
GF - How to avoid being labeled a “Chicken Little” while promoting better security decision making

BSides Las Vegas, 46:00, published 2023-10
About this talk
Negotiating Compromise: How to avoid being labeled a “Chicken Little” while promoting better security decision making
Ground Floor, 17:00 Tuesday

Even though businesses know that cybersecurity is important (most of the time), cybersecurity professionals still have a challenge convincing business leaders, and sometimes even IT, of good cyber hygiene practices. FUD (fear, uncertainty, and doubt) can be an easy temporary tactic to get teams to take you seriously, but it must be tempered. This presentation discusses common (and sometimes underutilized) negotiation techniques to help cyber professionals escape from being the physical manifestation of the doomscroll and facilitate better security decisions enterprise-wide.

Speaker: Vanessa Redman
Transcript [en]

Thanks, everyone. I'm not usually used to the mic here, and my volume goes up as I talk, so at any point if I need to speak up or lower it, somebody in the back give me a signal; that way we can keep it comfortable for everyone.

Welcome, everyone. Today we're going to be talking about negotiating compromise, something I think is often missed when we're talking about infosec in general. It's not something that's commonly taught when you're going through an academic course. These are some of those kind of soft skills that I think are really important, especially as we progress in cybersecurity. So hopefully there'll be a little bit of something for everyone here.

To start off, I'll do the obligatory "who am I," and then I always like to have a slide on why this matters: why am I talking about this, why should you care? And then the classic "who's this for." Then we'll talk about what's the easy part when it comes to communicating security posture and security needs to an organization or to senior leadership, and then establish what the challenge is. From there we can start looking at some of the solutions. My aim here is to actually bring in common negotiation tactics that you probably have heard of in different industries, whether it's putting an offer on a house or just other general negotiation tactics; you see these sometimes in negotiating salaries or other things. The idea is to use well-established principles and see how we can apply them to cybersecurity. Because of the time, I'm going to hit six hot topics, then we'll go through some honorable mentions of others that we probably won't have time for. Then we'll go into some common pitfalls, things that we naturally kind of fall into as we progress, usually in middle management, having to speak to senior leaders. I'll go through my personal mantras that I have to repeatedly tell myself, and then finally we'll end it on a really high note and talk about the chance of failure.

So who is this? This is a lot of words. This is all to say I currently work in financial services in information assurance. I handle second-line control testing and I also run the cyber threat intel program for my company. Previously I spent 10 years in the Air Force, where I worked for a red team, and I also taught at the Weapons School locally here at Nellis, where I covered topics like vulnerability management, patch management, the MITRE ATT&CK framework; my favorite course was on social engineering and open source intelligence. I have my bachelor's in computer science and I have a Security+ certification. I'm originally from Louisiana, as you might be able to tell. Generally what I like to talk about is game theory, and usually my talks center around strategic planning and strategic operations, so this is a little bit different from what I usually talk about, more on that soft skill side. My LinkedIn and Twitter are here; they're also at the end.

So, the great disclaimer slide. I want to start by really kind of setting the scene here. The number one answer in any kind of cybersecurity or infosec question is usually "it depends," right? There is no clear black and white answer. It's always dependent on an environment, a budget, this particular industry, this particular person. This presentation is going to be no different. If you're looking to find a slide that you disagree with, nine times out of ten I'll probably have at least one that you're like, "I'm not so sure about that," and that's completely okay. In fact, it's encouraged. The whole point of having this conversational talk on soft skills is that it's going to be opinion-based; it's going to be based on my experience, and your experience is going to be different. The idea is, I don't think that this is a topic that we talk enough about, that we have open discussions about, and I want to help facilitate that by giving this presentation. So if you say, "No, I tried that and it absolutely failed," that's awesome, I would love to hear it. And I would encourage everyone, for any kind of disagreements or agreements that you have, to have that conversation. Let's talk about the different experiences that are out there and the different ways that we've been able to problem solve and be successful, or fail, so that we can all kind of cross-learn, so that we can be more successful in general as an industry.

So why does this matter? What I have found, going to conferences in the last couple of years and sitting around and just talking to people that are already established in the industry, it's very interesting because there's not usually a lot of talks on the mid-management level, so people that have already been in for a couple of years, they've seen kind of the good, the bad and the ugly. There's not always a lot of mentorship in that middle management before you're getting up to senior management, so that's one thing that I really noticed. The other is what I'm seeing right now in the industry is a lot of people getting master's in cybersecurity without having a traditional computer science or other kind of technical bachelor's. In a lot of ways I compare it to the MBA of the '70s and '80s, as kind of a top-off that gives you that extra edge in whatever kind of field that you're going in. Cybersecurity has become that a little bit, but it's a little against tradition. Usually your old security people were the people that were sysadmins 20 years ago; they've gone through the trenches, now they know from a security perspective exactly, for that environment, what works, what doesn't work, what makes sense. We have a lot of senior, educated people that are entry-level on understanding how an IT department works, how it works within a business or company construct, and so that is a big portion of why I think this is important, so we can kind of bridge some of that gap.

Also, in my opinion, a highly successful cybersecurity professional is one that people want to come to. You don't want to be that person that's like, "Oh gosh, I'm going to have to tell Vanessa that we just introduced 10,000 more vulnerabilities in our system and she is going to flip out." In my opinion that doesn't make a super effective leader. What you want is someone that you know is going to be cool-headed about it, as much as is to be expected, but be able to help you problem solve and to help you be successful, not be the parent or the manager that's like, "You suck." And so I think that understanding some of these principles can help you do that, and ultimately the goal is to make the business or the company or the enterprise as a whole better. A lot of times when we're talking about negotiation it's me getting max value for myself, but in this situation your end goal is actually to make sure that the enterprise is as secure as possible given the challenges. You're not always going to get what you want, so sometimes when you're told no, we need to figure out a way to still achieve those goals of reducing risk for the organization without maybe getting your awesome Gucci tool that you first presented and were told, "No, you're not going to get that."

Who's this presentation for? It's for everyone. I mean, honestly, these are common enough skills that everyone can gain some sort of insight or purpose from this. Like I said before, though, that middle management, that first "now it's time for me to help make decisions; I'm not just doing the decisions that other people made, it's now time for me to be able to help promote better decision making," this is primarily the audience for that.

So, the easy part: finding things that are wrong with processes. I'm sure that plenty of people, if you've worked in IT, you show up to a place; anybody that tells you that they have a well-run IT department is either woefully ignorant or they're just absolutely lying to you, so you don't run away. Like, every IT department is going to have that one department, maybe two departments, maybe one team; there's going to be something that they don't do great, and maybe they don't even do well at all, maybe they do terribly. Those are kind of easy to spot, especially as somebody just walking in, right, fresh eyes, you can immediately see, definitely this is not how it's supposed to be. Or, similar to that, finding things to improve: "Oh yeah, this doesn't work quite right, how about we do this?" Or simply threats. I work in threat intel; if I want to find threats that are going to scare the company that I'm talking to, I can find those, and I could probably find those pretty easily. So it's all about how you're presenting your message. What is it that you want to do? Do you want to scare them? Do you want to have the FUD, fear, uncertainty and doubt, approach? That's certainly a tactic to use; some people do find success in that. That's the easy part. The doom and gloom is kind of the easy part, right?

The challenge, of course, is having a solution and then being told, "It's how much? Don't we already have enough security tools out there? Didn't we just buy one like two years ago? Why are we buying another tool? Why can't we just use what we already have? We already have 10 tools; you're telling me it can't do this one thing?" Pushback is going to happen. It's a very natural piece of the process; sometimes it's part of the defensive process. But being able to explain why in a way that your audience understands, so that you can be successful from a security posture perspective, is really where the goodness lies.

All right, so here is the meat of the matter: six techniques that I chose to talk with you today about, and we'll go through each and every one and kind of talk about them a bit. Like I said, this is not groundbreaking; this is not meant to be groundbreaking. This is meant to be, "Oh yes, of course, that makes sense," hopefully, if I've done my job right.

The first one: being excited versus being anxious. This one is near and dear to my heart, because when I get excited I get loud, my voice rises, people think that I'm yelling at them. They think that I'm out of breath, that I'm giving myself a heart attack because I'm going to talk really, really fast, but I'm just excited; sometimes I'm just passionate about the subject. But if you go through yelling at the top of your lungs and looking like you're angry, that is going to possibly hurt you when it comes to you trying to actually promote good decision making, depending on what solution you're choosing. So, interestingly, people care more about delivery sometimes than the actual message. It's your body language, it's confidence. You hear that all the time about people giving presentations: you need to be confident and your voice not shake too much. A lot of the delivery is a very important part of that. Actually being able to read the room, being able to see if you go in, and it could be that, depending on who you're talking to, they are very motivated by a threat of, "Hey, if you don't fix this vulnerability we could be hacked tomorrow." That could be very motivating, but it could be that they hear that all the time anyway: "Yeah, yeah, we're always about to get hacked." So being able to read the room, know your audience, being able to read their body language, and likewise being able to read your own body language, that's very important.

[Audience member: Yes, I just want to compliment your body language; the way you're [inaudible] is a very open approach. I've seen other presentations where they look expensive.]

Thank you, thank you, I appreciate that. At this point I don't know what I'm doing with my hands.

And then the last point of this is reserving the extreme words for the extreme situations. So, you know, Log4j: we've got to figure out if we're using Log4j on the system. Do we have it in any kind of third-party dependencies? Do we have it actually in our enterprise by itself? If not, yes, that's a big thing that's going on in the industry; MOVEit is also a perfect example. If I'm not using MOVEit, then I'm not using that extreme language. I'm not promoting this as "the sky is falling," as a classic Chicken Little example, because I'm going to reserve some of those extreme emotions for things like a ransomware incident in which we're actually being hit with ransomware. If everything is up here all the time, then how are you going to know the difference between here and here when things really are at the top of the line?

Next is be cool and collected. A lot of these are going to have similarities, so obviously be cool and collected runs in very smoothly with being excited versus being anxious, right? That's a part of it. This, I think, comes easier with experience over time, if nothing else, because at some point you have heard pretty much all of the extreme things that have happened: "Did you know that this worker is doing this? That they were able to bypass this security thing here?" It just gets more extreme the longer you've been in the industry, the kind of stories that you hear, things that are happening that you're like, "No, surely not." "Yes, probably so." So over time you're not as surprised when somebody comes to your desk or to your office with some sort of "did you know" or "I looked at this and I found these holes or these vulnerabilities." So I think that at the very least it's something that comes over time, but it doesn't have to; it can be kind of a conscious decision. When I was creating this, I don't have any children, but I often hear parents talk about, if their kids have an accident, if they've scraped their knee or something, instead of just being like, "Oh my gosh, are you okay?" it's that cool and collected just asking them, not freaking out so they don't freak out. And so that's how I kind of equate this.

Also, expectation management can be very powerful. Anybody that knows me has heard at least once me tell them, when they come to me and say, "I can't believe..." and I'm like, "Repeat after me: lower your expectations." That sounds crazy, but it's powerful and it's useful. Make sure that you know you're going into an environment and you have a real sense of how the environment is operating, and you're not expecting them at this level. That doesn't mean that they can't achieve that level; it doesn't mean that you can't push them to that level. But you just need to really make sure that you understand the reality of the situation. You understand that if this situation exists, it might be because of things that are outside of their control, and they're not solely responsible for that; there's a lot of second- and third-order effects there. And so by understanding some of those expectations, it's going to allow you to be able to look at the situation from a higher, big-picture perspective, allow you to look at it from a logical perspective instead of an emotional one, as much as possible, and help you be more effective at problem solving.

And then the last one I put on here, and looking at it kind of makes me laugh now: I am a classic overthinker, so I think of all scenarios all the time. So it's from one to the extreme, you know, from "I'm going to get into a wreck" to "an asteroid's going to completely destroy the Earth." I have thought it all, and then when I'm done, I repeat them. So I always anticipate roadblocks. I think, "I'm going to go talk to this person and I'm going to tell them that they need to do X," and then I'm going to have all the ways in which they tell me, in some form or fashion, "No, screw you," and "Are you ridiculous?" I have had it all anticipated out, so then I can have my counterarguments. And I find that it helps me feel like I'm in control of a situation and it helps me feel prepared, so regardless of what somebody says, I mean, I still get surprised, don't get me wrong, but for me it helps me to be cool and collected if I feel like I know all of the possible answers and I already have contingencies for those situations.

Bring draft solutions. Not long ago I found out about Cunningham's law, and I find it fantastic. I love that there's a name for this, and that is: the best way to get the right answer on the internet is not to ask a question but to post the wrong answer. And I've seen it a lot; Reddit is full of it. It's fantastic. And I've definitely done that before when coming up with solutions, courses of action, different things to propose. Even in my military time, if you were going through and determining three or four things that a command or a senior leader had to choose from, you had your top solution of what you were going to do, and one of those was always going to be an absolutely crazy solution: "If we had infinite money, if we had infinite power, this is the solution." And it does a couple of things. One is it allows you to all agree that dropping a moose from a helicopter into a building to destroy that building could be effective but is not really a reliable, applicable solution; at least we can agree on that, right? It's a classic social engineering thing: we're just going to pick one thing that we can agree on. We can agree on all of these things, but we can at least agree that acquiring a moose and a helicopter and dropping it from the sky is probably not our solution today, right? It helps form... if nothing else, it makes everybody smile for a minute. Sometimes it doesn't, and that's super awkward, but having at least a drastic solution often helps in my experience. Then you can say, "Okay, that one's right out." It's kind of like taking a multiple choice test: if you can mark off two of the questions and it be 50/50, then you feel good about that, right? You feel like progress is made: "I'm not completely stupid; I can at least bring it down to two." Kind of a similar principle here: if you can have enough solutions in which you can definitely mark a couple off and then concentrate on a couple, it kind of bridges that gap, helps with negotiation.

Define the non-negotiables. I find this interesting because this is definitely terminology for what you would think of as more of a strictly business thing. It's not something that you would normally use these words to describe in a cybersecurity environment. But if you think about it, as a security professional you do have some non-negotiables, right? You can't say, "I'm just going to turn off antivirus." That's kind of a non-negotiable, generally speaking. So you do have some things that you're not going to be willing to compromise on, and you need to know those. You need to know what you're willing to accept, but almost more importantly, what you're not willing to accept. Because I guarantee you, the thing is, a lot of times, especially information security versus IT, sometimes it can appear adversarial, right? The old cliché: "They're just trying to get out of work; they just don't want to implement it; it's too much of a pain." "If something goes wrong with the network, it must be the security tool." Those are fun things that we can joke about and laugh about and say, "Oh yeah, they're just trying to skate out from work," but in reality it's a lot more complicated than that, right? It's a classic "it depends" situation. Usually people are not adversarial, like, "Well, if Vanessa suggested it, we're definitely not going to do it." I don't think that's very typical. So you have to understand that this is more of a "where can we reach some middle ground," and to understand that middle ground you have to know your non-negotiables. Also, I think it's really important to note that the answer could be no, but it also could be "not right now." I use the example here of a data loss prevention, DLP, solution, right? It might be that a business is like, "We definitely need a good DLP solution," and maybe nobody disagrees with that; it could be like you