
Being Right Is Just The Beginning

BSides Leeds, 28:38, published 2023-07
Speaker: Lee Hall
Style: Talk

Transcript [en]

Well, thank you for choosing me over lunch and/or Docker. It's nice to see a reasonable crowd. So this is Being Right Is Just the Beginning, and it's a talk with a caveat, which I realized I needed to add quite late into writing this: it's very much not a talk about politics. Now, that kind of binds some of you, maybe, because if you get up and walk out now we know you're a bit of a fascist, so sorry about that. "I came to the wrong talk." I'm Lee Hall. Three things to go with that slide: one, it's not a recent picture; two, darkness is my color; and three, what's that job title about? That's the full one. Let's not dwell on that; we'll stick with this one.

I wanted to talk a little bit about our industry, and don't worry, it's not that talk, I'm not going to do that. I wanted to talk about the superheroes within our industry. As Glenn introduced at the beginning of the talk, the lineup today is incredible; we've got superheroes amongst us today. We are a reasonably small industry, and we've got the superheroes, we've got the rock stars. I've just heard the detail coming from the last talk about incredible things that have been written by people here today. The keynote we had this morning, with two more to follow today, again, an incredible lineup that we've got. That's one of the best things about our industry, actually: because it's so small, it's kind of for us to do. No one's going to come in and do it for us. We have to make the moves here. We can make the changes, we can see the problems and solve them. This is all on us.

Where that becomes a problem: you have the superheroes, who are obviously brilliant, but superheroes can kind of go wrong. It's when people see the behaviors of these superheroes and they just see the smarts. They see the people solving the problems, they see the people giving these great keynotes that explain deep insight into the industry, and they look at that and become partially inspired by it and say, "I'm going to be like that." But they don't quite get there; they fall off the track on the way. These imitators effectively think that the smarts is all you need for this: "I'm going to spend my time just being the smart guy, I'm going to be the smartest person in the room." And that aspiration to being the smartest person in the room is where we start to come a little bit unstuck as an industry.

I guess the key thing to start with is that the whole smartest-person-in-the-room shtick doesn't work. Now, I'm sure you've all experienced it in your respective industries. It's the archetype of the curmudgeonly security person sat in the corner of the room giving out the smarts, owning the room, belittling the people who don't get it, who don't understand the security side of it. Everyone in the room is familiar with that person as well, and despite all their smarts, they broadly get ignored. It leads me to wonder what it's like for them when they leave those rooms. Having known a few of them myself, I like to imagine it's kind of like this when they leave the room: "I'm smart, I've done the research, I know what I'm talking about, but why am I being ignored?" And that leads them to being angry and bitter, and that feeds back into the cycle. Now they're smart and angry and ignored, and it just keeps going, it keeps going, it keeps going. "I did the research and I'm right." And it's not that anyone's even saying they're wrong; what they're actually saying is, "We're not buying your message." So it leads to the unholy triangle of yesteryear's fallen security supervillain: smart, angry and ignored. Like I said, I'm sure we've all experienced these people; I've worked with many of them over the years. And what's the missing piece to this puzzle for them? Why are they ignored, leading to them being angry? Because we're not questioning their smarts. It's fundamentally lacking that ability, or awareness, that they need to convince other human beings to see it their way. As far as they're concerned, they're smart, they've done the research, this is a solved problem. But as the talk says, being right is just the beginning.

So let's get going with it. Security costs money. Infosec costs money. Most of us don't work for security companies. We're not pursuing perfect security, if there were such a thing to pursue. We don't have infinite money, we don't have infinite time. It's all about trade-offs. Ultimately, what it comes down to is an economics problem, and then it comes to this crucial question that, actually, not enough people really consider as they work through their security careers: is it cheaper or more expensive to do what I say, as the security guy? In most cases we're going to find that the answer is "more expensive," and if I weren't only six minutes into this, that would be a really weird place to end the talk: "Hey, it's more expensive, guys, we can't solve this one, good job." But we can. So how do we change the costs in the equation to our benefit?

Now, for the guys who couldn't leave at the beginning because of the caveat slide, this slide is your get-out-of-jail-free card: I'm going to talk about behavioral economics. When I joined Sky Betting and Gaming three and a half years ago, Flutter UK and I as it is today, one of the onboarding perks was that you got to select a free book from a pre-selected library, and I selected a book called Nudge by Richard H. Thaler. Highly recommend it; I seriously recommend people read the book. What I'm going to do is take three of the messages from that book today and look at how they can be applied to the problem I've just described, of smart and really ignored. Three takeaways that can help us here.

Number one: choice architectures. What we're looking at doing is nudging people towards making decisions, crucially without taking away their freedom of choice, without taking away their feeling that they are making a choice here. Now, choice architectures exist everywhere in day-to-day life. This book has been very widely adopted globally; you'll see it in government work, council work and in industries across the world. When you see a price that ends in 99, 4.99, that's a choice architecture at work. You're not being told it's five pounds, it's 4.99; that feels cheaper. That's a nudge that we're all familiar with; we see that all the time. What we're talking about, essentially, is presenting choices to people with the right choice laid out to be easier. That's what those choice architectures essentially boil down to.

The next message from it is about the power of defaults. Now, this was something that came up in the first keynote today, around defaults on SMB configuration. People don't change defaults. By and large, people don't change defaults. This room is probably an exception, because we've got a kind of hacker community here; we play around with the defaults. It's one of the criticisms that's been leveled at Microsoft over the years, for instance, that the default settings for security out of the box could be better, and most people aren't going to look into them. The power of defaults is massive, actually, and this is an example of what we've seen in government, in healthcare. If you remember back a few years, organ donation used to be opt-in, so there was an action that you had to take to opt in; the default was opted out, and however positively you thought about organ donation, you had to take an action to be a part of it. Some people did; the system worked to an extent. Well, they switched it. They switched it to an opt-out model. People don't play with the defaults. A handful of people probably said, "This is organ harvesting," or some kind of conspiracy; most people just let it go in the background, and now we've completely flipped a problem that the NHS had, for free, by just changing the default. People don't change their defaults.

And then the third one is making complex decisions easier. So what does that mean? We tend to enter the conversation to solve security. If we're presented with a project, a business change, whatever the challenge we have, we go in there and we talk about solving the security problem. That's too big for the rest of the audience in that room who aren't in security; we're just being esoteric weirdos, indulged in our own workspace, and they don't care what we're talking about. Instead of saying "let's solve security," break it down into smaller, simpler problems. Let's say we're going to solve for identity, or better still, we're going to solve for authentication, or better still, we're going to solve the problem of the IdP that we authenticate against. There are fewer variables further down the stack, and it's easier for us to stack up what's happening with these choice architectures so that we get the outcome that we're looking for.

So what did we do? This is where we're going to talk a little bit about what we've done specifically at Sky Bet, and Flutter as it is now: security patterns. Patterns are not something we've invented; they're very common, seen across the industry for years. There's an Open Group documentation standard on patterns. It's something I've been involved in a few times in a few different companies, and if I'm honest, they tended not to work. Every time we went through the process of trying to get patterns set up, it started with great ideas, the reason for doing them made a lot of sense, but they always became shelfware. They always became theoretical constructs that, again, a bunch of smart people spent a lot of time working on but were broadly ignored, because that's why. So what did we do differently?

The way I talk about the patterns is: it's the selective relieving of friction. Security is a problem; it's a friction. It adds friction to things that are changing in the business and to ideas that people want to implement. Security is hard. We can selectively make the bits we're interested in a little bit easier, and that's the crux of what we're doing with the patterns. We're saying: you've got a whole bunch of hard problems to solve; why don't you do it this way, where we've taken away all the pain, and that just so happens to be the most secure way, the way we want it anyway. That's the crux of it.

The second thing that we did, which made probably the most difference: if you think of a normal security pattern standard, it states the problem it's solving, goes into the detail about how to solve that problem, perhaps gives some options and alternatives, talks about the trade-offs of doing one or the other, the implications of making the choices. What we added to the bottom of that was that we mapped the compliance requirements for our industry, for the area that we were working with, into the pattern. So what we effectively did is turn the conversation into: you can do it your way, and compliance is your problem; or you can do it our way, and compliance comes free. So effectively, we weaponized compliance. That's a big deal, because ultimately security can kind of be ignored. There aren't many examples where a security breach leads to a company ceasing to exist. Then think of some pretty catastrophic scenarios: if my company lost the ability to take a card payment because we weren't compliant with PCI, that would be existential; lost a gambling license because we didn't meet the standard, again, existential crisis. The compliance levers are there for us to use. And think back to my essay of a job title: I've got both architecture and technology, or technical, compliance, so that gives me the opportunity to mold those two things together and start to take the advantages from doing that.

So if we summarize the three points. Choice architectures: what we're saying is, you can still do it your way, but don't forget to solve the whole problem. We've solved the problem for you in a way that we like, but you can still do it your way; just don't forget to solve the entirety of the problem. Don't forget that this is not just a technology problem; it's a people, process and technology problem. It's got compliance elements to it. Solving the fun technology part of it, as certain developer or engineer crowds might want to do, doesn't solve the entirety of the problem. We're working for a business; we've got business context to wrap around this; we have to solve the whole thing. Use those choice architectures and nudge people towards the direction we want to be going.

Power of defaults: take away the tyranny of choice. That's a phrase that I got from Professor Scott Galloway, I think. It's a really, really interesting phrase. People don't want choices, by and large, was his theory, and it kind of stacks up. They want easy defaults, they want defaults they don't have to fight, they want defaults they don't have to argue with. If the pattern represents the right choice, the easy choice: it's still important that we present the choices out there, but if we've made the right choice for them in advance, then when they ratify that choice they feel like they were part of that process and they got what they wanted out of it anyway.

Make complex decisions easier: so, like I said, don't solve security, solve the next level down. Solve identity, solve authentication, solve which IdP we use; go down into the detail. The current phase that we're working through on the pattern side of Flutter UK and I is taking some of those patterns that sit in that library, going down to the control objectives level, going down to the actual component parts, and saying, how do we solve each of these little bits? That starts to become really useful for our front line, for our consultants, who are seeing wave after wave of different solutions, different business problems being presented to them. Instead of there being this preordained pattern that solves everything (we do have patterns that get reused quite often), they've got a component library: I want to use one of these, one of these and one of these, and they're all on the shelf and we can hand those over. The other advantage that comes packaged with that is that we just speed things up a lot. My architecture team is not a big team; there are only three architects. I can't scale that across a business of 20,000, with all the change at the time, at least. We have to find ways of speeding that up.

Back to the idea of being right is just the beginning. This is something that Glenn tweeted about a long time ago, going back two years now, and this whole smartest person in the room thing: we need to stop being the smartest person in the room and start being the most helpful. It's a good premise to start from. Instead of being the security curmudgeon in the corner who's both right as well as being angry and ignored, start trying to be helpful. Start trying to figure out what security can do to solve the business problem, so that it's not an us-versus-them, it's not "can security score some points in the skirmish." Solve the problem with them. Move from the smartest person in the room to the most helpful person in the room, or do it in a smart way: do it in that way where we're still presenting the choices, we want you to make the choices, we want to work with you, but we kind of want you to make the right choices, and if we make that easier for them, that's how we win this one. Thank you.

[Applause]

Any questions? Yes.

[Audience question:] I'm curious about your opinion on the ones who find problems with your solutions, or who don't see the whole picture. In your opinion, how have you battled that?

Yeah, that's one of the challenges that we've faced, really: those people are still in the room with us, and they are still playing the "I've got this figured out, I'm the smartest person" game. You kind of have to solve that, from my experience, in two different ways. One is you can't throw them under the bus; it's not really fair to be using them as your counterpoint directly. You kind of can't stop them playing that game either, so you entertain the amount of time they're going to get in that conversation, and you take that and say, "This person is right in what they're saying, but..." and then you pivot that conversation into: we're not tearing chunks out of this; there's a better way of solving it. And again, back to that: we can solve this problem; it's not a security problem, it's not a business problem, it's a problem we need to solve together. You kind of have to let it play out a little bit. I've certainly seen it. I've had, over the years, some of these smartest people in the room work for me as well, and you have to just take it as showing them a better way. Being angry is no one's preferred state; most people's first state is not to be angry. Showing them a different way that can work, where having done the research and been right, they can convince a room of it, that gives them a growth path, that gives them a way out of sitting in the corner despairing why you can't get your own way. That's the way I've played it in the past: just gently put an arm around them and show another way, and let them realize and come out of that. And again, that's applying the nudge thing: I'm not going to tell you to stop behaving that way; I'm going to show you another way, and it's the right way, it's a better way, there's less friction this way, why not try it and see the results? Not in 100% of cases, but in some cases, that's improved other people's experience and outlook as well.

[Audience question, partly inaudible:] ... Do you have any recommendation in terms of working with organizations ...?

So he's saying, what if that organization doesn't have compliance requirements? Yeah, okay. So in almost all cases, I would suggest that there is some compliance or legal framework that a company is going to need to be working with. Take the GDPR as a general catch-all; that's probably going to give some leverage to basically any conversation. So I would start to look a little bit wider for that leverage, and start to pin it to your industry-specific legislation. I know, for instance, we've got the NCSC publishing standards for small and medium enterprises to work towards in security; that can be a good place. So again, that's not saying, "You have a security problem and you're going to thank me about it"; that's saying, "This is government recommendation for basic good practice," and that kind of external leverage can help as well. Instead of it being "the smart guy in the room says so," the government kind of says so, and that separates you from the black and white, the right and wrong. It's a third party suggesting this is the way to work; that can work in your favor there as well.

[Audience comment:] Insurance.

Yeah, yeah, another great one: insurance. I'm not even sure where the insurance industry is with this kind of stuff at the minute, but they've been going through some real problems recently in trying to figure out how to insure companies on the cyber front. It was the magic money tree a few years ago, but I think they've more or less worn that out, so they're having to crack down on that and get a lot tighter. And that's where you take it back to the previous question: that's where things like ISO 27001 can start to come into it. Everyone's basically singing from the same hymn sheet; everyone's basically asking for the same thing.