PG - Hacking Trust Establishment

hey y'all out of all the fun amazing things going on here today thank you for coming to my room and uh listening to what I got to say I am a senior security consultant uh with about 14 years of experience um locally trained in Oklahoma uh recently got my sspy if anyone wants to talk about study materials those are fresh on my brain most of my experience does come from public sector where I spent about a decade working in Oklahoma state government my last role before joining the consultancy side I was the CIO for the state Department of Education I'm also a co-founder of bides Oklahoma and a founding member of techlahoma which is a nonprofit in the state of Oklahoma

bring different technologist together besides Oklahoma 10 years strong y'all year 11 is next year come on out and see us in April we've got a great con um I work at go security pro here's some of the things that we're good at they're helping cover my travel check us out if you're interested so today y'all we are going to talk about trust being trusted usted trusting others this is a massive topic that could easily be a two-day training session one day I might turn this into a workshop it'll be really really fun um but my hope is that by the end of this talk you're going to understand some different types of trust and how to establish it quickly with

others keeping in mind all things security we got black hat we got white hat there's going to be good reasons to establish trust with others the same way as there are black hat reasons so please please please let this be an experience where you let your mind Wonder to all of those Evil Genius scenarios for how you can bend trust to your advantage so we're going to start with some basic terms trust and psychological safety these are two different things and it's important to understand the difference between these terms trust is individual how do I trust you how do you trust me psychological safety is a group phenomenon it's something that we see in maybe your Issa chapter maybe your

workplace maybe if you're on a soccer team or a sports team how do you differently in that group if you're part of that group are they going to look at you weird if you didn't share your ideas or are they going to look at you weird if you share your ideas and Innovation do you feel that you're in trusted environment in certain places that you can take risks and bring up things in a safe space so our types of trust we got cognitive trust we have effective trust short version Bob has his sspy and 20 years of experience I can trust him on this project that's cognitive trust effective trust Bob's got a nice smile

he kind of looks like my cousin I think I can trust him when I gave you guys my intro credentials I attempted to establish trust with you you should trust me because I have this background when I gave you the talk agenda I set the groundwork for consistency am I actually going to follow my talks agenda we're going to roll a D20 and see about it y'all but that was my goal I'm going to establish trust with you you here's how I'm capable here's how I can be consistent most of us here probably rely on cognitive trust in our day-to-day jobs do our end users our constituents our clients do they trust us to build

maintain deploy their systems but at the same time do they have effective trust with you when you push out changes on Patch Tuesday it's like oh man the system's going to be broken again it's that time of month it's going to happen or if you're able to maintain your systems in a productive environment do people begin to not only think that you're capable but you care about the business and because you maintain their systems you care about their Bion their mission statement and how it actually affects the business because at the end of the day security is there to facilitate the business and protect it if the business isn't running we ain't got nothing to

protect so another thing is with the cognitive trust think about if you had an entry-level position open what if the candidate that hires and starts their first day is a 60-year-old pensioner what if that new hire is a 20-year-old both could be fresh out of college one switching careers one starting their new one what types of inherent different types of trust would you have in each of those people what types of capabilities or consistencies would you expect from them moving on to effective trust humans are naturally naturally emotional creatures we have a lot of chemicals that affect our emotions effective trust is Trust of the heart it's empathy it's trusting in someone's capacity for caring it's less of a

science because what inspires me to trust is going to be different from everyone else in this room but there are some core principles in human psychology that are standardized across the board um but you know that change manages example how does different things affect your trust that you have in your organization do people do you can you reach that true trusted advisor estate if they trust that you're capable and they also trust that you care combining the two different trusts together can have huge impacts on your goals just depending on what you're wanting to do and if you're in a client relationship or you're in Social Ops you can use different tactics for short-term or

long-term trust like okay Carrie that's great different types of trust why should we bother the answer is we can't help it from birth we are hardwired to form bonds with people we are dependent upon others to take care of us it is hardcoded in us and when I first started writing this I'm like I really want to connect with people I'm a huge introvert so like after today I'm going to go back to my room and like no one talk to me I'm going to be completely drained but I love this interaction and it's because we want to connect it is there um but what can we do with trust it can help you go go from

an interview to a job offer how hard is it just to get that first interview then are you going to squander it are you going to waste it how quickly can you help that hiring committee no you can trust me not only am I capable but I'm going to care about your business can it increase Innovation among your staff you build that trusted environment among your staff do they begin to feel psychological safety that they can bring forth innovative ideas and they'll take risks in the environment that'll improve and increase automation increase efficiencies across the board um it's also going to help complete Ro specific tasks and jobs um clients trusting sales staff sales staff can completely uh

establish trust they're going to sell more stuff longterm they're going to upsell uh social operators getting ringcon data and exe getting executive leadership support of your projects so let's look at some tactics effective trust tactics or how to manipulate uh we're going to go through some nonb or verbal one of my favorite things up here is can you help me with with fishing pretenses call on the phone start your conversation can you help me I've been getting the runaround I've been transferred so many different places every single person in this room every single person that you might call has had that experience they don't want to be the cause of that experience you're going to invoke guilt you're going to

invoke empathy in that person that answered the phone on the other line can you help me is the strongest phrase that you can use starting a vising pretense um the other thing is like if that person doesn't respond hang up call back try again till you get the right rep who does respond to your pretense um if you have staff what are your plans for the weekend or holiday this is something that you should not use casually if you're using this like because you know you're getting ready to ask somebody to work over time or work over the weekend no this isn't how you're going to get someone to trust you this is something that you need to do

long term show interest in your staff outside of the workplace um mirror communication styles for the love of God if you ever meet William Shatner please do not mirror his communication style but when you're talking to your leadership or you're talking to people their Cadence their inflictions how they talk your physical presence like this is a superhero pose and like shoulders up back like military marching band people here you know that stance um all of those things convey and I'm going to touch on that more on non-verbal I'm getting ahead of myself um but the other piece is an honest story have you gone through some type of incident response that's similar to your client or the

person you're talking to even if it's not your story can you tell a story you know as yours black hat white hat remember and invoke empathy and that person's like oh that person gets me and people don't remember most of what you say when you meet them they remember how you made them feel so how can you make people feel way that when they think about you after meeting you for those 5 minutes 30 minutes an hour that you made them feel respected valued in a way that you bring in effective trust that you care about them uh nonverbals these are things that are going to be pretty standard interview tips eye contact you're interested in someone genuine Smiles

don't try to do creepy Smiles if you're on social Ops and you can't do it please y'all it is you are going to make it hard for yourself look in the mirror practice your stuff know what works for you um something else lean in when a person is speaking uh this works really great at conference rooms and tables you are naturally drawn physically to the things you're interested in so let that body language reflect it whether you mean it or not let that person think you're really interested in what they're saying um other things handwritten notes uh I'm from Oklahoma and in the South when we love people we feed them it makes them content and they're happy my

three-year-old says mama if if that person's cranky I think they need a snack and a nap and damn right baby girl anybody that's angry give them a snack and a nap and they're going to be better um if you're in sales point out you're doing something special maybe you've got leeway Grace to give somebody a 10% a 15% discount that client doesn't need to know that hey you know you're so special I really enjoyed talking to you I think we can work this in for you tell that little why lie why are those effective trust tactics oh I'm so special they're doing something special for me um also own your own mistakes and apologize if Integrity is huge for me in in any

environment I believe that if you can't establish and maintain your integrity you're not going to be successful if you make a mistake like crowd strike come out and apologize for it you all own it I'm not going to speak to the things that are going on with a threatening legal suit but I like that they publicly apologize and own their a mistake um so M you know Own It Up don't try to make excuses explain your validations but let people know especially your leadership you mess up own it I messed up here's how I messed up here's how I'm going to make sure it's not going to happen again if you lose integrity reestablish it

immediately cognitive trust or how to manipulate it verble y'all be yourself and remember this is capability and consistency how capable you are and are you consistent and being yourself sounds lame it sounds like I've throwing a kitten poster meme at you but it really means being introspective and being open about your capabilities where are you strong where are you weak this is how teams Excel if your teams are honest about where you're strong and where you're weak you're going to come together and you're going to lean on each other to create a better product and a better deliverable um you know and it's everybody hates the interview question what's your greatest strength what's your greatest weakness everyone

hates the I'm a perfectionist be real like I got audio issues man I'll Zone in on a project and somebody can be standing next to me talking and I will not hear you um be cognizant of your tone of voice and your inflictions I'm a natural pessimist I'm sure everyone here is full of skepticism and stuff too and it carries through in your voice if you have problems at work and you're talking to Executive leadership that pessimism might come through your concern might come through and they're going to feel your words before they hear the meaning be cognizant of how you talk and even the the trick the mind the me the mental model that works for me is instead of

being concerned about the problem stay focused on the positivity that we have a solution we may not have remedia full remediation plan yet but we have a remediation plan um and let them feel the positivity of explaining the solution uh non-verbal again make eye contact dress for the part I absolutely hate but it is one of the easiest ways that you can influence how people think that you may be capable if state capital in any state in the United States I better go in in business formal but if I go to Silicon Valley for an executive leadership and I to show up in a three-piece suit I'm going to get laughed out door Goodwill is a treasure

Trove for social operators go in get yourself a FedEx FedEx or UPS logo walk into a place with an empty box and a clipboard and just see how far you can go walk in like you own the place and you know exactly where that delivery is going nine times out of 10 you're going to get straight past that checkpoint um facial expressions I'm also terrible about resting face um so uh be cognizant y'all uh I'm not saying you got to know how to play poker and win in Vegas but but you know keep that in mind um for long-term trust I mean again y'all Integrity take action if you said you were going to do

something do it if it's something as simple as you're passing someone in the hallway or they send you a teams message and say hey I'm I'm really busy I'll follow up with you later next thing you know it's almost quit in time and you still haven't followed up with that person shoot them a quick email send them a message hey the day got away from me I'm really sorry own your mistake apologize right off the bat but I'm going to come see you first thing in the morning or hey can I get 10 minutes on your calendar I'm so sorry we're going to fix this address it be on time I'm also perpetually late I'm telling you

guys to practice what I preach not what I do so coming on time to certain things being prepared um and then reverse engineering what others needs that sounds really sexy and cool but that's really just being a good human and being good to yourself stop and think about what someone else needs your projects aren't getting funded how are you presenting them you got another Department their is getting funded go talk to them how are you presenting your stuff go talk to the chief of staff talk to the CFO what did you like about theirs but you didn't like about mine any new IT director CIO best advice I can give you make friends with the CFO

they're going to fund your stuff granted they don't want cyber security fallouts as much as you do same thing if you got a separate procurement officer um also um your HR make friends with HR um we're going to make rules for security but HR is going to enforce them um so when you think about reverse engineering what others need whether it's in an Enterprise environment a workplace or social operations or sales think about what those people need and how can you change your delivery to focus on how your solution fits their needs furthers the the business mission statement whatever that section is lowers a budget saves money um gets the information that you need makes them

feel a certain way there's a lot of um fishing engineering tactics going on where malicious actors are establishing care with people they're going through long series of text messages and different on messaging platforms establishing friendships with people and eventually getting them to send them money reverse engineer what people need take that how many different layers can you take that to places to be more successful in your endeavors so one of the last thoughts that I want to leave you guys with is maso's hierarchy needs so we think why bother with trust it fulfills a need whether it's your staff your engineers your targets your victims they have needs that they need to have fulfilled so it's a human condition to want to

connect with others using these tactics are going to take practice some of them you might be really good at you're naturally good at other ones you might have to work on but if you use some of these tactics to make sure your boss knows and Trust in your capabilities could you get a raise or a promotion within the next year if you start a security awareness campaign at work does it become more successful because the end users don't just trust that you're capable of safeguarding their systems they trust that you care about them can you throw in little tidbits to your security training that it's not just about Safety and Security at work but it's their iPhone it's their home

computer I care about you not just you at the business will they actually start reporting suspicious activities I mean granted we all don't want a 100 emails saying we got this fishing camp P please stop telling us we know we got hit but they'll start telling you things maybe it's maybe it's we got this business process and we've been sending this an email wait what and you know you have encrypted email right so how can we get in depth embedded into business process and secure everything um it's also it could change the Dynamics of your team if everyone felt trusted or psychologically safe enough to bring up ideas what would happen um I made um my

team everyone had to have a side project and I didn't care if they made progress on it but it was part of their performance evaluation you had to have a project and make some type of effort towards it I get it if you're busy whatever but make some type of progress towards it and I had database developers come in my office one day and they were so excited Carrie we just found a place where we can automate a thing that takes us 15 minutes a week okay show it to me and they didn't think it was that big of a deal and they're like yeah we're going to automate this yada y y and I'm like do

youall know what you've done and they're like yeah and I'm like no you just saved yourself 15 minutes a week multiply that over a year I was able to take that information to the CFO and get those database developers AR raise is you do the math on their salary and they saved 15 minutes a week take that information take it back into the business show your staff that you care and you appreciate their efforts and what they do to make your business better so one quote um i' like to challenge you guys anybody can go hack a system but can you hack a person besides black hat Vegas I challenge all of you guys hack a person while you're here not

just a system um if anyone wants to connect uh here's my information as well as my company information uh I'd love to hear from you guys or if you guys would like a copy of the slide if you want to know more for me I've got some business cards up here and I've got some stickers um do I have any questions from the crowd anybody want to share something they learned or uh a new evil Insight that's yeah I'm going to go hack a person doing this keep your secrets don't don't share them with anyone keep your tactics to yourself don't be like me don't share your tactics all right thank you guys you've been lovely

[Applause]