
Aristotle in Security: How an Ancient Greek Can Improve Your Security Program

BSides Las Vegas · 2021 · 25:48 · 44 views · Published 2021-08
Category: Career
Difficulty: Intro
Style: Talk
About this talk
Brendan Clark applies Aristotle's six elements of storytelling—spectacle, plot, character, thought, diction, and melody—to help security professionals communicate their value to executives and stakeholders. Drawing on his experience as a consultant and science-fiction author, Clark demonstrates how classical narrative structure can bridge the gap between technical security initiatives and boardroom decision-making.
Original YouTube description:
PG - Aristotle In Security: How an Ancient Greek Can Improve Your Security Program - Mr. Brandon Clark, Chester Wisniewski Proving Ground BSidesLV 2021 - Camp Stay At Home - August 1 Video Tags: bslv2021-pg-aristotle, in, security-1036810
Transcript [en]:

Hi everybody, it's Guy McDudefellow, one of the co-chairs of the Proving Ground track here at BSides Las Vegas. Our next talk is Aristotle in Security: How an Ancient Greek Can Improve Your Security Program, by Brendan Clark, who was mentored by Chester Wisniewski.

Hello everyone, and welcome to BSides Las Vegas 2021, the Proving Ground. My name is Brendan Clark, and I'm the owner and founder of Triton Tech Consulting, and I'm thrilled that you are here with me today to talk about Aristotle and security and how an ancient Greek can help you improve your security program. Now, we all know that security is on the rise and a very important topic. Executives themselves are fully acknowledging this, as stated in Microsoft's 2019 risk perception survey, but we don't always get the support that we need or get the budget that we need. And so even as attention spans for some of the executives are maybe not as focused on the risks that they're presenting, we need to get better as a community at conveying the value and telling the story of security so that we can help get the budget and the executive support that we need in order to make our organizations as secure as possible.

Now, in order to do this, we're going to be focusing on Aristotle's six points of storytelling, or six elements of storytelling, and really relating them to how we can transition from the ancient Greek theater into the modern boardroom. We'll start with the spectacle and go all the way down the list, each one of these playing a different role in the presentation or the delivery of the initiatives and of kind of your sales pitch, whether you're a consultant or an internal resource just looking to build your program and make your organization stronger.

Now, before I get too far here, I probably should talk a little bit about why I am qualified to actually give this talk. And that is that I am a consultant. As I mentioned earlier, I founded Triton Tech Consulting a couple of years ago. And before that, I was actually at PwC for about seven and a half years. Now, that is my day job. And when I log off at five o'clock, I do go on to my second job, which is as an author of science fiction, fantasy, and, most relevant for probably a lot of you, cyberpunk. Now, the parallels between these two, there is some overlap, and I'll be happy to answer questions about either of them. But again, I am gonna be focusing on how we really take some of the elements of that storytelling and put it into more of a corporate environment.

So with that being said, let's go ahead and jump into the spectacle of it all. And when I say spectacle, I think the thing that a lot of people maybe associate with this is the big explosions that we see or the intro action sequences of movies like Raiders of the Lost Ark or The Dark Knight. I still love Heath Ledger as the Joker in that, you know, and yeah, he left us too soon. But for us to be able to take the lessons of Aristotle here, when he was talking about it, he was referring to kind of something similar, where he wanted to have people swinging in off ropes from off stage and really just trying to capture his audience's attention and imagination. And that's what we want to be doing here. When we talk about the spectacle, this is going to be vitally important for the first two to three minutes of our presentation or of our sales pitch, regardless of, again, if you're internal or external. The reason for that is that, just the way that I mentioned executives in the intro and how they have a lot of competing priorities, they also have the attention span that, I don't wanna compare it to a goldfish, because that feels like an unfair comparison to the goldfish, but you kinda get the gist here. We need to capture their attention and we need to be able to very quickly articulate the value of what we're providing so that an executive can get on board and start letting their own imagination run wild with what the possibilities may be.

There was a time where I was working on a project with a sports apparel company. And for the most part, the client was on board, but we were having some issues with stakeholders because we weren't able to have that clear articulation of the value and of why we were here. We were doing a threat model at the time and we had, you know, 200 or 300 different threat vectors that we were pulling information for and mapping things across. But when we got talking to this one stakeholder, we didn't, again, really clarify that or kind of give him direction. And so when we started asking about things like the intellectual property and the importance of that to this company, he kind of looked at us and goes, we make t-shirts. Spoiler alert: they're plastic. Because we didn't really give that spectacle, we didn't capture his imagination, help him understand why this was so important, he wasn't invested in the process and he didn't give us the type of information that we really needed. And again, it's the same way with the executives and maybe some of the other stakeholders that you're going to be working with. And so having that spectacle and throwing that out there is really, really important, because it allows them to get invested and it allows them to start thinking about the possibilities rather than some of the obstacles that you may be associating with your project.

Now, once we have their attention, the next thing that we want to do is really kind of build an idea, build a theme here. And what I mean by that is that we want to help set the expectations of our audience so that they kind of know what to expect out of our story, right? One of the most popular, if not the most popular, way to sell things in the security world is by telling a horror story, is by saying this is the risk and this is the terrible bad thing that can happen if we don't go out and do this, if we don't implement this solution, if we don't design this new architecture. And while that can be very effective, and we've seen it be very effective, it can also not give us some of the staying power that we may need for some of these longer projects. If you look beyond six to eight months, a lot of the time if you're selling based off of a risk or of a doomsday scenario, by the time you get to that six to eight month mark, your audience has probably had their imagination or their fear caught by a different type of risk. We've seen this a lot recently with things like the Colonial Pipeline breach, where we had a lot of people asking, you know, even just a couple of months ago, about anti-phishing and some of the breaches that had gone on over on that side of the house from a data perspective. And then suddenly it transitioned into ransomware and, oh my gosh, the pipeline's been shut down. How do we avoid that happening to us? Now, I realize that there's some parallels there and that there are some overlaps in that example, but it goes to show how quickly something can change from let's focus on phishing to let's focus on ransomware.

Now, the opposite of this is the rom-com, right? And is the happily ever after that we could be selling. And that is going to be focused on really the growth of the business or the opportunities that we're able to provide our business because of some of the solutions that we're putting in place. I've seen multiple clients able to break into new industries or sectors because they're able to ascertain certain certifications or just attest to the fact that they have done certain activities, and that's won them large contracts. This type of thing has much more, I'll say much more, attractive and long-term benefits. And so again, if you're looking to have a project that's going to be maybe a multi-year engagement or a multi-year initiative, having something that we can build towards a lot of the time is going to give us a little bit extra oomph when it comes to keeping people engaged and keeping this top of mind.

And then finally, the last thing that I'll kind of say here is the inspirational team battle, big action sequence, excuse me, type of movie, where we're all banding together and we're struggling and fighting towards this big goal. And when we look at these types of movies, what I'm really referring to is things like compliance a lot of times, because it's an all-hands-on-deck scenario. A lot of times we have to work across the organization and we have to all be fighting together to end up with this end state or this big certification, or again, this big stamp of approval from the auditors. Now, it's not to say the auditors are the bad guys, don't hear me wrong, but it does kind of give you that epic struggle in some cases. And so being able to, again, paint that picture and think about how am I going to communicate this can be incredibly impactful for your audience. So regardless of how you're phrasing this, or how you're framing this, I should say, be thinking about that tone and that theme that you want to be presenting. Are you wanting a horror movie that's going to be based off of the risks and all the bad things that can happen? Are you going to be painting a rom-com with a happily ever after based off of maybe the growth of the business or potential sales opportunities or revenue-generating opportunities? Or are we going to be looking at the compliance and maybe a little, a big inspirational... And if you find yourself riding the fields with the sun on your face, forget not, for you are in Elysium, or however the quote goes, you get it, right.

So with all of that being said, once we've actually gotten our theme, we have our spectacle, we have our imaginations captured, right? The next thing that we want to be looking at is the plot itself. And how are we going to be structuring this initiative in such a way that our stakeholders understand it and it makes sense? One of the things that Hollywood is often accused of is being creatively bankrupt, because we feel like they tell the exact same story just with different window dressing. And there's a lot of truth to that, unfortunately. There's only so many ways that you can look at the hero's journey. And if you're anything like me, and I'm watching the latest action flick, I can kind of guess, based off of where we are in terms of the duration of the movie, when something bad is about to happen, or if we think that there's going to be the epic meltdown and that we have to, you know, then go into the soul searching and the, you know, we have to go find the magic stone or whatever it is. And then we have our climax and we have our big battle, and then everything works out in the end. I understand that framework and I understand that sequence of events in such a way that it's easy for me to wrap my head around even some of the most far-fetched concepts in stories in Hollywood. When we're looking at an executive and trying to help them understand kind of how does this all fit together, this is actually a really important piece of it as well, because it can help them, if they're not technical or if they're not necessarily the most tech-savvy user, to really wrap their minds around kind of what we're trying to accomplish and how we're going to accomplish it.

A couple of years back, I was actually working at a client and we were looking at doing a big PCI payment redesign. And as part of this redesign, we were going to have to interview a lot of stakeholders. We were going to have to go and actually really get into the weeds of the business, and then come back with recommendations, help design the project, and basically take it from soup to nuts all the way through. When we first pitched this, we ran into some opposition because people didn't quite understand why we needed to be in the business and really down in the weeds for a lot of this. And it wasn't until we basically put it in the framework of we need to do assess and recommend, and then we need to go through a waterfall development cycle, and use some of those, again, structures and frameworks that people are used to, that people were really able to kind of have the light bulb go off and say, oh, now I see what they're trying to do. Okay, I understand what's going to be expected of my teams. I understand what kind of budget we're going to be looking for for something like this. Once we were able to do that, I'm not going to say it was smooth sailing, but it was definitely smoother sailing. And we were able to actually get the buy-in and ultimately start executing on that engagement.

Now, the other thing that I'll say here is that this is definitely a rinse-and-repeat type of cycle in some ways, because again, there's only so many ways that the hero can go on a journey. But there are times where it's important for you to understand when you need to break that mold and when you need to accelerate things or to put them in a structure that may not make as much sense at first glance. Think about Westworld, and I'm not going to spoil anything for those of you who haven't seen it, but let's just say that the way that that plot is structured for the first season does a masterful job of keeping you on your toes and helping drive the tension in a lot of those sequences. In the same way, we may be looking at it and saying, rather than going through a big, long development cycle, maybe we want to use something like Agile, get a prototype out and start putting things together and putting things in place so that we can be seeing how it works in real life. You need to understand your organization's community and culture so that you can understand when it might make sense for you to deviate from what's expected, or again, just be able to have a little bit more flexibility in the way that you're structuring that initiative.

All right. So the next item that we're going to move to is the characters and the cast that we're going to be bringing to the table with us. And I think that this is something that a lot of people overlook in both sales and internal socialization. In most cases, when we have an IT initiative or when we have a security initiative, we bring a lot of technical people and we try to wow our stakeholders with how whiz-bang awesome this solution is going to be. What we don't really take into account, though, is that a lot of the time when we are doing that, we're basically bringing the same skill set or the same perspectives to that meeting. Think about Batman for a minute. And let's be honest, he's the greatest superhero because he doesn't have any superpowers, and that's awesome. But the people that he then surrounds himself with and who he then brings into or onto his team are also all unpowered superheroes who are incredible martial artists and have acrobatics and just gadgets and whatever, right? But they're all kind of in the same power set. They all have the same skills. So the way they approach problems is very different than, for example, the Hulk and Thor and Iron Man and Captain America would, because they have different skill sets and they're able to bring different abilities to the table that allow them to tackle product, that allow them to tackle problems in a different way.

When we look at this from a real-world or a corporate example, a lot of times we approach a problem as IT people just from a technology perspective. And you've probably heard about the people, process, technology and all of this and how we design solutions. And we really aren't that good a lot of times at actually implementing that framework. So being able to take a look at that and really bring different skill sets and different perspectives can help us not only sell to our stakeholders more effectively, but it can also go ahead and give us the ability to look at a problem in a different way and maybe reduce costs or give the business a better experience, whatever it is, just by having those different perspectives, again, bringing some of those different characters onto our team. Avengers assemble, or whatever, fill in the blank, right?

Now, the other thing that is really important with characters, and if you are only going to take one thing away from this talk, it should be this. And that is that while you are an amazing superhero in your own right, you are not the hero of this story. Now, an example, the best example I can give of this is when we were doing a vendor bake-off, probably about a year ago, with a client for some different PCI solutions. The vendor came in and they had, I think it was, they had 30 minutes, and basically they started their presentation, and for 13 minutes they talked about how amazing their company was and how they'd won awards for best place to work and how they were certified and how their team was global and blah, blah, blah, blah, all this stuff. Again, very important information and very relevant to the conversation, because we want to know who we're working with. But because they didn't even really get to the solution or get to the customer's problem, the customer being my client, because they didn't get to that solution until almost halfway through the presentation, by the time they did, I was looking around the room. This was pre-COVID. I was looking around the room, and there was pretty much nobody that wasn't heads down in their laptop answering emails or looking at other things, because everybody just kind of zoned out. So you have to remember that you are not the hero, that your customer or your stakeholder is the hero. And when you're designing your solution or when you're designing your sales pitch or presentation, you have got to make sure that you are building it in such a way that that person feels like the hero and they feel like their needs and their abilities are being most considered when it comes to this type of work. Now, again, that is absolutely the most important thing that I can probably tell you at this, but there are a few other things that we still need to cover.

So I wanna look at one other area that we as security people, I know that I am very guilty of this, and that is the diction that we're gonna be using. And I love a good acronym. I love the alphabet soup that we throw around when we get into meetings. I can do it with the best of them, unfortunately, and I show that superpower probably far too often. When we're doing these types of presentations and roadshows to get funding for our projects or to be able to just, again, get people to care, if we lose them in the technical jargon and the acronyms, they will not see anything past the ones and zeros. We have to be able to put things in layman's terms and be able to really give the customer what they want in a format that they understand. When I was working one of my first gigs with Triton, I actually made a bit of a boo-boo here and got overly technical on a sales call. And at the end of it, when we had kind of gone through our whole pitch and said, okay, what do you guys think? There was a pause on the line, and one of the clients came back and said, I understood about 30% of what you just said. Needless to say, unfortunately, we didn't win that deal. And I've since learned that I have to tone it down and really be very careful about the diction and the word choice that I use for a lot of these calls. So be thinking about that as you're talking through with these stakeholders. Who's in the room? Is it HR? Is it finance? Are they going to understand the technical jargon, the cross-site scripting vulnerability that we have to address for PCI and the DTMF solution for whatever it is? Just tone it down. You'll thank me later.

All right, the last item that we have here is the melody. And while Aristotle was very clear in that the melody was the music and the sounds that were going on around us, I want you to think of it as the way that you are delivering your message. And so a lot of new presenters or people who are new to the realm of speaking in front of executives or clients, they start talking really fast, and it's really hard to understand sometimes, and they maybe come across a little bit more nervous, because you just don't really know what they're trying to say, and it's kind of, it makes me nervous just even doing that. If you contrast that with just speaking slowly, making sure that your tone is varied enough to keep people interested, and auditorily, or I think I'm saying the wrong word there, but using the audio of your voice to help draw people's attention to the important parts, you'll be able to highlight those in a more important way, or I should say a more focused way. Now, one caveat here, and something to be aware of, is that you can't make everything critical. And this is something that too often, if you have too much information on the page, can happen. If everything is critical, or if you're trying to draw attention to everything, nothing is actually important. Your audience will just basically put it all in the same bucket and just move on. So be very careful and very concise in your message and how you want to be focusing your audience's attention, both with the words on the page and with what you use in terms of the pauses, the highs and lows of your voice, and the attention and the time that you spend on any particular item or topic. And then finally, if you are going to be having a Zoom call or Teams or a virtual call, be looking at it. And if you have a big, important meeting, make sure that your audio quality is good. Again, most of us have had to deal with this for a year, but just something to be considerate of, because honestly, a lot of people will start tuning out if they can't understand or if it's hard to really understand what you're saying.

So that's the long version of this. If I were to summarize this, we have the spectacle, where we're trying to hook people's attention; the theme, where we're trying to give them an idea of what's to come; giving them the plot and the structure that they recognize; characters that are varied and diverse to solve the issue at hand; our diction and word choice so that it's appropriate for our audience; and then finally, the melody that we're using to actually engage our listeners' ears and help them really understand what is going to be happening as we put importance on different areas and aspects of our presentation. So thank you so much for joining me. I really do appreciate it. If you have any questions, feel free to reach out. You can visit our website at www.tritontechconsulting.com to see some of the services and get in touch with our team there. If you're interested in picking up a fantastic, and I'm totally unbiased here, but a fantastic science fiction or cyberpunk novel, be sure to go to www.cbrandonclark.com, where I do have some free goodies to give away there as well. But that's it for now. I'll open it up for questions on Discord. Thank you so much. I appreciate your time. And let's continue to build this fantastic community together. Thank you.