
Thanks much. Um, so yeah, so this is a slightly more unusual topic, but it is very technical in just a different way, and it does cover a lot of security things, so I hope you enjoy it and it helps you think about things in a slightly different way. Uh, this is all of my details; they're on the last slide as well, so no one cares.

What is psychological safety, first of all? You probably hear it a lot in, like, HR training, and no one really pays any attention because we're all cool in security and we like everyone, right? The amazing Amy Edmondson has a wonderful book called The Fearless Organization. It's been out for quite a
few years now, and I highly recommend, if you haven't read it, go read it. And this is how she defines psychological safety: the belief that the work environment is safe for interpersonal risk-taking. Now, we work in security; we know what risk-taking is. Do we know what interpersonal risk-taking is, though? With security, what does it mean? It means that you have trust and respect, not just between the co-workers that you work with on a daily basis, but with other people in the environment. So, for example, those people working in HR, those people working in R&D, those people working in comms, in the areas of distribution if you're in manufacturing, or the people that work the robots. It's between
everybody, not just the people that you work closely with. Now, most of the things that you hear about psychological safety really focus just on the team that you're in. It's done as, like, a leadership thing, so people who work for you feel comfortable talking to you and your boss is comfortable talking to you. But I'm talking about it organization-wide. We're talking about a culture here that spans an entire organization, and it means that people are empowered to speak up and be heard. That's the really important part: not just speaking up and then people saying, "Shush, don't talk now, now is not your time," or saying, "Sure, sure, sure," we'll never finish it, yeah, we're carrying on as is. People
listen to you. People go, "Huh, that's a little bit of a different take on there, that's a different perspective. We hadn't thought that through. We hadn't thought... that's a really worrying aspect of this idea that we had. Thank you for sharing that." And then the ability to sit back and go, "Maybe we should change what we're doing." And that person that speaks up hasn't been yelled at, they haven't been belittled, they haven't been told off, they haven't been fired, for those of us that work with American companies. They have no fear of raising different views, of challenging people's attitude, challenging their behaviors, and asking for feedback and getting real feedback. I'm sure there's quite a few people in
here who have asked for feedback from someone and they've said, "Yeah, looks great," and then you've gone on and it's actually really bad, you know, because that person's too afraid of all the myriad things that could go wrong if they gave you real feedback, right? And when we're talking about security, we need to be able to say no. And I know we don't like saying no because we don't want to be seen to be blocking, but there are ways in which we say, "Hey, that's probably not the best way to do it, should we try doing this?" and the people that you're working with go, "Okay, yeah, that's a valid reason for security purposes or for privacy
purposes. Yeah, okay, we'll do it differently," as opposed to you being so afraid, if you say no, that the entire organization is going to come down on security and say, "You can't say no, it must happen," even if it's accidentally breaking the law, because they don't know, right? So it's being able to feel safe in your space across the organization to say the things that you need to say, or that you feel you should say, even if you know it's not necessarily going to change anything but you want to have said it. You know, site safety, for example: construction sites. If you see someone not wearing a hat, most construction sites have a safe space now where you
can say, "Hey, you need to wear your hat because you could die," you know? And they've worked for decades to get people to a place where they feel comfortable saying, "Hey, you haven't got your hi-vis on, can you put your hi-vis on?" or, "Hey, you can't put that there because it's dangerous; you need to put something, like, around it, or you need to put your flags out or your cones out. You can't just put it there." And that didn't used to be the case. You know, think of all of the air crash stuff over the years where people have said, "Hey, I don't think that's safe. I think we shouldn't... we should delay the
production of this new door," you know? And we've seen it with all the Boeing stuff recently, when they got bought out and the safety has been slowly being eroded because the psychological safe space is no longer there. When people speak up, they get fired, right? So are people going to speak up? No. You see it in hospitals, where a doctor may be going around really, really busy and they may have forgotten to do a medication, and a nurse will say, "Hey, should we just put that medication on, because that's normally what we do?" without them worrying that the doctor is going to come and yell at them and say, "How dare you challenge my authority?" They're going
to go, "Oh, great catch, fantastic job, well done." Yeah, these places where you have life-and-death scenarios. I've worked in an industry where if you make a mistake, something could die, and if we go, "Oh, oh, we shouldn't have... we shouldn't have done that, can we go fix it?" they're like, "Oh, great catch, well done." Yeah, because you're in a psychologically safe space where challenging and suggesting is recognized and rewarded and encouraged, because there is no negative response to it. It doesn't necessarily always mean that what you suggest happens or that your suggestion is a good suggestion, but it means that you are able to be heard without fear of reprisal, and it means you can challenge bad behaviors, you can
challenge bad actions. If you see somebody being racist, you feel comfortable to say, "Hey, that is not okay. We do not say that, ever. Don't do it," you know, without the fear that that person's going to come back at you, whether that's a senior person, whether that's a junior person. If you see misogyny, that you feel comfortable to call it out, right? There's no negative repercussions. There should not be negative repercussions. If there are negative repercussions, it's not a psychological safe space. And again, I'm just bringing this... this is an organizational culture type of safe space that I'm talking about, and these are just really easy examples for us to hone in on before I start moving us into
the security arena. It's that power to say, "No, I think that's a bad idea," well, "No, I think that's unsafe." And failure is not bad; failure is an opportunity to learn. If you try something and it doesn't work, you go, "Ah, didn't work," or, "We learn stuff." That's okay, right? People go, "Yeah, no worries, crack on," you know, because you give people the opportunity to fail, you have much more innovative ideas; people grow better, people learn better.

We're going to dive into semiotics, and people thinking, why? Really, really important, because a huge amount of what creates psychological safe spaces is the language that we use, the imagery that we use, the facial expressions, and the way
we build people into our groups, and that is semiotics. Semiotics is the study of signs, and by signs I mean pretty much everything: the things that we see, like a road sign, but also the language that we use. The words we use, the alphabet is a sign, pictures are signs; everything that we see and we hear and we smell, it's all signs. When we're talking about semiotics, we have the sign, we have the signifier, and we have the signified. So we see the sign and it signifies a thing; it is a signifier of a concept, and the signified thing is what we get to. So if I show you a picture of a cat, that's the sign, the cat image
itself signifies, and then it takes us through and we see a cat in our head. We know it's a cat even if it's a one-line drawing. This is the fun thing that we always see when we're doing semiotics, which is the "it's not a pipe." This is not a drawing of a pipe; this is not a pipe. Is it a pipe? I mean, it looks like a pipe, but it's not really a pipe because it's a picture of a pipe. At what point does the picture of a pipe become a pipe and not an actual pipe? Is it only a pipe if it's real? You know, and it all goes back to Plato's idea of, you know, one real
thing and then copies in reality. But the sign is that linguistic unit, so if I say "cat," you know what that is because you've learned that the word cat means the animal cat, and that signifier is the word sign in the symbol that points to it, so that's the image of the cat that I talked about, and the concept in your head. And a fun thing for you to do now, anyone that speaks two languages: think of "cat" in English and imagine the cat, and now think the word cat in your other language. Do your cats match, or are they two different cats? Because depending on how you learned your second language, your French cat might be a
black and white cat that you saw on a flash card, and it's not a cat at all. It's a fun one to do; it works. And how you learn languages, you attach different mental concepts to it, and that conceptual landscape varies over time, right? So over your time as you age, and as the world ages, the things that we say mean different things, which is why certain words change meaning over time as the culture changes. But it also means that the word orange didn't used to exist; it was just red, yellow, and then all of a sudden the word orange existed. And if you go back to things like the Iliad and the Odyssey, there is no blue, so
all the sea is green, because blue wasn't a conceptual word at that point. So we build things into our linguistics as we go, and words have meanings, and some of us, like me, are very pedantic about using the right word in the right place because they have very potent meanings, very effective meanings, depending on what word you use it in and what context. Here in security, we have lots of words that have different meanings to what the general population thinks they mean, right? So that's what the word relational is on. We have subcultures. If I say bus, I mean a bus that has wheels and I can get on it and it's public transport. If I'm
in networking and I say bus, that is not what I mean, right? If I say fishing, I'm going out and I'm catching fish, right? If I say phishing in the security context, it's spelled differently, it sounds the same, but it means something else entirely. So a big problem with security is we co-opt a lot of normal linguistic words and give them other meanings, then get mad that other people don't know what they mean, right? Is that psychological safe space? No, it is not.

So this is a little example of how semiotics works. Audience participation time. Uh, what is this? Can anyone tell me? Yeah, timer is a fast or short time. What would you use this timer for?
Yeah, it's a stopwatch, right? We're probably timing maybe a minute or five minutes here. Is it the progression of time as well? We can see that the filled-in orange chunks mean more time has passed, right? And what about this? Time is passing, right, because of the little animation it does, the clock wipe, as it's called, because it's the clock. We know by that that this means time is passing. We use this in TV and film, you know, where you see the montages going; we know that that means passing of time. What about this one? Count, yeah. Is this the same or different time than the stopwatch? See, different, different time, right? So you're immediately able to, from
these very basic icons, identify that not only are these icons giving you time as the end of your signified, but they're different type of time, right? This could tell you board game timer, or this could be, like, life and death, an hourglass, death's hourglass; could be cooking, you know, whereas the other one is more attributed to things like sport, right? It's fast time. This is more sort of captured time; this is counting you down your time, right? It's all time, but it's different time, and that's how clever our brains are, and that's how semiotics works: it's the study of how your brain does this. This is the hardest bit of the talk; I promise it gets easier from here
on out.

If you type "hacker" or "cyber attack" into, for example, I used Unsplash 'cause I like Unsplash, this is what you get. It's men in hoodies. It's not very friendly. How many hackers do you know who are just men in hoodies that sit there like that over a laptop? A black hoodie as well, yeah. And the scary mask. I really love the scary mask. It's not even the Anonymous mask anymore, it's just weird scary masks. I was on a call the other day and someone said that all hackers have mansions and yachts because they're all financially motivated, so they want to buy mansions and yachts, and I was like, I don't know a
single hacker that has a yacht, and I feel like we should talk to our union rep and get us all yachts, right? And it's the perception within and without, all of who we're talking to, what they see us as and what we like to be perceived as, right? How many of us wear lots of hoodies at work because they're comfy, and that we're allowed to wear hoodies because our teams are chill and they're friendly and they have good psychological safe spaces, so we can wear what's comfortable to do our work? And now everyone thinks that hoodies were teenage hoodlums, then they were football hoodlums, and now they're hackers, right? So that's the public consciousness, and
those are the other people in our organization we work with. They think of this when you say cyber attack, when you say hacker. And obviously everyone here laughed because we all know that's not true, right? But they all think that's true. So we have some cognitive dissonance here between what security thinks is real and knows is real versus what the public consciousness of the staff and the rest of your organization think. And the media doesn't really help with the perpetuation of that, but it's a shortcut, right? If a normal person who doesn't work in security sees that, they go, "Oh, bad guy, I know what that means." So they'll keep using it because of the
semiotic shorthand, because it's much harder to say this person in a business suit, or this person with this massive that no one knows what it is unless you work in security, they're the person hacking you, or it's this 25 people in a call center, they're all the people who are attacking you. You know, it's much harder to get people to understand that because there's a lot more work involved, even if we know it's true. And we can apply semiotics literally everywhere, but my main things to focus on are: visual, the things that we see, the pictures we share, the icons we use; linguistic, the language we use. How many of us call our staff repeat offenders when we give them
really bad training? We're calling them criminals. Are they criminals? They're not criminals. How many of us say that the users are really stupid and they should never have done that, they should know not to download stuff off the internet, they're idiots? You know, we do that a lot. I personally don't, because I fight against it, but it's ingrained in security that that's okay to do and that's good language to use for people. It's not. We'll get on to that. Olfactory, things you smell; you know, a lot of us probably go no computers and we smell the nice burny electronics, like, oh, that's good. You know, things that you hear: how frequently are people hearing
you making derogatory comments about them, or using language in a way that you know they don't understand to make you feel smart, right? How many people have gone to learn a new hobby or learn a new sport and you have no idea what they're saying because all the language they're using super Nan custom? They welcome you in and they explain it. Do we do that? No, we like feeling special. And it deconstructs the signifiers of culture. Where you are in the world and what culture you're in, they have different associations. You mentioned the bus earlier, for the network bus is different to a public transport bus, but that changes depending on your gender, where you live, the culture you grew up in, the
languages you speak, the places that you work, the industries you work: those are all cultures that affect how you see and perceive things. People who are subject to more things like racism or genderism or just sort of anything that works against you as a minority or a prejudiced thing, you are more aware of it because you see it more and it affects you more. And those of us who are more privileged, we don't see it, because it's effort and we don't like doing it because it makes us uncomfortable. And there's a really important significance that is gained as soon as you start doing that. You can make a really big difference to people, because if you
understand the cultural context and the cultural conventions, and you understand that red in the West is bad but red in Asia is good and good luck and promising, and if all of your training says red is bad, you're confusing a whole half, if not more, of the world simply because you can't be bothered to make two different versions with two different colors, right? And it's how people make sense of the world, and if you are actively stopping people from making sense of the world because you like to feel smart, that's not nice. No one's going to want to work with you; they're not going to want to be collaborative with you as a security
team. And also, just a fun fact: how advertising works, it's how it makes you want to buy things, and some advertising campaigns are significantly more successful than others. If I say "just do it," you know exactly what brand I'm talking about. Great semiotics.

So what about security? We've touched on that a little bit. We are really bad at making security a psychological safe space for non-security people. I'm not going to touch on the internal security stuff too much, because like all places and industries there are problems, but I'm talking about the problem with organizations not wanting to work with us because security causes harm a lot of the time, and the actions that we make
and the words that we use and the behaviors that we perpetuate. Some of it's unintentional harm; some of it is very intentional harm. Every time you set up something like a phishing simulation that's really, really cool, is not good, because you're purposefully tricking somebody, knowing they're going to fall for it, so that you can yell at them and you can tell them that they're stupid and you can tell them that you are superior, and that is fairly intentional harm. I have other talks on that if you want them; they're on my website. We can create really bad environmental harm. How many of us have got really high-friction security ways of getting into things? How many people
have seven steps to change your password, or seven steps to log into a new device, because it's more secure? Yes, it's more secure, but is it easy to do? Are you alienating your users by making the security so impossible to do that they're just not going to do it, and then you're getting mad at them for not doing it? We have lots of bias in security towards different variations of things. You see this a lot in physical security, where a lot of the scanners only work if you're white, but they, like, get door scanners that go on veins in your wrist; doesn't work on anyone who's not white. Like, that's not okay. And we
have microaggressions. I've mentioned before calling people offenders and repeat offenders, and we say they're stupid, and we do that within our teams. The end users may not hear, but they probably will hear because of the way in which you speak to them in your emails or your calls or your Slack messages or your Teams messages. The tone that you use creates microaggressions, and we're really aware of microaggressions when it comes to things like misogyny, misandry and racism, but we're much less aware when it's things that we're calling people criminals. It's like, they're not criminals, you know? I used to work in prisons and probation and the Ministry of Justice and stuff. If you say
someone's a repeat offender, that's a very specific meaning of somebody who's actually in that prison right now, or someone who's out on probation. Why are we calling our staff that? None of them are criminals. They've just failed bad training that they were never going to succeed at in the first place. We have quite overt aggressions in security. We often tell people that they are silly and that they should know better. Has anyone ever tried telling them in an easy-to-understand way why they shouldn't be doing something, or, making that high-friction security I mentioned, gone, maybe they're doing that because it's too difficult, how can we make it easier? Can I make that really
heavy door into the secure vault an automatic door, so that once they've swiped their credentials it opens for them, and then no one's going to prop it open? Because if they're carrying stuff and that door is really heavy and they've got lots of stuff to shuffle, are they going to prop it open? 100% of the time they are going to prop it open. Are we going, "You're an idiot," or are we going, "Hey, we can fix that. Still secure; can put it on a timer, we can give it a door assist"? But we're making security accessible for people, and we're making it accessible for everybody. We're making it accessible and nice, and we're not telling people to their face that we are,
that they are stupid because we can't be bothered to put more effort into making it a better piece of security. How many people have got a really nice phishing button that they've trained their people how to use? And how... then have a really nice "good job"... how many of you then have a really nice template that says, "Great job, we really appreciate the work that you've done in reporting this phishing simulation"? That's two people. That's two. That... it should be everybody, right? How many of you have really nice templates for your SOCs that have been made by people like me, or you've pulled in someone from comms, or you've pulled in someone with skills, and those soft
skills, to say, "Hey, whenever we get this kind of alert, this is the way we're going to ask them"? Because we see that scary alert every single day. Every single day. To us it's not scary; we know it's not scary. That person, this is probably the first time they've ever seen you go, "Hey, we saw an unusual login from your device. Is it you? Are you on holiday? Have you taken your work laptop on holiday?" Yeah, we're coming for you, we're stalking you, we're watching you, right? That person's probably absolutely terrified, because they're at a conference, they're supposed to take their laptop, they're doing their job. Why are you making me feel
like I've done something really bad? Have I done something bad? I don't know. I thought people knew I was here at don't work conference, right? You can very easily say, "Hey, we get these alerts quite often. Usually it's if someone's gone on holiday or they're at a conference, and we just want to confirm that it is you, and if it's not you then we're going to sort it out for you," right? That person goes, "Oh, oh, they're helping me. They're not stalking me, they're not Big Brothering me," that they had to help, right? We have a horrible way of lacking empathy and simultaneously liking to feel superior, sweeping generalizations, I apologize, in security,
and is a problem because it makes us aggressive, even if we don't think it's aggressive, because we're not thinking from the other person's point of view. We aren't going, "Hey, you just broke a privacy thing, you're an idiot, I hate you, this is so much work for us to fix, we're going to have to report this, I can't believe you did that." You know, did they know? Had you done work with those project teams to know that if they're doing anything with this kind of data, need to work with your security and privacy teams? Have you got really easy user guides on how to do it, when to do it, what counts? You know, you go, hey, we
see you're doing this, we can help, and then you won't break any privacy things and we won't have to report anything, and that's good for everyone, right? You know, it's the way in which we do things. The security, we sit here in our little tower and go, "You're all stupid and we are God," and everyone's like, "Yeah, we're great, right? Oh, I saw what you did with that thing over there, that was really cool, I really like that, you should do that at a conference, that's great. That user, you see, they just downloaded a template off the internet, what idiots." You know, that kind of thing. Really not good. We all started somewhere. They're still at the basics. If
anyone asked you to sort out your PA, could you do it? No, I couldn't. Definitely couldn't. I can barely manage, like, doing my own accounts when I was self-employed. Like, it's hard. But there's a whole group of people called accountants; that's really easy for them, and they don't come across telling you you're stupid because you made a mistake in your accounts, right? They're like, "Oh, no worries, really easy to do, you know, it's really complicated." Or your tax stuff, or law things, you know, they come across... they're smart people, we're smart people; they're just much nicer about it. We really like scare tactics. We really love scare tactics in security. We love telling people the world is going
to end if they do something. You know, if someone downloads a template off the internet, you should probably... you probably do have a bunch of stuff that goes, "Hey, there's a malicious file, we quarantined it, we're all good," and yet you still feel the need to tell them they could have destroyed the company. You know, that's not good. They feel bad. They're never going to talk to you again. They're going to try and work out how you found it and do a different way so that you can't see it. You know, we use really negative language. We've talked about the repeat offenders already, but the way we call people stupid, and we have all of the lovely, the problem is,
you know, between the computer and the seat, all of the acronyms we have for calling people stupid without saying they're stupid outright, and then thinking we're smart, but no one can work out acronyms; they're not good. We love sharing war stories, and there are places for war stories, but those places aren't telling people, "I did this really cool thing and the whole thing went and exploded, and you shouldn't do it because, you know, I did a thing in a virtual environment that I disengaged this control so I could do it." You know, great, talking about Stuxnet: how is that going to impact most people's lives? It's not relevant. You know, we got loads of
ransomware war stories. Most people, at the end of the day, sitting at their desk doing their job, is there anything they can do about it? No. Is it useful to scare the hell out of them? No. If you scare them and you make it seem like you are people who are capable of doing those scary things, are they going to want to come and talk to you? No. And we have really negative interactions. If you deal with research and development teams, or you deal with, like, logistics companies, or you're, like, manufacturing and distribution, anywhere where you have a direct sort of project work with these teams, the interactions get really negative really quickly because they're
doing really stupid stuff; if they knew anything about security they wouldn't do it. It's like, okay, let's unpack that a bit. Do they know anything about security? No. Is it their job? No. Do you know something about security? Yes. Is it your job? Yes. Can we work together in a really nice way? And security go, "No, not going to do it." It's like, why? You know, it's going to involve talking to people, and we as an industry have a really, really... even worse than the tech bros, the security tech bros don't talk to anyone because, "Don't have to, I just do my stuff on my computer and I don't have any user interaction," right? And then everyone else
goes, "Yeah, but they're really bad at talking to users, so that's fine." You do realize that there are hundreds of qualifications out there in soft skills, for communications people, for people in HR, for people in public relations, for people in advertising, on how to communicate better, how to get people on your side, how to do well in difficult scenarios and situations, how to deal with, like, hostage negotiation in high-pressure scenarios, how to do high-pressure negotiation in, like, procurement and stuff. There's lots of qualifications out there, and yet security's like, "It's not security certification, I don't need it," and then continue to have really bad negative interactions, and then wonder why, two years later, those teams
don't talk to you at all. "Oh, they're probably fine, they don't do anything," and then a year later something goes boom and you go, "Why didn't they talk to us? We would have told them that was really bad." It's like, yeah, that's why they didn't talk to you. Can we see what's happening here? You know, we have lots of coded language, and I spoke about this throughout this to get it going, but we use lots of language that's really difficult to understand, because security, much like when you play Dungeons and Dragons, is a very specialized area with a lot of very specific words that mean very specific things and lots of very
technical sets of things that require very specific knowledge. Much like if I was to show you a page with an editor drawing all of the symbols, you would have no idea what it meant unless you have been trained in publishing as an editor. That's what security looks like to everybody else, and we make very little effort to make it easy to understand for people, to, instead of giving them a five-page technical blob, say, "Hey, this is the thing, and this is a fixy thing you can do, and then this is the solution," and people go, "Oh, I understand, that's great." We don't need all of the background. We love showing off all of our knowledge. We don't need
to do that. We can just say, "Hey, I see your problem, I have a fix, and this is what we need to do to do it," and make it as easy to understand as possible. People love it, people appreciate it, people will want to come back and work with you. And we use a lot of negative reinforcement. Um, I do a lot of talks on security awareness training education, where most of it's not actual training, it's not very good, and people love negative reinforcement, uh, where you just yell at people for getting stuff wrong and not actually training them. But again, we have that reinforcement in how, if someone reports an incident, instead of saying,
"Thank you so much for reporting that incident, we're going to look into it and we might get in contact to get more information," we go, "I can't believe that happened, you were so stupid, how could you let that happen?" You know, or if they lost sensitive documents: "Didn't you know you're not supposed to... you should always keep them with you all the time." So someone had their laptop stolen, and: "I can't believe you go on a train and let someone steal your laptop," right? No one gets on a train and purposefully has someone steal their stuff, right? Most of the time, if it's a work thing, much like in businesses where they say if someone comes in to rob the
thing, the till, that's the word, rob the till, they're like, "Just let them take it, because we don't want you to die," right? And whereas we're here saying, "Oh, that was really important." It's not like we can just remotely kill the laptop and wipe everything off it at the press of a button, you know; we have to make you feel bad about it. You know, we should be saying, "Oh, thanks so much for letting us know, we can sort that out really quickly. The fact that you told us immediately, great, they're not going to get anything, well done." Reward people. They're going to go, oh, what a great interaction, if I see something else I
might report that as well. And the more you have those positive interactions, the better you have. The more you have those negative interactions, the more you undermine not just the security team but the security of your whole organization, because if half of the organization won't talk to you, won't engage, won't collaborate, and won't tell you if something goes wrong, how is your security good? Just because you aren't seeing it doesn't mean it's not happening. And security for years and years and years has been digging itself into this hole where, if we can't see it, it's not happening, everyone else is stupid, we're great, we don't need to put any effort into fixing any of that, into creating a
psychological safe space so when someone says security they think all those people that are there to help me they keep me safe they keep my company safe they keep everything secure they are there to help us rather than going security they're those really horrible people that I don't like talking to because they make me feel bad and every time I've ever interacted with them I feel stupid and they yell at me I don't I don't want anything to do with them so this this horrible incident I've just not to not going to say not going to say anything just pretend it hasn't happened if I can't see it no one knows right and we reinforce those
negative stereotypes every single time we do it every single time someone in your team does it and every single time you do not call out someone in your team doing that you are reinforcing that that is the correct Behavior we don't build those skills because as an industry we don't appreciate them we don't give them value if people started giving value to those communication certificates that say Hey this person's really good at talking to people this person's really good at presenting things in a clear and concise manner if we start valuing them are people going to go and get those certifications of course they are security is a horde of people that love shiny certifications
right just put value on them and they're going to go and do them we don't use very nice language we alienate people with those coded languages those highly technical languages with the negative words that we use without calling ourselves to account and saying hey we shouldn't be calling them offenders or repeat offenders or idiots you know they're just people have we given them enough to succeed have we made a mistake could we make that door easier to open and not leave propped open and then automatically shut behind someone so they can't make the mistake of leaving it open right and it all feeds back into this superiority complex and the more superior we feel the more we undermine
the concept of security because not only do the organization not want to work with you but I'm sure you all know someone who you go ah that arrogant guy I don't really like don't really like having stuff with him we go oh it's that person on that meeting really don't want to go I'm going to have my camera off or we go oh I was going to go to the pub but I don't like that guy's friend and he's going to be there I'm just not going to go right that is the person that we are as security through everybody else we need to fix that we love leaning into the mysterious that comes back to like
the hoodie you know the secret secret dude in the mask doing more cool things you know people love Angus people love Angus Angus is our security mascot he's a cow he is wonderful he has his own mailbox people love asking silly questions to because I tell them that even if it's a silly question Angus loves answering it right Angus is friendly and lovely and has a little picture in his email signature people love talking to Angus right Angus is security oh I love those they're the really good training yeah yeah know I talk to security right you can tell who has done an Angus training and who has not done an Angus training right because they feel safe to ask a
cow question right that's where we all need to be and if your staff won't collaborate with you and they won't with you and they won't talk with you then you need to do something about it instead of going oh they won't talk to us you know and it just leads to loads of unreported incidents I've got loads of stats from lots of different places where as soon as you make it a psychological safe space people report more and you got to go this isn't more incidents are happening this is we find out about all of the incidents that have been happening and no one's been telling us about right there's a difference if you know about it you can fix it and you now
know about it we can fix it stop using horrible language call it out if someone says repeat offender say hey no we don't we don't say that here that's not that's not an acceptable phrase that we use whenever you see someone in your SOC saying that person's an idiot no they're not an idiot they've made a mistake they didn't know any better they're new they are not us we think that's easy that's not easy for them they are not us they are not security call it out challenge people on your team when you hear them using the bad language tell them it's not okay give them an alternative you know tell them to change how they think about the
people they interact with because that builds empathy we sit on a side of a computer and people sit on the other side of their computer really hard to have empathy when you can't see someone if you see someone on the floor in front of you in agony you have empathy if someone is doing that and you can't see them much harder to have empathy so you have to work hard and build the empathy and as soon as you start putting that as a priority in people like the SOC teams or the people that work with your developers and say hey have empathy with them they have tight project deadlines they have annoying things in their life that they
can't deal with they probably have annoying people that they work with every day that are pushing them to go harder maybe they're understaffed they are trying to do their best don't make their day any worse be there support them help them security is here to keep people safe to keep people secure in order to keep the companies and the organizations and the data and the product they make safe and secure the people are the ones that do all of the things no one would have any of the products any of the data the organization wouldn't exist if we didn't have all of those staff members working tirelessly even if it's just for the money every day we should be there to be
like we're supporting we're helping we're helping you we're supporting you we are here for you if you need us tell us we will come flying to your aid on the back of a dragon and fix it if we can and if not we'll find someone else to fix it right because that is empathy and that is support and that is how you create a psychological safe space across your organization to say hey we're here and we're going to help we're not going to yell at you we're not going to call you stupid we're not going to call you repeat offenders we're going to challenge every single microaggression that we see in our team to stop that
from coming to your team so whenever you feel like maybe you should be making a template for people so that everyone has the same tonal response to the same alerts do it get it checked over by someone from comms if you don't have a specialist and say hey we're trying to give this tone and this information does it do that they have huge numbers of qualifications professional comms people they're great and you can say can you look over it they'll go oh yeah yeah maybe change this maybe phrase this a little bit differently have you seen our style guide our style guide has lots of tips on how to write stuff and how to format things you can do that and it
makes a really big difference it makes such a difference if when you're investigating an alert the person is on your side and willing to help rather than you pestering them and trying to fight them for information if they feel like you're helping them they're going to give you everything you want if they feel like you're attacking them they are going to shut down and they're going to lie because they think they're in trouble even if we know they're not in trouble we're just trying to find out if you know the computer's in America and it's supposed to be in the UK I'm at a conference okay cool great no worries you know that person doesn't know that
we have stuff that automatically flags on the devices right they think you're there staring watching them because that's what people see on the computers on the TVs in the films where they go I'm in you know we need empathy and if we can change the way we react to people and we can improve the way we react to people and make it positive and inclusive and friendly people react differently and people feel comfortable and they feel safe and if we change those templates from being three words really aggressive into sort of a paragraph of hey it's all good we're fine just check in you're good great and if you're not good we'll fix it it's good people feel much much
happier that the security team are there to help them and that they're not stalking them and trying to find a way to get them fired offer post incident support if somebody is part of an incident why doesn't someone on your team go and set up something with the Masters and say hey we see you've been a victim to this we fixed it all do you need anything from us would you like us to give you some extra training would you like some extra support feel free to send anything you're worried about to us we're here if you need to talk we've got these support systems for usually HR have a lot of you know employee support things tell them
about them you know say you want to talk to someone we've got a free counseling service through our HR team they're here for you make better training not just your own users but for the teams that you work with and for your actual team put value on those shiny comms certificates put value on people having better empathy and soft skills and give actual training if you're going to do awareness and education make actual training not just like yell things again if you want more I've got more thoughts on that but give people actual training so that instead of going oh why didn't they know you can say oh our training must need updating because they have
done the training and obviously hasn't worked we need to fix that and hold your security teams accountable for being horrible to people and for using negative language and for not making the effort to improve their communication skills because it is not hard and there is lots of support out there for them to do it it is on those of you that work in teams and that manage people and that run systems to say it's important and say hey I asked you last year to improve the way that you speak and the tone that you use when you're talking to developers why why are we still having the same problem of you making them upset you know there's a problem here
fix it and then listen to people if you listen to people you can find new solutions go back into that door example why is that person propping that security door open what is the problem there with your security how can you make it better how can you help them because the more people see you doing that the more people will come and say hey I think this is really frustrating for us as a team on the security side is there any way you think maybe we could we could change it here's our use case can we change it can we make it better you can't always say yes sometimes it's just the security is annoying and high
friction and there's nothing anyone can do about it but if they know that you've looked and you've tried they're going to be way happier to say okay I feel like you've made an effort here and you haven't just shut us down and you'll probably find a whole bunch of really weird things that you didn't even know was a problem that in you fixing you just made a whole bunch of people's lives way easier and they're going to say hey last time I worked with the security team they did this and it was great fixed it right up super fancy you should go you should go talk to them it's fantastic you know just making the
onboarding and off boarding process better you know how many people just send someone a laptop do they also get sent a little document which explains how to set it up separately or who the contacts are if it won't work anyone do that just me think about it little little things that you can do to help people feel like the security team is there for them so if we can make all those changes stop calling people idiots and repeat offenders how does that help the organization how does it help security but it builds trust not just between the teammates that you work with but with the people outside of your team outside of security it builds trust in all of
those chunks of the organization that are not security with security security is not blocking they're helping if we scheduling this much time they'll get their stuff done and they'll help us out make it better instead of going oh I don't like them we'll just give one minute at the end and then oh no we have to make changes no you suck right is that they didn't want to engage with you 3 months ago and they were building it you know you get more people reporting things you get way more reports and what you get is way more reports as well as near misses if people know that you like that and they're going to get a well
done for almost but not quite that's fantastic here have a sticker they're going to do it and that's great for your reporting stats and it's great for finding areas of problem in your network in your infrastructure and in the way that your security systems are built you have better collaboration across teams you have less of that oh this seems so annoying to work with they don't listen to me and you have better cooperation when you're investigating things that need investigating because your end users are happy to give you the information and they don't feel like they've been put on the spot and that they're in trouble they will work with you they'll interact they won't cancel
that meeting four times because they think they're in trouble and you're just trying to find out like where they were and they go oh this could seem they're going to yell at me I'm going to lose my job I'm just going to go to the meeting yeah that's fine no one's going to notice you know whereas it's where they go oh great yeah yeah cool yeah I'll do that here's all the information I have here's how I booked it here's where I was this is you know the hotel I was at and you're like that's way too much information but great they're they're giving it to you you have better well-being in your staff if there's
better psychological safety everyone feels better because people work better together people feel better people are more encouraged to do their job psychological safe spaces have got loads of studies that show that people learn better when they feel psychologically safe and that you grow things better because people ask questions people ask any question they like they stop going I'm going to look stupid if I ask that question they just ask it hence you know people Angus gets loads of brilliant questions from people and it works for your team as well because if they start asking questions or start answering questions that people ask it unlocks huge areas for you to go oh I didn't even know
people had a problem with that you know how many people have got biometric systems on their laptops that don't work so they have to type in all of their stuff but they never feel like it's something they need to tell you about right you can probably fix that real quick really easy right very easy fix but if they don't tell you how are you supposed to know so as soon as you start building that collaboration not only can you grow the products that you're doing and the security systems that you're building but you grow relationships and those relationships are really positive and people collaborate more and you end up with this wonderful thing where security instead of being this annoying
gremlin at the company that no one wants to work with becomes a part of everything and people talk to you early and they let you know when they have problems and even if you suggest something that can't be done because it costs too much money or it's too difficult to implement on the stuff that's already here at our company well you know maybe next year at least you've suggested it and people have thought about it and then they've made the decision if people can't make those suggestions everything goes horribly wrong if we go back to those early examples on the construction site and in the hospital if that person didn't feel comfortable to say hey you should be
wearing your hard hat that person is walking around on a building site with no hard hat and we know people die because stuff falls down on construction sites and that nurse saying hey I think you might have forgotten to assign this medication to that person they could die if that nurse doesn't feel confident and comfortable and safe to say hey I think I think we forgot something right and because we sit with computers we we lose that connection to how this impacts people's lives and we just need to work a little bit harder together so thank you we need to be the change that we want to be in the world and I say we
need to be nicer to people and build the psychological safe space so that instead of digging a hole we can start filling it in we can build it up we can be on the same field as everybody else instead of just mining towards the center of the earth for no apparent reason and it's small things that you can do and there's big things that you can do but just do something even if it's just stopping calling people repeat offenders um I'll be here all day if anyone wants to chat with me I have loads of talks on my website I have annoying ranty articles on LinkedIn and on my website and I do do talks if people want them but I hope
you've enjoyed it and found it useful like I said it is technical it's just not the sort of technical that you're expecting thank you
yeah at what stage would you consider it worth basically firing someone amount of mistakes that they make and be given someone training is what's the threshold that you Curr um that's great dependent on what they're doing like it's very easy to say if someone's being repeatedly racist or misogynistic the HR team will have a list of things right so I'd say work with the HR team to say hey here are a set of behaviors that we think are unacceptable how does that fit in on your Matrix and then that means that you have a really solid system so someone repeatedly is doing you can say hey here's our Matrix of unacceptable to acceptable behavior and
you're here we need to move you here or something's going to happen you'll get a warning or you'll get a science training or whatever so it follows the same process as if you see someone making microaggressions you know you assume that they just don't know they're making microaggressions and you give them the training to say hey microaggressions are a thing you should stop doing that we should be using block list not Blacklist you know and allow list not white list it's really easy to do as soon as you think about it and it's those sorts of things that if you treat it in the same way because it's exactly the same thing you know you're basically identifying
people as criminals when they calling Ines for no reason whatsoever right so it's a case of working with the people that have those Matrix of what is acceptable versus unacceptable and creating something that fits space more questions yes do you have any thought about do you have any tabletop exercises that help with these there are lots of tabletop exercises um you'll probably find weirdly a lot of them in comms and HR departments and in hostage negotiation departments where hostage negotiation is very much built on de-escalating and having good clear communication so that people don't die so they they are around and about they might not be called tabletops they'll probably be called hypothetical scenarios and you get lots like pages
and booklets of them say here is a scenario you are the manager what would you do here is a scenario you are the employee what would you do and you can just sort of swap sets of words out um especially if you're challenging language you can put up scenarios where you have someone who's speaking and be like hey you missed a chance there to call out this language yeah yes is there a good way of communicating risk to end users yes I love I have a really fun one uh most people don't know what risk is or risk appetite or risk tolerance if you tell people you have an insurance where if you break a bone you get money and
you're going to cross the road and there's a car coming are you going to cross the road people probably say yes what if you don't have insurance and you don't get anything if you break any bones are you going to cross the road if the car is coming up like no okay what if I tell you you're going to break two bones and you're definitely going to get hit by the car if you cross the road but you're going to get £100,000 are you going to cross the road a lot of them are going to say yeah what exactly what you find is some people will say which Bones and you say you're going to break your arm a lot of
people will say yes if you're going to break your leg a lot more people are going to say no and those tend to be people that need to do physical things like they've got kids or they have partners or they have animals and having a broken leg is really difficult right you go okay right this time you're going to break four bones but it's going to be a million million pounds that you get are you going to cross the road and people kind of get fours quite a lot right and then you you see people start doing what you're doing like me I don't know right and you go that is risk right you understand that
if you get hit by a car you'll break bone that is the risk and the appetite and the tolerances is how many bones are you willing to break and how much does the money have to be for you to break them and that tends to get people on the idea of I understand what being hit by a car is and I understand the appetite and the tolerance like I might be happy to get £100,000 for breaking my arm but not if it's my back um guys we got short break now do you want to do one last one talk afterwards okay thank you all so much now