt like I was radically candid. And other times maybe I was a bit of a jerk. Sometimes maybe I just like checked out and didn't care enough
to give the feedback that maybe I should have and I was ruinous. I was in the ruinous empathy quadrant. But the kind of mental uh tooling of being able to just plot how did I do there was always something very useful to me. And it's about at this moment that you might be wondering what does any of this have to do with my security team. Uh well I kept using this for like management reasons where I would think about this thing but then I also started to think about my team's performance like this and I was managing kind of a big team with managers and managers of managers and uh it was uh you know a lot
going on and lots of projects and you know people performing well people not performing well all sorts of situations like that coming up but I was generally wondering like how are we doing as a team when you comp when you think about how we're doing as a whole at the whole company. So, we're doing tons of stuff working with all sorts of different teams at the company. So, from finance to IT to engineering and I would sometimes I I didn't really have in my mind what the X and the Y axis were, but I knew like top right was good and then was it was was I in the top right quadrant or was this the team
not? So after some time I finally put together my own quadrant system. And to understand the quadrant system that I put together, I think that some this might come across a little bit like a rant, but there's a few truths about being on a security team. I think one of the biggest sins you you can commit as a security engineer or a security leader is you show up to a company and you just repeat what you've seen that works before. I think all of us do this to some degree because we do the things that are comfortable and you know we did something once and it worked and so we want to do it again because it worked
once why wouldn't it work again but your approach to security will depend on the organization you're in so like a bank security team looks completely different from a startups and that makes sense. I think another thing that might not be uh, you know, fun for us all to think about is on a day-to-day basis, it's not us protecting our companies from being on the front lines of the New York Times or dealing preventing these massive data breaches or whatever. We can work, do everything right, and we still end up there. We can do everything wrong, not end up there. So, um, there is correlation. you do the right thing security-wise, you can prevent stuff, but I don't think that we're, you know,
the uh sole reason why an org is or isn't like successful security-wise. And then um last is I don't really think a lot of what we do as on a security team is very measurable. I think that uh when you get down to looking at the way like a a sales team has a number to hit every quarter and it's like very measurable. An engineering team, are you shipping product or are you not? Finance team, they're trying to adhere to like GAAP standards or whatever the finance team does. Uh I don't know. Uh but uh the uh security team, you know, they one team might have a red team and be super focused on one thing. One security org
might have a completely different take on things. And it's very difficult to measure one versus the other or the outcome of anything that we do. And I think that's the truth. Uh you might disagree, but uh would love to hear about it at the RunReveal booth on the fourth floor after the talk. Um but uh so when I finally put together the quadrant system, the very first uh axis on my Cartesian plane was vibes because it's 2025 and vibes is close enough. But I think uh if you don't want to call it vibes, it's collaboration, your ability to collaborate with others at the company. So how collaborative you are and is that culturally the right fit for
your company. So, um, I have a great real example from a CISO friend of mine that we got beers a few weeks ago and he's telling me he told me that, uh, he needs to get his team to say no more. And I think that this is like BSides has like the whole shift left movement, BSides SF, especially tech companies, it's very much like yes, but is always the attitude here. And um he's saying I need to get my team to say no a lot more, not just a little more. He's he had hired a really great team that was super effective, but the issue was the company culture is very cut and dry and
very strict where a team will come out and say this is the way it's going to be. They lay down the law and uh their team was too nice and kind of getting shoved around a little bit. And so he recognized that like the vibes of his team despite them being super good at their jobs were not fitting in with the company and he had to fix that. And I think that that's such a fantastic example of uh like understanding your what you're doing and whether the vibes are directionally right or not. And I mentioned shift left. I really think that shift left caught on to prominence because like the whole world embraces Silicon Valley. Like
shift left uh like move fast and break things mantra and that's like a survival mechanism for security is oh we're going to shift left try to be as the smallest bit of a problem as we can tack onto the systems and processes that engineering wants to do and everything will be great and uh I think that's largely true it's it's not to you know throw stones at shift left but I think that that's where it came from is is uh a reaction to company culture. The other axis I put is effectiveness. I didn't know a better word, but your ability to manage risk effectively. Like the thing that we actually are supposed to be doing is has
to be one of the axis axes axises. Uh maybe I should have figured that out before I gave the talk, but uh it's got to be one of the axes. Uh so I think that uh there's a bunch of things that go into this, but the biggest thing that I'd say is tacking on to like the Silicon Valley mantra of move fast and break things is one of the beliefs that I have is you have to be not a clipboard holding security team. You have to get in the action. You have to own and manage certain risks and projects that you want to see completed. And that goes such a long way into showing that your
team is effective in addition to like you know the day in day out of uh yes but or no or this or that. So um I think that the vibes one is a little interesting but effective I feel like is almost obvious that that's the thing that that's the reason that they hire security team to begin with to manage risk and so you have to be doing that effectively and then communicating that in a way that makes sense to other people. So if you go to ejcx.dev/radical results. It's a little difficult to see, especially when it's nearly a mile in the air, but uh I've I guess I vibe coded this like Cartesian plane where you can plot your own things
and projects that you've done in the past year or two. Give yourself a score, think about how you've done and uh you know, just it's supposed to be a tool that you can say, "Are the vibes right with my security team? are we being effective? And I've got some real life examples that from my past that uh I'll I'll go through in a moment. But um one of the things that uh I think is really important with all of this is like the idea that more dots is probably better. So if you uh are managing a team and you're really slow at shipping things like you should have as many dots on the board as other organizations. And
so I think that if you're um trying to like be perfect with everything you do, optimizing for more dots is a great way to get the vibes right and your effectiveness right because you're making lots of small steps and and um like always doing things. What's the X meme right now? You can just do things. I think that uh yeah, you can just do things. Um, one thing that is I don't know if it's a flaw with my kind of model here, but Vibes does affect effectiveness. Like I've seen really bad situations between certain teams at a company where like the security org just doesn't get along with whoever else. And that can be hard to fix. But the reality
is um you kind of can't let that get in the way of your job on the security team. You have to work through it. But it can really impact your ability if you like don't fit in culture-wise with the rest of the company. It can really slow you down and make it impossible to do things. I've got a real life example of this. So, uh let's go to here. Uh real life example from my past. Uh some people in this room were a part of both of these examples. So uh they they can gut check on how real these are. But at past job we rolled out WebAuthn to the entire company. We were early
on the kind of hype cycle. I guess it's not trendy but it's uh very important. It's still not really caught on the way I guess I would have thought it would, but a lot of companies have gone full
WebAuthn. And one thing that I wish when I got to the end of the project and we were all like congratulating ourselves, giving each other pats on the back, we were like that was great. Uh probably like six months went by and I was thinking about it and I was like we should have done that like 10 times faster. And uh the reason was the way we went about it. We had you know the effectiveness super great security control WebAuthn uh the vibe at the company though in the company culture was that of super fast correctness was secondary to speed. And what we should have done was instead of the way that we rolled it out was we
started with one group of people and then we waited 3 months and we were like I wonder if anything will break and then after a couple uh we were pretty sure that like people would run into major issues on their cell phones logging into things on like different weird applications like you turn it on for some for like Salesforce or something and like will the IdP-initiated flow handle WebAuthn the way that the app-initiated SAML flow will work and we thought there'd be like tons of weird bugs. Ended up there was maybe one bug in the entire roll out for like a multi-thousand-person company. And so we turned it on for one group, waited a
while, turned it on for another group, waited a while, and the whole thing dragged on for like 6 months until finally we were under an actual attack and we got a call 6 months into this project and from the CEO and he said, "Turn it on now. I'm tired of waiting." And uh like that should have been the red flag immediately that we should have done this way faster, but it took us a while to really figure that out. And we could have just said upfront, hey, we're gonna turn this on now. It might break some stuff. Let us know, you know, it's making us way more secure. Here's a sticker for everything. Like if we broke
something, like here's a sticker. You found a bug. That's great. You're making us way more secure. Thank you for finding it. And we could have just done it in a week if we had done that. And uh so I really wish that we had gone faster. So if you use my Cartesian plane of where I would plot that originally I would have put that like you know maybe a two and a two out of five where I was like yeah that was a good quadrant the radical results quadrant but after further review I think it was like probably a two on the effectiveness maybe higher on the effectiveness maybe like a two four and then effectiveness I
think stays as a four but results-wise I got to give it right on the edge between uh maybe even slightly in the in the bad vibes quadrant. Uh this is another one from a past job where almost the exact same story. We get a compliance requirement. All laptops need to be managed including Linux ones. Many people have gone through this. Few have survived. Um, so we put together a focus group of like let's get the like kind of engineers with the strongest opinions in the same room and have them hash it out and then over a period of time we'll work on managing those Linux laptops. Uh they're they're going to that group is going to
pick the type the distro a bunch of things about it. So that's where we went wrong. What we should have done is gotten them all in a room for an hour and then uh said thank you for the feedback and then just shipped something and said we're sorry this is not going to be perfect. You're going to hate it probably, but it's something that we have to do. And uh this would have saved us a ton of headache because instead we had this like focus group that went on for forever as we made a bunch of decisions and worked through problems and uh you know the outcome was equally effective both ways but uh it like hurt
relationships with other parts of the company and we could have just you know blamed the compliance obligation instead and it would have gone a lot better. So in my company in a past life speed was more important than uh I think effectiveness was very important but speed was more important than people's feelings and uh like we didn't really always account for that build versus buy I think is inextricably tied to your company culture whether engineers are cheaper than actual budget. Um, but I'm running out of time and I think that all of us can I'll go to conclusion my conclusion slide. All of us can really benefit from taking a look at the things that we do
over a quarter-to-quarter basis over the past year and just plotting where we think it was. How is it received by different groups? You can plot how other executives, if you're the CISO, how other executives perceived it, how the engineers who were on the receiving end of it thought about it. And then you can also plot like how many how many things that we did really move the needle in terms of managing risk. And I think that like it's an incredibly simple tool just plotting on a Cartesian plane how to go, but uh it's something that we almost never do and um super helpful. So I'd also say that the truth is like gray. So you might have one
opinion and it might change over time like you heard that mine did. So I think every audience like I was saying will have a different opinion on how certain things went. Uh but it's just a tool. It's not any uh magic thing. And then last, I think it's very important to optimize for more dots on the plot. I think that's almost universally true except in some very different company cultures that I've never worked in. Maybe the most conservative banks where you only get to measure 10 times and cut once. So, um uh but I've never worked at a bank so I wouldn't know. But I think that uh by and large like optimizing for more dots on a plot is way better. More
dots on the graph. Uh questions. All right, we'll open it up. You do have some, sir. I have questions. Great. You have questions. You have a plethora of them. I I'm loving it. I never would have expected. You're fancy, huh? All right. Are there any other books you would recommend for learning how to create an effective team with good vibes? Um, truthfully, I'm not a big reader. Uh, Radical Candor was good. What's the one with the blue cover? There's one with a blue cover. That is uh Oh, there's The Manager's Path. That's a good one as well. The Manager's Path, but also like there's no uh there, you know, there's no better learning experience than just by doing. And so,
uh, read that. And then the Mike Tyson quote, "Everybody has a plan till they get hit in the face." Uh, like that's a it'll be a uh learning experience once you're actually doing it. Having a good vibe may affect efficiency of current project, but may help you with collaboration with other teams on future projects. Any suggestions on how to draw the line there? Can I Can you say that one more time or can I read it? Yes, both. Uh which one this one hobby having a good vibe may affect efficiency of current project but may help you with collaboration with other teams on future. I actually think good vibes only helps ever um because like if you do something and you make
friends those people are going to want to work with you in the future and uh support like the next security initiative that you have. So it it only pays dividends to like have you know good vibes good collaboration with others. And then last is uh using Radical Candor, couldn't the company that needs more nos focus on its hiring practice to make sure they are hiring individuals that can reflect the core values they truly want? I think you're absolutely right. Um but I don't think that that's how it generally works. A lot of times you hire a CISO who the first thing they need to do is hire a bunch of people because something bad happened and
there's a lot of budget. And so like the reality is when push comes to shove, you do a lot of hiring quite quickly sometimes and you may not fully understand like how to express the company values and the hiring practices that you have. And so um I think that it can be hard but yes you're absolutely right. Last, do you think most security teams index higher on vibes or effectiveness? Where do most teams need to focus? Um I think that security does a good job. I would say like you've got based on the last few years in security you've got a lot of people talking about um making security more inclusive making security uh uh also effectiveness has
always been the other axis on the chart has always been something that like people care about at security conferences and I think that both are very important and I think like probably at finance conver uh conferences and stuff they're not doing that but like I said I don't know uh but yeah I think security does a good job with all of this. Last, which Linux distro has good vibes? None of them because I want to print sometimes and like good luck printing on Linux. I hear it's gotten better but [Laughter] Well, thank you so much, everybody. All right. Wasn't Mr. Johnson amazing? Please, huge round of applause.