
that describe me. Probably not all of them, but I tried to pick out some relevant ones. You can kind of see, and Chris will jab me about this, but "auditor" is up there, and yes, I was an auditor for 14 years. Way bigger, of course, Chris would say. I stopped being an auditor back in August and went into information security. I do have that a little smaller than "auditor", but the reason I don't have it as a bigger word is that I think geek, ghost, nomad, husband, father, haiku are more important than being an auditor, although being an auditor has played a big role in what I am today.

So in thinking about this talk today and what I did as an auditor: when you have an auditor come in to look at your education system as part of the audit, they want to see certificates that people went to talks or seminars, so that they know what they're doing. To me that seems like not the greatest test an auditor can do, because just looking at a certificate, or just looking at a list of CPEs you got for the year, doesn't tell you if you really understand the information.

The other word I have here is "father", and the reason I use that to describe me, especially for this talk, is that I have four kids, ages 2 to n, and I see how they learn every day. They bring home their homework, which is always a joy to get done, and I see how they learn and how they pick things up, and I try to mimic that in the way I learn, because they have a very fresh perspective. They still have a lot to learn in life, and they haven't been jaded by a lot of things we may have been. So I try to take that into the perspective that I use.

Haiku: I do write haiku. It kind of started out on a whim, but what I've learned from haiku that teaches me about education is that sometimes you need to simplify to get the message across at first, but then you have to go more in depth to get the complexity around it. So I write haiku; I try to do it every day. I've been really bad this last week because I've been trying to get my slides ready, so I do apologize, if any of you follow the blog, that there haven't been as many haiku.

But more importantly for this talk is the word "husband". My wife is a school psychologist,
and so that approach is actually what has driven a lot of what my talk is about here today. Her work really plays into this, so being a husband is probably one of the more important things I bring to this talk.

Okay, so as security people we all like to draw pictures on whiteboards, and this is my picture. As you can see, this is the traditional perception of school: it's the black box. We send our kids in and they come out with the diploma. We've got the little kid on the left-hand side getting ready to go into the school, and of course he comes out with a diploma. But we don't really think about what happens while they're there. We just know that they bring home homework and we've got to get it done, and they've got all these projects that they always like to put off, but to us school is a black box. Now we can think back to when we were in school and the different things we did, but a lot of times we don't think about that anymore, and a lot of things have probably changed since most of us went through school, and that's a lot of what my wife has been driving in her district.

So before we talk about
education we have to talk about intelligence. I got this bell curve off of Wikipedia, for proper attribution. The reason intelligence is so important is that we're all intelligent people here, right? We wouldn't be in information security if we weren't, so we like to put ourselves at the top of this list. But what's important to understand about intelligence is that the majority of people, you can see the two dark blue areas, make up 68% of the population. So 68% of the population falls within one standard deviation of average. If 100 is average, that means that within one standard deviation each way you have 68% of the people, so 68% of the people are of average intelligence. Then on each side of that you have about 13 to 14%, and those 13 to 14% are your above average and your below average. And if you look closely, about 90% of your population falls from two standard deviations below average all the way up to the top.

Now again, in our organizations we might like to think that we're dealing with the top-notch people, but in reality, if you look at this and think about 68% of people being of normal intelligence, we're dealing with a broad range of people. So we can't just say, well, why aren't our users getting it, they should know this, they're in business, they should be able to get this. Intelligence is a broad range.

The other thing about intelligence that we may not think about is this: when you go to school, to determine your intelligence they give you an IQ test. We all like to talk about IQ. What an intelligence test tells somebody is what your abilities are, what your potential to achieve is. There's another aspect of intelligence that they talk about in schools, and that's achievement, and when you have a disparity between intelligence and achievement, you have what's called a learning disability. So you may have a high potential, you could be up in that top tier, or you may be in the normal tier, but if your achievement is below where your intelligence is, that means there's something impeding your ability to learn.

Now in schools, the traditional role was to have the school psychologist test the kid, find out if they had a disability, if they had a problem learning, and then place them in some type of program to help them learn better. Sometimes that's a good thing and sometimes that's a bad thing. But you could have somebody in the high range who has a disability, so they go and get help with that disability and they're able to graduate, and when they come into the business environment we say, well, they're above average intelligence because they graduated, so they should just get this, and we don't deal with the problems they've had to deal with their whole life. So we assume that everybody learns the same, and we assume that we're all of above average intelligence, when in actuality we have a broad range of intelligence.

The other important thing to think about is that in our organizations we're not just talking about the employees we deal with anymore, especially with security; we're also talking about customers, and customers go even beyond the range that's probably within our organization. We may have standards as to who we hire, and those standards may have some bearing on intelligence, although as we see, most likely the majority of our population is down in the average range, which isn't a bad thing. We also have to deal with customers, who can be a broad range.

So the important thing to get out of that is that we're all unique learners; we all have our own strengths and weaknesses. One of the things they found with intelligence is that there's not just one number. You hear people say, well, I have an IQ of 119 and that's above average, but what's important is that within that IQ number there are different components that make up that final number. So you may have a strength in mathematics but a weakness in English; you may have a hard time remembering things but have an ability to do other things. We don't always talk about those unique things within our intelligence that make up that final score, and so we just want to say, well, I'm intelligent, so I get it. But in reality there are different components to it, and there are different ways that we can have difficulty
learning.

So I'm back to the binaries again. When I talked about the traditional role of a school, we send our kids in to get to that diploma; our kids have to pass, so it's a binary thing. You either pass or you fail; there's no middle ground. Now of course you say, well, you could get an A, B, C, D or an F, and if you get a D all the way up to an A you pass, and if you get an F you fail, and that's true, and that's important when you go through school, to know where you're at. But again it's a binary system: it's a pass or a fail.

So what the schools, and what my wife, have been trying to do is to step away from that binary way of pass or fail and take a different approach to how they educate students. So we have our kid here and he's getting ready to go off to school, and we've kind of peeled back the black box, and now we're looking inside to see what happens. Besides just going to classes and learning, we need to see what happens within the black box that makes it tick, because ultimately some of these strategies that are used in the schools can be used in a business environment.

So the first thing I want to talk about within that black box
is called response to intervention, or RTI. This is a program that my wife was handed six years ago, and there wasn't a lot of work in it, so she had to go and create a manual from scratch. It's a challenge, because think about the way education has been for many years: you get a kid in, you educate them, you put them out; if they have a problem, you let the school psych test them, you put them in a special program that gets them through. With that way of thinking, you can only have so many people doing so many special things. So what response to intervention said was, let's take another look, let's take another approach and see how we can intervene in the kids' daily lives with something that may benefit more than just that one student. So instead of identifying one kid and putting them out there, let's try to help everybody.

The goals of response to intervention are these three right here: to identify, to monitor and to intervene. Identify means identify kids that are at risk. Now, we may not know it, but you may be mildly at risk, and there may be a lot of people in the class that are mildly at risk, but because it's not severe enough, normally you wouldn't be identified to be sent to the school psychologist. Again we go back to what I described before, and I'll call it now the discrepancy model: your intelligence is here and your achievement is down here, and if the gap isn't big enough then we can't necessarily do anything about it, because there are federal guidelines as to who gets identified as special ed. But in RTI the idea is that we don't go straight to the psychologist. First we identify the students at risk, and that may be the entire population or that may be a few kids in the entire population, but we can come up with an intervention that helps everybody, not just one kid. So maybe it's better to use our resources to intervene across the entire classroom as opposed to just pulling that one kid out. So that's the intervention.

Now in between identifying and intervention is monitor. What does that mean? This is a big part of what I want to talk about today: monitoring progress, monitoring what that kid is doing to see if those interventions are actually helping, because if an intervention isn't helping we need to change the way we're going; otherwise we're just spinning our wheels, we're not doing anything more than we could have before. So response to intervention's goal is to identify, to monitor and to intervene.

On the intervention side they've come up with this thing that's called a three-tiered model, and what the three-tier model does is segregate out where those
interventions should be placed. Again, I talked about maybe the whole classroom having a problem, so we want to intervene; that's your tier one, that's your general interventions. These are things like, if you have students that have difficulty reading, having extended reading time for the entire classroom, because maybe not everybody's getting it, so you extend it for everybody. That might be enough to help those kids that are mildly at risk; it might not be. And so what you do is you go to the second tier, which is called the specialized tier, specialized interventions. This is where you may have a smaller group out of the general population that you pull aside to do some extra work with. Again, you haven't singled out one kid yet and you haven't sent them to the psychologist yet; what you've done is try to intervene before you get to that point. So we've gone from having the whole group to having a subset of the group, and again it could be extended time doing reading, it could be extended time doing many different things.

Then if you've gone through tier one and tier two and you still have a kid who's having difficulty, and you know they're having difficulty because you're monitoring their progress, you get to the intensive tier. This is your tier three. At this point in the education system, this is where you say, okay, we've done a lot for this child; now we think he really needs to go see the school psychologist, or be tested, to see if we can place him in a special environment. That doesn't always mean they're going to be taken out of the classroom, but it may mean that they have intensive one-on-one training.

Now the interesting thing here, when I talk about the school psychologist: in order to get special services in schools you have to be labeled. As technology people, as information security people, we've always had labels like geek, nerd, all those things, and sometimes those labels can hurt us. So think about the kids who have to go through their school-age life with a label on themselves. Not that it's shared with their classmates, but if you think back to when you were in school, you can think about the kids who had to go off to that room to have their special time, whether they were talented and gifted or whether they had a learning disability. It's not that these kids are being identified in class, saying, well, you're special, you're special, but you see them at recess time: they're not out there because they're in the room with a tutor getting some special help, or they get to go out to the trailer at a special time to have some help. So that's a label that has to be with that child to get those services, and that's why tier one and tier two are so important: that gives us the ability to reach out to those kids before they're labeled, to try to help them, and maybe not even put that label on them. The tier one and tier two people may not qualify for a label to begin with. So we've gone from the theory of let's just test and place those kids that really need it, and everybody else is just kind of on their own, and if you get an A or a D that's up
to you, to let's really try to help everybody.

So we've gone through these three tiers, and the glue that holds it together is the idea of progress monitoring, and I really want to talk a lot about progress monitoring because this is key to a lot of things. Part of progress monitoring is that you have to give an assessment to all the students across the board, and you find out where they're at, and that way you're identifying where there are weaknesses. Now I talked about binary education; in a progress-monitoring setting it's not binary education. You don't give a kid a test and say, here's a quiz, you're going to pass or fail it. You give them an assessment and you say, I want you to fill this out as best you can; you may not get to all the questions, but it's important that you try your hardest. And you give that assessment to them.

Now we're trained to think in a binary fashion. We're trained that when we're handed what we call a test, but is really an assessment, we think, okay, I've got to do my best, I really have to do this. I can think, if any of you have kids, I know mine just went through this, they often have things like the Iowa Test in school, and as parents we get these notes home that say, hey, there's going to be this assessment coming up, just want to let you know. And as parents we're like, well, I want my kid to do the best they can, so you need to eat a really good breakfast that day and you need to go to bed early so that you're well rested. But it's an assessment. It's an assessment of what they know; it's not a test to pass or fail them. So what's important in progress monitoring is that we do this assessment, we hand it to them, we have them do the best they can.

Now of course we're going to have the results of individuals, because we need to know what your strengths are and what your weaknesses are, but as a class you get an idea not only of how well the students are learning but of how well the teacher is doing and how well the curriculum is designed. So it's really critical that we progress monitor. Another aspect of this is that it's a feedback loop. Again, I talked about how well a teacher is doing and how well a classroom is doing: you may get a progress-monitoring assessment back and the kids don't even line up with where they're supposed to be. But so the first thing to do is say, well, the teacher isn't doing their job? What we need to do is look at the teacher to see if they have the proper resources, see if they have the proper time to cover the topics, because one of the biggest things that's coming out of a change in our education system is this idea of testing a kid to make sure they know enough to pass. So not only do you have to pass your classes today in school, you have to take this, I'm losing the name of it right now, but there's an assessment that's given to all students in Ohio, and you take it in the fourth grade, the ninth grade and then in the twelfth grade. And if you don't pass that test, oh, the proficiency test, if you don't pass that test you don't get the diploma that says you should graduate; you get a different kind of diploma. So it's an assessment, but to an extent there is a pass or fail, and what happens is we're teaching to a test. In progress monitoring we don't want to be teaching to the test; what we want the assessment, or the test, to be is a true measure of where we're at.

So we go through this big thing, and hopefully in the end, instead of having a certain population of kids
graduate, now we've extended help and now we have potentially more kids graduating, or at least the kids that are graduating with problems that will be with them for the rest of their lives have had more help, to have a better understanding of what their education is. But these kids graduate, and where do they go? They go to college, or they may not, and they may go right into the workforce. So when you talk about education in the workforce, you're getting all these kids, and we're just assuming, back to that intelligence, that they have a certain level that they're coming into business with. What we're not looking at is the fact that everybody is coming in as a unique learner; everyone has their own strengths and weaknesses, and we forget that. So for businesses it's really important, in stepping away from a binary educational system, to know that everybody is coming in in their own unique fashion. We can design our education programs in business one way, for one group, and we just say, well, you should get it because you work for us now, or you should get it because you're part of this organization, or you should get it because you passed a test to get a certification.

That's another aspect of this that I want to briefly touch on with business: we have these certifications. I have a certification, if you saw that on my tag cloud. The thought is that we study really hard and we go in and take a test, and that test says that we're proficient enough to get this designation, and then each year we're asked to get continuing education. We all go to conferences so that we can get those CPEs or CEUs or whatever you want to call them. But going back to that audit step, what do those certificates, what do those CPEs, what does that continuing ed tell about what you've learned? It may not tell you anything except that you went
to something and you got the certificate afterwards. You may walk out with no more knowledge than you walked in with. That could happen with this talk; you may walk out without anything more than what you walked in with. But the key is that we've just been given a certificate saying we got it, and your certification then says, well, do you have enough of those CPEs? Check, yes, and we move on. So in one aspect that's where education equals compliance: we've complied with the rules of what our certification asks.

Another aspect of education as compliance in business is that we probably all have an annual security training that we have to do. If you're in a regulated organization, your regulators probably require that you show that you have done that security training, along with many other trainings that may apply to your organization. If you're in health care you may have to show that you've had HIPAA training; if you're in banking you have Gramm-Leach-Bliley and all sorts of other things; if you're in manufacturing you may have to have people who are doing certain tasks be certified, to show that you're in compliance with regulations. So in business we've come to look at education as a means to compliance, and that's the same with security. If you look at security, a lot of people complain about the different regulations like PCI, and they say that just because you're PCI compliant doesn't mean you're secure. We have to stop looking at compliance as the end game. Compliance is just a step; somebody's going to come in and check that box. What we really need to do is make compliance a byproduct. We need to develop our systems, whether they're security or education, so that at the end of the day, when you're done, you've got an educated workforce or an educated customer base and you meet compliance requirements.

So we have to ask: what is the goal of our education program in business? Now there are two terms that get
thrown out, awareness and education, and for the purposes here, awareness to me is exactly that: making someone aware, whether it's handing out tchotchkes that say "be secure, remember to change your password", or a poster on a wall. That's making you aware. The idea behind awareness, to me, is that you bring something to someone's attention, and either you're reminding them of what it is or you're making them want to go learn more. But awareness in and of itself doesn't educate you. So if we want to educate people, and I hope that we do, because through education I think we can become more secure, we have to ask ourselves: is the program we're designing for compliance, is it for awareness, or is it to educate, so that through that education we become compliant and become more secure?

So I'm going to harp on this again: pass or fail, binary thinking. We go to that. We do that annual assessment and we have to show the regulator some way that people did it, whether they have to sign a form, whether they have to take a quiz; we have to do something that shows that they passed it or that they failed it. But is that our goal as security people? I would hope that our goal is to have security, right? So we're not concerned about passing or failing; I mean, we are, because we want that checkbox, but we're concerned about security. So when we design our educational systems, when we think about how we want to educate people, we have to think about security first. And so we have to ask ourselves, is that once-a-year training enough? I would say it's not, because I think if you follow Twitter, if you read any blogs, if you follow anything, people are always complaining about how users don't get it: my users don't get it, they never do this right, they're always losing their passwords, there are Post-it notes everywhere. There's always something that's not being gotten.
Well, is it their fault? Yes, they should be responsible people and not do these things, but do we remind them enough? Do we educate them enough to understand the risk of what's actually happening? So what do we need to do in our educational system once we have a goal? If our goal is security, we need to design a program about security, and it's not just those big topics that the regulators want us to teach about; it should be everything. We should go through our policies and design a program that educates our users about our policies, but not just our policies, because when we say users we're not just talking about employees; we're also talking about customers. It's beneficial not only to train people about what our organizations want, what we require for security, but also about how they can be more secure outside of their work or outside of doing business with us. If a user goes home and writes down all their passwords for all the internet sites they get on, how can we expect them to come to work and not do the same thing? It's a trained behavior. If you want to go back and say, well, it's Pavlov's dog: the idea that we get in such a routine we can't break out of it because it's been ingrained. And so we
need to not only educate for security in the workforce, but educate for security outside of the workforce, and so we need to design our programs so that they cover not only the security that we want them to get but how to be secure in general.

The next step in any education program is to deliver the training, deliver the education. So if you want to think about this in the three-tier model, to bring in RTI: we have our general security awareness program, right, and that's our tier one. We're giving everybody an intervention as to what security is. As we go through this we're going to see that not everybody's going to get it, and so once we deliver that program we need to progress monitor. Now this is not pass and fail; again, we're stepping away from that binary way of thinking. What we need to do is assess, instead of test, what our users know: what did they get out of that training? And it's not just a once-a-year thing. What we really need to do is design a system that on a frequent basis, whether it's every quarter, every other month, monthly, whatever you decide is best for your organization, goes out and asks our users questions to see if they understand what we've taught them. This is our feedback loop, and this is the most important part of an education system. If it comes back after our first training that 90% of the people don't get what we said, we've failed. We failed because we didn't educate the users. So we're complaining that our users don't get it; they don't get it because we didn't help them get it. With progress monitoring we know they don't get it, and we can quickly go back and refine what we're doing. If you really want to talk about it, we go all the way back to the design phase and design a new program based on the feedback we've gotten. Not all elements have to be thrown out; maybe more elements have to be emphasized. And then once we do that design we have to deliver it again. It's important that this becomes a loop; it's not a once-a-year thing. Education is a loop, and after we give it, we test them again, I shouldn't say test, we assess them again, and hopefully the next time they're getting it.

Now if we're giving them the same thing over and over again, we should expect the same results. You would say that doesn't make sense, they should get better at it, but the point is that we're not making them more secure; we're just giving them the same information over and over, and there's a reason why they're not getting it. So when I talk about refining, it's important that you go back and change the way you're presenting what you want them to get, because if you're not changing it, they're not going to get it, and it's not their fault, even though we would like to think it is. That may be a very unpopular thing; I may be getting daggers thrown at me right now, which is fine. It's not a popular way to think, but the point is that if we want people to be secure, we have to teach them how to be secure, and we have to understand how they think. Remember, each person's a unique learner.

Now if we go through this and we see
that after the second time we give the awareness program, or the education, now only 30% don't get it. Okay, well, there's no reason to pull everybody back in and give them all that same information. Let's take that 30%, let's take those people that are still having difficulty, and not look at it as them failing but look at it as them needing that second tier. We need to move them up, we need to pull them aside as an individual group. And don't send out an email saying, well, due to your inability to pass the first two times, you need to now come in. What we need to say is that we've identified you as a person who we feel would benefit from extended security education, and so we would like for you to come in and join us so that we can help you better understand certain things. It's all about the way you frame it.

When I was in audit I had to deliver bad news quite frequently, because I audited governments for a long time, and unfortunately governments don't have a lot of resources, so they have a hard time doing the right thing even though they want to. So I had to go into a post-audit, or I had to go in and tell a client, you're doing this wrong. Now if I walked into a client and said, you're doing this wrong, how do you think they're going to react to me? They're going to look at me like I'm from planet Mars, and that all I did was come in with a checkbox, and what do I really know about the way they're doing things? So it's about how you deliver the message. Going into a client, if I was in audit, I would have gone back into a client and said, you know, I understand that you have limited resources, I understand that doing these things is very difficult, but these are the things that I identified where there may be some more risk, and I know that you want to be more secure and I know you want to reduce your risk, so in order to do that, these are the things you need to really think about and need to focus on. Now not all auditors do that. I know a lot of auditors may come in and just slam down the report and say, fix it, and that's it, and that's not the right way to do it, but that's not for this talk.

So as we go through this progress monitoring we get more and more people who understand it, and they should flush out. That doesn't mean that we should stop educating them; we should continue to educate them. What we should do is then increase our intensity of focus for the people that still aren't getting it. Ultimately, as we go through and we progress monitor and we refine, we're going to weed out those few people that are really having trouble getting it, and those people are the people we really need to bring in and do some one-on-one time with and try to understand where they're having difficulty. Don't make it a "you don't get security"; make it an "I want to understand why you're not getting security, or why you're having difficulty with this". It may be something as simple as, well, you tell us not to write our passwords down, but I do it at home and I don't know what to do at
home okay well that's something simple we can fix here's some resources that you can use at home to keep your passwords instead of writing them down on a piece of paper and so really that response to intervention model that three- tier model and that progress monitoring can be incorporated into the way we do education in a business environment and it's important that I think that we take a look at the way we do that and so we've got our security person here and we know he's security because he's thinking about OD day right this is the way I drop OD day in a talk um yeah I have to Trump I have to Trump Kennedy before he gets here so here
here's me dropping 0-day, right? Okay, so we've got our security guy and he's going into the business. The business's job, if we go to that black book and we're talking about education, the business's job isn't to take an employee in and produce a graduate; that's not what we're in the business for. We're in the business to produce a product or a service, and so the reason why we bring that security person in is hopefully, as the lock shows us, to be more secure. Now, we can think that our job as security is just about doing those things that we like to do in security, those geeky things, but in reality we also
have to focus on the people that we want to be secure, because ultimately we have people, process and technology, right? So, security people, we like to focus on process; let's call that documentation and standards and policies. That's our process; those are the things we put in place so that we're more secure. And we've got the technology: we've got our fancy firewalls and our fancy things to detect intrusions and things to prevent intrusions, and we've got all the blinking lights in our data centers. But the question is people: what do we do about our people? Because in security we all know that the strength of our security program relies on our weakest
point, and since we complain about our users so much, obviously the weakest point is people. But if we don't educate the people, how can we become more secure? How can we call ourselves security people if we don't cover all three Ps? Now, I'm not saying that each of us should go and talk to people, because we're not all people people, kind of redundant, but we don't all know how to educate people. But what we can do is know that that process needs to be in place, and as security people, as we see events happening, if we're that operational person, if we're down in the weeds and we see these things happening, we need to go
back to our education people and say, hey, I'm seeing a lot of this stuff happening, obviously our users aren't getting it, we need to do a better job educating. If you're responsible for educating end users, then people is your thing. Once we educate people, once we strengthen that part of it, then our process and technology are a lot stronger, because we've hit the weak point. Now again, in a business environment this isn't just the users within our organizations; it's our customers, because most businesses nowadays have some kind of web front, whether we're providing services through that web front or whether we're selling products through that web front. We're taking in information from customers, and that opens us up, that
opens us up to the 0-day, that opens us up to all those things that we already know are bad and people aren't getting. And again, education doesn't just stop with end users; we also need to educate developers. If we have developers in our organization, or if we're dealing with organizations who develop our products, we need to make sure that they're educated on security. And so the population of who we're educating is broad. We can't just think about "I'm in security" or "I'm in technology, and these are the people I deal with." We have to understand that our organization goes across all employees and also deals with customers, and so the education program needs to be designed
around the people. Now, I've thrown a lot of stuff out there, and I've focused a lot on psychology, mostly because my wife's a school psychologist,
and so when we try to take this to the business environment, it's not going to be easy. There are a lot of people who are going to say, well, why do we need to progress monitor? Let's just get the compliance done and we'll deal with those security issues as they come up. The point is that education, like security, doesn't have a direct ROI. We all love that word, we all love that phrase, return on investment. What's the return on investment of putting in a firewall? Well, if you don't get owned, then you don't get sued, right? So what's the value of education? Again, people, process, technology: we have to invest in each and
every one of those, maybe not equally, but we need to make sure that each one is strengthened, because without that strength in each area we're as weak as that weakest point. And so what I may say here may not be popular. You guys may get it, but your organizations may not; there are a lot of people who may not understand this. But if you want to do it right, I think that this is a good start. I'm not saying it's the end-all be-all, but it's a good start, and it gives us that feedback to understand why our users aren't getting it and where they need the help. All right, so as I said before, I
do haiku, and in the last couple of talks I've given about audit I haven't done a haiku, and I've caught flak from Chris and Tom and some other people, so I wanted to do the haiku: just a box designed to protect / must configure properly / otherwise useless. Now, this is technology, and you know, if you have a firewall and you don't configure it properly, you've got nothing; you've got a big truck that can drive right through your security. Well, it's the same with people. If we don't configure them properly, if we don't give them the right information, it's useless; security is useless, because we're asking them to do something they don't understand. So whether you're talking about a box in
your data center or a person sitting out in your organization or in your customer base, we have to configure it properly, and that configuration comes, in people, through education. And I don't believe that a once-a-year thing is good enough to educate. I think we need to make sure that we're doing something throughout the year to continue to enforce those things, and I think that using that three-tier model to intensify the message that we're trying to get across, instead of passing or failing people, will get us better feedback than just saying take a test, pass or fail, or here's a certificate, that's your pass: you came to the class, you pass; you
didn't come to the class, you fail, you don't get that certificate, you don't get your CPEs. We need to have that feedback loop. And so when I first wrote this, this was about a piece of technology, but as I was looking through it last night I realized this actually deals with people too. So where can you talk to me? My email is ghostnomad at ghostnomad.com, on Twitter I'm @ghostnomad, and my blog is ghostnomad.com. That's where I write about semi-related information security things, and then the haiku; I have, I think, about 587 haiku now when I last counted, so you can interact with me there. And I really would encourage you, since I've been talking about progress
monitoring, to give me feedback: send me an email, hit me up on Twitter, and tell me what you got out of it, what you didn't get out of it. I'm hoping to post a blog post about this; put a comment up there and be honest. You know, as an auditor in the past I had my heart removed for a while; I had to have it put back in, and so I can take it. So, you know, give me your feedback. Anybody have any questions?

I'm sure everyone in the room will agree that, you know, when it comes to security, security is more of a cost center than a profit center. The question
is how do you, at the same time, convince the company, and especially as the organization grows larger, to invest all those extra dollars on something that's so abstract, that's not really tangible and kind of hard to quantify, when they could just say, oh, we'll just go buy this latest gadget that we can stick somewhere in there and that makes it secure, because, you know, it's been certified by these people to make us secure, right?

Yeah, that's a good question. The honest answer that I would give you at this point is that I think a lot of people look at those boxes, those products that we can buy, as obscure;
you know, they don't always see the value in that. Education is a really hard thing to sell. I'm not going to say that here's the thing that you can go in and tell your CISO or whoever. I guess what I would say to them is that if we don't measure what our education program is doing, how do we know if our people are getting it? And if we're constantly having issues, and this may be a better point, you know, the way you sell a product to your organization is to say, well, we got breached, or this could happen in a breach, so we need this product. I would
say the same thing: we have an education program and still users are writing their passwords on Post-it notes. That's not something that's easily quantifiable, as you said, but it's something that you almost have to create a culture around first, at a low cost or no cost, and roll it out, and then get the buy-off to make it bigger. That would probably be my best advice at this point. [Laughter] Yeah, they said risk management, yeah.

Yeah, you talked about the intervention process as a way of sort of avoiding the labeling, but I've also found that labeling is a good way of helping people to understand that they have those deficiencies, so how do you
deal with that situation?

Yeah, you know, labeling, it's six of one, half a dozen of the other. Like I said, in schools, if you don't have a label, you don't get that special ed assistance from the feds, and so then you don't get that assistance at all. Same thing: you have to be able to deal with labels. I have a label of an auditor; Chris will never let me live that down, even though I'm not an auditor anymore, but that's a label. It's a word. Does it describe who I am? Well, it may describe my past or experiences that I've had, but if you ask me who I am, I
tell you that I'm a father and a husband. So to your point, how do you deal with labels? I think you have to give labels in some aspects. Go ahead.

Not necessarily; in a way you're hamstringing the person that might deserve that label by not allowing them to understand they have that deficiency.

Well, and that's why you go through, when you talk about the three-tier model, if they really need that label, you'll get them to that label. You know, they're not going to be resolved in the first or second tiers; they're going to be pushed to that third tier. So if they truly need that label,
and if you see that label as being beneficial, push through to the top tier, you know, make that label stick, because in the end what we're in the business of doing as security professionals is being secure, and so if it's going to make us secure, let's make the label work. Does
that answer it? Any other questions for Jeff? All right, if not, you can catch him in the hallway track over there to harass him. Thanks for listening, guys.

All right, thanks,
Jeff. Okay, a couple of logistical things