
Host: So today we've got two family khandvi throat rings in our episode. Javad, thank you very much for joining us.

Javad: Thank you for having me.

Host: Are you enjoying Lisbon?

Javad: It's fantastic. It's my first time in Lisbon and, to be honest, I did not expect the city to be so charming. It's got so much character to it, you've got the old and the new, and it's a wonderful place.

Host: So, during your talk, I mentioned to people that I believed it was important for you to come and talk to them today, not because of your typical technical talk, but actually because of the message you transmit. It's important for them to know how to talk to C-levels, how to manage, and how to transmit the information they're trying to get across. Can you give some hints on how you got to this place, how you got to this type of talk? Because it's kind of your thing, right? With your YouTube videos you talk about this stuff, which is not technical, but which helps the technical people a lot.

Javad: So I think when we look at security, and if you look at where some of our challenges are, where some of the failings are, it's not because we don't have the right technology. Everyone can say, "Oh, if you got hit by X, Y, Z attack, you could have deployed this technology to fix it," or "If you'd only done these processes," or "If you'd only followed this standard." So the technology isn't the issue, and we have a lot of really smart people in the industry, so it's not like we've got a lack of talent. So where are things breaking down? I think, historically, when we look at that, we haven't been very good at sharing that knowledge with the wider group of people who really need that knowledge in order to make the right decisions and to implement it. So at the moment, when you look at C-levels, or people who are in a position to make decisions, they're not really properly incentivized and they don't really have the understanding. So it's like, "I just accept the risk." That's the joke.

Host: Yeah. So you're doing a bit of PR, but just for security, is that it?

Javad: Yeah, you could say that it's PR. And I think as security becomes more mainstream, and it is mainstream, all of us are in this unique position where we really understand the issues very, very deeply and technically. Now the challenge is: if you're sitting around a family dinner, can you explain those issues when your family is saying, "Hey, I saw this on the news, what is this ransomware? Why are my hospitals... why should I be worried about it?" And can we condense that into something that's really simple for them to understand, rather than going, "Oh well, it encrypts the files, and then there's a Bitcoin exchange, and then there's all this," and then people don't remember that. They just need to know why it is important to them and what they should do. WannaCry, for me, was one of those examples, because at least in my lifetime, and I've been doing this for about ten years, it was the first time my mom actually called me. She was like, "Okay, this happened at my work, can you explain to me what they're saying?" So WannaCry, in a way... I've had this discussion with other people. I said WannaCry, in a very weird way, was actually a positive for security. It enabled us to do a lot of other things that we weren't able to do before, because it had such a direct impact, like the NHS in the UK, you easily adverse.

Host: Yeah, yeah, yeah. So if you had to leave us with, say, three or four recommendations for security people, what would those be? Because you gave them in your talk, like five or six of them, right?

Javad: Yeah, yeah, those are like some tips to tell a story better. I think if we want to break it down, distill it into a few key points, I'd say start with putting the audience first. I think that's a key thing: why is something important to them? Just because something's important to yourself doesn't mean it's important to someone else. So if you're speaking to the development community, why should they sanitize their inputs, or why should they make sure that the web app is secure in this particular way? If you're not conveying that to them properly, then they have no incentive, they've got no reason to do it. So always put your audience first, make it about them. Secondly, I think, following on from that, we need to break out of the echo chamber, so to speak, and we need to take this message to people outside of security, because they're the ones making the changes, they're the ones with the influence. And ultimately, if you're an entrepreneur and you're setting up a business, security is an expense, you don't want the hassle, why would you? So it's like, how do we explain to them, "This is important for you." It's like, "Yeah, I know brakes slow down the car, I want to drive the car fast," but you need them for a reason.

Host: And that's one of the interesting things, because at this very moment we have the Web Summit just around the corner over here, and I see a lot of startups, right? So everyone is pitching their new product, their new idea, the new stuff that they're doing. But the thing is, my understanding is that they don't care about security, because they just want to push things forward and to get even more revenue, or more users, or more stuff. But for them, security is simply something that they want to take care of afterwards. Yeah, what about data privacy and our users? Is the endpoint secured? Do we have the proper certificates? That's the kind of stuff. So the message, as I understand it, is put security first and then try to... what, to get...?

Javad: Yes, it's not so much that. I think the change in mindset we need is, rather than us saying we need to push security first, we need to convince them that it's a good idea for them to put security first, for their own sake. And I think that's the mind-shift change: we can't force it on people. We've been trying to do that for a long time with very limited success, but if we can convince them that this is the right idea, and for that we need to just be imaginative, we need to use language that they understand, we need to position it in a way that they see the benefit of it, then that's how they're going to use it. I gave this example in my talk today, it's a quite well-known story about girls in a school. They put lipstick on and they would kiss the mirror to leave an imprint, because they thought it was cute. And the principal, the way he got them to change their behaviour, he said, "This is really difficult for me to clean," and he got the caretaker to get his mop, stick it in the toilet, and then go and clean with it. And after that he was like, "You guys, it's just difficult for me, but it's your choice, I'm not going to force anything on you, it's your choice." And I think if we can do a bit more of that in security, say, "Look, this is the good and the bad that can happen, it's your choice, you're clever, you're businessmen, make the right decision," I think that would be more powerful.

Host: Okay, because it's a really complicated position, because it's very, very hard to show a direct return on investment, unless you don't get hacked for X amount of time. And at the same time, whether we like it or not, it does delay shipping any feature: you need a code review, you need a pen test, you're still talking a day or two, maybe, if it's an optimal team. So it's actually a really hard position. Now, how do you see that? Is there a good selling point for that, to kind of fight that?

Javad: So again, I think what it is at the moment, with the current model, people see it as another hurdle they need to cross. And you get the pen test done late in the stage, and then it's like, "Oh, we can't fix it because we have to recode anyway." So we need to go further upstream, or downstream, whichever way the stream is going, but you need to get people right at the beginning to say, "Okay, we need to just bear in mind security as a requirement at that stage," and then it becomes a lot easier, because then when you do the pen test further down you've only got to pick up some minor things, hopefully. And so it streamlines the process.

Host: So the idea is convincing others that it's an important thing, rather than "we need buy-in" at this late stage.

Javad: Of course.

Host: I was actually told, about two days ago, I was having lunch with author flake, and he was actually telling me something pretty interesting that kind of goes against this topic, which is that security has a problem: no one gets rewarded for cutting things down, but you always get rewarded for adding a new feature. So no one is going to get rewarded for taking code out, even if it's bad code, but if you launch a new feature you'll get promoted and all of that. And again, it's probably about having security...

Javad: Yeah, interesting, really.

Host: I just want to do a short episode, so... well, can I continue then? So, because... well, you did the keynote, and your main theme was how storytelling made me a better infosec professional.

Javad: Yeah.

Host: So, I'm not an infosec professional, well, assume that I'm just a curious guy, but how should I tell my story better then, for people to take me seriously as an IT professional?

Javad: So some of it comes down to the audience you're speaking to, because there's no one style that will work in all environments and appeal to all people. But I think it becomes very easy, because if you're doing, say, the same job regularly and you come across the same issues, it's very easy, it's just human nature, to fall into the trap of just explaining things in the same way. And I'm guilty of this as well: you just go to previous reports, you copy and paste the same errors in, or what have you. So, I mean, that's fine. The main concept is: how do you make it something that's impactful and interesting for that person? How do you make it relatable to them? So someone that's in healthcare will have a different driver or motivation than someone who's in finance, very different from someone who's a small business selling tires. So it's really all about understanding the business side of things, that's what a lot of it comes down to. And one thing I stole from my friend Tom Lankford is to ask, sometimes in the company, "How many of you security professionals actually listen to the shareholders' call? Do you understand what the business has committed to the shareholders? Do you know what the drivers are?" If you don't, then you're probably going to be telling a very different story to what they want. So if the business has committed, say, "We're going to complete an acquisition and integration of this company in 12 months," if that's what they've committed to, they're not going to want to change that. So then everything that you're doing needs to demonstrate how you're supporting that and not trying to derail that, because as soon as you say, "Oh, this can't go live," they're going to say, "I don't care, we've committed to the shareholders." So I think it's understanding the motivations of other people that is probably the key aspect there in crafting your story.

Host: All right. Well, I worked in communications in the past, so for me, storytelling would be about the "so what" question, right? So we can have a security breach, yeah, but so what? What's going to be the impact of the event? And I do believe that if they're going to listen to the shareholder financial call, then they're going to have a lot of answers about those "so whats," because they need to commit to those things. All right, excellent, thank you very much.

Javad: Cool, that's right, yes, nice choice.