HG - Hacking Office Politics for Cybersecurity Leaders - Caroline Wong & Robert Wood

BSides Las Vegas, 32:19, 210 views, published 2017-08

About this talk
Hire Ground, BSidesLV 2017 - Tuscany Hotel - July 26, 2017

Transcript [en]

So, we're very excited. This presentation was our number one pick from the community, and we're very excited to have Caroline Wong and Robert Wood talk about office politics. Whoo! Take it away.

Thank you so much. Is this on? You guys can hear me? So, when you hear the words "office politics," what do you think of? This is the audience participation portion of the talk. Office Space. I thought about suggesting an Office Space photo for the slides. But in your day-to-day work, what are the scenarios that you encounter having to do with office politics?

Sorry. So we have to implement a control that other departments are required to follow, but not necessarily do, and we have to follow it, and so it's difficult to influence them to follow it if they're in a separate, should I say, silo. Yeah, thank you. Old staff versus new staff, the bad habits of the past or the bad habits of the present fighting against one another. Thank you.

Okay, so, really quickly: who knows who this is? Any takers? So this is... what's up? That is Machiavelli. Ethan knows because I'm a big Machiavelli fan. But Machiavelli, or Machiavellian, being Machiavellian, is a term oftentimes very tightly coupled with politics. It usually specifies or describes some kind of zero-sum game where somebody's being very manipulative and self-serving to get ahead of things. We probably all know who this is, for any House of Cards fans: Frank Underwood, another very Machiavellian-like character, oftentimes also associated, in a very negative light, with getting ahead, self-serving, in an office setting, so advancing their own cause at the expense of others.

But we want to try to use office politics and frame it in a little bit more positive light. So instead of thinking about it as a big zero-sum game where, you know, I or anybody else who is playing office politics or experiencing office politics, where they are slashing down their co-workers or their business partners or their boss or whoever, instead we're gonna think about it as the strategies and the tactics that one might use to advance their cause. And so the gentleman here mentioned a little bit ago, when he thinks about office politics what comes to mind is trying to get in place some security capability or some security control to a siloed-off department or business unit, which is oftentimes very, very difficult, and we have to find ways to influence when we don't have direct control. That is a great scenario, that is a great situation where playing some office politics in a positive light, influencing in a positive manner, can really, really help.

And so why do office politics really matter? They matter because, you know, we, working in the security industry, we want to see the organizations that we're working with obviously protecting themselves. We don't want to see the data that we're responsible for protecting end up on Pastebin or end up on a torrent site or end up, you know, being referenced in some front-page New York Times article. However, this is oftentimes how you can think about an enterprise security team: they have some great set of controls and capabilities, there's a path for how things should happen, you know, how code gets developed. Maybe somebody starts back there and they're supposed to get back here, and they're supposed to flow through that security gate, or at least this is oftentimes how things get structured in a typical process. Except, because we don't have really inclusive processes and because we're oftentimes trying to demand and dictate instead of influence and work together, we end up in a situation like this, where people are just literally walking right around the gates which we put in place. They're finding ways around the process to just ship code anyways, because the business needs to function regardless of whether security is there.

So what we do not want, as security teams, is to end up being viewed as perpetual blockers in an organization. The second that you get viewed as a blocker, bad things start to happen for you. So again, you start to get routed around. There's a lot of communication disconnects. I've, like, lived and breathed this stuff; it's not pleasant. You end up spending way more time fighting communications fires and misunderstandings than you do actually making things more secure, because people are just routing around you. You may end up with a decreased security posture, so they may be shipping code that hasn't gone through proper testing, proper vetting, does not conform to security policy. And because people are not engaging with you, you may see a drop-off in security awareness or just general knowledge about what security policies are or best practices are that people should be conforming to.

And so what we want to kind of plant in everyone's head through this talk is that security teams need to start to rethink what they are to the business, to rethink their position so that they are framing themselves as enablers instead of protectors. They are enablers to help people work safer, to deliver safer, more resilient code, and to help them do it faster.

All right, we can go to introductions. So we were really excited about this topic and we dove in without introducing ourselves, so we're gonna go back to the beginning and tell you who we are. My name is Caroline Wong.

I'm the vice president of security strategy at Cobalt, and I've been in this industry for 12 years now. I started out on the global information security team at eBay, where I learned a lot about office politics because I couldn't figure out why people didn't just want to do the right thing, as far as I was concerned. I moved over to Zynga, the FarmVille company, and when I transitioned out of that organization I deleted all the games off of my phone. I went over to Symantec to do some product management, did some management consulting at Cigital, and now I'm at a start-up in San Francisco. So I have experienced and observed a lot of different conversations, both successful and less than successful, and so I'm really pleased to have the opportunity to share some of those stories with you today.

All right. And again, my name is Robert Wood. I'm currently the director of trust at a company called Nuna. We're a small healthcare analytics start-up based out of San Francisco. I've also had a little bit of experience both on the consulting side as well as the product side, and have also seen a lot of conversations or political situations go horribly wrong, as well as go very, very well. And so this is kind of a roll-up of everything that I've seen both set on fire and go smoothly. All right, good, getting back to where we were.

Cool. So now Bob and I are gonna kind of go back and forth and share a few stories of successful communication strategies. The first that I want to talk about is one from when I was on the eBay team. When it came to application security, we were building this pile of vulnerabilities. So we would do scanning, we would do pen testing, we had responsible disclosure, and so we would find out about vulnerabilities through all sorts of different means, and we kept track of them. And every week, maybe every two weeks, we would go to the development teams and we would beg them to fix them, and we would try our best to convince them that every vulnerability was important, more important than whatever it was they were doing. We didn't necessarily take the time or ask what they were doing and what their priorities were. But this was like a broken record; it happened again and again. We would get a new set of vulnerabilities, we would beg them to please fix them, we would return to our desks muttering to ourselves about, you know, our frustrations, and it just wasn't working, and we couldn't figure out why.

And working like that can become very tiresome. It can feel like the work that you're doing doesn't matter, because finding security problems is only one part of this, you know, one side of the coin. In order to actually make the applications more secure, they have to get fixed too. But we couldn't fix the code because we weren't the developers. Even if we had those skill sets, it wasn't our responsibility; we didn't have access. And so what ended up happening was we convinced our boss, the CISO, to have a conversation with the vice president of engineering, and we said, look, you know, we've got to have this conversation at a decision-making level. And so our boss, the CISO, approached the vice president of engineering and said, look, we run an e-commerce company that allows strangers to transact over the internet; the security of our applications is as much your responsibility as mine. And the vice president of engineering couldn't argue with that, and so they agreed: we're gonna jointly own this goal of improving the security of the code.

Now meanwhile, the application security team went and spoke with the developers, and we said, what are you working on? What's your day-to-day life like? What are your priorities? What are your quarterly goals that you need to meet? And it became apparent to us, once we began to have that conversation, that we were just a pain that they had to deal with, that was getting in the way of them getting their quarterly goals accomplished, and their bonuses were tied to those quarterly goals. So no wonder they were shooing us out the door every time we came and tried to explain how something could potentially be exploited. So we talked to them and we said, look, our bosses have agreed that this is a priority. Can we talk about you setting some time aside to focus on fixing security issues that are found? You know, you have the buy-in from your boss; he understands that this is a priority for you. And we actually came up with the number 20 percent. So we said, across all of our applications, you know, on such-and-such date we're gonna take a baseline number of, you know, how many... it was really a defect density number, you know, what's the number of vulnerabilities that you have per million lines of code, or something like that. And we took those numbers down, and every month we would check in, and we said, okay, in Q1 we're gonna reduce those by five percent, by 10 percent, by 15, by 20 percent. And we were actually able to do that.

Now, if it had been totally up to the information security team, we probably would have said a number like 90, we probably would have said a number like a hundred, and we may not have gotten very far. But because we were having the conversations both at the executive level, to have decision-maker buy-in, as well as at the working team level, to understand really what was reasonable in terms of the bandwidth that folks could dedicate to this problem, we jointly came up with that 20% number, and both the teams and the executives were able to present that as a success by the end of the year.

So what I'm going to talk about is regarding building a security-aware culture. So this was one thing when I first joined Nuna. I came in as a consultant initially and then made the transition to full-timer, and when I first showed up it was interesting. There was a security mindfulness, but it was a very shame-y, almost programmer-like security-aware culture. So, you know, somebody left their

laptop unlocked, they had to wear this god-awful itchy sweater that they called the security sweater, and they had to have this big HIPAA hammer, it was like Thor's hammer, on their desk. And it was a very, very shame-heavy culture, and it also had people very much zeroed in on very, very specific issues and not really the things that were, like, most concerning for us. So, building a cloud-based set of products, you know, things that are happening in the office are not necessarily the most crazy risky things for us as an organization, for our particular threat model. And so what we had to do is basically find a way to break out of that mold, still of course embrace the good things that came from that, and find ways to build partners around the organization in a more social-network-like way.

And so what we ended up doing is creating a very positive atmosphere around security. So we created awards, we would deputize people to kind of speak authoritatively about security if they had, you know, intelligent or correct things to say, if they were working on security-related things in their particular project. We created an internal bug bounty to reward security-minded thinking. We would call people out in all-hands meetings, in Slack channels, things like that. We would really try to celebrate security-minded thinking in any capacity that was, you know, furthering our particular objectives. And one thing that I think really, really, really helped here is we were not necessarily the ones doing all of the work. We were, we are, back-channeling a lot of this work, but at the forefront of everything, what we ended up doing is finding other people to represent our mission, our goals. And so that's what I mean by finding proxies. In this case we had proxy individuals around the organization who were pillars of success and of, you know, security-minded thinking that we could point to and that other people could look up to as an example, because they're much more relatable from a security perspective than we are, those who are coming in from, you know, like professionals from the industry, these, you know, these wizards of black magic and such who can hack anything and, you know, blah blah blah. We have a very, you know, whimsical kind of idea around us when we go in and start talking with engineers, so we wanted to avoid that and make it more accessible, to break down barriers. I think we should probably skip over the last one. Yeah, keep plugging. These slides will be available so you can always dig in later, and you can always, you know, message us and we can tell you the rest.

Yes, so shifting gears a little bit away from some positive stories, we want to offer some tips for actually managing office politics, and we'll break these up into, like, three main sections. So the first is when you're actually approaching somebody and starting to have discussions around security, or have discussions around your particular roadmap or agenda. Four main things that I want to really leave people with. The first is: come in seeking answers instead of knowing the answer. A lot of times, and I've been guilty of this myself, I'll come to a situation, and, you know, let's say some code is broken, let's say, you know, somebody mishandled data, something like that. If I come in and just start telling them all of the ways that they are wrong, they're going to instantaneously shut down, not listen to me, not engage. They may answer my questions, but it's going to be short-term gain for long-term sacrifice. So come in seeking to understand why something might have happened, why code is written a certain way. You know, maybe there's a library that they're relying upon because of, you know, some piece of user functionality that hasn't been upgraded in forever, who knows what it is. Maybe there's some lackluster process or old technology that they have to rely on that almost forces them to act in an insecure way or doesn't give them a lot of choices.

The next big thing is showing empathy towards other teams' goals. So building off of Caroline's story, other teams are there to provide the organization you're working in value in their own right. We're there to protect things and to help make things more secure; they're there to do whatever it is their particular function services. So we have to show empathy to whatever it is other teams are trying to do, whether it's a finance team, an IT team keeping, you know, keeping the lights on, engineering teams building products, whatever it is. Being ready to give ground in a negotiation: so don't go in asking for, you know, this much, always, you know, like not leaving that conversation unless you get 100% of the things that you want. You have to be willing to compromise, because you're expecting somebody else to compromise on their goals. And so if you're always the one who is, you know, drawing a firm line in the sand, not willing to budge, you're gonna find yourself, eventually, over time, getting blocked out and routed around.

And then the last thing is being ready to challenge yourself on the means by which you are trying to achieve some end. And I want to make a parallel into government, military land, being that we are having a politics discussion, in that you can think about the US government trying to achieve some political objective. They have a number of different tools at their disposal, as do we as security teams. You know, in the government's case they might choose between diplomacy, finding a proxy state of their own, or sometimes using military force, all to achieve some bigger, broader objective. And I think it's worth always asking yourself if the approach that you're going in with, force, diplomacy, you know, finding somebody else to do it, is the right way to do it. I have some very negative stories where I've used my team's resources in a forceful manner to just go in and get things done, and while we accomplished our initial objective, the aftermath of that was kind of atrocious, so I would be happy to share those stories afterwards.

So another tip that Bob and I thought about sharing with you guys, as we were coming up with the slides for our talk, is to try and speak your audience's language. I remember that, you know, before I would go in for a meeting with a stakeholder, I would look them up on LinkedIn, I would search for their name, if they had been talked about in the news, and I would try to find out about them as a person and also about what they were trying to accomplish in the business. So these are just a couple ideas about different audiences that you might speak to and different messages

that might be more or less relevant to those audiences. If you jumbled this up then it might not make sense, you know, for example, to talk to your CFO about vulnerability management; that's probably not a message that's gonna really resonate with somebody in that role. Now granted, every organization is different, and it is really important to understand the roles of the folks that you're talking to. Sometimes you can just build relationships with people by meeting with them over a cup of coffee and simply asking the question, what's your top priority these days? That can give you some leverage, because if you can figure out what their top priority is, if there's a way to tie what you're working on to that, then there's natural alignment in your two causes.

So this is, oh no, this is probably my favorite slide that we're talking about, and this particular line is Bob's, which is: don't be a security person, be a business person with a security lens. For as much time as you spend reading up on the latest security news and trying to understand what happened with the last breach, and trying to figure out technically exactly how, you know, the latest zero-day that was released works, spend that much time trying to figure out how your business makes money. One of the things that I actually really like about working for a start-up is I've never been so close to the business before, and in one of our one-on-ones I said to my boss, you know, I really like the money side of what's going on for us, because that's really interesting. And I have this book to give away to someone in the audience, one of the folks who participated in our brief audience participation thing at the beginning. And I'm not going to read all of the stuff that I was originally going to, because we're two minutes away from time, but I just want to say that, roughly defined, a business is a repeatable process that creates and delivers something of value that other people want or need, at a price they're willing to pay, in a way that satisfies the customer's needs and expectations, so that the business brings in enough profit to make it worthwhile for the owners to continue operation. Something that I've thought about a lot is, you wouldn't buy a two-hundred-dollar fence to protect a five-dollar asset, and the whole point of security is to protect the business. So if we don't understand the business, you know, what is it that we're doing, exactly?

Cool. So, wrapping up, we want to leave everyone with four really quick things. I'll let Caroline actually run through them. Yeah, so when you're doing something, you can think to yourself, my priority is ABC and I need to get all these other people to just step in line, you know, and there are different ways to do that, and sometimes, what is it, like, something about catching more bees with honey or something. Like, sometimes it takes time, right? Bob has talked about when he's working with his team to do stakeholder buy-in activities, you know, sometimes an individual will say, but that's going to make our project take twice as long as it would otherwise. But if you really need them to buy in, your project's not gonna succeed unless you have them on board. Businesses are trying to do more than just be secure. Even when you work for a business that's all about security, it still needs to make money in order to keep going on. Be curious: again, for as curious as you are about security topics, try and apply some of that curiosity to what's going on in your business and in your organization. And finally, consider the consequences of your actions, because if you or someone on your team pisses someone off that's actually really important to getting what you need to get done done, then you're gonna have to deal with that later down the road. All right, and that is all we have, so thank you so much.

So I really appreciate all of the tips, or the items you gave, for using to implement something. So what I'm thinking of is a situation

where we do a lot of root cause analysis, and when we do the root cause analysis, you know, that can be very political. Yeah. Especially when you're trying to... the blame games. How do you not... Making a point, it's a finger-pointing game, right? Yeah. So we've gotten really good at doing the root cause analysis, got past that initial aspect of everybody trying to blame everybody else. So getting that done is all well and good. The problem where we stumble is getting that information out. We don't want to send that information out for awareness and for learning, for fear of, as you said, pissing someone off. So how do we get past the, I guess, the emotional aspect of getting root cause analysis out? And the second part of my question is, when we do a root cause analysis we also have to do a remediation plan and a mitigation plan, and the remediation is all well and good, and it's easy, because we now know the root cause and we can just get it done and it's done. But the mitigation plan is what keeps going on and on and on and on, and so somebody has to take responsibility to do that and add that to their normal work. How do you get over the political aspect of that, in addition to sending out that information for awareness?

So I've got an idea, and I'll run through it briefly. So there's an incident, there's a post-mortem, there's whatever you do going forward, and there's a way to frame that that says: we messed up, here's how we're gonna fix it. There's a different way to look at it that says: here's what we want our future to look like, here's what we want our outcome to be, and therefore we're gonna do these things. And maybe that kind of positioning, looking toward the future and saying what do we want it to look like, versus how do we not be like that, might be one way to think of it.

Yeah, I would also say, in terms of sending things out, relying on whoever it is you're working with to distribute that information. So we found this in enforcing policies at Nuna, where we don't necessarily want... like, we're not the developers of some policies, we're not the critical stakeholders, but if we're the ones kind of communicating everything out, we're left in a judge, jury, executioner position. And so we've kind of got buy-in from other people in the org to have them start communicating, like the other stakeholders in the process, to communicate. And so it changes the way that people interpret and internalize the information if it's not always just security coming down with the hammer on things. So I found that to be a really useful tip.

Yeah, just to add on to that, one of the things that we've been doing in our organization, that actually did this, is my former co-workers over here, is that as we handle incidents, and this is even with regulatory management, actually develop a communications management program. Tech people are really not great at disseminating information. As you mentioned, like, you're really... since, you know, you're trying to have some empathy and sensitivities about who the audience is, we're really not good at it. There's much better people that can do that, and if you build that into how you are doing your work, it actually is a lot more effective, and you get over that political hump because you understand that you're actually crafting a message, whether it be for an incident or a decision-making thing, that is specifically understanding who that target audience is.

Yeah, I think it's Spotify. They released a really solid guide on doing blameless post-mortems. I think it was Spotify, but if you just Google "blameless post-mortems" there's a really, really good write-up, like one of the big tech companies did it, and it's phenomenal. So we also recommend and plug that. We're probably at time. One more? Okay. Quickly: can you address the internal policy, plus politics, surrounding certifications, both hiring policies, or mixed teams where some have certs and others don't have certifications? Because I have no certs, I've been in the industry for twenty years, and they call me to solve their problems through my startup.

Okay, so, can I regurgitate the question and just make sure I get it? So basically what I'm asking is there's people without certs, right, I've been in the industry for years, yeah, who are basically called to solve problems with people who have certs. Take this test, sure, and it's just a fill-in test, but in a real-world application they cannot do it; they don't have the skills. Sure. Like, I've been in meetings where you talk about basic reverse engineering things and they just don't understand what you're talking about. It's like, well, how are you a CSO? Sure, because, you know... I mean, well, first, I would not expect any CSO to really understand reverse engineering, and I'm really like, they should know what it is, but if you go talk to, like, any senior executive, they're like... and show them assembly, it's... But I would like, the way I would respond to that: like, I don't have any certs, for example, and, like, I've done reversing, I've done hardware hacking, I've led programs, I've done threat modeling, I've done a ton of things when I was consulting, and now I'm running a team. And like, I like to think about this purely, and before, in terms of merit. Like, if somebody is, like, me as a hiring manager, if somebody has merit, whether they have certs or not, a consultant who has certs or not, like, I go with the person who has merit and who has, like, a combination of soft and hard skills. So, you know, certs are great in terms of, like, breaking down some hiring barriers for organizations that are really, like, that, you know, strict like that. Like the government is a good example of that; they, you know, have certain boxes to check for certain roles. But, you know, I would encourage any hiring manager to drop that from their requirements, because I think there's plenty of good people without certs.

So if I can insert a brief perspective, I was in a workshop the other day and it was full of CISOs, and they were talking about how do we present our security programs to the board, and one of the things that came up a lot is, we really have to dumb it down for these people. And I thought that was incorrect, because these people didn't get on the board of directors by being dumb; they're just not smart about what we're smart about. And so I think it's really important to own your knowledge and own your skills, but also understand that someone in a position of authority or power, you know, and not to say that sometimes people who maybe shouldn't be in a manager role or an executive role get there, but if someone's at that level, you know, you have an opportunity to teach them, and hopefully they're not treating you poorly because of a lack of some letters after your title.

Well, let's thank Caroline and Bob for a great presentation. [Applause]