
I'm gonna quickly introduce myself. I want to get right into it; I really want to leave as much time as I can for you guys to share today. I'm the manager of trust and security governance at Rapid7. Here are some of the things my team works on, in order of coolness: security audits just down in the bottom corner, hanging on by a thread. So who actually... can you guys hear me okay? Okay, great. Who actually took the time to read this, right on the front of the BSides website? Okay, well, that's pretty good. I am in governance, I am very detail-oriented and I follow instructions, so a conversation is exactly what you're going to get today, and I just want to mentally prepare you so that when I do ask you to share, you're feeling ready.

Hopefully it goes without saying that ambassadors are a really powerful tool when we are trying to get things done. I personally rely on ambassadors when I'm trying to roll out a new cross-functional process, when I'm trying to change user behavior, and especially when I am trying to get money for a project. Given the track that we're on today, some of you need ambassadors who can help you convince giant Fortune 100 companies to refrain from putting out products that could put our privacy and safety at risk. So those are pretty big stakes, and the more InfoSec ambassadors we can get on our side in that endeavor, the more successful we're going to be. So we're gonna have a conversation about these four strategies for building ambassadors. I'll share some examples I've seen of them in action, and I will ask you to share some of your own examples as well. We'll move through as many of these as we can; I really want to prioritize a conversation over hitting every single one of these points, so if we go down a rabbit hole, that is totally fine.

Let's get started with this idea of increasing visibility. That animation is different than I thought it would be. The first step to getting others to be representatives or promoters on our behalf is to give them visibility into the work that we're doing. They can't be an ambassador for us if they don't even know who we are or what we're doing. So I'll start with the most obvious way to build visibility for yourself, your team, your work, and that is building interpersonal relationships. I know that sounds painfully obvious, but I really don't think we can overstate the importance of building these personal relationships when we need to get things done. It would be wonderful if everyone just inherently understood why what we are working on is important and matters, but unfortunately the world rarely works that way. So let's
dive into our first case study. Colin Morgan, who some of you probably know, is the director of research and development and product security at Johnson & Johnson. Security went from being Colin's side project to his full-time job at Johnson & Johnson in 2016, and just a few short weeks after he made that transition, Jay Radcliffe, who was a researcher at Rapid7 at the time, disclosed a vuln in the OneTouch Ping insulin pump system after he discovered that an attacker could potentially trigger unauthorized insulin injections. Again, Colin's program was totally brand new, and there really weren't a lot of people outside of Colin and his immediate team who understood this concept of vuln disclosure, and a lot of people initially saw Jay as an adversary. They didn't understand why he was doing this; they felt like he was working against them and not with them. So, very sensitive situation; there's a lot that could have gone wrong there.

So I talked about this experience with both Colin and Jen Ellis, who is the VP of community and public affairs at Rapid7, and something that really stood out to me when I was talking to them was how much they talked about each other. Jen could not say enough about how responsive and effective Colin was throughout the process, and Colin was very appreciative of Jen's input, especially on the right way to disclose. Obviously, when people's health is at stake, we want to make sure all of our communications are very thoughtful and strategic, and that is Jen's specialty, so they worked together really well as a team. It was really clear that Colin and Jen and Jay all really respected and admired each other, and they were great ambassadors for each other throughout the whole experience. Colin was able to quickly get other leaders from J&J on board with remediation efforts, and he really helped all of them understand that they were all working towards that same goal of patient safety. Instead of just saying "you need to prioritize this, we need to do this," he made sure they really understood where Jay and Jen were coming from, why this was happening, why they really all had the same goals.

And when it came to communicating with the public, I was really struck by a section in the vuln disclosure called "researcher's note regarding mitigations." I used to help people write vuln disclosures, and I have never seen a note like this included in one before. It's very, very personal. It really shows how much empathy Jay has for not only the people who rely on this product but also the people at Johnson & Johnson who are working so hard to make this right. He explains the risks in plain English; he's urging people not to make any rash decisions that could have a negative impact on their health, and he explains why he's doing this research. Again, that's probably obvious to the people in this room, but it's really not obvious to everyone, and it's great that he really took the time to spell it out. I mean, this third line down: "If any of my children became diabetic and the medical staff recommended putting them on a pump, I would not hesitate to put them on a OneTouch Ping." That is very authentic, it's very personal, and he really is building a relationship with the readers of the disclosure. Rapid7 does a lot of security research, but I have heard Johnson & Johnson cited over and over again as the gold standard for full disclosure partners, and I really do feel like this interpersonal love fest had a lot to do with that. Colin was an ambassador for Jay and Jen, he built more security ambassadors at Johnson & Johnson, and then together they built more ambassadors in the public who understood, through this experience, their mission of making our increasingly connected world a safer place.

At my old job, as I mentioned, I used to help people write vuln disclosures, and I cannot tell you how many times I would look at their timeline and it would say, "Well, we DM'd them on Twitter and we called the 1-800 number and no one responded, so we're gonna go public." And I hear some sounds
of acknowledgment that this is not the best move, and I do understand being really excited about this vuln that you just found and you can't wait to share with the world, and also the assumption that the person on the other end of that communication knows what they're looking at and decided to blow it off. I would suggest that that's probably not what's happening. I would suggest that the people on the other side of that communication probably don't know what they're looking at, and that if we take the time to get a hold of a real person, build a real relationship with them and try to tackle this problem together, we're gonna get much better results, like we did in this Johnson & Johnson situation.

I will acknowledge that building interpersonal relationships, while important, can be kind of intense, and especially for introverts it can be exhausting. But there are plenty of other ways to increase visibility. Sometimes we just need to write it down. At Rapid7 the InfoSec team reports into the products organization, which is pretty unique, and in the products org we have something called Project Central. So when we kick off a new project we create a page in Project Central and we have to answer these questions about our project, and this gives us visibility, it gives other people visibility into what we are working on, and it forces us to think through every single one of these questions, which is a very meaningful exercise. Some of these, you can tell, are geared for a products organization, and not all of them will apply, but some of them definitely do, and some of them are often things that I haven't thought through myself. So once I go through this exercise I'm always able to articulate what I'm working on and why it's useful, immediately, at the drop of a hat. And even if you don't have a Project Central to host this type of information, there's tons of other ways you can share it. I'm sure a lot of you are already sharing updates on your work in a newsletter, in blogs, on Twitter. And if that feels sort of icky to you (I know "thought leader" feels like an icky word to me), if we reframe it and just remember that this isn't so much about tooting our own horn as it can be about getting ambassadors and building visibility into what you're working on and getting more people on board, maybe it will feel a little more natural. At Rapid7 we are an agile company; most of the engineering teams do biweekly demos, so it does make sense for us to give people visibility into what we're working on with a similar biweekly demo. If you don't have that format at your organization, a more informal lunch and learn might accomplish those same goals.

And I'm gonna stop talking for a little now. I really want to hear from some of you: who is your ambassador, and how did you connect with them? If you're just thinking about who is that person who helps you get things done, whether it's a project that you work on with them, how did they find you, how did you find each other? Does anyone have anything they want to... I can stand. Yeah, classic Nick Davis breaking the ice. Yes, a mic for Nick Davis.

Hi, Internet people. Hi, I'm Nick. I also work at Rapid7. I promise I'm not a plant for this. Yeah, so I work in product management for our
SIEM solution, InsightIDR, and what was really challenging for me in my day-to-day job was making sure that we were evangelizing exactly what that product does and why it's useful to you guys, security operations teams, etc., to people who don't get that. And I don't want to burn anybody, but it's sales. And this is a safe space, right? Right, no, yeah, we don't like sales knowing. Anyways, so what I ended up finding was, I found this guy who's a sales engineer, so more technical, who actually really, really enjoyed security, and we just got him using the tool. We got him access to whatever he wanted to do, whenever he wanted to do it, got him talking to penetration testers, security researchers, just learn as much as he wanted, and he really, really developed very quickly. And what was great about that was that that passion and knowledge spread to the rest of his team way quicker than if I tried to force it down their throats myself.

Was this someone who you knew through work, who you had a friendship with, and then how did you identify, like, this is going to be the person?

Literally met him at a bar. Yeah, we had a beer, and I realized that he really loved security, and like the next day, woke up and waddled to the office and I sent him a message on Slack, like, "Hey man, you still want access to our testing environment? Because you can have it." And we started working together, and now he's our senior specialist for sales engineering for InsightIDR, so it's pretty cool.

A non-Rapid7 person?

Yes, but I'm actually the ambassador. I used to be the community manager for a major security vendor who I will not name at the moment, because I don't work for them anymore, but I actually accidentally took over the community. I was actually the platform manager and accidentally answered a UNIX question. And what I found, going back to the bar issue, as much as a lot of people say we really don't want tech and alcohol related, I had a weekly whisky meet, and it had three really simple rules: show up even if it's for five minutes, you don't have to drink, bring the legal vice of your choice, and be responsible. Those were the three rules, and we got all kinds of people from across all different kinds of organizations in the company to come and, if nothing else, introduce themselves and say hi. So that was the number one thing, is going to those, building those interpersonal relationships. If you are the ambassador, there's some really simple things that you can do for that. And then the second thing is on the documentation and PR yourself. For community managers or anyone in marketing who's writing these blogs, who's writing this stuff: say thank you. A lot of these guys or girls who are doing the tech and helping you write this material, they don't know how to promote themselves, and it isn't native to them. So call them out on Twitter, call them out in your blog, call them out if they want you to, and say, "Hey, thanks to X, Y and Z for helping me put this together." And that became really powerful.

I love that. I also think you should thank the people in marketing who are helping you articulate your thoughts. It is really wild to me, everywhere I've worked, this resource of marketing, we think
of them as just putting up the ads in Vegas that we're walking past, but they really can help you articulate a project that you're working on, even communication throughout the organization. They can be a really useful resource. But definitely, yeah, buy them whiskey after they help you with that. Those were really great examples. Does anyone else want to share one? We have more? Oh yeah, I thought no one would talk today.

Maybe my story's a little different, but it started when I saw this bumper sticker that said, "No one's completely useless; they can always serve as a bad example." The issue I was having was, we do phishing campaigns at our organization, and I started noticing a trend that the same small few were the ones that were always clicking the bait. And instead of just sending them to training and chastising them, I thought maybe just a light-hearted, fun approach: to put up my own version of a wall of sheep, but have them teach phishing awareness training to other people, and started using them as small unit trainers for their own division. And it not only did change their minds; using those trainers as little ambassadors for my program helped so, so much.

I love that idea. I feel like we always think of ambassadors as the people who naturally are inclined; when I think of security ambassadors, I think of that engineer who's always asking security questions and always speaking up when they see something fishy. But actually leveraging people who are struggling with security to be your ambassadors accomplishes that goal of having ambassadors, and we all know that you learn more when you teach; it's the best way to learn something new. So yeah, thanks very much for sharing your thoughts.

I was at an event yesterday and I was sharing some information about how individuals can protect themselves against ransomware, and there's a person in the audience who told their own story about how they themselves were affected by ransomware. And so to me, what the opportunity is, as we speak and engage with various communities and folks in our lives, is for people to feel that they can share even a bad event without being shamed, because who wants to be shamed? Not me.

You are a plant; that is literally my next topic.

No, I'm not a plant, but I'm telling you that for a hundred bucks you can buy a four-terabyte removable drive at your shop of choice so that you don't have to be a victim. And so that was the pro tip; it's not super hard. And this guy in the audience, he's like, "Yep, that happened to me."

Nothing turns you into an ambassador like, "Well, I had this experience and I do not want it for you."
So thanks, that's brilliant. Okay, I'm gonna move on, because that was iconic. Wow, really killing it this morning.

So the next topic I wanted to address was creating positive experiences for people as a way to retain them as ambassadors, and a couple of ways that we can do this. One way is to eliminate blame language from our vocabulary. This honestly gets right at what you were just talking about. I first came across this topic in a blog post by Jacob Kaplan-Moss in which he explored the blameful culture of InfoSec that focuses on individual failures instead of systemic ones. So if we look at a specific incident, let's say a user clicks a phishing link, for example, that they're not supposed to, a blame-focused security team would call that a bad apple: they just aren't doing a good job, it's something about them that is causing the issue, and maybe you even get sassy with the user and you're like, "It's your problem, you need to fix it yourself." That creates two issues. One, our engagement with that user can leave them feeling crappy, and then they are less likely to reach out to us again if they have an issue. That is very much the opposite of an ambassador, if they start avoiding us and avoiding anything that has to do with us. And two, we didn't force ourselves to explore why this actually happened; we may have missed a systemic problem. A less blame-focused InfoSec team will team up with the user and zoom out and consider: alright, how did this slip through the cracks? In this case of the phishing link, maybe we need to change our spam filters, maybe there's more user awareness training we can do, maybe we can have those who are clicking the link teach the user awareness training. There's all sorts of systemic changes that we could put in place instead of just investigating the incident, closing it out and being like, "Well, it's that person's fault." We don't want to create opposing sides; we want to have this mindset that something bad happened to us, so what are we together going to do to fix that? It helps us build the ambassadors, and it's just a more effective approach.

Claire Tills, who I think is here, iconic, I've quoted her in literally every talk I've ever given. I'll give you a minute to follow her on Twitter; take your time. She has my favorite blog on the Internet. She has a background in crisis communications and PR, and she looks at InfoSec through a social sciences lens, and I have learned so much from it. I have especially appreciated her ability to use research to demonstrate why InfoSec communication needs to move into a more positive and proactive place. Did you follow her? Yeah. [Laughter] You can always find her at the end if you haven't yet. So on her blog she noted, and I love this study because it's one thing to just say "oh, you need to be more positive," it's another thing to have research that backs that up: in a 1999 study, beachgoers were presented with informational pamphlets and then they were given a coupon for free sunscreen. People who got pamphlets that focused on the benefits of wearing sunscreen were more likely to use the coupon and go buy sunscreen than people who were given pamphlets about the negative outcomes of not wearing sunscreen. There is a lot we can learn from that. My takeaway is: everyone in this room knows that the consequences of ignoring security hygiene can be really devastating, but when we have the opportunity to do so, let's focus on the positives and make people feel good about engaging with us and engaging with our work and engaging with these complicated issues. This year at Rapid7 we built a security awareness training module for employees, and we were writing it from scratch, and it was so tempting; we had to keep going back and revising, because it's so easy to default to these scare tactics of "here's what can happen when you're not diligent." But there really is a lot to gain by following security best practices. Here are some of the ones that Claire listed on her blog, but I'm sure that you can think of a lot more, and we definitely included a lot more in our awareness training.

Okay, so we already got started on this subject of using positive language, being inclusive; actually, both of you hit on great ways to include people who might be struggling with security issues and turn them into ambassadors. I am interested to see if anyone has stories of when they've used this positive communication effectively, or times that you haven't used it effectively and what happened.
Well, first of all, great, great message. I think it's very useful to do, I think it's very hard to do, and I think our industry is growing very rapidly because of the use of fear, and so therefore it is very hard for vendors to back off from "scare them into using it" versus "encourage them to use it." But there's a, it's a very hard to read book, but I got some great concepts in it, by Seiersen and Hubbard, on how to do it all in terms of economics instead of fear, and that we really should be making economic risk decisions as opposed to "do this or you're gonna get fired" or whatever. So I at least found that useful in trying to convince vendors to stop using fear in their selling and try and convince users. I used to be a chief architect, so I would get hit by a lot of vendors; I'm buying stuff, and they should be showing me the economic benefits instead of trying to scare me into buying it.

Yeah, it's wild how that is. I honestly hadn't even thought about... which is insane, being in Vegas this week; you would think that would be the first thing that would come to mind, as I am literally surrounded by security vendor advertising using fear tactics. But I hadn't even thought about that from the advertising perspective, and that is really interesting. Yeah, sure.

Hi, so this one's a little bit of a fail, but I'm trying to bring secure software development concepts at my work, and I sit right outside the conference room where the developers have their daily scrums. So I hung one of the SANS posters on the secure software development lifecycle right outside, can't miss it. Never one comment, one question on it. I changed it and put up some Firefly swag that a student gave me, and immediately started getting comments. So they saw it; they just didn't care. But like I said, it ended with a fail, but I did try.

Was it, what was the message? Were they just simple instructions, or...

I didn't expect them to stand there and read through it. I was hoping to at least get a question that I could start the inroad with, because I have several different documents I could point to that say you're supposed to be doing it, so it's not the one cybersecurity person trying to justify their job. But I was just trying to introduce the topic.

Yeah. Okay, so this is wild how this keeps happening, but I actually feel like that segues really well into this next concept. The animation is not working for me; I should have done a run-through. This topic of how we get
feedback and align incentives, and I actually think that implementing an SDLC process is kind of a perfect case study to dive into there. And I'm gonna write that one down, because I wanted to write down people's ideas anyway. But we always say we don't want to be the team of no, and we want to enable people, but we ask people to do things that make their jobs harder; we ask them to take an extra step. I too have had issues with the SDLC process, and we have conflicting objectives: I want to make sure that it's going through every review it needs to go to, and they want things done really quickly. So yeah, I want to get back to that one. Let's actually think of some others; I'm gonna write these down. But what are other things that we as security people are doing that make people's jobs harder and create an extra step for them and take extra time? I feel like you can just shout these out and I'll repeat them. Vuln scanning, yes, that definitely takes time. Patching the things that we find takes time. What else? Oh, compliance, my fave. What was the first word you said? Oh, hardening, yes. Right, a lot of compliance frameworks require additional steps that maybe, if we were just looking at things from a risk perspective, we might not necessarily take that step, but as soon as auditors and customers have visibility into whether or not we're following that process, we'd better be following that process. Password expirations, yes, that is a hot topic at Rapid7 right now: new NIST guidance says we maybe don't have to; our customers say no, keep doing it. So yeah, that's a great one. And for passwords, I mean, even just thinking about conversations you've probably had with family and friends about not reusing the same password everywhere and setting up a password manager, these are asking people to take extra steps in their lives: every time they log into something they have to go to their password manager first. I think of my password manager as something that enables me, but for people whose alternative is using the same password everywhere, that's an extra step for them in their day.

I will repeat that one: password managers all can be hacked; it's a really bad idea. I am ride-or-die team password manager. Their encryption and Notepad is the thing as well; that's the password manager. That's valid. What? Yes. What if you have two-factor authentication on your password manager? I do, you know? Exactly. This is a real rabbit hole here. I don't think that they are a foolproof option, but when my alternative is my users, if I give them Notepad and encryption, I am still worried that it's not user-friendly enough for them, that they will still take risks and keep using the same password everywhere. For my personal use case, though, I agree that what you have built is its own, maybe more hardened, password manager. So what were we... what's happening? What, your sir? Okay, so very, very... I'm gonna... oh, okay, well, because you guys are telling so many stories, this is great.

Okay, very quick story about a challenging cross-functional project that required a lot of buy-in. We needed to formalize the process around
inbound security disclosures at Rapid7, so how we handled it when we were notified about a vuln that impacted either one of our products or some other system that we rely on, and our team needed a lot of ambassadors to get this done. For the sake of time (I did build in more content in case no one talked, but I'm pleased that that's not the situation), I will just focus on one group of ambassadors, and that is the remediation team. So these are often engineering teams whose bonuses depend on their ability to get features out on schedule, and we are throwing unplanned work at them. But we can't do remediation without their help; we really need them on our side, we need them to be part of this process. We're competing with other priorities; we need to look for opportunities to get feedback from these people who we need on our team and hopefully align incentives wherever we can. So we decided on the security team that remediation SLAs were going to be based on CVSS scores. Does that make sense? Basically, can you think of any reason why this wouldn't work? Yes?

The importance of the asset may be different.

So I'm fairly sure that gets calculated in as part of the CVSS scoring calculation. Yeah.

Well, you may be encouraging the engineers to not find things that they can't control, that external researchers are finding things.

Yeah, no, that's not even what I thought of. The engineers were very quick to point out a complexity that I had not thought of, and that is that the severity of the vulnerability that has been discovered and reported often doesn't have anything to do with the amount of complexity and work required to fix it. So even if it is the most severe vulnerability of all time, us coming up with an SLA of five minutes doesn't mean that they're going to technically, physically be able to get that work done in that SLA that we have set. I genuinely had not thought about that issue. But we heard that feedback, and this is just a little snippet from our larger vuln disclosure standard operating procedure. It's probably not visible at all, but I'll just point to the sections I'm talking about. Essentially, the security team is throwing this vuln over to the remediation team. We've calculated the CVSS score, and they have visibility into all of those inputs, so if they have a disagreement about the CVSS score they can argue with us right in the calculator. And then they just need to acknowledge that they've received it; they basically agree with our CVSS score calculation and our SLA. And if they don't, there is a process for them to say, "Hey, this SLA is not something..." And in our macros that we use to make sure our communication is consistent, we reiterate right in the ticket: if you need an exception, if it's not going to be feasible for you to remediate this within the SLA, you can write in the ticket, just explain why, and that'll go to the head of InfoSec, who 99 percent of the time will look at that and say, "Yeah, no, that makes sense; technically it would be extremely difficult or impossible for them to remediate it within this SLA. That's an acceptable level of risk for us to let that work go on another five days and give them the time they need to fix it." If there is a situation, which we genuinely have not had yet, where the head of InfoSec just says, "You know what, you just have to do it, you have to prioritize this, you should be able to get it done," we talked to the leadership of the engineering organization and they said, yeah, at that point, again, we report to product, so it's actually the CISO's boss who would be able to make that final decision. He's representing the engineering perspective and the security perspective, and he would be able to make that final decision about the timeline that this work needs to get done in.

The metric that we're interested in at the end of each quarter is: was each product remediation team able to meet their SLAs? So now what we've built is a process to extend that SLA when the complexity makes remediation in that timeline unrealistic, and these remediation teams can rest assured that they're not going to get screwed over by this complexity-not-equating-to-severity issue. The only way they're gonna miss that SLA and look bad in that quarterly business review is if they just ignore it and they don't respond and they don't ask for an extension. So it's been really successful. Our remediation teams were very appreciative that we took their feedback into consideration; when we showed them what we'd come up with to address the issue, they were pleased, and hopefully they feel an increased sense of ownership and investment in this process that they really actively worked to shape with us. And this metric that we're reporting on helps us solve this issue of misaligned incentives. This is no longer an issue that's distracting them from the work that they actually get credit for, that their bosses have visibility into; instead, it's now a part of their job. Leadership sees this metric at the end of each quarter, and if they do a great job they get positive feedback for that. So it was a crafty way to align those incentives.
So we talked before about a few things that we do that make people's jobs harder, and I'm wondering if you guys have any ideas about how we could get feedback from other stakeholder groups that are involved and maybe realign incentives so that they are incentivized to follow the process that we think is right. I would love to start with that SDLC example, because I think it's very complicated. You know, we are asking engineering groups to take extra steps and spend extra time, so does anyone have any ideas of how that's worked successfully or not successfully?

Sure. A number of years ago, first introducing static code scanning, there was a lot of
resistance from the developer community, because (a) it was extra work and (b) it was noisy. Because this number of years ago... it's not that great now, but it was even worse back then. But the reality is, when you get right down to it, what it was doing was finding bugs. So we learned over time to introduce it as helping them do their job better and finding the bugs; in the long run it's better for them to find them, not "it's security making you run this tool," right?

And did you get positive feedback from that?

Yes. In general software developers want to find bugs. That's right, they generally want to do that;
they generally don't want to get told to do things, so it's more a matter of helping them do what they want to do and presenting it that way.

I love that, very crafty. Um, and you know, anything else we talked about too, whether it's volunteering and patching, how we align incentives. I mean, you know, we definitely have a lot of dashboards; the amount of leadership eyes we have on those dashboards often makes a big difference to the amount of patching that's actually getting done. And even, you know, whether it's password expiration or password managers, even if it's conversations with, like, your friends and family, how have you aligned those incentives or got feedback? Okay, so
keep thinking, I'll be right back. Yes, okay.

So I'm sorry that none of my stories have happy endings, but another approach I took at a different organization was I provided all the developers with a link to SANS; they had a self-test on what is your secure development knowledge, and most if not all of the developers went and followed the link and they took the test, and I got a lot of feedback. They thought it was really interesting, and it basically did a survey: how interested are you in additional training on this? Great response from them. I think it goes to what the person said, that vulnerabilities are just another bug, another form of quality, and so they were
interested in doing that. And then whenever there's a dad... and I'm sorry, it sounds so hopeful.

Yeah, it sounds hopeful.

Yes, like I said, you are over here, it's gonna rain today. So I presented this to the manager, and I swear I'm gonna have a poster made of this quote, because he said, "I have software to deliver, I will worry about security later."

Let's get that on the t-shirt.

Yeah, that is verbatim, that is emblazoned on my head. And, you know, I could have... when the software wasn't accepted by the customer later because it wasn't meeting all the compliance scans, and at the time it probably all
worked out. But so, yeah, I think the developers are usually on board; it's the schedule and the other resource problems that they have, you know. And I'll point to management, saying, you know, we're saying we're making the job harder, we're also saying it's gonna take longer for you to do something, potentially, right? So if I come up with a happy story I promise I will raise my hand.

Well, that's our next EFF fundraiser, it's gonna be selling shirts with that written on it, so that's our happy ending. We're gonna raise tons of money, it'll be great.

Well, I guess I'm gonna be the troublemaker, so
what do you do when you find a problem and you contact the company and nobody will talk to you at all and nobody cares? I do this all the time; ninety-five percent of the time this is what happens. Then I go full disclosure, right? What else can I do? Nobody cares.

So I don't disagree with that approach, and there were plenty of people that I worked with who were disclosing vulnerabilities who did that. They very, very actively tried to hunt people down: LinkedIn, Twitter, phone calls, emails, you know, explaining. I'm looking at their communications, they are writing out...

Yeah, I just wanna say after practice I completely abandoned all serious hope to
reach people, and my point is it's just a matter of compliance. I want a paper trail that I did make a good-faith attempt to reach them, and then I dump it publicly because I know nobody cares.

That is wild, that when you're doing that outreach you're thinking, well, I need a paper trail that shows I want on a gap... I mean, you know, I obviously am spoiled working at a security company, like that sounds so... for a little bit seven, they would answer my emails, right?

Yeah, yeah, right, right.

But no, and I think that's also different than these examples of when I'm looking at their
paper trail, I'm seeing a very half-baked message that to me doesn't clearly articulate to someone who's on the other end of an info@ email what they're looking at here and the action that they're asking them to take, and they, you know, maybe sent it to info@ or maybe, you know, called the 1-800 number. Totally different than, like, I can clearly show you, look at how I've tried to reach out to you, and at that point, I mean, that's why public disclosure exists, and then they're gonna care about it a bunch, probably. So yeah, no, we're totally on the same page, you are not a troublemaker.

What do you do when you have companies
that have vulnerabilities... I'll disclose something right now. I've been tracking, I've been following the information that's available for all of its sons for sale, meaning the marketing lists. American Express removed almost all of their cardholders from open sale. ISA is currently, the antivirus company, currently has their entire user base for sale by marketing companies. Symantec removed theirs. McAfee's was up for three days and now it's gone. Bank of America cardholder list comes and goes from various companies. How do you keep these things away?

I don't think I have a good answer to that. Maybe someone else will, but I don't know. I mean, I guess that's kind of, could be a bit of an alignment, an incentive
misalignment, where they have to invest in removing that data and it takes work, and maybe the reward isn't... I'm just trying to bring it home, you know. I don't have a good answer to that. I think we... how are we doing for time? We've got like 2 minutes. Let's kill it.

All right, this one is maybe controversial, maybe not. So think about the best ambassador builder you know. If we're thinking about these areas that we've been talking about, communication, interpersonal relationship building, cross-functional project management, just think about who that is. There's no, like, right answer, it's obviously gonna be different for all of us. And now let's talk about the skills gap, because that is such a hot topic for
thought leaders right now. My hot take on the skills gap is that we have one in part because we have a narrow understanding of what an information security professional is. My personal experience is that we don't all need to be clones of Mr. Robot to be successful InfoSec professionals, and I have some stats to back me up on that. This chart shows the disconnect between what members of the workforce think will make them successful and marketable in the InfoSec industry versus what hiring managers are actually looking for, and the very top skill that's being prioritized by hiring managers is actually communication, followed closely by analytical skills. Meanwhile the workforce is prioritizing a slew of technical skills above those
communication and analytical skills, and yet we as an industry are very quick to devalue anything that isn't a STEM degree. I am definitely not advocating that you build your security team of exclusively recent grads with sociology degrees, but I do think that we should remind ourselves, when we're talking about the importance of building ambassadors especially, that diverse teams are great teams. And if we can put people... there's so much work to do, I am so tired, like there's no shortage of work to do in InfoSec, and if we can put people who have those ambassador-building skills in roles where they're going to get to use them, they're going to be getting cross-functional projects
done and, you know, building ambassadors in the organization, outside the organization. It is a skill set that we should take as seriously. That's not to devalue technical skills; we need technical skills in security, obviously, but I do think that we tend to not value these as highly as we could or should when we think about how important it is in getting work done. This is that English major helping us close the skills gap, look, he's killing it. Does anyone just want to share, like, a quick story about someone who, you know, a person you work with who's great at building ambassadors, who, like, drums up the ambassadorship on your team?

Sure,
so on our team we recently brought in a technical writer that also helps with all the marketing and the communications for reaching out to the company and everything else, and since they've come on board the level of communication has gone up, I've got a lot more buy-in. It's been really helpful.

That is... yeah, I mean, I realize we talked before about how heavily our team, our internal security team, relies on marketing to help us articulate. We're updating our trust page right now so people can have visibility into our internal security controls, because they want to know we know what we're doing before they give us their data, and we could not begin to do that without
marketing. Anyone else? I feel like we've... guys, thank you so much for talking in the morning when you're hungover, I appreciate it so much. This is really great, thank you.

[Applause]