
Folks, welcome to day two of B-Sides, everybody. Did everyone enjoy yesterday? Got something out of yesterday? Yeah? Awesome, awesome. I'm going to go through a presentation talking about risk, so I thought today is going to be Kindergarten Tim. That's why you got the Mr. Rogers outfit today. So I thought I'd serve it up. The sarcasm and the humor are not going to get any better, all right? So get jacked up on coffee now, because it's just going to go like this for the next half hour or so.

All right, so I've got a couple things I want to go over. I want to talk about our presentation, but I also want to open this up for questions partway through. I'm going to ask everybody here in the room, and also on our other side of the house, to think about things from a different perspective. Yeah, hold on to that one; let's see what we can do.

First up, our journey this morning. I want to talk a little bit about myself, not a whole lot; you can get to my LinkedIn profile, it's fine. But I want to talk about our current state with cyber security: where are we today, where do we need to go into the future. And then I want to discuss this concept of transiting what we do into risk, what the benefits are to you and, more importantly, how you can change along with the profession of security so we offer more benefits to the organizations we work with, whether we're on staff or as consulting teams. And then open up for question and answer. So far, is it good? Makes sense? This is interactive, folks. I need you to stay awake with me. I appreciate what my role is here: it's comedic relief for the next 45 minutes, I get that, but I need you to be part of this exercise with me. So let's jump into this.

All right, first up, B-Sides. Has everyone read this from the site? Please nod, I'll be really good. Yeah, that's true. Okay, awesome. So the concept of B-Sides is something I really support. It's an opportunity for all of us within the community to truly appreciate the skills we bring, the things that we want to uncover and explore and, more importantly, how we can benefit the tech sectors in each one of our cities, right? Everyone know the history of B-Sides, where it started? Anyone? Yeah, where'd it start, who with? If you get a chance, look up Jack Daniel in the... yeah, Nickerson as well, right? So absolutely, if you get a chance, look up the history of B-Sides and see what the team has done and what Jack's role was initially, starting in somebody's, if I remember correctly, somebody's house, right, in Arizona; that was the first B-Sides. So if you get a chance. After twenty-some years, here's where we are today. So we stand on the shoulders of giants who brought us here from the infosec profession. All right, history lesson over.

Just in case: I don't know when the hell the sweater is coming off, but yeah, no, just from the head up. Yeah, I'm wearing pajamas, for those who can't see, all right, just so you folks understand. And that's a lovely CGI red, just so you folks are aware.

All right, let's move into this. Quick introduction. So, yeah, I'm not ashamed of this anymore; I probably should be, but I think I've been in security longer than some folks in this room have been alive, and that's disappointing as hell. This is year 42 in security for me. I started in 1981 when I got out of the military. I owed 250 bucks to the mess in Winnipeg because I drank so damn much when I was in, and I needed a job, and there was this... Put up your hand if you remember wanted ads in the newspaper. Okay, just the old folks. Thanks, everyone. Thanks, Doug. I'm picking on Doug Leach when I see him, right? So I saw this ad for a security guard in a hotel. I'm like, well, this can't be that bad, right? And at least I could pay off my mess bill, because I owed money, and the Government of Canada at the time was really good at chasing you down for the money. So I took this job as a security officer at a hotel, and my introduction to security was kicking out hookers and drunk curlers from the hotel lobby, not in that order, but eventually. And I went from being the security guard to being the chief security officer, and that was a short period of time to get there, but it was an interesting introduction to the profession of security. Man, I love this thing. This is awesome, right? So from that perspective, yeah, I'm going to let the technical folks manage this stuff; I've got to keep someone along here.

So what I did from that perspective is I spent the first twenty-some years of my career in physical security, and I've done everything from managing an executive and getting him from the bar home safe and sound in the car, to dealing with fraud files, harassments, helping out with law enforcement doing wiretaps, and even working with homicide cases. So it was a blast, the first half of my career. Then I decided, well, this internet's not going away, I should probably do something about it. So in 1997 I pulled myself out of the workforce for two years and went to NAIT and got my Computer Systems Technology diploma. And from there, I remember I think I was the second oldest person in the class. Again, second oldest going to class, and everyone's like, I can't wait to program games, this is going to be awesome. Really, I wanted to learn how to break into a system so I could protect the system. When I came out of that role, then I became Chief Information Security Officer or Chief Security Officer for... I had to count yesterday how many companies I've been with. Do you guys remember the movie Soldier, when he had all the battles on his arm? Yeah. Eighteen companies I've been with as either an executive, a VP, a Chief Information or Chief Security Officer. So it works; you just don't need to spend 40 years to get there, folks. You just don't need to get there.

Other things I've done in my career, and what I'm really proud of, is enterprise security risk management. I'm going to touch on it briefly here today. It shouldn't be a new term to everybody, but the concept of how we use it should be, so I'm going to talk about that later on in the session. Yeah, dog lover. This picture that you see on the screen: this was the first year of the pandemic, and my wife and I were out walking our dogs, and I just saw this amazing picture that some of the kids in the neighborhood put on somebody's fence, and I thought this was super cool. It also is something that I'm trying to strive for in my career, and as I'm sitting here giving back to you, it's an opportunity to be kind, to be empathetic in the world that we're in with security, and find that human element to the work that we need to do every day to keep our organizations safe and secure. Plus I just thought it was a cool way to show my dogs in the slideshow.

All right, current state. So I'm not going to go through all of the different vulnerabilities that we have; you guys are doing an awesome job with that. I'm not going to talk about some of the different hacks and the breaches. I want to look at things from a business lens and from a political lens. So let's get into this. First up: blank screen. No, it's not James doing that, that's just me. I told you, folks, it doesn't get any better; the sarcasm, the humor don't get any better.

First up, serious topic: war. How many people can honestly say that they have seen in their lifetime the use of cyber prior to a physical assault on a nation? We're here now, right? Prior to the conflict in Ukraine, how many people were following what was going on between Russia and Ukraine, what Russia was doing with its army of hackers and what they were trying to do to be disruptive inside Ukraine but also other countries? Right, this is now going to be the norm for every conflict that we're going to see. As it realizes, prior to that you'll be able to see the escalation of cyber and the effects that they're trying to rain down upon the country that they want to invade or the army that they want to stop. This is something now you in this room are going to have to deal with. Scared yet? I am.

Nation states. From the last 10 years I have seen, and all of you have in the room as well, the escalation of the involvement of countries in the art of cyber warfare, right? Their ability to spend an inordinate amount of time in planting advanced persistent threats so they can execute at their leisure, at their time, without us knowing. Anyone ever had to deal with one of those in your organization? Yeah, scary as hell. But it's something now, from that perspective, we are seeing more and more nations getting involved in cyber, realizing the value that cyber can bring and, more importantly, what if I could just damage some of the supply chains for another organization, or a bank, or critical infrastructure, or another country?

How many people have all the money and time and effort they need to do their job every day? Hang on, just... yeah, same. Where the hell did all the money go, and the people, and the resources, right? Resource constraints are something we have had to deal with for the last decade or more, and it's becoming more prominent now as we face this next year coming forward, and I want to talk about that point as well. Because this work from home, work from your hotel, work from hell, wherever, all of this has been part of what we've had to deal with. So when I was at the City of Calgary as the Chief Security Officer, one of the things that we had to manage was sending, you know, 15,000 employees home to go work from home in the middle of a pandemic. Yeah, that was fun. But we learned a lot of lessons along the way; I think all of us have done that, right? How many people now have a hybrid environment where you're working from home part-time or working from the office? How many people are just working from home? Great. This, in case you were wondering, was to keep you awake, right, the questions I'm asking. But you can understand now that some of the things that we have to worry about we didn't really have to focus on in years past. Now this idea of I've got somebody sitting at home who's going to be calling in with a security problem, and it's because their kid's doing something on their shared Wi-Fi; we didn't have that before. We do have that now.

Inflation and recession. Anybody follow banks? Canadian National Bank? Anyone? Yeah. Anyone figured out where we're going the next six months? Not good, and my stock portfolio is showing it. It's not good. So in times of inflation, right, and then in times of recession after that, what's the first thing that happens? Everybody's budget shrinks. Cuts. And when people start looking at activities and trying to understand, are they necessary, do I need to do this, do I need this many people, do I need this much stuff? Because I'm asking that personally at home right now: do we need this much? And what can we get rid of, our stuff here, like how can I sell some of this stuff to make some profit on what we're not using? So we're going to be seeing that in businesses, and it's happening right now, and that means there's a direct impact to the cyber profession and to the cyber security professionals in this room and the organizations you're going to be going back to on Monday. So it's something we all have to be concerned about, and we have to start looking more now at what's happening in the business environment, more than just what's happening in the cyber environment, because you're going to see behaviors change as well. And we have seen this in the past when there's been cuts to budgets, and we're seeing changes to the security posture based on budget. What's the first thing that the bad guys are going to try? Hack the company with less money. Always. Because they can't afford the level of protection they should have, and they're making do with what they've got. Because the folks on the other side of our line are patient as hell. They will take their time, they map out what they want to explore, and they're going to wait for us to make a mistake or cut staff or announce cuts in the newspaper. Yeah, that's the world we're in today.

Supply chain instability. This, we're going to pick on Doug Leach, his Lego. So, Doug, I got it right. So how many people are finding now, from your perspective, when you order a part, how long does it take now to get gear and boxes and equipment? Do you get it overnight anymore? Are you a Prime member, you can get it tomorrow, delivered on the doorstep? Now we're waiting, right? We're waiting because of what's happened over the pandemic. The time it's taken for organizations to get their supply chains back into a stable order is impacting the work that we do and, more importantly, the equipment we need. I was down talking to the folks at the capture the flag and some of the things that they've had to be fluid with, to change based on part availability for the work that they're doing in the labs that they're running. So it was interesting to hear from a micro perspective even just that aspect of what supply chains are doing for the training that we're offering here today for B-Sides. Picture that now from an organizational perspective and the stuff that we're going to have to deal with moving forward.

We're almost to the bad stuff, hang on. Finding people. How many companies have everybody they need on board? Do I gotta put my glasses on? More importantly, how hard is it for you to find resources to come into this world? Anyone found that magic bullet? Yep, no, right. The last survey that went out was about, as I understand it, between two to three million cyber security professionals we are short of. So I'm just going to ask Bow Valley, what are you guys going to step in to help out with that number, right? So just picking on James. Yeah, we're trying. And folks, this is across the realm, not just within cyber but across IT and also application development. We're seeing that across the IT industry, that the concept of finding people is getting harder and harder.

There's a couple things I want to talk about before we end this slide as to what my thoughts are for part of it. One of these is legislation and regulations. How many folks have had the chance to review Bill C-26? Were you that bored? It's just not a character, okay. Yeah, and James as well. So if you get a chance, take a look at some of the legislation that's going to be impacting our environment from cyber security: Bill C-26 and C-27 here in Canada, critical infrastructure and updates to privacy. If you have a chance, take a look at some of the work that's being done in the United States. There have been over five pieces of legislation from the Biden administration since the time they came in. Their administration put, as part of their plank when they were being elected, cyber security and strengthening it, and they've done it, right? They have made changes to the Transportation Security Administration, they've enforced cyber security reporting requirements for critical infrastructure, they've made three changes from a legislative perspective to acts that they had within the U.S., including the Homeland Security Act, and my favorite, the SEC. So the Securities and Exchange Commission, and that manages all companies that trade on American stock exchanges. They put... I don't know if anybody read this, or maybe I'm the only geek that read this because I like policy, sorry about that, but I like policy and structure, it's the military in me. So from a policy perspective, the SEC put out a proposed ruling on May 18th of this year, and they identified that every company that reports on Form 20 or Form 40 and files it with the SEC annually must identify by name the Chief Information Security Officer, your program to address cyber security risks, identify which board of directors has training in cyber security risk management, and how the board of directors is going to manage cyber security programs moving forward. And that thing is about ready to go from proposed rule to requirement. So how many people here represent a company in Canada that trades on a stock exchange in the U.S.? Yeah, you have to do this now, and the reporting requirements are becoming more severe, and the concept of reporting a breach, a failure, etc., now has to be reported to federal authorities in the U.S. Anyone looking forward to that one? I'm not, but we're going to have to. And the reason why is that we have not taken up that baton when we were asked to. Industry was asked over the last 20 years to get better at managing cyber security, sharing information and providing information on breaches that occurred, so that they could not only make the government aware of what happened if there wasn't a cyber terrorist event, but also to forewarn shareholders of the statute that you have within your cyber security program. We dropped the ball because we walked away from the requirements and said they weren't necessary. Yes, they are, and now, unfortunately, someone decided they're going to make us do it. It's like Mom and Dad telling us what we have to do now because we weren't smart enough to figure out to get our own haircut. Sorry, I'm just picking on my haircut.

So from that, pandemic recovery. How many companies here in this room that you represent are absolutely 100% functional off the pandemic? Yeah, there's not many hands up, right? Are you guys just... you're not tired, right? You're just not. Why is it taking so long, right? It's because we got comfortable sitting at home, and now that we're past that recovery stage and we're in that awkward "do I shake your hand, are you okay if I hug you now" space, right? And that's going to be here for the next... that's just going to be here. All right, so we're going to have to deal with that, and the next variant and the next variant and the flu season, etc.

And finally, quiet quitting. I love this term. Well, not, I don't personally love it, I just love the term of it. How many people are starting to realize that there's something other than your desk in your life? Is it just because I'm old, right? I'm just getting older. But so we're starting to see this now in the workforce, where when we have traditionally asked individuals to step up and help us out and stay after four o'clock on a Friday, it's not happening as much anymore, and that's starting to have an impact on the work that we're doing and what we're expecting our employees to create. And can you see now what happens when you have a group of individuals who may have been performers and cranking out 60 hours a week? If they back that off, I've got to find somebody to fill in that 20. Oh, that's right, we've talked about that whole finding people thing, right? You can draw a circle in this entire slide that I've just put forward of where it's coming back to. And the question that my wife asked, this when I was practicing with her, it's like, so this sounds like a real mess, right? And then her next question: why the hell are you still in this business? Because I can't retire yet. But anyways, that's another topic.

Well, look, what if we looked at this from a different lens? What if, as cyber security or as security professionals, we took a look at things from just a different perspective, and I started translating things to risk? I'm pretty sure that's an important message, but I'm going to get rid of it anyway. What if I was able to take all of the stuff that was on that screen and the things that we do every day, and I turn this into risk, right? Just out of curiosity, how many people understand a really good definition of risk? Other than Doug, because we do a podcast called Caffeinated Risk. Other than talking to anybody else, what do you think of? "...prior that results." There you go, that's good, that's a very good one. I'm going to give you something even simpler that I do with executives, because I use sock puppets and crayons when I talk to executives, and I did with a Premier, honest to God, people were there. So the way I define risk is, if you get a chance and you have access to the ISO 31000 definition of ris