
[Music]
Never speaking to the conference while looking at your slides is, like, a cardinal sin, so, you know, having a monitor so we can actually see your slides and know what's going on is awesome. All right. Our conference, our second here at DTCC, it's great. As you can see we have lines of people here; we're feeding everybody. Right now there's still plenty of bagels and Danish, something keto and protein-ish, and all that good stuff. Sponsors and volunteers, people from other conferences that showed up just because, like, yeah, what the heck, we'll give it a shot. We have amazing technology and we're a conference about that, but above all BSides Delaware is a conference about being together and learning, and learning from each other.

You'll notice on your badge it doesn't say attendee, it says seeker, because what we want is people that are seekers of knowledge. We want people that are here to learn, people that are here to collaborate and coordinate and network and be together. We made a conference, actually Janice and myself built this conference, on the premise that we didn't want [unclear]; we wanted the conference that would be family-friendly, one of the conferences that people would feel unafraid to come to and enjoy the heck out of, and I think we've really succeeded. [unclear] I brought my newest toy to Spawn Camp upstairs, which is five pounds of Legos. I didn't know there was anything like that; I got those off eBay, and if one kid does what he did with it, we're good. You know, I succeeded; that was success.

And along the way we've made a lot of good friends and done some amazing stuff, and one of the good friends I made along the way is a gentleman named Brian [last name inaudible]. Now, he's probably not going to tell you very much about himself, and most of this is because he can't; a lot of this history is literally not able to be talked about unless you have this magic thing called clearance, or need to know, or "why do I have a gun pointed in my face?" Anyway, so I talked about those moments. But he's an amazing guy and an amazing speaker, and he's got a really interesting view for you on how security, business and all that work together, and so we asked him to be a keynote speaker. Really excited to introduce him now, so.
So, first things first: hello to everybody here at BSides. This is actually my third year here. This is a really special place for me; this was my first security conference three years ago, believe it or not. I've been working in some form of security for a really long time, but this was my first time actually being at a true con, right. But also this is my home conference. I, you know, lived in Delaware, I live in PA now; this is home for me, so I love it. I've got friends, I've got family, I've got colleagues in the audience, which is awesome, so I'm just really excited to be here.

What is this all about? So if we talk about this concept of the business and the beast: a very good friend of mine, this is a discussion we had a couple months ago, and this was designed to be a co-presenter kind of talk, but unfortunately he wasn't able to make it down for this today. But I want to talk about the two sides of business, and we call it this concept of the business and the beast. The business is the current state of where we are, and the beast is the future state. And then we get into this question of what the heck is the beast, what is it that I'm talking about? And the beast is the challenges in the way that we're doing business, challenges in the way that we're doing security, or the way that we're doing our jobs. And as we discussed through this, what we talked about is constantly taming the beast, right? If you can't tame that beast, you're gonna get consumed by it. For large companies that means one thing, for small companies it means another thing, and for individuals, right, that are working in the industry, it's something a little bit different.

So just a little bit, I want to tell you about me. I'm the director of cybersecurity risk management at a company called Thermo Fisher Scientific. We are a life sciences company, a great company to work for, but this is not what it's about. A little bit about just what I do: I do all the things in security that people don't think about. My team is responsible for developing and running policy; we chart organizational maturity; we do compliance assessments, risk analysis, all those things that when you come into security you go "ugh." Well, the problem is those things are the fundamental underpinning of all the work that our architects and our engineers are doing. We work hand in hand with them. But so, a little bit about me, like how did I get here? This journey is important because it is very odd, to say the least.

I started off as a self-defense instructor right after college. I know my father was very proud that after four, five years and way too much money spent, I decided to go punch people for a living. I did that in two different states; it was great, I loved it. [unclear] I took a little bit of a divergence: I went into federal service. I was a federal special agent for the Diplomatic Security Service. Yes, I get accused of it all the time. I was accused of it last year walking into BSides Delaware: "So, you're a fed, huh?" Anyway, so I know I kind of stick out like a sore thumb when I go to these things. But that was an interesting experience, because what happened was I learned a lot about physical security. I did that for five years and ran physical security programs. I was dealing with locks and doors and Delta barriers and, you know, things that cost millions or billions of dollars to build. So I had this huge foundation; hundreds of thousands of dollars in time and training were spent on me learning about physical security. Okay, this is pretty cool. And I always kept my technical side, but I was definitely not what you would consider an IT person. From there is where the divergence started, and I started going in different places, different ways.

I went into financial services; that was very, very different. That's where I actually had my first true, quote unquote, IT job, where I was actually working in IT project management. I tried to get into security; I was actually looking at physical security, and before I knew it, a couple turns later, I was running our global vulnerability management program. From there, that led to me being at Thermo Fisher. So why is this important? First off, I think that probably should justify why I'm here; so, well, yes, you guys know a little bit about the person in front of you. But more important, and I'm going to talk about this in a second, my journey was anything but linear. I mean, that's the map, right? It just curved and went around, and I went left and right and sideways, and that is the most important thing about this industry. Most of my friends, most of you, right, your journey was not linear. You didn't start thinking you were going to be a security person and end up as a CISO. You started playing with computers, or working at Best Buy, or, you know, doing fine art history in college, and you found something that you liked or you were passionate about, and then you parlayed that into something else. You went to a conference, you met someone, you learned about forensics or machine learning or whatever. That's a good thing, that's
something that we need to embrace in this industry. We do, but we need to embrace it more; we need to bring more people into the fold. So I said this is about the business and the beast: business is the current state, beast is the future state. So we talk about people. Why are we talking about people, though? That's what we do, right? We need people; you can't do this job without us, so you are very important. Companies say that people are their most important resource, and unfortunately at companies that's a line: you're a number, you're a butt in a seat. What we need to do is change that; we need to change the way that's done. What I've also seen now is there's more talk at more conferences nowadays. DerbyCon had a whole, like, kind of mental health section to it. [Name unclear] is gonna be talking about recruiting and job seeking later today. We're talking about this more as an industry, so it's really, really important.

Let me talk through the things that bug me about where we are. It's the open office plan thing. How many of you work in an open office plan? Yeah, I see a couple hands. All right, I can't justify this in any way whatsoever. In the interest of collaboration and maximizing space, we turned what should be a pretty nice place into, like, a barely livable working condition. To be fair, you could be working in a coal mine or something else that is a lot worse, but it's just ridiculous. I mean, we took what should be getting people together, and now everyone sits around with giant Bose headphones so they don't have to listen to their neighbor. That's not collaborative, and it also cheapens the space. The worst of the worst: you actually get a ticket in the morning, you don't have a place to sit, you get your stuff out of a locker, you go sit down wherever. I just don't care; for me, as far as I'm concerned, this is a travesty, it needs to go away. We don't have it, thankfully, where I work; I would fight against it. And whoever architected this kind of craziness, there's a special room down below for that person.

Looking at other areas of how we do things: set working hours. We know this, right? You're in at eight, you have a smoke break or a coffee break at ten, you've got lunch at twelve, you have another break at three, and you're leaving the office at five, huh? We've been following this model for generations. Wow, eight hours a day, forty hours a week. I have no idea who came up with that; it's just what we do. So in many places this is absolutely required, right? How many of you guys work in a SOC, or you have shift work, right? You kind of can't get away from that because you have to have coverage. But most of the rest of us, we don't work in that; we don't have that. So if you come in at seven, can you leave at four? If you come in at nine, can you leave at six? What if you were working late on Thursday night, you spent four hours with a server down; can you come in late on Friday morning? The answer in most cases is no, which is utterly ridiculous.

PTO accrual: I have a huge, huge issue with PTO accrual, mainly because of why it's there. First off, you get recruited for a company: "We have four weeks of paid time off, yes, come work for us. Oh, and I'll tell you, you have sick time." No. That is actually built on a fundamental distrust of the worker; that's why sick time and PTO are separate. You have a limit, that's sick time. What can you do with sick time? You can call out. We only get a couple of days of that, right, three to five days. PTO, you get two weeks, three weeks, four weeks. It's built on the fact that if you give people freedom they're gonna take advantage of the company. This goes back to factory work in the tens and the twenties, and so we're still doing this to people. We don't trust them: "If we don't limit you, you're gonna take advantage of me as a manager or of my company, so therefore I'm just going to put the restrictions on up front."

When we talk about talent: we buy talent in this industry right now. So for those at the top, that's awesome. If you are a top-tier cybersecurity cloud engineer with AWS certifications, you are writing your own ticket. That's awesome: rapid salary increases, that's awesome. As an industry we have one of the highest median incomes across industries; that is all great for us, and if you're at the top it's good for you. But the problem is the vast majority of us are not at the top; we're the ones in the middle of our careers or the beginnings of our careers, and it creates a lot of other problems, because companies are only looking for these top-tier people. So if you've ever heard of NICE, it's the National Initiative for Cybersecurity Education; they chart jobs. So as of August of 2017 there are 280 thousand job openings in our industry going unfilled, which I have an issue with, because how many of you in here are actively seeking jobs, or are actively seeking a good job? If more than one hand is raised, what's wrong with that? How do we have 280,000 open jobs with people out of work? Every conference I go to, every talk I do, every place I go, I meet people that are clamoring for jobs. No, wait, you have good experience; you have 15 years in IT, the only thing you don't have is maybe some experience in cybersecurity. You can learn this stuff. So it's frustrating for me when I see that, because we're creating the jobs [unclear].

And then the last piece is more around the management of other people. So I am a people manager; I do lead teams. I have three to four different teams under my purview right now, and I'm part of, like, the leadership team of my CISO. But when it comes to people we focus on management: managers. It's an administrative function, right? Your entire job is to make sure people show up on time, they deliver something, they do that, and you do it right and repeat, rinse and repeat. We very rarely give people the ability to build and develop people, not only from the perspective that we don't train the managers to become leaders; we don't give them the resources. How many of you have been given training as a reward? How many of you actually get training? Those of you raising a hand there, all right, good for you: you're granted training, right, you are so lucky you get it. In an industry that is moving so fast, and technology is moving and outpacing us, it is a privilege for you to go get training? Right. So how do we change this? What can we do? So when
you talk about people, we talked about set working schedules and so on. Let's talk about remote employees. For startups, remote employees are a way of life, right? You've got a small little two-, three-person shop, you need a really awesome developer and you live in Wichita, Kansas; you can't help where the ideas come from, so you may need to find someone that's not in that area. But most companies [unclear]. A lot of us are in Frederick, Maryland, but so far so good, right? My team is phenomenal; some of them are here today, and we seem to have figured this out. They get to work from home every now and then; they seem to have figured that out too. The world has not burned down, my company has not burned down, because we give people some choice. Talent also has its own weight here: if you're really good, or even marginally good, you can find the companies that are willing to support this. So for those companies that are unwilling to support it, you're shutting yourself out from really great talent, or potential talent, and that's really what's important as well; you need people that are willing to learn.

Distributed teams are an option if you can't support remote. So I get it, colocation, it's nice to have your team together, you know. If you can get places where you have, like, clusters of teams; you know, if you're a larger company you've got an office on the West Coast, an office on the East Coast, with the teams: let them sit in both offices, give them the option, because it opens up your talent pool. There's so many of us that can't move for some reason or another, right? Maybe you have older parents that you want to be near; maybe all your family lives in one area; maybe, unfortunately, you're divorced and you've got kids from a previous marriage you need to be around. There's a hundred more reasons why you should support them. But again, distrust of the worker, right? We're thinking that people just want it because they want to laze around all day and sit there in pajamas.

Flexible schedules: this one is really one of the simplest things to do, but companies don't like doing it. You can do what I call core working hours. This is really easy: your core working hours. Let's be honest, not everybody's in the office at eight, not everybody stays till five anyway. As a company or as a group, if you said, hey, our core hours are ten to three, you can flex on either side of that. If you schedule a meeting at eight you better make sure you talk to those people; a bunch of people may not show up. But so if you come in at nine you leave an hour later; if you come in at six you can leave a couple of hours earlier, and there's plenty of reasons to support something like this. What if your significant other normally takes the kids to the bus stop and they're sick today and you need to do it, but the bus comes at eight and you need to be in the office? A lot of people actually have to take PTO for that, which is unbelievable to me. So we have to be willing to provide that little bit of flexibility, because it provides work/life balance; you don't feel like you're a slave to your job, you'd be much more willing to work.

Better for time off: so again, when I talk about time off, PTO, right, that was all about distrust of the worker. Now we can go to the far other side, which is unlimited time off, and there's pluses and minuses to that. There's research and there's articles that suggest when you do that, people actually won't take time off; they feel guilty about taking time off, so that doesn't work. One of the things that I like the idea of was having minimum amounts of time, meaning, yeah, you have unlimited: situations come up that you may have to be out for more than that four weeks or three weeks or two weeks; it may be given. But you know what, as a manager I'm going to make sure you're out of the office for three weeks a year, and as a manager I'm going to fanatically track your time, not to make sure you're staying in the office, but to make sure you're not going months at a time without taking time off. Go take that Friday. I have team members; we're coming out of Cybersecurity Awareness Month, and two of my team members run a lot of that, so after a month of doing events every single day, at the end of it they're going to take off. If they hadn't told me they were taking off I was probably going to say, please do, take some time. It's really important, because again people feel like they can't do it; the teams are not willing to support it, and that's the change we need to make as managers. But if you're not a manager, you need to push that issue, right? And if you're at a place that is not going to support it and you have an option, find somewhere else, right? Find the place that's gonna support your way of life, that's going to be comfortable for you.

We talked about buying talent; what we need to shift to is building talent. I have so many points here. If you were involved in the hiring process at all, whether you're a manager, a leader, an HR rep, or anything: for the love of everything that is holy, stop it with the BS job requirements. Stop putting in there that someone needs to have a bachelor's degree in information systems or information security. Stop putting on there that someone needs to have their CISSP. They do not need those things to do most of the jobs in this industry. Most of the people that I consider to be the top talent that I work with, or that I trust, do not have degrees; the other ones, I don't know if they have degrees, nor do I care. And that's not to say that education is not good. I want people that have degrees, right? It's important, and it teaches you something, to learn. But you know what, what if you just didn't have that opportunity, but you took it upon yourself to learn these things; you did things like Coursera or other online training options, you go to conferences, you network, you meet people, you're part of groups. Why should that shut you out just because of a stupid piece of paper? Makes no sense to me. I started taking them out of my job requirements. To be fair, sometimes I put them in there just to weed out the worst of the worst, the people that are just, like, spamming my openings. But I own the recruitment process for my teams. I tell my recruiters, give me the resumes first; I will read through them, I will tell you who to screen. I don't let them pre-screen.

So when I've done that, this is what I can tell you: there is no talent shortage at my organization. We sometimes take a little longer than we want; sometimes it is a little harder to find that right person, we're being a little picky. But we've grown fivefold in two years as a cybersecurity organization, and we have not had a problem finding talent. Why? Because the hiring manager and our teams are involved in the process. I get referrals from my team members on a regular basis, and I get them when we're hiring and when we're not hiring: hey, this person is great, I used to work with them. Here, awesome, let's talk to them; let's talk and see if there's something that maybe might work. Maybe I don't have something for them, but we can find another place. So when groups stop relying on just HR, or talent acquisition or whatever they call it these days, you can actually find people. And guess what, if you talk about these other things, you are a little bit more flexible, you talk about good ways that you handle PTO and things like that, you will attract good talent, because it will be exciting.

Last but not least, as managers: not all managers make good leaders, and not all leaders are managers. One is administrative, one is motivation; those are really the two differences between managers and leaders. So if you are a manager or aspire to become a manager, think about it. This
one's for you: if you're going to be a manager, focus on both, as far as I'm concerned.

So a couple of pieces up there. Risk registers: how many of you actually know what a risk register is? Okay. How many of you have ever seen the risk register related to your company? There's a problem with risk registers: most people have never seen them, and they're pretty static. You go through this process, you get some type of a finding, right, audit comes in or someone comes yelling "you got a problem," and you get a finding, you have to go fix it, and then it goes away. Well, did you fix it all the way, or did you only kind of fix it? Depending on your audit team, you know, there's more of a process to it. But what you don't see is all the other risk out there: do other groups have the same problem you have? Have you fixed a problem in a way that can maybe be used to fix someone else's problem? No frigging idea. This process is so [unclear], and that's on us; that's on risk teams to fix this.

Policy is another area of major pain. You want to use policy to drive action, because for some teams that's the only stick you have: you didn't meet policy, go fix this problem. But here's the problem: it's what kind of policies we write, right? Current-state policies. You write a policy that you can meet right now, so at best your company or your group is going to get just to the point where you're kind of okay with it, and that's it. Regulators are the reason we do this: they come in, so you get an internal audit, an external audit, and they say you're not meeting your policy, there's a finding. Okay, well then why would you ever write policy that was just a little bit better or more demanding? You're not going to. So what you wind up getting out of this is "don't write policy you can't meet." So policy is no longer a driver of change; it's a driver of paperwork and pain.

For the risk teams themselves, we tend to be pretty segregated. How many of you actually know people on the risk team? How many of you actively avoid them? A bunch of hands, all right. We're not really helpful, I will admit that; we are purveyors of pain. I give you a problem, you have to do a whole boatload of paperwork to get past that problem, and I'm not offering any value to you, I'm not offering really good guidance, I'm just saying you have this problem. "Oh, hey guys, you know what, you do not have SSL implemented across all of your sites, you need to get that done." Well, then you have a team on the side going, "we don't know how to do this, can you help?" "No, just get it done; that's your finding."

So maybe just a quick story about this. I came into a team at one of my old positions and we had an audit finding around meeting attendance; we just didn't have good backup of our meeting attendance. Okay, fine, so we fixed it: a little bit of process, a couple of file shares, good to go. So I had meeting agendas for six different groups of meetings going. So I go from there to a year later, I have to go through my validation audit, which is basically the audit all over again, to say that I did the thing I said I was going to do. Pass my validation on it, not a problem there. A year later, now I'm gonna do the audit cycle, which is a lie, because I just went through an audit, but a year later it was validation, all right, now I'm back to audit again. So I'm just kind of continuously being audited, and they're not supposed to audit you in the same areas multiple years in a row, because you should have fixed the problems. So guess what they audited: meeting agendas. Okay, so fine, not a problem, I got this wrapped up, I give them all the information. They come back: "you have a problem." What is it? "You're missing meeting agendas." Okay, who, and how many? "Four." Over what time period? Because they'll do a sampling thing over the year; for a weekly meeting it would be two out of 52 weeks. I'm missing four agendas, and one of you guessed it: "that's a finding." Yes. Why? "Your procedure says you have it every week." Sometimes you cancel it. "You have to have a record of that." Policy? Show me the policy that says I need to track when I cancel the meeting, right? It's just a process, which is my last piece: complicated processes.

Risk is actually kind of complicated when you really get into the nuts and bolts of it. I originally had planned to go get my CRISC solely so I could bash the CRISC, so I bought the book. It's actually not that big, about 120 pages; it's kind of, like, really, really good, actually; it was good. Somehow, though, we took this 120 pages of a really good framework and we turned it into, from a process perspective, thousands of pages of guidance, of workflows and diagrams, and it's insane. I think I did the last count: if you take all of the NIST guidance with the risk management framework and put it all together, it's almost a thousand pages. I'll keep that. So now my job is to implement all this; companies will say, go do the risk management framework from NIST. Cool, got it. A thousand pages later you're kind of like, you're scratching your head and you have no idea what you're doing, and you're trying to put this in. So what you wind up with is overly complicated processes. In the interest of clarity, I have to make it very clear exactly what's going on, so when I do that I create a bunch of processes. So you get an audit finding, or you get a risk finding, right? So I go to my team: okay, here's your finding, it's risk related and I've done the analysis, here you go, you need to make an action plan. Cool. They go to make an action plan; well, maybe they get busy with something else, they forget about the action plan, then they give it to me, and if they pass their action plan date, guess what: now they have to make another action plan with new dates, and now my team's tracking the new dates, and then they're planning and they're replanning, and so on. We've created this insane set of processes that no one wants to do. People are actively telling me here that you're avoiding your risk teams because we're not providing value, and that's a problem, because the whole purpose of a risk team is to help reduce risk in an organization. And in all honesty, all we're doing is we're creating toll gates, we're creating unnecessary work, and we're increasing risk, because the reason is that while risk is moving at a certain pace, it's kind of at a certain
level right new risks are coming every day we're not even helping to drag down the baseline so it's just getting worse and worse because we're barely moving anywhere so how do we have me change this first is what I call this concept of operational and risk this is where the ideas of my agile and DevOps methodologies which I'm not going to say too agile devops servitor the best thing in the world but there's three elements in the DevOps handbook that they talk about which is fast flow rapid feedback and continuous learning or continuous improvement so we need to turn risk into that right it needs to actually be done in a way that's that is
fast low rapid feedback and continuous learning so one those risk registers need to come to the forefront you need to see them all the time if we're a manufacturing organization they have these big dashboards that are digital they're always running you should have one of those with your risk register on see every single risk as it pops up no true to form we don't get risks every single day but when they come up they should go up there now we shouldn't hide them people are afraid of their missed registers because it's like it's like it's the skeleton in the closet no you need to be looking at it because you can't fix it otherwise risk teams should
be communicating with you they should be coming to you with problems proactively saying hey I was we're talking with some people we did a presentation and we found out that you guys have an issue with part of your setup and then this is what everybody else is why are you looking at my stuff because we come into it with the wrong schedule and in the wrong way so we need to partner we need to engage we need to be presented in front of people talking about resumes educating people about risk and get it for some folks you take engineers and bring them in the room and you talk about risk to none immediately but when
I tell them okay yes but my risks are going to drive the next project that you're going to do so if you're seeing problems help me tie your problem to the risk explain it to me because at some point I need to sell what you're doing so if you need a million dollars five hundred thousand dollars or a thousand dollars to do a project you need to explain why you're doing it and that's where the partnership starts to come in the registers themselves need to be actively managed like I said my team right now we're actually working on doing just that going to take our risk we actually have taken our risk register we turned it
into something that's publicly available to the company internally, and it's dynamic: they can click on it and it tells them things, they can drill down through it. For policy, the way to do this is, so there's two ways to go about it, but good policy should be a framework, right? It's something that you change over time; you can add to it, delete from it, because guess what, what we're doing daily changes. But what happens in all reality is, like concrete, policy sets over time and it gets super hard, and because it's unchangeable your framework has turned into dogma, and before you know it you have these fixed policies and then they're just useless. I'll talk about passwords in a little bit, but that's one example of where password policies are a problem.

So we have two options. Option number one, which is the option I have taken: we are rolling out all of our policies at target state. I am writing policies I knowingly am NOT meeting, and that makes people very nervous, but the way I explain it is, I'm writing the policy for where I want to be, and I'm charting against it. So this control is at 25% across the company, this control is at 50% across the company. I have something, I have a stick now that's actually driving us to improvement with our groups, and I'm talking to them. We engage with our systems administrators, we engage with our IT partners, our business continuity and disaster recovery partners; we are talking with them all the time. Again, it's this concept of having an integrated team. For companies that can't do that, usually in financial services, but some companies can't do that, right, you're just too heavily regulated: fine, you write your current state policies, and that's a paperwork exercise for you. What you do take is the policies you want and the controls that you want, and chart against them. So, and not the organizational maturity stuff, where, so here are the five categories and the five levels, they're really broad, like how well do you communicate risk? No one understands, some understand. You have to go a little further than that; you need to chart a few more controls. Unfortunately my team tracks upwards of about 700 total controls. It's a lot, I'll fully admit it, but you don't have to go that far. I'm at a big company, we have 70,000 people, so I can kind of get away with that. The Critical Security Controls right there, even if you don't dive into the sub-controls, there's 20 of them. So if you can ask yourself, do we have good asset management, Critical Security Control number one? The answer is no? Good, now dive into the controls to figure that out and don't bother with anything else.

The hard part is explaining how do we do that from the streamlined process perspective. That's the thing that we need to figure out, and what we need to do is we need to cut out as much process as possible, and it's really hard to do, especially in really large organizations, government organizations; even smaller places are starting to, you know, we have all this process, we spend money on consultants and they come in and they do all this stuff, supposedly streamlining. Well, I have one way that I've done it with my group, and it's simple: everything we do must reduce risk. Everything, every task, every initiative, every project must
reduce risk. So if you're doing something and you cannot tell me how it reduces risk, stop doing it; I won't yell at you for not doing it. So if you need to stand up a task tracking system, "so we're gonna start using JIRA," awesome, how is it helping you reduce risk? "Oh, it just sounds like a really cool idea." Then don't do it; come back to me when you can explain how it helps you reduce risk. "Oh, well, actually it's gonna make us more efficient in tracking our work, we're gonna be able to have that fast flow that we're talking about, we're gonna be able to see where everybody's working, we're going to be able to tell if people are overtasked, we're gonna be able to follow up better with our partners." Awesome, great, and then you move on.

This one's a little harder for teams just because it requires you to look inward. We're not very good, we like blaming other people for our problems, right? So as a risk team it's really easy to just go, hey, you back there, you didn't want to talk to me, that's your fault, that's why I got messed up. No, it's a dual thing, right? You show me yours, I'll show you mine, right? Everybody needs to be really on the table, which means, one, it needs to become a no-fault zone. So you need to be willing to have that conversation, be like, you know, IT team, so-and-so company, um, how are your password policies on that system? Okay, why aren't they very good? "Well, the system is 20 years old, it can only support a maximum of 8 characters and only..." Okay, that's right, can we mitigate? "Well, this is what we're doing: we literally have two people that have that level of access to the system." It's a conversation; it is not dictatorial, you go do this, I do that. In many ways risk teams are the security teams of old, and that's the way that we are approaching that.

All right, now let's talk about actual information security, right, so the business of it, the current state. So I have firewalls and VPNs out there, and I'm not actually saying they're bad; they're the classics though, right, it's the classics of security. ANY ANY rules, failed key exchanges between VPN appliances and nothing works, who remembers those days? You know, the server that you can't physically fit into the rack because you, you're doing, like, forget it, you need math to get these things in. You know, that's what we grew up with. There's actually a reason for it. First off, there's nothing wrong with it, because this is technology that is going to live with us: firewalls, whether they're appliance-based or virtual-based in the cloud and things like that, you're always going to need these things. But they tend to, to me they represent a traditional way of thinking, which is that we tend to explain things in concepts we understand. Just the word firewall: a firewall is a thing that stops fire from moving from point A to point B, right? A firewall in your car, at the front of your car, underneath your feet, that is a firewall. So the engine lights on fire, the cabin is not supposed to go up in flames as well. That's what a firewall is; it prevents things from going. That's why we call it a firewall, because people understand it. However, the world is getting a whole lot more complicated, and the technologies that we use do not fit those paradigms anymore. Sometimes you just don't have a physical analogue to explain, so we have to figure that out.

I talked about password complexity because I think this one points to a lot of issues. So for anybody who's been doing this for a long time, passwords represent the number one pain point for decades, right? How many of you have dealt with the "I forgot my password"? 90-day password expiration happens and you have 300 people on the same day getting their password expired. How many phone calls do you get? I'd tell you 500, because of the 300, 200 forget the password that you just gave them over the phone. So passwords are kind of emblematic of security, some of the stuff we've been doing for years. They have resulted in nothing but bad behavior, increased calls to our help desk, increased pain to our teams, and then when we try to change it, people hate us for it. So all this work, the time we've spent, the number of conversations I have to have about passwords. I have little pens that say, you know, give you all these things about your strong password: three or four character sets, you can't have repeating numbers, you can't use real words. No human being is going to remember this stuff. NIST has seen the light; their new password guidance came out, which was
great, and it was awesome. It was really hard, too, and they talked about 2FA; they backtracked a little bit on SMS, they were gonna say no SMS. But what I can tell, this is what's really funny, that password guidance has security professionals in a tizzy, because they're arguing against it, actively arguing against it. If I see another xkcd comic about entropy... First, when you talk about entropy, it works on the assumption that you actually use the entire key space of the character sets. So if you're saying four of four, special characters, alphanumeric, and so on, entropy assumes you're capable of using the entire key space, which humans do not do. There are certain keys on a keyboard we do not press, there are certain things we don't use. So entropy, character set complexity, you know, that stuff is kind of out the door at this point. But NIST actually came back and said, listen, if you get past a certain point, you're using other... 2FA or MFA. A lot of people's hair lit on fire, and I think part of it was there was a reaction to, well, we just spent the past 10 years preaching password complexity, now we're going to say that we're wrong? Yeah. And that's the fundamental difference in what we need to do.

So, IT versus security. So this one is one that I was proud to be on. So security grew out of IT, right; the security teams didn't grow up in a flowerpot one day, like, hey look, I'm a security guy. The IT people became the security people, but over time we diverged, we got more siloed because we got more specialized, and then the shenanigans began. The team from which we came suddenly doesn't like us anymore; they view us as an impediment, we get in the way of their efforts. What is the purpose of most IT functions? It's to support and enable the business through the use of technology. But the IT teams hear us going, no, can't do that; okay, we're going to use this product, no, can't use that, that's not good. And so we become the "no way," or we've become the land of no, and our IT teams hate us for it. We tend to forget that we came from the same place. So how do we move beyond that? One of the things, if you ever get into this argument, one of the things you really look at is the technology that we have used as security professionals for many, many years, and in certain areas now it's very immature. You know, the technology, as you look at what firewalls were and what firewalls are, they have come a very long way, and before, yes, it was a yes or no thing: it was on or it was off, it couldn't really do a whole lot. That's gotten better over time, but then the new thing comes up, right, the new areas. So SaaS applications is the area that we're dealing with now; most companies do not have a way to deal with that. How do you assess the problem? So we'll talk about that in a second, but really what we have to figure out is how do we take the two disciplines and bring them back together so we can stop fighting with each other. Like, we're like long-distance cousins right now that, you know, you kind of don't like them, see them once a year at Thanksgiving, and for the most part, if you can come out without a black eye, we feel good.

Security as overhead is a major issue because it manifests itself in two different ways. If you're a well-funded team, so I will fully admit funding is not a problem for me, because we have spent a lot of time really working with our executive teams to help them understand the problem, but funded teams are now coming under scrutiny. So the companies that were spending 50, 60, 100, 200 million dollars on security, their boards are now starting to ask, why am I spending all this money, what's happening, what's the value here? Underfunded teams are continuing to be underfunded, and unfunded teams are continuing to be unfunded. The problem is that many
companies just do not have the in-house expertise, right? You know, how do you get a security person in-house if no one cares about security? So you take the two or three IT folks that you have and you're like, so I'm gonna scrape together five grand, that's all you get; how do you take that and somehow build a program? It's not viable, and then you also have no way to justify what you're doing. So security teams are going to have to start earning their keep, meaning we're actually going to have to talk in the language of business; we're going to have to start justifying a little more than just "the world is burning down." That doesn't work.

So what's the beast? What are the changes that we have? So zero trust networks: you've got the whole Google BeyondCorp idea, but services like G Suite, Office 365, those have completely transformed our environments, right? So if you've got a company that's using that, before it was simple, it was simpler: you have a little area where everything was on the inside, you never let them out, you didn't let anybody in. Now you took some of your core services that are the most vulnerable and you put them outside that sphere of control. SaaS platforms are everywhere, and newsflash, they're really pretty good. I use so many different SaaS platforms because they are these great point solutions that I can roll out to a subset of people; the costs are lower, I don't have to worry about the infrastructure, they're secure, we assess them. So how do you do that, though? You had all these core services that used to be inside your control and now you've got one to ten, 20, 50 services that are everywhere. So we have two choices. We can go back to where we were, the land of no: don't, can't do it. Financial services, that's how they did it; that's nice for them. But for other companies, especially smaller ones where funding is a problem, you have to let these things happen. The question is how do we let it happen in a safe and secure way?

A couple of ways, a couple bits of guidance I'm giving you. One is you need an assessment program, which means you need a way to actually assess the SaaS applications, the SaaS software, that your teams are going to use, right? You need to know the data that's going in and the data that's coming out; you have to have some level of understanding. Just because it's an application from Microsoft, do not assume it's secure; just because it's JIRA or anything from Atlassian, don't assume it's secure. At least ask the questions; they're used to it at this point, believe me. The second is you have to move to centralized authentication of some sort. There's a bunch of different ways you can do it, but because you have all these disparate services you have to get them all under one roof from an authentication standpoint, because when John or Sally leave the company you need to be able to shut off their access. A lot of companies right now are in a position where someone leaves and they have no idea what access they have, and they end up maintaining that access for years. All it's going to take, and it happens all the time, for you or your company, right, all it takes is one person to steal data, grab data, crash the system or something like that, and you're gonna be answering some really, really tough questions. The last is you need some type of, and I'll use the term, Enterprise Architect: you need a person or a team that's in charge of figuring out which services you should be using. There's too many options, right? So one group is going to come in, "I want to use Dropbox"; okay, another group, "how about Box"; the other one, "well, we have Office 365, let's use OneDrive." Someone needs to adjudicate that; you need a referee there. All of them have their pluses and their minuses, but it's going to come down to money and features: get the most security features for the money, does it do what you need it to do? So what happens is we kind of become more planners, right? You're going to be part of that requirements conversation. "Well, I need the ability to share files with external customers." Cool, is that your only requirement? You need to be able to share a file with an external company? "Yes." Well, there's a lot of services that will do that securely. And then the requirements creep, so you have to kind of prod and poke them a little bit. "Well, what I need to do is share with customers, but it needs to go to a group, so maybe multiple people in turn." Oh, now it's a different conversation. You need to be part of the conversation.

Multi-factor authentication: all right, if you use a SaaS service and you do not have that method turned on, go turn it on. It's silly that, you know, if any of you in here have SaaS-based email services, Office 365, Gmail, and you are not using 2FA, pick up your phone right now and call your boss, your CEO, your CISO, and start complaining about this. The number of email compromises based on just the fact that people are not using 2FA on these is insane, and the amount of loss that we have as companies because of them is insane. So if you are not dealing with account compromises, and you don't have 2FA on one of these services, I can guarantee you, you just don't know about it. I absolutely can guarantee you. Larger companies that are using 2FA,
they are dealing with it every day, and guess what they do, which is insane to me. Going back to that streamlined process thing, I'm a process person at heart; I think you've got to fix that problem.

When we look at that integration of IT and security, right, I think as an industry we're kind of at a crossroads right now, and a couple of things may happen. In some companies your security teams are getting really strong and powerful, and they have some of the brightest talent; in some places I think they're gonna consume the IT departments, they're gonna suck them in, right, because you're doing so many things that cross over, like Identity and Access Management. Well, you've got your architect that does IAM better than anybody else, but the IAM team is being run out of security, they're out of IT, so, "let's just take in the IAM team too, why bother." Asset management: fundamentally, asset management is a core IT function, but security needs it too, so I'm just going to suck it in. That's option one. The second option is we bring the two organizations back together and you create that hybrid model. If you can do that, you can start looking at your functional roles. Networking as an example: so you have, I bet, some enterprise architects that are just absolutely freaking phenomenal, don't know anything about security, but man, can they architect. You need a super clean, super efficient network across 10 or 20 global locations? They're awesome. But they don't know security. So who should be sitting next to them? The network security architects, and they work together. Why are they in separate teams? Just put them in the same team, work together: okay, check my work on the security side, and the security guy makes some changes that fundamentally break this wonderful, beautiful network this guy put together, and they figure it out between the two of them. They shouldn't have to keep throwing it over the wall, which is ultimately what we're doing.

From an operations standpoint, large operations typically run multiple command centers. So for those of you that work in a SOC, do some of your organizations have a separate operations center for IT? Yeah, right. And then other ones will actually have a completely separate operations center for global security. Well, these things should be combined; they absolutely should be combined. Our operations should be much more NASA flight control than these siloed groups. So yeah, you have a seat for the security team, you have a seat for the IT ops team, you have a seat for your NOC team if you're still doing that, you have a seat for the global security team, and newsflash, they don't have to sit in the same place, they just need to understand that they're working as a core, cohesive unit. So when you have an incident that happens, right, your network link goes down between two sites, that hits everybody; everybody's looking at it, so they can kind of wave off and say, you know, not us. So: network link goes down. Network team says, hey, we have a core switch go down, we've got to take care of that. Security team's going, any indication of a breach or some type of an attack? No, apparently not; security gets out of the way. Global security: do we have a problem at the site, did someone break into the building, do we have a fire at the site? No, looks like it's just a hardware failure; global security steps out of the way. Well, now you've just completely deconflicted two potentially major problems in minutes, and guess what, now the network team can just focus on fixing the network problem.

The last piece is security driving business. So like I said, we're not really good at this. We are nerds, and we like security tools, and we are much happier behind the console than we typically are in front of the board of directors. We need to figure that out. Now this is where the CISO role typically comes in; you know, your CISOs are supposed to be the ones out in front, but they can't do it by themselves. I spend so much of my time
going out and talking about security and educating about security and trying to get people to understand it, because I need to justify our existence beyond the next breach. Yes, the old adage: never waste a good breach. But if that's what I'm waiting for, in the hope I get a little bit more money, I've got a problem. So the key is taking every effort you do and walking that all the way down the line: how it impacts your internal customers, your external customers. So if you're generally doing something that's an internal thing, let's talk about MFA as an example. Rolling out MFA can be very, very painful; even just getting soft tokens on people's phones, Duo or Centrify or anything like that, that's heavy, that's hard on people. For the less technically inclined it's basically a mountain to climb, so it takes a lot of time and effort to get it going, and then they complain about it. They're going, why do I have to do this? Well, now you need to start talking to that end user. What does this mean for the end user? It means a couple of things. "We're going to protect your data." "No, doesn't matter, it's company data, don't care if I lose my company data." "Okay, you do realize that your payroll uses the same login too?" "Oh, right, yeah." "Can you make changes to your bank account information through your payroll account?" "Yeah." "So this can impact you?" "Oh, yeah." So suddenly they're turbocharged now that they're invested. For an IT operations team, it's like, guys, if you bring in MFA, we're going to have to support this, our help desk calls are gonna go up, how are we gonna manage this? Well, the answer to that is, yeah, but think about how much time we're actually going to save for the end user, for you, because they're not going to have to change their passwords, they're not gonna get their accounts compromised, we're not going to shut them down for four hours while we have to deal with some issue, or, God forbid, they have to lose it for two days while we have to do forensics on their account. That goes away, users are happy, you get fewer calls, and suddenly IT ops go, that's a great idea, I love it. So you can have your users happy, at least someone happy, you have IT ops happy, and you get what you want from a security standpoint, and you've positively impacted multiple teams. Everything we do can positively impact a team; we don't have to be despised.

All right, so what does this mean now? What do we do, right? What do we do as an industry, what do we do as a group? So the first thing is, we were talking about that beast, so change: we must be capable of tolerating and embracing change. That is what is going to make us successful as a group, as an industry. You need to embrace that and become an agent of change. We need smart people that are intelligent, driven, passionate, to challenge the status quo. Do not let your companies just slide. You don't have to be a manager, a leader or a CISO to make change in your organization; most of these changes don't come from them anyway, because they're not in the weeds doing this stuff. You need to question the status quo. Just make sure you do this: if you have a complaint, have a solution to back it up. Never go in just complaining. You can complain, at my team they complain to me all they want, if they bring me a litany of potential solutions. Now, I may shoot down every single one, happens at times, but at least they're thinking. Change also doesn't have to be cataclysmic; it's a process of continual iteration. If your change is cataclysmic, you screwed up; that means something is so bad you have no choice but to scrap it, throw it out and do something different. If change is gradual and you're slowly fixing problems, that's never going to happen. You're not trying to boil the ocean; you're trying to see the ocean for what it is, and you're going, okay, I see it, I'm going to take a step back and figure out the small iterative steps I'm going to take to make this work.

So what I kind of implore all of you, regardless of what you do, where you are, where you work: be an agent of change. You differentiate yourself by being in places like this; you differentiate yourself by coming to conferences and doing more, learning more, educating. Don't waste this momentum; take in everything you can at this conference, other blogs, BSides itself. There are some great people here, and what's cool, because it's BSides, the talks are all over the place; there's some really cool talks being presented that you don't see at other security conferences. Ask questions, network, look for ways to initiate changes. Someone has a great idea that you're hearing, talk to them about it; grab the speaker at the end of the talk and get some more information; find out who they follow, find out what books they're reading. You need to be relentless. When there's something that you need to see changed, you need to be there and be the one changing it, and it is just this ferocity of what you're going to do and how you're going to address it. So a really, really good friend of mine many years ago gave me this quote. So the question was the concept of IT versus security: when I talk about cybersecurity, generally, yes, I use a shorter slide, but your security, your physical security teams, are part of this conversation as well, so it is important to have them as part of it, and sometimes physical security does get in the way of the others. All right, please feel free to grab me at any point. Thanks, everybody.