
Security as a Product

BSides Knoxville · 2018 · 56:48 · 923 views · Published 2019-04

About this talk
Kelly Shortridge argues that security programs fail when treated as dogma imposed on organizations, and succeed when designed as products that serve real stakeholder needs. Drawing on product management and behavioral economics, she outlines how security leaders can build organizational consensus, reduce security debt, and create sustainable long-term visions through narrative and customer empathy.
Kelly Shortridge delivered this talk as the keynote for BSides Knoxville's 4th event on May 18th, 2018. The written version is on Medium, here: https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27 Apologies for the audio - we lost the direct feed, so this audio is from the camera's microphone. Since the camera was in the back of the room, it catches some side chatter from adjacent rooms and the recording team.
Transcript [en]

I hope you're all awake after lunch. So first, thank you very much for the invitation to speak here today; it's my first time in Knoxville and it's beautiful here. So, security as a product. Security is too often treated more like a preserve, unblemished by the sublunary needs of users, and then we wonder why defenses remain stagnant and why they fail so consistently. Progressing towards the glorious ideal of a secure organization, whatever that means, will continue to fail unless we treat security as a product. Are we trying to respect the phantasmal elder entities of InfoSec and their stringent doctrine, or are we trying to ensure our organization can still thrive while operating in a perilous digital

world? One definition of a product I prefer is something created through a process that provides benefits to a market. Security as a product, therefore, is created through a process and then benefits a market, which is your organization. The belief I hear espoused is that designing security to benefit your organization will result in some sort of blasphemous mockery of security, but that couldn't be further from the truth. It's a mockery of your duty as a defender to follow your personal beliefs rather than pursue strategies that benefit your organization. Maybe right now you're, like, really skeptical after lunch, you don't believe me; you think there's some level of objective truth that it's

foolish to discard in the name of benefiting your organization. Whatever that truth is, that's now your product, and if it doesn't benefit your organization, you're basically trying to sell a product into a market that doesn't actually want it. I'm often left a little perplexed at how some security professionals could see victory in forcing through a change that users miserably dislike, as if their dissatisfaction is some sort of, like, cool blood sacrifice. I personally don't think that could possibly be success. Success is solving a real problem in a way that delivers consistent value. Success is fostering consensus so that you're supported by your organization through meaningful change, even if it's painful, even if you implement something

that's adding to your customers' burden. For example, if they were presently storing credentials in plain text and you're pushing for multi-round hashing, they must be included and they have to understand the significance and the value it will bring for their own sacrifice. You'll fail if the security of your organization rests on users adopting a strategy that might provide some value but isn't one they've supported. The other day, Jimmy Lewis, a security researcher, said: "our software is secure if used correctly" means our software is not secure. Similarly, "your organization is secure as long as users follow your security policies to the letter" means your organization is not secure. Maintaining the dogmatic view that users must be wrong within their organization, rather

than accepting the situation for what it is, a failure of your security program, is why we continue to fail. How many more years are we going to lament that our users avoid security before we actually start working on pragmatic solutions? Pragmatism doesn't require security sacrilege. All products, including security, are shared problems within an organization; each stakeholder must feel they have a personal stake in whatever course of action is taken, a process that's called building consensus. As a product manager I've had a bunch of times, including recently, where we'll be releasing changes or new features that may be contentious, that may, like, impact our end users. If I pursue a strategy without regard for how my colleagues,

the ones interacting with customers, will be affected and how they'll feel, the product won't succeed in the market, because they won't be confident in it; they won't have the confidence to sell it. I come to my colleagues with evidence for why it is necessary, describe how it works in the broader product vision, and actively listen to their concerns. We can design a strategy collectively in which all parties are confident, even in the face of uncomfortable change. Security as a product doesn't require the wearing down of strategies through compromise until they're rendered ineffective. It requires a purposeful strategy through an overarching vision of how security can support the organization's survival, in light of the fact that computers are frankly somewhat

garbage but necessary for success in our modern age. At this point I feel like I've mastered, like, the perfect poker-face expression for when security professionals very nonchalantly explain the improvisational nature of their security strategy-making. Most assume I'm asking whether they have a strategy for a specific project, let's say, like, implementing some sort of AppSec tool, and they seem surprised when I ask if they've defined a longer-term vision for their overall security program. Sometimes they would blink. Believe me, even mentioning an overall security program in the same conversation, the CISO or security engineer or security architect with whom I'm speaking will unleash a very fiery and passionate rant. Perhaps you've heard

some of these grievances or uttered them yourself: "Things sometimes sort of get accomplished, but slowly." "We don't ever actually make progress, we're just running around." "We keep making the same mistakes over and over; it doesn't get better." "I don't have any time to do research." "I'm constantly in meetings where we don't actually get anything done." "I just don't even care anymore, nothing changes." I really do feel for your plight, but it can get very, very tedious after a while. There's clearly something amiss here that better or more tech, or better or more people, can't fix; they'll simply be, like, wasted. I hear these remonstrances nearly everywhere in InfoSec, from the smallest of teams

to the Fortune 500, to even Fortune 100s sprawling over multiple functional areas. There are countless passionate people in our industry that are working tirelessly but ceaselessly feel like they aren't accomplishing anything that is meaningfully improving security. But perhaps even worse is hearing that security teams have adopted agile methodology, and then I'll discover that their tasks are based on the whims of the individual performing the tasks, or their epics are still defined and based on functional areas, and no one is ever looking at the higher level of what resources are being used towards what projects. What's even more jarring is when I play this sort of, like, surrogate therapist, listening to their day-to-day plights: I'll ask probing questions to try to

figure out why the teams are so inefficient at a macro level. They somewhat unabashedly disclose that their teams don't have any goals defined, let alone metrics to track progress. Then we remain shocked that we aren't progressing. Of the three pillars of InfoSec, which are considered people, processes, and technology, I believe processes are the most ignored and undervalued. I've grown frankly exhausted, and probably you have too, by the amount of articles about the cyber skills shortage, or, you know, I've even spoken about this, the somewhat pernicious complexity and misguided myths of the security technology space, which I was speaking about earlier this year. Yet I don't really see the same volume of fiery headlines and hot takes on Twitter about

how processes are failing us, despite the fact that processes are the underpinnings of how people work together with people and how they work together with technology. As an example from my work, I've actually been amazed at what our customers can accomplish in Excel: like, two people can manage a vendor risk program over thousands and thousands of vendors with just that. But what's common with all those customers is that, despite their people and technology constraints, they can very easily articulate their process and their methodology; it's because they've comprehensively defined it. A process is a series of actions or steps taken in order to achieve a particular end. You can have the best people and the best

technology, but if you can't define to what end they're working, how can they be used? Success is unlikely to manifest. You also have to determine the what before the how; it's prohibitive to determine the steps necessary until you define what the particular end should be. I believe there's insufficient attention paid in security programs as to what the particular ends are. Is it just, oh yeah, making Company Inc. secure? Is that really the best that we can do in earnestly defining security goals? The foundation for any product is to understand the goal for the product: fundamentally, what is the product's purpose? What are you trying to help users accomplish? Viewing security as a product forces you to define goals and come to terms with your team's purpose.

It also ensures you're prioritizing actions appropriately, honing in on what will actually improve the product and your customers' experience. If your own company is publicly traded, or even if it has competitors that are publicly traded, have you read their annual report? Can you summarize the risk factors they outlined in the 10-K, which is an SEC-required document? The risk factors section is literally a cheat sheet: they will stack-rank a list of risks that they think are most material to their business. If you don't understand the risks to your business's ongoing operations from the organization's perspective of priority, how can you possibly understand what is most essential to protect? I assure you, you don't have to dive deeply

into the world of product management in order to improve your security program. The aforementioned rants by my friends that are on blue teams are painful primarily because they include examples of what you definitely shouldn't do in product management if you want to continuously create successful products. So just not doing those things will show progress, let alone doing the right things. What lurks beneath the frustration I think expressed by so many in our industry is ultimately a sense of helplessness: we don't feel empowered, we feel stifled and downtrodden. I would argue, in any profession where you would spend a lot of intellectual effort and time capital into improving a problem only to feel

like you're running in place, you'll see a lot of burnout. And then, on top of that, despite a common understanding that reactive approaches to defense are misguided, we maintain reactive processes. Security teams are accustomed to receiving direction externally, feeling burdened with priorities that defy their beliefs of what is important, as if some sort of secular organization like a capitalistic business could dictate the priorities of such a sacred order as security. Once you adopt the mindset of security as a product, you can begin to take control. One of the basics of product management is that solely delivering exactly what the customers demand or ask for, without understanding the motivation behind their demands, will lead to poor outcomes and potentially monstrously disjointed

user experiences that are basically customized with individual features for each individual customer. You have to proactively understand your customers' perspective and look beneath the surface of what they're requesting to discern the underlying challenge or desire. How many of you here have worked in retail or food service or another service job? A lot of you. I have too: I worked at a department store and then a froyo shop, and I think if security people think they're treated badly, they have never worked in one of those jobs. But on the happier side, at the department store, as opposed to cleaning up froyo thrown by a three-year-old, one method by which I could upsell merchandise was by

learning a bit about the customer: asking questions about why they were shopping and what frustrates them. Stereotypically speaking, at the time most customers were women, and generally they were preparing for an event, a date, a gala, whatever else. I listened carefully to pick up any clues that could indicate their challenges, for example, one to which I deeply relate, "I hate wearing dresses," or "I'm gonna be on my feet all night and I'm gonna feel uncomfortable." Even a morsel of that sort of data was enough for me to find additional options for them beyond the items that they chose: perhaps a dress with pockets and an elastic waist, something the dress-wearers here would agree looks chic while

maximizing comfort. But there's also the benefit of, for example, a maxi dress; if you don't know what one of those is, it's one of the ones that reaches the floor but it's not a formal gown, and with it you can actually wear flats and no one knows, so it still looks fancy even though your feet are comfortable. So I'm aware that I'm basically describing a really robust recommendation engine. I think humans can excel in that effort too; it's not just Netflix. Amazon's is pretty bad, but let's set that aside. I think all of us can agree we'd like some sort of office fairy godparent anticipating our needs and then making our lives easier, all without having to

request it. Now, it may be a bit hard to hear, but because I'm a product manager, not, strictly speaking, a security professional, I can attest that security teams are frequently considered the exact opposite of this: something like some sort of sulking demon that seems to relish, like, making their lives as hard as possible, and decrees that you're forbidden from whatever you need to do to get your job done, seemingly not even caring about what those things are. Security teams rely primarily on direction, yet also resent this dependence. But ironically, when I speak to security, they also begrudge the notion of reaching out proactively to their organization's stakeholders to discern what needs to be done. This inconsistency of

thinking leads me to somewhat believe that what many security people want is to dictate what's important to the company from a security perspective, based on their own opinions, as dictated by what I call the elder InfoSec deities. Frankly, at times it takes considerable effort not to make a face after listening to them kind of opine about their blue team utopia, or "blue-topia" as I call it with friends, and then ask pointedly, like, "Have you considered that your opinions might be wrong?" I don't really need help in being socially awkward, and that would just amplify it. The larger part is, I also don't think it would be that

deterred even if their opinions are called wrong. My conclusion is that this is because of what I call the Steve Jobs myth. For full disclosure, I think Steve Jobs was a jerk and I think he's a really wretched role model for leadership on a variety of levels, but I do recognize that he tends to be idolized by the type of people that prioritize their personal opinion over what their organization actually needs. Because of this Jobs myth, the story goes that through the spellbinding, imaginative, you know, Jobs gut instinct, defying all user evidence, market research, whatever else, Apple birthed the iPhone to completely revolutionize the way we do everything. But that's not what actually happened. What actually happened is there was an

experimental project, initiated without his knowledge, which received a lukewarm reception from him once it was presented to him because he thought something sucked, but he trusted the team to work through all the technical details and allowed the head of the project to actually hire other engineers within Apple to work on it. What he insisted on in return was seeing an interface that is intuitive and exciting to lay users, not tech geeks, before he'd be convinced. So the Steve Jobs myth perpetuates the idea that Jobs gave minimal thought to user needs, which generally means that some people feel empowered not to care about other people's needs either; they think it's the only way to possibly conceive brilliance and leave users truly

awestruck. Jobs's true concern was actually that you can't simply ask people, "Hey, what's the next best thing, like, what would you really want to buy next?" That market research is insufficient to conceive a product that customers will love. He did, however, view user research as essential, as seen in his requirement for the iPhone. What he understood is that people don't always say, or frankly even know, what they want, but through user research you can see which preferences they truly hold based on how they behave. In behavioral economics, which, if you've seen or read any of my talks, obviously I focus on a lot, there's a very clear hierarchy between stated

versus revealed preferences. Humans can be proficient in fooling themselves about what their preferences are, or they may be lying, or they may want to save face. So, as a self-deprecating example, if someone asked me, "Are you more inclined to have, like, a wonderful, you know, chicken and broccoli and spinach dinner during the week, or a can of tuna, like, sloppily mixed with mayo?", I'm not inclined to necessarily reveal that I have a lot of similar behaviors to a cat, right? So I'm gonna answer chicken and broccoli and spinach, and that's my ideal self in mind. If you actually observe the dinners, maybe it's, like, a can of tuna, sometimes without the mayo if I've forgotten to pick it up, or just not even

dinner if I'm busy, and that's a vastly firmer source of truth of what I would actually do than what I say.

For an example from InfoSec: if you ask people in your organization, "Do you find SSO easy to use?", you may discover a variety of answers. Maybe they answer yes because they don't want to feel less intelligent by not finding it easy, or they use it so infrequently, for whatever reason, they just don't use technology or the services in your organization, that they've forgotten the frustration they had the last time they did use it. Maybe they answer no because in the customer meeting an hour ago it totally screwed up their demo and now they're really, really mad. You might even find that people's answers will switch from one week to the next depending on what their most recent experience has been. You can examine

revealed preferences instead, looking for the number of customer support tickets related to SSO; the number of multiple push notifications, like, if someone's requesting a push notification, like, 20 times in one minute, it's probably not working right for them; the number of password reset requests; or how many people re-entered the URL of the service after being directed to the SSO page. These metrics are more likely to tell the truth of how users actually view, and are actually hindered or helped by, SSO. Another issue arising from the so-called Jobs myth is that believers of it use it to justify proceeding with their projects, generally with the assumption that the users will learn to love it, because they
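As an added illustration of the revealed-preference SSO metrics just listed (this is not code from the talk), the following Python computes all four signals from constructed identity-provider log lines; the log format, field names, the 20-pushes-per-minute threshold and the 10-minute bypass window are assumptions.

```python
# Added example (not from the talk): computing the "revealed preference"
# SSO metrics the speaker lists, over constructed identity-provider log
# lines. The log format, field names and thresholds are assumptions.
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed sample events (not real data), one per line:
    <ISO-8601 UTC ts> user=<id> event=<type> [service=<app>] [tag=<t>]"""
    lines = []
    # alice: 21 MFA push requests in 40 seconds, the "20 pushes in one
    # minute" pattern the talk calls "probably not working right for them"
    for i in range(21):
        lines.append(f"2018-05-18T13:00:{i * 2:02d}Z user=alice "
                     "event=push_request service=salesforce")
    lines += [
        # bob: three pushes spread over an hour, normal usage
        "2018-05-18T13:05:00Z user=bob event=push_request service=salesforce",
        "2018-05-18T13:20:00Z user=bob event=push_request service=wiki",
        "2018-05-18T13:40:00Z user=bob event=push_request service=wiki",
        # password resets
        "2018-05-18T13:10:00Z user=carol event=password_reset",
        "2018-05-18T13:12:00Z user=bob event=password_reset",
        "2018-05-18T14:10:00Z user=carol event=password_reset",
        # dave is sent to the SSO page, then types the service URL directly
        "2018-05-18T13:30:00Z user=dave event=sso_redirect service=wiki",
        "2018-05-18T13:31:30Z user=dave event=direct_url service=wiki",
        # carol completes SSO normally
        "2018-05-18T13:35:00Z user=carol event=sso_redirect service=wiki",
        "2018-05-18T13:35:20Z user=carol event=sso_login service=wiki",
        # support tickets, only some of them about SSO
        "2018-05-18T13:50:00Z user=erin event=ticket tag=sso",
        "2018-05-18T13:55:00Z user=frank event=ticket tag=vpn",
        "2018-05-18T14:20:00Z user=gina event=ticket tag=sso",
    ]
    return lines


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, *pairs = line.split()
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


EVENTS = [parse_line(line) for line in constructed_log()]


def push_burst_users(events, threshold=20, window=timedelta(minutes=1)):
    """Users who requested >= threshold pushes inside any sliding window."""
    pushes = defaultdict(list)
    for ev in events:
        if ev["event"] == "push_request":
            pushes[ev["user"]].append(ev["ts"])
    flagged = set()
    for user, times in pushes.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def password_resets(events):
    """Password reset requests per user."""
    return Counter(ev["user"] for ev in events if ev["event"] == "password_reset")


def sso_bypasses(events, window=timedelta(minutes=10)):
    """(user, service) pairs where a direct URL hit followed an SSO redirect."""
    redirects = defaultdict(list)
    for ev in events:
        if ev["event"] == "sso_redirect":
            redirects[(ev["user"], ev.get("service"))].append(ev["ts"])
    hits = []
    for ev in events:
        if ev["event"] != "direct_url":
            continue
        key = (ev["user"], ev.get("service"))
        if any(timedelta(0) <= ev["ts"] - r <= window for r in redirects[key]):
            hits.append(key)
    return hits


def sso_ticket_count(events):
    """Support tickets tagged as SSO-related."""
    return sum(1 for ev in events
               if ev["event"] == "ticket" and ev.get("tag") == "sso")


def summarize(events):
    """The four revealed-preference signals in one report."""
    return {
        "push_burst_users": sorted(push_burst_users(events)),
        "password_resets": dict(password_resets(events)),
        "sso_bypasses": sso_bypasses(events),
        "sso_tickets": sso_ticket_count(events),
    }
```

Run `summarize(EVENTS)` on a real export by swapping `constructed_log()` for your identity provider's event feed; the thresholds are the knobs to tune per organization.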

believe Jobs's ideas were so productive and out there, too progressive, that even if users didn't love it at first, they would grow to love it because they would see the vision. That's also fairly inaccurate. As Jobs himself stated, you've got to start with the customer experience and work backwards to the technology; you can't start with the technology and try to figure out where to sell it. Simply because you personally believe something is valuable or important doesn't mean it is. You have to understand the problems that are actually meaningful and work backwards from them. This isn't just an issue with blue teams; it's a symptom of the InfoSec market as a whole, including

InfoSec startups. It's a classic blunder of creating a hammer in search of a nail. Your job is not to predetermine priorities in kind of this sandboxed headspace and convince the organization that securing something is of vital importance when it doesn't actually present material business risk. Your job is to determine priorities based on what veritably helps the organization, and explain why your solution is the right one to help them. An extension of this fallacy can also be reversed, where security people can be presented with a valid solution to the organization's problem and reject it because they personally don't believe the problem is important. So, as a real-world example: somewhat recently, a security professional I know pushed

for a specific product to be purchased in their organization. They presented the four-figure cost, which is, you know, for security products, that's pretty good, and a variety of use cases where it can be used throughout their organization, such as simplifying the ability for engineers to set up early detection and warning systems in the company's infrastructure. They shopped the idea around to many security people and groups on its usefulness and gained their buy-in as well. However, the person in charge of procurement, security procurement specifically, held a personal opinion that this type of product isn't useful and constantly pushed back on the request. Again, a four-figure request, versus the typical, like, six-figure blinky boxes we see. I see this so frequently

and hear about it so frequently that I began calling it security morals, but I now really think it should be called security dogma. What I mean by that specifically: there are somewhat rigid principles common among security professionals that are treated as dogma, with a seemingly insatiable desire to satisfy the elder InfoSec deities by strictly adhering to their doctrine even if it defies the organization's needs. In a SaaS product, for example, if an engineer refuses to add a print button because they personally think it's useless, because you can just right-click and hit print, despite user research showing that everybody's confused about how to actually print the page, their personal

opinion will be demoted in favor of the concrete evidence. If they did this regularly enough, they'd probably be placed on a performance plan. In security, similarly, commitment to your own beliefs is rewarded, as if performance is measured by how steadfast your belief is in the security dogma, how rigidly you adhere to the security morals. Such behavior wouldn't be rewarded if you viewed security as a product. When speaking with defenders, I've noticed that many bristle at the notion of even having customers, as if there's some sort of neutral force above the fray, akin to the Federal Reserve. It was in thinking through why so many defenders hate the concept of having customers that my notion of security dogma really

solidified: that their principles of security are treated as incontrovertibly true and mandatory to implement regardless of the reality of the organization, of what determines the organization's fortunes or what endangers its continuing operations. Security professionals may view themselves as some sort of, like, heroic knight, but to others in the organization they're going to come across like some really freaky and really weird Knights Templar, as in the trope: even minor security offenses are super critical, everything is really high priority, enforcing justice is paramount, sin is non-negotiable, and an egotistical complex emerges of interpreting any resistance to your so-called noble intentions as evidence of principles in need of correction. While you are not in fact a knight, although I would also like to be a

knight, you do have the opportunity to be some sort of, kind of, small-scale hero. But it's not by rescuing someone who is not actually in distress just because you believe they need rescuing. Again, your customer is your organization. Imagine if you attempted to order food in an app and it didn't let you, because it thought the food was, like, insufficiently healthy, but it never really explained what healthy means and what those metrics are. Would you enjoy the app? I would be pretty pissed at it. I mean, I might grudgingly admit, like, they had a point about, like, midnight pizza, but I still wouldn't enjoy it and would probably use something else.

This is more than just about not being likable; it's also about respect. Likability isn't necessary for being effective, but you need to be respected. Instead, if you're perceived as dogmatic, I promise you that you will not, in general, garner the respect you need to be effective. I'm usually a bit astonished at how little security teams work on cultivating organizational buy-in, since it's a core part of my job as product manager; like, I would not be able to ever release a product without it. I personally also believe a security program is unlikely to succeed without it. It doesn't mean everything becomes watered down and, you know, plaintext creds are totally fine; that's not the case. You don't need to have a perfect agreement that says

the same; it means ensuring the organization feels it's a stakeholder in security, that it's along for the journey, that security is not their adversary but a fellow team attempting to better the organization just like they are. You could actually never implement things that they ask for or request or propose and still foster a sense of consensus just by presenting your point of view with some sort of sense of empathy. I personally struggle with empathy; I often think in boxes, and like a lot of people in tech, I'm somewhere on the spectrum, so practicing it can feel unnatural. But I assure you it's not impossible; if I can do it you can definitely do it, and

your job will also become substantially easier when you really actively listen to people and ensure you're understanding their point of view, rather than trying to dismiss them and just ram your point of view down their throat. Active listening in general, I think, is one of the most useful life skills, so I recommend googling it. But cultivating customer empathy is the first step you should really take in transitioning security to a product. An example method is the five whys; some of you may be familiar with this. The goal is to dig deeper into why something is a problem and identify its root causes. You may have done it on the technical side before, but as an example: "Why don't you

want to implement two-factor authentication for Salesforce?" "Why don't you want to add a step for salespeople to log into Salesforce?" "Why can't the salespeople afford the additional time?" "Why do salespeople need to log their call notes immediately after a call?" "Why do salespeople need to transfer their notes from Google Docs to Salesforce?" The root cause is arguably that there is friction between the notes salespeople take during the call and when they're meant to log the call. The solution might be to integrate Google Docs into Salesforce, meaning the user has to only log in once during the course of the work, which also means that implementing two-factor will be a lot more palatable. As in this case, you

may get answers that don't actually seem like they're security related, and thus they seem irrelevant to you, but your role is to connect the dots between business operations and the security risks that threaten them. I strongly believe that your highest value as a security professional is perhaps in empathizing with the organization's business risk and then identifying where digital risks arise that amplify or solidify that business risk. Your customer knows what endangers their operations and their longevity as a business, but they don't know how that danger manifests in the digital domain. Once you feel you truly understand where customers are struggling, you can begin architecting your vision. Consider your vision for your security program as a story that will unfold over time.

Themes sit at the heart of stories. Many of you took English; you probably always had to identify themes, maybe hated it, but they do serve as kind of the anchor of stories. They're the foundation for the central idea the author is attempting to convey. The plot, or the events that unfold within the story, supports the theme and carries the story towards its goal. In the security-as-a-product model, you will also have themes; those themes will also have plots, courses of work that drive towards the goal, and the actions that you need to take for those courses of work. Before defining any of the work, however, you have to envision the overarching story. Few people are naturally

proficient storytellers. I don't necessarily think I'm one of them, but one thing I do like doing, I like being a little cheeky and cheesy and getting a little wild and crazy with things, so you can create this sort of weird fairy tale narrative. So here's one of mine. At the turn of the year, our heroes embarked on their quest. They heard the cries from the local farmers of meager yields and slow harvests due to bugs; imagine, like Gerald earlier, something like in one of the very muddy towns. It would not simply suffice for the heroes to kill all bugs as they appeared; after all, they had many quests elsewhere to complete. They knew

their noble purpose was now to help the farmers ensure a bountiful harvest that they could sustain on their own. Our heroes' first goal was to reduce the amount of time it took to squash bugs spotted in the fields, as the bugs could hurt the harvest if they were left alive. As spring's first blossoms emerged, our heroes transitioned to their second goal: ensuring fewer bugs were being introduced into the crops. They helped the locals map out how their field architecture would look ahead of planting, to determine where bugs could spring up. As summer began sizzling, they toiled to ensure that their tools could be used by the locals as well, not just the heroes, focusing the work on

crafting one master tool that locals could use, which would automatically determine which of the specialized tools was best at reducing bugs for the types of fields being sown. As the first leaves of autumn fell, our heroes tested this magical tool with a small group of locals, carefully analyzing results, and finally released it to all of the locals so that they could begin their next year empowered to have a bug-free harvest. This also meant the heroes would have to do even less work of patching and helping locals tend to their fields, allowing them to focus on new quests. A wizard hat is always optional but recommended if you're doing this, and it can be a fun team exercise. So in that

story, are there really any security principles being violated or sacrificed? The overarching goal is ultimately to reduce the number of vulnerabilities in production. As in this story, there may be multiple themes that are part of the same story: reducing the mean time to fix vulnerabilities, adding threat modeling in the design phase to introduce fewer bugs, and creating an automated tool that abstracts multiple security products away from the engineer so they can test their code efficiently during development. The goal is still fundamentally a security goal, but it uses customer empathy: the engineers want minimal friction in their workflows, as close as you can ever get to, like, push button, get security. They will absolutely love it. Your team as a

stakeholder is also not ignored in this. The two initial themes are enablers to the longer-term goal, reducing the current workload of your team to support progress towards an even more efficient solution that will reduce work even further. It's essential to view it as a full story and not be disheartened that your end goal can't be accomplished immediately. Setting themes and dreaming up your vision can inspire you so fully, perhaps, that you find yourself with a full cornucopia of ideas. But unless you're exceptionally fortunate, you won't have the resources necessary to pursue all of those different ideas, so you have to prioritize them. Prioritization is one of those tasks that's really easy to say

and really, really hard to do in practice. When I build roadmaps for my work, a lot of times I'll put a ton of stuff on the page, and I'll have to really think when it gets down to the this-or-that decision that requires me to push back work on something that still would really benefit customers, just not as much as the other thing. My first word of caution to you in this is to avoid prioritizing things based on what you feel is most important. Waging a war of opinions is one in which everyone loses, and that's ultimately what you'll be doing, at least for a dictatorship style, if you use your personal views for prioritization. Instead, you again have to

return to the perspective of your customer. You may personally believe that the theme of reducing the volume of emails with malicious attachments is the most important one; your organization may have deployment frequency and lead time metrics currently hampered by security measures, which more tangibly affects business performance. How do you differentiate which of these to prioritize? You collect and analyze data, both qualitative and quantitative. A good engineering program will already be tracking metrics such as availability, customer tickets, deployment frequency, error rates, lead time, mean time to detection (MTTD), mean time to repair or recovery (MTTR), and mean time to failure (there's some contention there, so I won't cover that). Ask engineering how those metrics are being impacted by

security requirements today. Similarly, if you aren't tracking metrics in your own program, you really should be, because it's necessary for measuring progress in a product. That includes your own MTTD and MTTR, such as how quickly you've remediated product security tickets. Also include measuring the frequency of configuration management changes, such as firewall rule updates and patching; anything that measures the tempo of your program. You can also measure how resources, specifically your security team's time, are being used. Are they spending half of their time extinguishing fires? Is a third of their day, or a third of their month, dedicated to working on your SIEM and maintaining it? Do they spend a week each month asking routine questions that they repeat over

and over to threat model with the engineering teams? These all represent opportunities for automation, as there's benefit in reducing the cost of your recurring security tasks and freeing up resources for more impactful streams of work for your organization. You should also poll how your team wants to spend their time, to ensure that you retain your talent and you avoid needing to worry about the pipeline problem in the first place. Beyond this, you also need to quantitatively measure how your organization assesses the efficacy of your program. If you're familiar with NPS, that's Net Promoter Score; it's pretty simple. You ask the customer to rate you zero to ten, and then there's a fancy calculation that then shows

how many more promoters you have than detractors. So conduct your own internal NPS surveys for the security organization: what do teams think when they interact with security, and how satisfied are they with the security program? I'd recommend keeping them anonymous, because security people can frankly be a little scary, and they don't want to have to deal with you if they say something bad about your program. Quantitative data doesn't always tell the full picture, though; qualitative data helps fill in detail, and it may even expose concerns that are difficult to discern from quantitative data. Talk to a selection of individuals across different roles and levels in your organization to hear their feedback on how security can better meet the needs

of their work. You should also ask people on your team, not just senior people but also junior people, to get their feedback as well. Again, anonymous surveys can be your friend, since people are more likely to be honest. My security fairy tale above could be an example of hitting the nexus of what your data is telling you, which helps decide priority. Let's say senior engineers are dissatisfied with having to wrestle with security testing products themselves, and their deployment frequency is suffering. Half of your product security team's time is spent on patching and last-minute security testing before GA; probably some of you have dealt with a development team being like, "oh yeah, we're releasing tomorrow, can you do a security review?",

which no one wants to hear, and that would be because engineering finds it too onerous right now to actually bring you in earlier in the process. Maybe you have three product security people making, let's say, I don't know, $100,000 each per annum, and you're spending $12,500 a month on something the customer doesn't like anyway. Perhaps, as a last data point, your product security team has expressed the desire to do more research and build custom tools. A project, then, to build a custom tool that lets engineers self-serve their security testing in the development process, and to standardize threat modeling for the design stage, would improve all of the data points you collected. It also happens to be

straightforward to measure, which makes the likelihood of success even greater, since you can more easily determine which aspects of the product aren't working. There are also a few economic angles to consider here. First is opportunity cost: by supporting legacy technology with time and money, from what else are you taking away resources? Some of my favorite CISOs share, coincidentally or not, the trait of thinking about their programs in terms of the monetary cost of work. Importantly, this includes pricing the total cost of a security product, which includes the amount of time spent on maintenance, tuning, tweaking, and troubleshooting that your team will have to perform on an ongoing basis. When I did a very, very non-scientific and informal Twitter poll

asking about maintenance costs of different security tools, I assumed that the most would be 35 hours per month, so I just had "35-plus hours" as the top option, and everyone who was using a SIEM answered 35-plus hours a month. Are you including that in your evaluation of whether to renew with that product, in that total cost? To extend that, any expenditure of effort by your security team on an action is directly taking away your ability to invest in another action. The second is the sunk cost fallacy, with which some of you may be familiar: just because you've invested a lot of time and money into something already doesn't mean it's still worth pursuing. Throwing strong resources at weak

purposes will deteriorate your product. As in the aforementioned example of opportunity cost, if legacy security products require substantial ongoing maintenance to perform as you need, prioritizing a theme of moving to newer and less burdensome products may be necessary. Even if it adds some sort of short-term resource cost, it allows the plot in your story to ultimately move forward rather than stagnate. But the product management process doesn't stop with even the themes prioritized. It has to be stressed that any security initiative will inherently be shared, due to its nature of affecting the organization. Your customer has to be brought along on the journey and feel like they have a stake in your story. When you're soliciting that feedback I mentioned from other people,

it's an opportunity to grow a working relationship and ultimately to engender trust. Rather than nixing their ideas on the spot, which is frankly a huge temptation of mine (but again, I promise, if I can do it, you can definitely hold your tongue too), if you don't think their ideas are worthwhile, usually it's like, "oh, I haven't considered that, my team will have to look into it." You don't want to promise that all suggestions will actually be implemented, or you'll end up with a lot of disappointed people, but you do want to make people feel like they've been heard. And if you do end up implementing something that they suggested or requested, or that meets their pain point, they're going to be

really happy with you. Also be transparent in your story. Start by determining who the right stakeholders are in each organization, and ask them, maybe bring coffee or doughnuts or something else, when you present your story to them. Ask them what they think of it. Are there any assumptions with which they disagree? Are there any risks that haven't been captured? How do they feel it will impact them? Ask open-ended questions so as not to guide them before trust is established; phrasing the question as "how will this help you?" may compel them to be supportive rather than expressing how it won't actually work for them. As someone working on a product for the third-party risk

management use case, I can tell you that no matter your industry, someone on your sales team is having to deal with questions about how good your security is, and they have no idea what the answer is. So presenting your vision and your progress towards that vision gives them a differentiator to reference, to show that you're truly thinking about security, even if it's far removed from whatever the primary use case that you're selling is. Also connect with product managers, like me, or whomever is designing whatever your organization offers, even if it's a service. Not only will you benefit by receiving feedback on what to prioritize, and also on how to implement it; it'll also inspire them to keep you

abreast of their own roadmaps. That also benefits you, because you'll get a heads up: "oh yeah, we're about to release this new API publicly," and so on, and you won't be finding out about it one day before GA. As far as how you present your story, I think some sort of visual aid is generally advisable, because then they can also look at it later. If you've seen my slide presentations before (so you don't have any today), you might guess that I tend to expend some sort of effort on visual ideas and how they're presented, but I can tell you that the slides that I normally do for conferences are at a

different level than what I'm presenting internally. You have to be efficient about it. You always have to bear in mind what the listener has to take away, what's the point you're trying to get across, and leave whatever else for voice-over. Bear in mind also that while the technical meat may be a very delicious thing for you, it may be very unappetizing for other people, particularly if they're not technical. Your goal, again, is to cultivate consensus around your themes, around the journey of your security program, not around the intricate details of the plot. You need to express in accessible terms what the theme is, the value it brings to the organization, and any risks or considerations

that will be shared challenges across the organization. Returning to our fairy tale, a slide could be presented as follows. Our vision is to reduce the number of vulnerabilities in production. Our goals are to reduce the lead time to deployment, mean time to patch, and security team time spent on security testing. The primary benefit to the organization is less friction for engineers to test for security vulnerabilities, allowing for our products to be released more quickly. The secondary benefit to the organization is reducing the cost of security testing, helping with scalability as well as freeing up resources to accomplish other security goals. We will need to partner with engineering to understand their workflows and ensure a security testing

orchestrator is deployed appropriately into those workflows. We will need to partner with product managers to introduce threat modeling during the design phase, which will require a near-term time trade-off for longer-term cost reduction. You begin by inspiring stakeholders, then end with what you need from them to accomplish your goals. This has another benefit of putting those requirements on the radar in advance of when they'll need to execute upon them, resulting in a quicker turnaround time for you. By the end of this prioritization process, I hope you would feel emboldened by the knowledge of which themes are most important to accomplish and in which order. Now it's time to execute, and that means defining what steps you need

to take to reach a goal. If you have a program manager, this is exactly where to bring them in; you can even borrow one from another team just to help out at first. Don't pretend to be one. You shouldn't assume you understand the abilities and the constraints of your team members and assign tasks to them without checking with them first. You lead the charge on the "what", but you have to include others in figuring out the "how". Look to the real Steve Jobs, not the mythical fairy-prince Steve Jobs, who recalled how he trusted the iPhone project team to actually figure out all of the "how" around it, as long as it met the overall goal for the

project. It depends on the size of your team; you're perhaps the only one or two individuals on it, and I know a lot of y'all are resource-constrained. But where I see product managers fail is when they vacillate between providing zero direction and feedback and really obsessively getting into the weeds. Through the process I outlined, you already actually defined the requirements of the project, since you needed to present it to the rest of the organization, so there isn't necessarily a lot more work that you have to do before people can get started on the "how". If you want to really make an impact, begin tackling your security debt. I'm assuming some of you are familiar with technical debt, which is when,

essentially, most of the time, quality is sacrificed for speed, typically with the false promise of "oh, we're going to totally fix this later once we have time," which is never. Ironically, by not treating security as a product, you're much more likely to accrue security debt as part of your crusade to integrate your gospel. But pursuing security as a product involves treating it almost like a living thing to be nurtured, one which decays and requires that sort of nurturing and growth in order to stay alive. For each shortcut you take, are you considering what challenges will be created later? Did you document why you can't address it now? For example, is it

because there will be a superior way to fix it later on? How frequently are you returning to these shortcuts in that documentation and paying down your debt? There's power in ownership. The endowment effect is a discovery from behavioral economics that people ascribe more value to things they own. Even if you just give them, let's say, a coffee mug, they're going to value that more than a coffee mug on the shelf, and far more than they actually should. Your security program, once it's a product, becomes something that is actually yours: it's your vision and it's your story. In a fashion, you can consciously nudge or trick yourself into a mindset that will inherently encourage

you to take better care of your security program, because you own it. I stress this because a lamentable consequence of the nihilism I see in defenders is that they cease to care about the security of their organization on a time horizon that is beyond when they know that they're going to leave the organization, with the generally tumultuous turnover that we see in security teams: sometimes it's even less than a year, generally two or less. If their strategy is security dogma, devotion to it dies whenever the believer leaves; whatever new zealot comes in is going to implement whatever they want. By creating your vision for the security program, again, as a product, you're

essentially writing the map for the security program's journey, for that quest forward. An incoming hero, unburdened by dogma, can see where they are in the journey and where they're supposed to go to reach the destination. It's unlikely that every stop on the journey will actually be completely discarded. They may change a few things, and, modulo the fact that if there isn't a lot of evidence, or you fudged evidence and you still prioritized by your own opinions, maybe they'll cut it out, what's more likely is that they will change the "how", the underlying methods for reaching that destination. So the overarching quest, which is your vision and, to

some extent, frankly, your legacy, remains intact.

Speaking of switching jobs, the product process actually helps you with switching jobs: what is changing is actually the end customer, not the process. Even with dresses, when I helped women pick out dresses, there would be customers with characteristics in common with each other, right, so your maps are meaningful beyond whatever the initial customer is. If you want to rise in the ranks in a security team, or just in general in your security career, the practice of articulating a clear vision and fostering consensus will only serve to demonstrate competency, and demonstrating to your executives or to your board of directors that you understand them as a customer will

nourish their trust in your ability to deftly manage risk in a way that supports the organization's success. So this is the happy ending to my own vision I've shared with you today: that you can ride into the sunset knowing you are a hero in a way that actually helps the damsel in distress, or man in distress, it's 2018. The fanatics who sought to serve spurious justice instead will never reach their dream of some sort of security utopia; they'll just wail relentlessly into the wind, like they do today on Twitter, about the persecution at the hands of the locals who just simply want to prosper. Inspiring your organization with your story of how

security can allow it to thrive, and making them feel like they have a part to play in it, your band of heroes can and should include your colleagues outside of security, who will be far more willing to aid you in your quest, however long and arduous it may be, if you take the time to discuss its purpose with them from a position of that customer empathy. Security is a product based on the definition of a product, and reluctance to embrace that fact, to me, is like rejecting the scientific evidence in favor of scripture. There's a way forward that doesn't actually rely on the blessing of the elder InfoSec deities through enforcing security dogma, which I also

think happens to be the path of least resistance, despite being less dictatorial. Dogmatism in the name of security purity will crumple as any sort of foundation for that utopia I mentioned, but a pragmatic approach that supports your devoted followers, the people in your organization, in a visionary quest might be the right start for our collective journey. Thank you. [Applause]
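The two quantitative measures the talk tells you to track for your own security program, an internal Net Promoter Score survey and mean time to remediate for product security tickets, carried out in code. This is an added example, not code from the talk or from the speaker. The survey scores and ticket records are constructed sample data, and the 9-10 / 7-8 / 0-6 promoter / passive / detractor bucketing is the standard NPS definition, which the talk only refers to as "a fancy calculation".

```python
"""Added example (not from the talk): an internal Net Promoter Score for the
security team, and mean time to remediate (MTTR) for product security tickets.
Every survey score and ticket below is constructed sample data."""
from datetime import datetime
from statistics import mean

# Constructed anonymous survey responses, 0..10, to "how likely are you to
# recommend working with the security team to a colleague?"
SURVEY_SCORES = [10, 9, 8, 6, 3, 9, 7, 5, 10, 4, 9, 8]

# Constructed product security tickets; "resolved" is None while still open.
TICKETS = [
    {"id": "SEC-101", "severity": "critical",
     "opened": "2018-05-01T09:00", "resolved": "2018-05-02T09:00"},
    {"id": "SEC-102", "severity": "critical",
     "opened": "2018-05-03T10:00", "resolved": "2018-05-05T10:00"},
    {"id": "SEC-103", "severity": "high",
     "opened": "2018-05-04T08:00", "resolved": "2018-05-10T08:00"},
    {"id": "SEC-104", "severity": "high",
     "opened": "2018-05-11T12:00", "resolved": None},
]


def nps(scores):
    """Standard NPS: promoters score 9-10, detractors 0-6, passives 7-8.
    Returns (nps, promoters, passives, detractors); NPS lies in -100..100."""
    if not scores:
        raise ValueError("no survey responses")
    bad = [s for s in scores if not isinstance(s, int) or not 0 <= s <= 10]
    if bad:
        raise ValueError(f"scores outside 0..10: {bad}")
    promoters = sum(1 for s in scores if s >= 9)
    detractors = sum(1 for s in scores if s <= 6)
    passives = len(scores) - promoters - detractors
    score = round(100.0 * (promoters - detractors) / len(scores), 1)
    return score, promoters, passives, detractors


def mttr_hours(tickets, severity=None):
    """Mean hours from opened to resolved over resolved tickets only,
    optionally restricted to one severity. Open tickets never enter the mean
    (a stale backlog must not make the number look better); they are counted
    separately. Returns (mean_hours or None, resolved_count, still_open)."""
    durations, still_open = [], 0
    for t in tickets:
        if severity is not None and t["severity"] != severity:
            continue
        if t["resolved"] is None:
            still_open += 1
            continue
        opened = datetime.fromisoformat(t["opened"])
        resolved = datetime.fromisoformat(t["resolved"])
        if resolved < opened:
            raise ValueError(f"{t['id']}: resolved before opened")
        durations.append((resolved - opened).total_seconds() / 3600.0)
    avg = round(mean(durations), 1) if durations else None
    return avg, len(durations), still_open


if __name__ == "__main__":
    score, p, pa, d = nps(SURVEY_SCORES)
    print(f"security NPS: {score} (promoters={p}, passives={pa}, detractors={d})")
    for sev in (None, "critical", "high"):
        avg, done, open_ = mttr_hours(TICKETS, sev)
        print(f"MTTR {sev or 'all':>8}: {avg} h over {done} resolved, {open_} open")
```

Report the open-ticket count next to the MTTR rather than folding it in: a team that never closes its hard tickets would otherwise show a flattering mean, which is exactly the kind of massaged statistic the Q&A warns about.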

[Music]

Any questions will have to be after, whenever you're ready. I think we're good. Does anyone have any questions? I think we have about 10 minutes.

Yes, definitely. As you pointed out, it's nothing, basically, if you get into an interview in depth and they're just ranting about how annoying security is and blah blah blah. It's far better to understand what their general challenges are in getting their job done. It's almost stopping them; in this example, again, like, "oh yeah, it's just really annoying when, in sales, we're trying to log our calls and we have to enter a second factor on vacation." It's like, okay, well, is the time the problem? Really digging into it, again, the end result may be that there are different systems for both of those, and that if you just unified them in one platform, you're fine using two-factor. I was, I think,

again, you have to have some level of patience, but I think you can also, one trick I do is, if you want to cut off a rant before it happens, be like, "wow, that was a really important point, or a really important thought, can you explain more about that to me?" And so you cut off them just continuing to ramble, and you're really getting them to dig into, okay, why is that actually a problem? Sometimes, frankly, I think without asking the five whys you'll have people that say, "oh yeah, I hate doing this," but then that's kind of the best way they know how to do it, and it could be only that

one person has that result. So really digging into, again, the root cause is more likely to hit on what all of their colleagues have happening to them. Yes, exactly, you can, I mean, I think it's a unique approach; again, you can kind of be a jerk in some ways and cut people off, as long as it seems... I don't think that's it. I think it's also almost like in a relationship, a lack of communication. Definitely, for example, in critical infrastructure, in some of the consulting I've done, when I walk through that prioritization exercise, they realize their company actually really doesn't care if customer data gets

exposed; the risk is so minimal compared to all the other risks they face. The fact that the security team is like, "well, we can't let customer data get exposed, this is essential," because it is everything they've been taught, means that when one of the other risks happens and the company loses a lot more money, it's like, "what were you doing?" What security, I think, fails to do, again, it's almost one of those "we hold these truths to be self-evident": security people know these doctrines so deeply that they don't understand how other people couldn't know. And it's even sometimes, when I've presented, for example, ideas from product management or even

finance to security people, I take for granted what I already know, and I need to justify and explain why some things matter. So again, it's being able to articulate why it even matters to you, rather than treating it as some truth everyone knows. The second thing is, I think, frankly, a lot of people have the luxury, again, that there is a talent shortage. But if you are working at an organization that, you know, doesn't have customer data as a risk, but that's really important to you, I really think you should consider if that's the right organization for you. It doesn't sound like the right fit if, you know,

protecting their oil rigs is far more important to them, and air-gapping all the remote systems is what ultimately is the best value for them, and you don't want to do it. I would say maybe look for something somewhere else, because ultimately, if you're going with the fact that you believe very deeply that the right thing to do is protect customer data, they're not going to be happy, and you aren't really serving the business; you're kind of serving your own sense of morals. Five minutes, anyone else? I'll also be around. Oh

they don't understand, understand...

[Music]

So one thing I'm working on, even on my own personal product roadmap, is that I fundamentally think the language of business is money, and speaking in terms of money, I do think, can help. The way I would phrase it to you: if the overall fine, I think HIPAA fines are capped at something in the low seven figures, which to some organizations is kind of low, but saying, "okay, your one minute of not bothering to do this has now cost four million dollars," do you really want to think of it that way? So I think trying to... I mean, I think we all know, in the news and everywhere else,

that people massage statistics and they make statistics work for them. I would say do the same thing: big scary numbers, in red, like "this is the loss you will experience based on this particular action," I think is useful, again, with cause and effect. I think what I see way too often is security people will say the general security risk of this will definitely result in a breach that will cost this; it's like, no, tie it specifically to where in the workflows, exactly what they need to do in order to reduce that risk. So again, using two-factor, making sure to use a password manager; make it very specific and very straightforward,

things they can do, not just "always consider security when you're printing something." Yeah, exactly, because you will understand; if someone says, "oh yeah, make sure you secure your device," you can assume it's this number of steps, but they're going to have no idea. But if you tell them, "make sure to have a password on boot," and find some way to help, or something else, it'll be a lot easier.

Yeah, there's sort of another talk secretly embedded in here, which is that I think at some point the DevOps and security movements are actually going to intersect, because they're all trying to measure and improve the same things, often fundamentally, and the same sort of processes benefit both. So I think they are using different language right now but fundamentally are often trying to optimize for the same things. Security problems, particularly any disruption to uptime, are going to be horrible for their metrics. Again, I do think that security people, you know, there's no real, I feel like, standard ontology in security, but again, we think

about it in terms of what's the risk, what's the potential impact, when it's rarely, again, in financial terms, and rarely, I feel like, truly probabilistic. So for example, there was recently some vulnerability in, I think it's some electric company's engineering system, and I was talking to a journalist about it. The business impact, especially, like, yes, we gain access to the system, but you still have to understand how to blow up an oil rig. This doesn't help you figure out all of the complex protocols for that; whatever you get just helps you get onto their system, and then you find a way to maybe pivot onto the oil rig

itself. What it did is basically provide a way into business systems. So security people will be like, "it's an RCE, this is absolutely critical, it allows access onto our networks," but from the business perspective it's like, "there's still this other hurdle before it really causes damage to us." So I think, again, going back to the monetary risk is really where you will convince; it's this universal language across all teams. That's why I emphasize that. I'm going to say, if you have DevOps or engineering, try to talk to them, explain what your problems are, be like, "how do you describe this?", and just try to learn, and vice versa. I

think there's, is that zero or one minute? One? Okay, thirty seconds. Any final questions? No? Awesome, thank you. [Applause]