
talk about helping styles in cyber security. So Aaron, take us away.
>> Thank you very much.
>> Well, good morning. Great to see you all for day two. Uh for those I haven't had the pleasure of meeting or haven't read the speakers notes because they're just here for the CTF for the swag. My name is Aaron. A little bit about myself, I'm part of the application security team at Korea where we build cyber safety software for children. Uh before that I was a software engineer before making my way into AppSec. uh mainly web apps and all the fun stuff like that. Uh before making the internal switch to security within Korea. Uh and now I am currently studying
chaplaincy uh which is a great thing to do when alongside full-time work as I'm always got all the time. Uh but this is where the idea for this talk came from. So I'll touch that in a second. Uh and finally this is my first time speaking at conference. So any feedback after the talk after the conference would be great. Thanks. Thank you. So uh as mentioned I recently started studying chaplaincy uh because it is kind of relevant to a lot of the volunteer work that I do and I admit it's been a major shift from sort of technical knowledge to how to care for people. Within the course content, I've been introduced to a concept called helping
or the helping styles inventory which was created by Peter VanKatwyk. Um 1988 it was created and refined in 1995 and it's basically for carers how to provide or framework how to provide care to people that are in front of us. So it's a model to help carers such as chaplains or counselors or whoever uh helps workers uh to care for them. Um, it kind of describes different ways that we are able to try and support someone. And everyone has a default style that they may use or may have, but understanding how you can switch your style a little bit allows us to help serve people well. And now I want to see how we can apply this to cyber security.
At the core of the model is the idea of self and relationship. In pastoral care and counseling, we are the resource. And I think this actually really maps well to cyber security as well. Us as cyber security engineers are subject matter experts. We are the resource that we can provide to others. So to understand how we can apply this to security uh let's construct the model step by step. On the horizontal axis we have what is called the focus of attention. Our attention can fluctuate between being focused on a person and then or person experiences or being focused on a task. In counseling uh chaplaincy would cause tasks like a problem such as anxiety, depression. On the vertical axis we have
the use of power which on one end is being directive so instructing and telling and the other end we can be facilitative emphasizing the person affirming them and allowing them to draw on their support networks and experiences. Now each of the quadrants have a defined helping style which we'll dive into in a sec and each style has certain elements or actions associated with it. So in the middle here these are kind of the actions that you're taking from here. Let's dive into each style. Starting from the top right and going clockwise, we have the guide. This is the person. This is someone being person oriented but also direct. They are the ones informing, coaching, directing
others. A few examples will just be Dumbledore or Alfred Pennyworth. Uh both directed people that they care for. In this case, Harry Potter and Bruce Wayne. If you didn't know, be surprised if you didn't, but they rather guide people. For example, Alfred reminding Bruce of his humanity and his duty. The celebrant is someone who's all about connecting with and supporting and empowering people. Phoebe from Friends is an example of this. But I think this is best summed up by Mr. Rogers. He connects with and affirms every person. And just as an aside, because I really love this example, um when African-Americans were
not allowed to swim with white people, Mr. Rogers invited François Clemmons, aka Officer Clemmons, you can see down the bottom there, uh a black man to cool his feet with him, tackling racial inequality by connecting with and affirming Clemmons's value as well as empowering him by assisting with his musical career. But I digress. Moving on, we have a consultant who is focused on the problem but helps others by attempting to empower them to make a difference. Uh they talk things out. They help explore and collaborate with others. Lucius Fox from Batman is a good example. He's task oriented so he's focused on the problem while providing Batman with the abilities to solve the problem. Another out there example is
Dr. House. His differential diagnosis in front of the whiteboard sessions where he explores diseases with his team uh and kind of finds the solution to the problem aka the diagnosis is a consultant style although I don't want to hear from anyone complaining that HR got annoyed at them because you just belittled your teammates while trying to do this. Don't copy House, be nice. And finally the manager. They focus on the task and are often instructing over facilitating so they suggest, advise and at the extreme end instruct others what to do. You got Nick Fury at the top there telling people what to do in order to complete the task at hand or a real
world example would be Gordon Ramsay. He uses highly directive albeit colorful language to get the task of managing a kitchen and serving dishes accomplished. So that's a high level overview of the model. Now that we've defined it, we can start applying it to our relationships within the workplace and cyber security. However, this is where the usage between carers and engineering start to split. In pastoral care and counseling, in one conversation, we may flick between different styles. An example of this, just to give you an insight, is an example we were given by um our lecturers of a counselor making eight statements back to a client uh scored all of his statements like this. I think
that's outside of scope for this today. Um but I do want to talk about how we can use this as engineering managers uh working in the workplace. So focusing on us as engineers understanding that we are the resource that can be used to help others allows us to become force multipliers. If I'm the only one that knows about SQL injection and please forgive the bad example. Uh if I spend my time reviewing code and adding parameterized queries, I would spend most of my time at work doing this. However, choosing instead to share my knowledge means that vulnerabilities are not written in the first place or that others can fix them when they find them. A much better use
of my time. I've managed to take my resource and multiply the effect. Now, I just want to stop here to clearly articulate why this is important. If you are in a small team like I am that has a lot of stakeholders, you have developers to train and coach. Uh you have managers that you need to help understand the risk and the effects of uh exploits and vulnerabilities. You have to understand how to engage with these stakeholders effectively. As a security team, our goal is to manage risk. It is less of a burden on yourself when you bring others along with you. So when we remember VanKatwyk's model as we create programs and engage
with stakeholders, we can take a step back and choose how we want to help. I think a few examples will help with this. So I am responsible with a couple responsible for a couple hundred developers myself. Unfortunately, our team is quite small, so it's not reasonable for me to be very hands-on when it comes to patching or fixing. I find a lot of my time comes from to providing information such as secure code guidelines or patterns for security uh for developers to follow. So, the style that I would just be stepping into here would be the guide. I am informing, I am coaching, I am directing. I also meet with managers and developers to help them with security related
projects. This is a very conversational approach and any issues that arise we explore and collaborate. This is a consultant style. This can include things like threat modeling or working through designs with team to make sure they're uh shifting left and writing secure code in the first place. But we need to remember that particular helping styles may come more naturally uh to people. You may find that styles that may come easier. The above two are what naturally or what comes naturally for me. The next two I have to make a conscious effort to step into. The celebrant would be most likely to get involved with developers and championing them on. I think it's due to the fact
that I am a limited resource and I struggle to find the time to be involved. I have 200 developers to look after um I struggle to take on this style. But a consultant compare, sorry. But if a consultant compare, yay. But if a consultant cares about empowering people and being person orientated, they would more likely ask open questions to help developers get to places themselves. Think questions like, well, what should we consider as a mitigating control here? Why is this secure? Empowering developers to discover things themselves and facilitating their growth. This can allow people to feel more accomplished as they are empowered to uplift the security control of their code. And finally, the manager. They may start
with suggestions, but I think this can easily progress into advising and instructing. This can be mandating security controls, setting standards, or rejecting designs based on security. Or when we have something that requires security to take control such as you know the scary words like incident and breach then a manager has to be put on pretty hard and security is instructing because you got stuff to do and you got to get it done now, time is critical. So this model also applies and I think it applies a lot better um to a manager and an engineer relationship. So thinking managers how you interact with your team of engineers. You can utilize the different styles and relationship with your subordinates. Now
remembering that we have a default style of helping that may not be the best for each engineer. If you have a bunch of engineers who just like to get stuff done, just give them a Jira ticket and they'll go away and come back with a solution. Manager style, great. But if you have a junior that is kind of just starting their career, um you may need to flip between say the guide and the celebrant to help them learn to encourage them and be very oriented on their growth. So coming to the end of the talk, I feel like I've rushed through it. Uh understanding how we can employ different styles of relationship, styles of help in our workplaces allows us to
work more effectively with others. Now this is not a model. Sorry. Now this is not the only model that you would use. However, I like applying this model because it comes from the basis of relationship. When we are the resource and that resource is limited, it is a relationship that is most powerful. It means that our effect stops being from what we do to what we help others do, which is often more than what we can do ourselves. And when we're a team, we're security, we are focused on reducing risk. If we can empower others to help reduce that risk is a win for us as well. So, this is just a tool I have in my
belt, so to speak. uh remembering it can allow you to help others in the best way possible. Uh now that you may know this model um you might be able to use it or you may choose to use it. I hope that you're able to utilize it uh in your roles no matter what they can be. But knowing this model can be used anywhere is great. Whether to be caring in a caring role like potentially myself in the future, a management role, an engineering role or even outside of the workplace like think of you got kids stepping a different style might really be beneficial to them. So, I absolutely feel like I've blasted through that, but that's all I have for
today. Thank you.
>> Finished so quickly. He hasn't realized
>> questions anyone though. It's not the most technical talk, but I enjoy the content.
>> Go. Where did you get inspired for the model at all? Like because often people don't come to these things when they're in ancient role. They've had to come from an entirely different.
>> Yeah. So it's because I've started studying chaplaincy. So caring for people. Um so Peter VanKatwyk was a therapist. Um so that's where he's kind of developed this from and understanding how I walk into a situation to care for people to help them um in whatever you know distress or problem they're in. It's seeing yeah from that content
seeing yourself you have a default style that might not be the best and if you really want to care for someone well understanding you might have to switch styles is really important
>> I think did I see another hand um I'm sorry I don't know your names go out the front first
>> what's been the most interesting style that you've come across
>> yeah that's a great question Um I think the most interesting style and the one that I personally love is the celebrant. Um and I don't get to do it much as mentioned in the workplace just because of the time but in my volunteer work really caring and empowering people because if you empower someone they take that positive effect and can uplift themselves versus if you say manager just saying get this done get this done get this done you kind of make someone just feel like a a yes monkey just get stuff done. Um, but I come to the massive conclusion that people matter more. You empower someone, they do better work and they reduce the risk
better than just, you know, making sneak work. So, I saw a question up the back there.
>> Yum train to your team.
>> Um, I haven't yet in the workplace. This is uh this is speech or presentation I've come up for today. I have thought about, you know, how would I disseminate this further? So, um, once I figure out how to add this to my blog, it's the slide deck, it'll be up in there. But I haven't really thought about doing in-person training for anything like that yet.
>> Oh, I think Cole was first.
>> Sorry. If someone's incredibly unsophisticated in any of the four categories, what would you get to work on?
>> Yeah, that's a that's a good question.
Um I think the work has to be just the realization about your default style first like you you find a lot of like say counseling and therapy. It's bringing the unconscious into the conscious. So being aware of your unconscious tendencies like you might not be aware that you take a manager role so you just barkers or barkers is the wrong term but you very instructive. It's like you need to do this, you need to do this, you need to do this. Um, but becoming aware and becoming aware that the other styles exist, so all four of them allows you to say, "Okay, maybe this style isn't working. How can I best empower the team?" And it's actually
changing yourself instead of saying, "Joe's useless. He's not learning because he won't listen to me versus, okay, Joe's not listening or he's not learning. What am I doing wrong? Is there something I can be better at?" So it's takes the onus off of I guess the best thing is to take the onus off the person that's in front of you and ask how can I be better which is I think a very uncomfortable thing of you have to admit your own flaws there which not many people like doing I don't I think your hand up there
>> yeah um I think when you are learning a new way of doing you need to be able to recognize the
context to be able to then switch.
>> Yeah.
>> Um what are some of the signifiers for you that you might need to use a different approach different situations?
>> Uh I think the first thing is try and understand the situation before you enter into it. Um yeah it is taking a step back like what's the goal here? Yeah.
>> Um the example I gave of like me being the guide for developers is as much as I'd love to come alongside and celebrate them and encourage them and be very relational. Um I can't like I have developers in all the time zones which means my sleep and schedule is just non-existent. Uh but then it is when you're in the
middle of a situation and you might be asking you know why isn't this working? Why aren't they responding the way you expect? taking that step back and um some people actually remain like don't really do this in a work from home environment but taking physical step back and like okay what's going on here how can I be better what do these people need because at the end of the day we are the resource in relationship with the people that we're trying to empower it's not about so much about us it's about them so empowering them to think about security and managing risk again is makes us a force multiplier over just I'm in a terminal I just get stuff
Yep.
>> Uh I think the styles that come from each other are kind of ones on the same axis. So to me I like to be very person orientated. So I kind of want to fit in the celebrant. mainly my volunteer work and then the guide as well knowing that um I have to give the resources out or empower others um so I think yeah it's understanding the axes here so focus attention person task so so consultant and manager task oriented I think that would work very well depending on the context but you kind of if I go back a little bit uh this thing you kind of the way you interact kind of fits in one place and
then you might shift a little bit and say, "Okay, they maybe need a bit more direct action saying you need to be doing this versus, okay, the direct approach isn't working. How do I empower them to lift them up?" Um, yeah. Does that answer your question?
>> Cool. Thank you.
>> Yes.
>> HR financing. technical people which will be more fun. So how does it work when you're working with executives and you work into the leadership that have a different role then you switch how?
>> Yeah, good question. Are you asking a question like how do you lead up the chain?
>> Yeah, because you use different you like when you're talking to the people you're managing.
>> Yeah. towards like focusing on the person. When you're talking to the leadership, you focus on the task.
>> Yeah.
>> Because talking too much like about the they might get like a talking. So you basically like focus on different audience or you try to keep yourself. Uh, I think I would switch styles based
on the context of what I'm trying to do and then after that map a certain style to a person. So you're talking about um how we manage and uh expose vulnerabilities up the chain and work with executives to reduce risk. Um I think most executives I've encountered they're very task oriented. They have metrics to fill. They have shareholders to report to. They have the board that they need to respond to as well. So being very um like manager suggesting and advising saying hey we got this vulnerability it's going to cost x hours to complete I advise we fix this because the cost is going to be this. So you're being very direct and you're solving the
problem. Um I think the other way also as a a consultant is again conversely exploring. So maybe they're not so direct, but you can explore, okay, we have this vulnerability. What happens if this happens to the company? Like if we have mass PI leak, what's going to happen? Share price tanks. We lose a bunch of customers. So you're taking on that exploratory and you are kind of facilitating their understanding of the risk and the issue there.
>> No more questions. I was surprised there was one. Uh,
>> cool.
>> Thank you very much for your time.