
my background is ethical hacking architecture I actually got into technology about ten years ago through network architecture and so I like networks more than I like people or at least that's how I started and actually through security I learned to understand and enjoy people and my most successful achievement is I have a favourite mum yes those are my two favorites they're absolutely beautiful um and I did a Venn diagram to understand which ones you may want to cut on which ones you don't they like biting toes and that's about it um okay so today we're going to take a little bit of a different approach than I traditionally do when it comes to talking about cybersecurity um it's not
gonna be a highly technical talk it's actually gonna talk about humans because what I've learned in my 10 nurse know odd years of experience is we build programs and solutions for humans but then we actually forget the humans and it doesn't actually work for them so we're gonna try and reset that and approach it from a different point of view so we're gonna start with the brain how it develops we're gonna talk about how we go from learning a skill to being skilled and we're going to talk about types of learning our motivations and how to keep people motivated and then building the holistic meaning the overall program that actually incorporates everything and then I'm
actually going to touch on traumatic situations only because it's actually really beneficial when it comes to building your Incident Response Teams is actually choosing the people that work in those situations because nothing worse than having a brilliant team that's highly skilled that then has to deal with PTSD after the incident has occurred so keeping that in mind so my talk I developed through I've done a bit of research in the last year on how we function we develop and how our brain works mainly because I wanted to get to know myself and understand why I am the way I am David David Eagleman created a brilliant book called the brain so a lot of the
content that I'm bringing up today's from that book and he's quite was them as you can read it basically your brain the way it develops is the synapses of the connections are strengthened through repeated connections so as you do it it's continuously strengthening those synapses and so actually the way you are is based on what you're not doing because that's what's getting removed from your brain so the way the brain develops when you're born you're actually born with a very simple lacking of connections in your brain and and I always thought growing up that horses map must be more intelligent than humans because they're born and then they can walk right away whereas we're quite
pathetic for quite a few years and the truth actually is is they're they're pre fond to the pre connected and so they actually have a limited capability to grow versus us which are born with a very boring lack of connection pain gives us more opportunities to grow and change and create different solutions for different scenarios basically it makes us different based on our experiences and then that two years old that's actually the peak so you have an exceptional amount of synapses so that's connections see it's up to I think 100 trillion is what you said in the book and that means actually then you're going to start scaling back and by the time you're an adult you actually have
50% less that are repaired off and again how it strengthened is repeating how its weakened in and then eventually removed is you're not doing it so for example like if you to just play screamed
I'm going to top that slides and I'll give you slides after and Twitter but basically the way are this is not your work okay the way our brain works is as we repeat something connections are strengthened as we don't do it their weekends and so that's why we all have different skills when people tell me you know users are stupid they're not doing something or they don't understand something the reality is it's because they haven't repeated that thing over and over again to create that connection I'm going to use my phone for my slides so I know where I am give me one second apologies yeah don't like me that's brilliant I've actually never had my computer
freeze competitive and it's amazing it's my work computer to you I'm gonna complain universe I promise I have actually quite cool slides probably my password so um before I continue I'm just gonna say that I actually bought prizes if you ask me questions so you kind of have to pay attention because the prices are kind of cute and hey I don't know if that's gonna work so I have a pretty cipher to show you in a minute but basically when you're learning a skill your brain is in something called the bait of wavelengths frequency and then when you're skilled is in the Alpha and the difference there is a base a wavelength means your brain is constantly
troubleshooting is expanding a lot of energy and it's it's trying to visit like manually think through each step that looks good and verses in the Alpha wavelength frequency your brains actually at rest and so think of it as when you're I think of it as when you're learning a skill and it's really challenging it's really tiring and you feel kind of clunky if that makes sense so I recently picked up something called Brazilian Jujitsu I'm absolutely terrible but it's a lot of fun it's like aggressive cuddling you end up with a lot of bruises but when I started and I am I mean I'm still but I was really slow and everything I was doing help Mike I mean when I say I
started I mean a second of January so I'm really experienced at this point but I would do something gonna be really slow arrest as my partner he's black belt and he'd do it and he'd make it look really easy and I just get really angry at him mainly but um it's because in my I'm thinking in the face of wavelength I'm manually thinking of each step on counting okay this now this now there's not this versus him it's actually in his subconscious and he's not actually thinking about it and so he's at rest he's very relaxed and he can do something without without thinking and that actually opens more opportunities for them which is why when
you come to cyber security and you're training people they get frustrated or they're really tired at the end of the day because they've been thinking about every single step that they have to walk through mass is you it comes naturally you don't even think about it I think this is going to work now I'm and so one thing I like to remind people is when they are doing that is this gonna work amazing when they're teaching you have to give them you have to be patient with people and give them the time to actually develop that skill and slowly think about it and understand and make those connections versus just being like okay drop you in
the deep end just know how to do this and do it within a certain amount of time and if you don't do it properly you're going to be punished because that's just going to create a lot of anxiety and a lot of stress and a lot of actually we're gonna do it our way and find ways around your solution so again when you're learning think of it as a software-based process your brain is making these connections and strengthening them but there's nothing hard-coded in yet versus when you're skilled at something it's actually a physical change in your brain and there's actually it's almost like it's a hardware so it's working without you thinking it's in your subconscious brain
and it's a lot quicker I'm in the learning you're using your prefrontal cortex parietal cortex cerebellum the cerebellum is a it's basically the flow of movement accuracy and perfect timing if your man will be thinking through all of this is using these expens and like I said it's a lot of energy versus in the hardware it's actually below your subconscious and it can be so hard coded in that it actually is making the decisions in your spinal cord um they unfortunately did an experiment I don't know when years ago where these cats had a massive amount of their brain removed but they still knew how to walk and that's because it wasn't actually the brain that was doing the thinking about
walking it was their spinal cord think of you're walking upstairs and you're talking you're not thinking about each and every step each and every movement to get up the stairs you're not thinking about how your tongue is working you're not thinking about how your lips are working you're just doing it and then the last thing I want to mention on this side was a lot of times when I go into an organization people that are maybe are from the older generation or maybe they're they've been doing what they do for a very long time and they say you know what I'm too old to learn something new I don't I don't know how to do this
I don't understand it then you can refer them to London taxi drivers and learn the taxi drivers if you don't know they have to memorize an exceptional amount of routes in London like common attractions where tourists may want to go to and they're learning that as an adult and in their brain it's actually physically changing there something called the hippocampus which is for your memory and your it's your spatial memory part of your brain it actually physically grows in size so that's an exceptional talent if you ask me because I'm at remembering things but the fact that they can actually do that as the older as their brain has already fully developed means that somebody
learning how to create a secure password or use a VPN service for example it is possible for them to do it you just have to support them in that process types of learning so I like this because I am NOT a traditional way of learning I ia I pick up things I really like and I mimic people or I do this or do that and I learn random skills and so in my opinion I don't feel like I'm overall really skilled but I've got a lot of random things I'm good at and it's because without realizing I'll pick up these different things depending on my motivation and then I'll actually memorize certain random processes if
that makes sense but anyway classical conditioning this is what you think of in training so you think stimuli one and I to create a relationship and so that actually at at the end of it because it's such a strong relationship you can do semi to which will actually produce Errol I one think of Pavlov's dog if that makes sense so he would feed them and make a bell sound and so the food stimuli one the Bell was stimuli to and then he would ring a bell and their saliva glands would start to produce extra saliva because it's in their brain it's made that connection that that Bell means food I'm not saying train your employees that
way but I mean you could people like food but that's one way that we learn another one is operant conditioning so this one to me I thought was quite interesting because it's actually talking about positive and negative reinforcement and positive and negative punishment which in my mind punishment sounds negative but actually isn't necessarily so again it's association between behavior and consequences so positive reinforcement for example is when a favorable outcome event or reward occurs after an action think of if anyone that has children or maybe younger siblings and that and they were going to learning how to be potty trained I'm I know when I taught children how to be potty trained I give them a little gold star sticker because
I love stars and all I love stickers and in my mind that makes sense but every time they would go movie in the toilet they get a star and that was really exciting so they'd be really excited and start bragging about going to the washroom which is interesting but they get to stuff I think of providing a treat for a dog that's done a trick so after you have associated that you say roll over they roll over because they know that that's gonna give them a treat negative reinforcement is actually strengthened by stopping removing or avoiding a negative outcome or adverse awesomeness think of when you are teaching your child again potty training because that's an easy example you know they
wash they were going to wash your hands and hands are wet how do they dry it so you say okay wash hands your hands are wet you can from a tower they rub their hands in the towel and then they have dry hands I don't like having one hand so that's me is a negatives tonight and that's removing it so in the future when they have wet hands for other any other reason to actually rub them because that is that association to that's going to remove the water think of crying and when you don't want to do something maybe I'm like really and angry at you and I cry you probably leaves me alone so in three that's a way of asserting oh
wow I don't want to talk to you or maybe I don't want to eat mushy peas so I mean that makes more sense for children but maybe I'm really emotional and so that stimuli would then be removed and then I could be happy again now thinking of punishment so positive punishment is adding something unpleasant so I don't know if we're allowed to spank children anymore but that's an example um or think of when somebody commits a crime they get a prison sentence maybe it's I don't know or they get me a sentence necessarily prison so maybe they get a fine or something and so they're adding in a negative punishment the positive is actually not being positive in happy
positive in adding the negative punishment is actually taking something away that's a negative such as you're in jail but you have really positive behavior you're being really helpful or something they'll reduce your sentence sorry I'm a bit sick and and then observational learning that is where you you view an action you store it in your memory and then you mimic it and the reason you continue mimicking it is because after you've done it it becomes a positive outcome for you so think back to my adventures with jiu-jitsu I watch the instructor present something to I'm a store it my memory and then I mimic it on the person that I'm rolling with and if it's successful I'll then
continue mimicking it later on when I'm doing more sparring personal experiences I think the guy tripping is a brilliant icon for that because it's how we perceive them and react to the world think of a situation what you that you've been in where it's had a negative outcome or it has a positive outcome and you've either repeated or removed that action sorry now I'm going to talk about motivations quickly and then watch the fit into the fun stuff of what the hook like this talking is but yeah so intrinsic and extrinsic motivations so how are you motivated think of when you want to do something why do you do it there is something called extrinsic
which is an external thing that I want Mickey you want to do something like the example I think that's supposed to be money so maybe you'll get a reward for providing inflation or maybe it's you'll be punished for not doing something such as you know falling victim to a phishing campaign maybe you get punished for that or maybe you forget to enter your time sheet and you work for one of these big force that announcer if you don't enter your time sheet you get docked at that verb 100 quid that's a point negative so you probably enter your time on time or one company I work for if I sent a name to them and they ended up actually
hiring that person I would be paid quite a large amount so I'll likely add a lot of names so that they don't have to go through recruiters intrinsic motivation is as you can imagine internal this is feeling a part of something bigger feeling like you're making a difference in the world it's it's what's motivating you inside I speak out and do talks on domestic abuse and violence helping the victims and survivors abuse I'm intrinsically motivated because I have been that survivor I've been in that situation and I want to make a difference in the world and so generally I don't get paid for those talks but I still am motivated to do it because for
me it's a it's a big part of my life extrinsically if I was paid awesome but that's not actually what's going to motivate me in the long term so how did we get here in the world of technology that is more of a field by design than security by design so now we're going into actually what the point of this talk is and why we've talked about motivations learning types and how our brain works you probably know all this as of what you guys do in your field but when I do this talk at more corporate events the c-suites are like ah that makes so much sense why didn't we think of that and the thing is we when we buy
technology we employ software when we buy hardware we generally want to spend under certain amounts or you know within our budget but we want the best of the newest and the most exciting well that kind of motivates the organization's to say okay well we need something quick to market that is affordable and everybody likes to buy which actually leads to our forgetting or not incorporating maybe security controls reviews validations throughout the development process and so that it's like the quick to market you've to market and then we have these failure by design technology IOT that is more successful as a botnet than camera the reason I bring that up is in my mind the future is actually moving to a
situation where you have two outcomes you have the organizations that care for their users and when they're breech for example and it's okay because they put motor mitigations in place and the users worst they may be still impacted it's not as exceptional as something like Equifax and then you have the second situation where when an organized station is breached they didn't put any controls in place and hello Equifax and and that's going to make a huge difference in our world because if you were a British citizen you might not understand but I bring up a Koufax because in the US and Canada I'm Canadian I don't sound it but and if my social insurance number is taken or in
the US I think it's social security number my life can be ruined and there's children in the u.s. that are bankrupt and they're not old enough to take out a credit card for example and it's because their family had that number that social insurance number or the Friends of somebody had that number and was able to take out credit in their name before they were able to walk for example and so in that situation when that company was breached for the people that you know are older that's rooms that that ruins their lives so if you look at my future images world if Equifax had put those controls in place and maybe prioritized those that
data effectively those people wouldn't be as impacted versus they were the cause weren't in place and that's changed their life for quite a negative situation that's kind of how I see your responsibility as the tax in industry and the reason I say that is because you're the person at the front minds that maybe you're developers or your network architects or your I have to know whatever else there is out there other things that I'm not skilled in um you're the one that has the ability to say wait this isn't right we can make this change it's simple stuff from the beginning let's make a change in their architectural design before it goes to production because think of the very
first vehicle I think it was Ford they built a car they realized after mass production that people die really easily when they get hit Ford was like or it might not be a Ford I might be saying wrong company say don't cut me a letter it's actually cheaper for us to pay the lawsuits of the people's horrendous deaths than it is to change it's just like a software and a hardware if you don't start from the beginning it actually can be cheaper to just deal with the consequences and it is change it so it's actually your job to then incorporate security by design and the culture and awareness from the beginning so that's why I think this is very
important top creating a holistic program in three steps what time is it how much time do I have yes lovely okay perfect yeah fair enough so step one have the right people step two is speak the same language and step three is maintained your program so step one have the right people I attended it well I guess I spoke at a conference last year a belief and I think she was the keynote this lady can't remember her name but I wrote a blog post on her so asked me after but she said we need to stop hiring in our own image I'm guilty of that and I think network architects are brilliant I think people that care
about the network awesome developers are cool Oh network architects they're brilliant and that's really unfair and can lead to really really really insecure environment because I have sand bits of the architecture I understand the physical layer also great ah the other layers because I prioritize my things accordingly when I hire in my own image I look at people that focus on that maybe not so much on things I think are boring and I become very focused on one thing and forget everything around me which as you command is not very skill diversity in skill sets and points of view in culture that's going to make us more secure so hiring the right people is meaning not just gender and although
you that's important you know hiring people that are male female and non-binary that's going to make a difference because they're going to have a different point of view as well but also hiring somebody with a different skill or a different point of view different life experiences going back to how we learn our brain is physically different from each other and so having that layered approach not just in our technology but also in our humans going to make a difference and when I started I had this short term project years and years ago at a software development company not a developer I don't know how to do that to me it's magic um but they hired me because I was in the interview
and they're like okay here's your really really really challenging technical questions say you're in a situation or your switch dies just like okay and they're like and you only have two switches to replace it but they're small so you have to use both of them and also okay so do you have the configuration backed up do you have spanning tree protocol turned on and they just looked at me and the eyes were like a glass seven they're like that's the solution has took us three bloody days to solve that that was my technical question and it wasn't because they weren't intelligent they built this amazing software they could do things that I could not even imagine and without even
thinking this how do you think googling I mean talk about skill but is because that's what they understood they didn't understand the physical layer and they hired me to fill that gap um and in my opinion that was a really simple technical question but his took as as you said as I said three days for them to solve it's not again because I was magical I was quite new to industry but I had a different point of view different experience of different talent as well hiring the right people is awesome maybe you hire a diverse team you know you hire a diverse skills you hire I don't know really cool exciting people but you don't support them at all and they leave
that's not having people you need to invest in your talent so maybe you're a team lead and you have the ability to tell your senior leadership we need to pay for this map training we need to invest in this person in this skill and this person in that skill because that's going to make a difference because they're going to want to continue staying with you because again you're extremely motivating them in the sense that you know you got to pay them properly but also intrinsically motivating them in the sense that they feel like they're making a difference and they're learning and they have a sense of mastery and think of gamification principles one of those things is mastery and it's you're
learning a skill and you're getting really good at it and that's a great way to motivate people and a great way to even retain your talent speak the same language this I feel like you've probably run into a lot I know ideas especially when I started I still do and I get annoyed but it's really simple and when I look at solutions I say oh you know this is the solution I looked at the budget I looked at the you know key points for success at this organization I looked at our challenges this is my solution but I don't give them that whole background I just say this is a solution give me money and they say no
and it's because I'm not speaking their language I'm not saying this is my risk based approach this is how I approached it this is my evidence and this is why you should trust me to give me a heck of a lot more money this is why I view the budget as two million versus one million and you view it as five hundred you have to speak the language that they understand you can't expect your senior leadership if they're not technical to understand the technical requirements you can't expect them to trust you right off the bat you have to look at it from their point of view you have to provide them with your background because as you
build that trust they're not gonna have to see as much evidence over time which is fine but they'll be more confident when they're making their decision but you also have to think of it from a risk point of view because as I see in the bottom one of my colleagues created this slide it's beautiful not my typical side because it makes more sense but he said that a lot of executives say are we secure and there's no attack in the right mind that would be like yeah totally work - oh Lisa care because no you're not you never will be there's no such thing as perfect security it's just not that simple it's well I mean kind of
secure but if you say that to an exact they're gonna be like well I mean you don't really need that money I'm you have to find a solution that's going to work for the execs work for the users and actually you know allow you to sleep at night step3 for maintaining your program and it's all fine and dandy if you create a solution has proper metrics it has a baseline it has a solution that actually works for the organization and then you send it to the people and then you walk away because that's not going to be maintained and that's actually not ultimately going to be successful and then it's gonna make you look a bit
foolish because you're like I've got the best solution and then six months downline it doesn't solve anything and you end up where your company has received phishing email or victim to the phishing email and not investigated for two months I've been in that environment I've seen what it does to an organization and I've had to help them afterwards and they're like you know we invested so much money our budget went from here to here and it keeps going up and I dunno why it's happening and it's simply because they weren't maintaining it they weren't maintaining their skill of their employees their technical controls they were spending a lot of money and they said fancy sexy hardware
that worked about 20% of its requirement um and they didn't actually know if it was working because they were actually monitoring the performance or the success and failures so whenever you add a solution you build a problem a awareness program for your company you build a program that works with the controls and the people and everything brilliant you have to actually seek assurance and what you're doing is it done correctly and is it actually as lining with what success means to both the text and the high ups that maybe aren't necessarily as technical and is the training you're providing is that actually addressing the human behaviors that we need to change and is it motivating them to
continue again the monitoring performance build proper metrics and actually baseline your organization because how are you going to know if you're succeeding is if you have no idea where you're at and then continuously improve the goal is actually to just get 1% better every day you don't have to have the best solutions you'll have to have the sexiest tools or the coolest people I mean obviously you guys are the course people but um you just have to continue trying to be better than you were yesterday culture of security so this is basically what I just talked through um and I think it looks simple but I think a lot of people forget have simple debts so the first step in your I
actually have this listed really nicely in the next slide but basically what does success look like to you as the tech what does success look like to your business and what does success look like to the execs that maybe aren't as technical or aren't focused on security and you line that all up and then you build your solution around that and you monitor it and you build the metrics in and then you raise awareness because if you try and focus on raising awareness first and don't actually know what success is you probably won't get anywhere and if you do you won't actually know and your budget won't continue being funded because nobody knows if you're
succeeding or not dan reason why owners do different channels create creative content and don't shame people because if you want people to shut down and not focus tell them that they're stupid tell them do fear-mongering tell them that they're not going to succeed and instead they're using the social proof in a positive way of being like you know ninety percent you fail in my phishing campaign because that in their mind that's going to say um well they failed and they failed so I'll probably fail - versus saying ten percent of you succeeded in catching the phishing email ten percent of you actually knew what to look for cuz then in their mind of like bloody hell that this is not that's why
I could do it and oh you know it I have C I can I can succeed because that person succeeded and it's actually think of it as using social engineering in a positive light to you commit to people to actually care and understand and grow influence behavior and a big problem I have with organizations is they say you have to do this this and this and then I go and do a passive crackling exercise and realize the security team are using password 1 as their password you laugh but I've actually seen that on highly sensitive systems and you need to influence behaviors by being the example so think back to the different types of learning type different types of
learning types yeah that makes sense I am the one in the top right I can't remember what it's called but basically that one's the seeing and mimicking and their continuous motivation to mimic that is because that person you respect and it's leads positively to your environment if you're like oh don't you passwords but I'm gonna use password 1 because I'm lazy you're not going to probably have very secure other people because they're gonna see that and be like wow you do it so why do I need change habits um when we have a habit it takes I think it's two weeks to change that and the minute you fail at changing app it goes back to the way it was
before think for me and I as I said Saturday Jets ooh because of a person in this body and this is fault it's brilliant but sorry it takes effort for me to remember to actually go to class and build into my habit to eat healthy and eat one time and actually wash my ID to actually get to class and and I have to consciously work at that intel becomes routine for me I'm motivated to do it because apparently I like pain but but if it's something that I don't necessarily like it's even harder to motivate them now going into security in your environment if you're like okay make this change now they're gonna be like hmm no and it's not gonna be habit
for them. They're going to find ways around it, they're not going to be motivated, and it's going to be really, really hard to change that behavior. If you encourage it by, again, focusing on types of learning, focusing on motivations, and actually encouraging and supporting it by saying things like, "if you attended the day of training, maybe the next day you have a lighter schedule", because that's a lot of energy being expended, or "if you're going to training that day, maybe you don't have to be on call that evening", you know, supporting them to actually be able to make that change, then in the end you just magically end up with this secure culture.

Again, this is something that you continuously need to work on. I've found a lot of organizations invest a ton of money into their secure culture, into their holistic program, and then they kind of just leave it to do its own thing and expect it to stay. Think of the culture of an organization: you have these people that think alike, and as you grow you hire that one person that's completely different, and maybe they're really negative, for example; that can change your entire culture. So if you're not encouraging it through everyone and in every single part of your business, and, you know, incorporating privacy and security by design throughout everything, your culture is not going to be supported and it won't be maintained.

Again, this is basically what I went through. I made sure to change the coloring, because the first time it looked like something really inappropriate, yeah, so now we have blue and purple. But again, starting off, and I'm gonna keep repeating this because you have to actually say something five times before somebody learns it: define success for your organization, build effective metrics, focus that syllabus, baseline, incorporate motivations and learning types, and the last thing is definitely build an intuitive dashboard. Because your execs are going to be like, "are you succeeding?", and you're gonna be like, "I think so", and they're gonna be like, "well, then you don't need that money". What you could do actually is have this dashboard that works for the techs, so they can see the breakdown of everything. For example, you're running a phishing campaign and you're monitoring things like people that fall victim, but also people that fall victim and report it, because in my mind that's a success, or people that fall victim and don't ever report it, because that is a huge failure, or people that fall victim and continually fall victim. Those are metrics that you need to continuously monitor and put on the dashboard for the techs, so that they can kind of incorporate that into the training; versus, you know, the execs, they're not gonna want to see those stats, so you want something a bit simplified, and pretty graphs and stuff that they actually care about, and, you know, monitor culture and behavior and all that fun stuff.

So the last thing I'm going to touch on is traumatic situations, and the reason I'm touching on this is because back in the beginning, my title says "professional stalker". The reason I say that is because I've done intelligence work; it's bloody brilliant, it's so much fun to stalk people, you know, and get paid for it, but it can lead to some really negative situations. And incident response: highly, highly
stressful, you know, spur of the moment, usually at 3 in the morning on Christmas Day or something, you have to deal with it, I swear. But you have to have people that can actually grow from that and be able to handle that kind of stress. I was in a situation where, as I mentioned earlier, I'm a survivor of domestic abuse and sexual assault, and I had to do an investigation of a rape victim, and it wasn't an investigation to support the victim, it was an investigation against her, and I can't do that. I can't, because I've been that person, and so for me that is not something that I can do. So whenever I'm in that situation, I have to hand it off to someone, and the only reason that I am able to do that is because my bosses or managers or whoever know that about me, and they know that they either won't give me that content or they'll support me when I say "I can't do this" and they'll hand it to someone else. I've investigated possible suicides. I've had friends, I've not had to, but I've had friends that have investigated child abuse, or, the preferable word is exploitation, and for them they can handle that. It sucks, but they can handle it. I probably wouldn't be able to do that. Children and animals, abuse against them I can't handle, but I can handle people hurting each other. I don't know why, I'm a bit weird, but what I'm saying is you need to know your people, you need to know what environment you're in, because it's all fine and dandy to train them, but if they end up with post-traumatic stress from their work, you're not gonna have a successful team, you're not gonna have a successful environment and program, you get people leaving, and, I mean, you can actually cause damage to those people's lives. Think of social media sites that are like, "oh, it's okay, you know, we don't need to care about algorithms, we'll have physical people monitoring all these posts to make sure that they're okay". Well, those people are gonna have to deal with that stress and that trauma after.

So when you build your incident response team, when you build your people with highly stressful jobs, you have to consider: are they somebody that can grow from that environment, or are they somebody that actually can be negatively impacted for the rest of their lives? Because PTSD is hard. I was diagnosed with that in 2013, and it's based on abuse: I was in domestic abuse, but I also had abuse as a child, and the first one I can deal with and get through; the second one I've had to receive treatment on, building relationships and how I can actually function and connect with people, because I couldn't actually do that, especially not healthily, and it's a long-term thing; it's not something that just goes away. In a work environment you might think, "oh, well, it's just work, it's not a big deal", but it is, because it's a huge part of your life. So if you're actually causing problems to your employees in the long term, you're doing it wrong.

So again, post-traumatic growth: great, it's positive. It's stressful and traumatic, yeah, but you can actually grow from it. I've learned and developed new skills, and I did a talk last year in Sri Lanka for young people getting into security,
and one thing I mentioned was the skills I learned for ethical hacking, for example, that actually I learned through my life experiences, like operational security I learned from being in a controlling relationship. I learned, you know, that point of view, these different methods, and grew from that trauma. Post-traumatic stress disorder is very negative, as you can imagine; the other one sounds positive, and with this one you actually kind of go backwards. It's possible to have both reactions. So building your incident response, building your teams, make sure to understand who they are and how to support them, and if they start going into the negative, support them further. If there's somebody that really, really does well in these kinds of highly stressful environments, you know, you still support them, but have them also support their teams, and monitor to make sure that, you know, it doesn't get worse.

Again, this is how you can do it: you want to look for people who are optimistic, people that cope with negative events in a positive way, and they can change and they're flexible. A big one that people don't realize is somebody that's able to ignore something at that time, like something really stressful or something really negative, and just get something done and then come back to it after. It's actually really positive, I keep saying "something", for highly stressful environments, because you can't focus on everything all the time; you have to be able to prioritize. Basically, you want to know who your teams are, how they learn, how they think, but also, most importantly, how they react. More wisdom.

So, to recap, this is what you learned today: you learned how to support your users to learn new skills, such as giving them time, allowing them to recover and allowing them to be motivated and supporting them. You've learned how to incorporate a variety of learning methods and think of, "okay, well, how does this person learn, how can I build the syllabus around that", and a variety of them, because, you know, you're gonna hire different people, not everyone in your own image, and to do that effectively you look at our intrinsic and extrinsic motivations. You understood what success looks like for your business before you actually try and solve it, considering the budget and continuation measurements, and the last and most important thing is: understand your people and actually care about them, because if you don't... That is it.

"My colleagues", yeah, definitely. So the question was, if you change how you think about other people, like instead of saying "users" calling them "colleagues", is that going to make a difference? Yes, that's going to make a huge difference. Language is very strong, and when I was going through the whole
domestic abuse thing, like survivor and victim: simply changing it from "you're a victim" to "you're a survivor" does actually make you feel stronger. If you call people just a user, you know, you're being condescending by default; in your mind you're saying, "wow, they're not quite as smart as I am", you know, but they are, they're just differently skilled. So changing your perception of how you view your colleagues is highly effective. Think of it in war, you know, people can't hurt people, but they can if they dehumanize them, make them less than human, less than you. Security is sort of a warfare, so don't call them users, call them colleagues, call them, you know, skilled people that are intelligent but have to learn these skills specifically. So yes, I think it's highly effective.

I would also say muscle memory, actually, when I talked about the hard-coded stuff, it's actually not your muscles that are remembering it, it's your brain, the physical hardware, and actually your spinal cord, and I know that from research, but that's okay. It's not actually your muscles memorizing it. I don't know, for me, I like to correct those things, but yes, I think changing the way you perceive your colleagues, and even just down to how you think, does make a difference. Do you want a prize? Oh, a few. I like to motivate, see, an extrinsic motivation. I even have a little, like, Guinness patch; I came from Dublin. I got you these things, yeah, yeah; it's basically books where every day you write something positive that you've done, and it reminds you and it changes the way you perceive the world. It's brilliant. Any other questions? I mean, I've got one, two, three, four, five other prizes. Yeah.
Yeah, so the question is how do you change culture, how do you go from having a very toxic environment to a very positive environment? There's a lot of different things that you could do. One thing that's worked for me is hiring the right head; the person that's actually going to make the biggest impact is not necessarily the partner but the leader, the person that actually works directly with the teams, and changing the way they think, like the way they think of users, the way they think of each other. Team-building exercises, it sounds really cheesy, are actually really beneficial. We have to feel connection to our team to work effectively with them; we need to build our trust with our colleagues, to be like, "I trust you to do your work, I trust you to succeed, I trust you to be able to hand off my work to you and for it actually to get done". I think that the biggest thing is not trying to change culture itself altogether right away; it's to change small behaviors as they happen. If you haven't noticed, I am female, and I think I'm still female, and I've found in security sometimes it can be quite negative. I interviewed at a place many years ago and they told me, "oh, you know, we don't hire women because they're distracting to men". I don't know, maybe stop hiring the boys, then. But, you know, that's me; obviously that's very toxic, and you're not gonna change that culture because that's the owner of the business. But if that happened in your environment, for example, and you had the authority to change that, or, you know, you had the strength to be able to say, "actually, that's wrong", changing little things like that as they happen can actually make a difference, making sure people feel supported.

So if you know Dr Jessica Parker on Twitter, she's bloody brilliant, but one thing she said is she had an awareness program that she was implementing at this organization, and this woman came into her training and said, "you know, I'm really embarrassed, I'm the worst person for your training because I caused a breach. It was really awful, it took a really long time to get past it, so I'm the worst person to be here", and Jessica said, "actually, you're the best, you're the best person, because you've been in that situation, you have the personal real-life experience, you know beginning to end how to deal with that". It was actually changing it from her coming in with a ton of shame, embarrassment, anxiety, to just being like, "no, you know what you're doing, you're good, you're experienced, this is positive", adding a positive spin to it, and that makes people feel more motivated. That also helps.

I created this awareness program that teaches non-technical people how to hack so they can better understand. I'm not building a mini hacker army; I'm teaching people foundational skills, like how to use the social engineering toolkit, like press number one, press number two, very basic, but it's just to demystify hackers, and it's really positive and had a big change on culture, because it took away the anxiety of the unknown, it took away the negative, and reset everyone on the same page and got them really excited, because they got to talk about the sexy parts of security in a safe environment to ask questions. Does that answer your question? Yeah, lovely. Want a prize? Okay, way back there. And so
the question was, when you're talking to the board, how do you create that authority? So the first thing is, if you're the one talking to the board and you don't have that authority, then maybe you're not at the right place; not because they don't trust you, but because if your job title means you're supposed to be making the budget and they're supposed to be approving it, and they are like, "actually, we don't care what you say", then anything you do is probably going to be negative. But if you're in that and you need to build the trust, like I said earlier, creating those dashboards, creating that background information and speaking their language, per se, saying like, "this is why I need this budget, you know, these are the things that we've fallen victim to in the past, these are the trends in industry, these are the things that in our sector are highly important, these are the regulatory standards". If you want to talk to the board and get them quickly, talk about GDPR; it's brilliant. And if they're in industrial control systems or critical infrastructure, talk about the NIS Directive, also brilliant, maybe not as publicized, but basically it's the Network Information Systems Directive; it's talking about security for critical infrastructure, also important, also has a lot of fines if you fail. And, you know, incorporating things like "these are examples that you see in the news, these are examples that actually happened to you, and these are ways that we can make a change". You know, building that trust, that you know what you're talking about, actually will make it easier later, because they trust that you know what you're talking about and that you actually are paying attention.

Another thing I like to do is focusing on the personal side. So when I do awareness training in really, really, really challenging places where nobody really wants to care, I incorporate pizza, because everybody likes pizza, but also I talk about personal security: how to protect you, how to protect your children and maybe your friends or family, because when it's personal, they listen more. And I talk about stories, because humans are emotionally invested in stories, and so maybe it's a big thing that happened in the news, or something they've been through; they'll actually follow that story more closely and be more positively impacted, or negatively I guess, because they're going to pay more attention. So building that trust doesn't necessarily mean coming in being like, "I have all these certifications"; they actually need to trust that you know what you're talking about and they can relate to it, and again, speak their language, etc. I mean, I don't like to say fear-mongering, but an interesting thing is that if somebody's scared, yes, they shut down, but if you're going through an incident and there's a lot of adrenaline in it, like you're anxious, your brain actually takes in more details. It's why we think a situation is going in slow motion: because we're taking in more details than we actually are used to, and our brain thinks it must be happening very slowly, so it's not slow motion at the time, but the way we remember it kind of is. So I mean, if you have an incident, that's a great way to walk them through it, because they'll be anxious and then maybe they'll retain more. I don't know if that answers your question. Yeah, okay, cool. There. What's that, three more presents? So the question is, do I think that it should be
expected that techs should always have to be able to translate to the business language and not backwards, or should the business learn tech? I think in the beginning, to get them interested in it, you kind of have to; it's a bit of an unfair requirement for them, but over time what you'll find is, as they build trust and as they kind of understand it and you've taken away that negativity, they actually start to understand more about security in the first place. In the ideal world, I should be able to go to my execs and be like, "you know, this is the situation, these are the controls I want, these are what I want", and while still incorporating risk, I'm also talking tech stuff. Yeah, that'd be lovely. Whether that will happen or not, no, but you do have to remember, when you're building a security solution, you're going to have to take a risk-based approach anyway, because at the end of the day budgets are not infinite, or, whatever the word, they do end, and so you need to prioritize certain things anyway. So you just kind of have to think in a risk-based approach to begin with. I think in the beginning it can be a little bit unfair, like a one-sided relationship, but don't break up with them right away; kind of support them into learning how to speak to you effectively and how you can speak to them effectively, because it should be both ways, definitely, but it might not be in the beginning. Does that make sense? Yeah, okay.

So now I have two more prizes. Are we at time? One minute? Okay, 30 seconds, okay. So I said in security there's a lot more stick than carrots, a lot more punishment than rewards, and going back to that awareness program I built, I like to use gamification principles. I like to motivate people to be motivated. So extrinsic motivation, great for short-term, you know, giving them prizes; I basically extrinsically motivated you guys to ask questions. But for long-term it's actually internal, intrinsic, so people will be motivated long-term because they feel this sense of mastery, they feel like they're learning something. So I think to remove the negative stigma of, you know, "cybersecurity is just a negative", you need to create a culture, like I said, with short-term motivations: pizza, money, beer. I'd be careful, though; I had an awareness program where I had beer and pizza and they drank a bit too much, to where the security team was answering the questions wrong, and it was a bit embarrassing for me, so be mindful of that. But yeah, just kind of resetting the mindset of security is going to make a difference, and making sure your policies address that. So, not gonna name names, but there is a Big Four firm that said if you don't submit your timesheets on time it costs you a hundred quid. That to me is horrendous, and I just disagree with it; maybe it works for them, that's fine, I don't know the situation. But kind of incorporating the culture, but also the policies and regulations and the requirements, to actually support that positivity is going to make a difference, having the top-down support and the bottom-up. Another thing I did in that awareness program is I said it's not required to attend; I didn't actually say you had to come, I didn't ever make it required. It was just a point system: if you did come you got achievements, and so on until you became a cyber warrior, and who doesn't want to be a cyber warrior? It actually had people anywhere from paralegals to partners coming, and because people saw their partners coming, and because the partners saw their paralegals coming, there was the perception that it was cool, and it became hugely beneficial, because people wanted to come; they weren't required to come. Does that make sense? I think that's all I'm allowed. Okay, I'm glad my computer came back. Thank you.