
Herbie Zimmerman - When a noob becomes aware (Rookie Track)

BSides London · 12:54 · Published 2014-05
Difficulty: Intro
Style: Talk
About this talk
Full Title: When a noob becomes aware - What I have learned (so far) trying to build/develop a security awareness program. This talk is about my experiences trying to build/develop a security awareness program and what I have learned doing it thus far.
Transcript [en]

All right, hey guys, my name is Herbie Zimmerman. My BSides presentation is going to be over "When the noob becomes aware," basically what I've learned thus far trying to put together a security awareness program at the company I work for. Just a little bit about myself: my family and I just recently moved here from Texas, so on a related note, feel free to throw some jokes out there about Texas; we'll probably have some good laughs with you guys. Like I said, have fun with Texas. I've been in the infosec world now formally, we could say, about two years; informally, though, I've always been kind of around security as a Windows system administrator for the company I work for, and ever since moving over to England my job has been kind of doing a lot of different things, kind of jack of all trades, as you could say, but really one of my big focus areas is around trying to build an awareness program. So this is kind of where my story begins.

So about a year or so ago Bruce Schneier, however you pronounce his last name, released a blog post out there about what he thought around security awareness and how he thought it was a waste of time, energy, money and resource, and it really caused this kind of great debate on the interwebs. You had pros and cons, people talking about points, counterpoints, this, that and the other. It was really one of the first times that I really researched and dug into awareness and read everything that I possibly could, points, counterpoints, everything, and at that point I walked away thinking, you know what, I kind of really think that Bruce had it wrong, because for me at least I think awareness is just another tool within the security organization's tool belt. But on the flip side it also really made me think: how does my company do security awareness? Do we do it well? And if we do it well, great, well, how do we make it even better? But if we do it badly, well, why do we suck at this and how do we make it better? So I had a couple of ideas, tried to get the ball rolling back into headquarters, and nothing ever came of it; other priorities came up, it kind of died and went away.

So I moved here, and one of the first conversations that I had with my manager at the time was like, look, I really want to get an awareness program out there, try to get you guys, the security team, involved in projects, stuff like that. And I said, okay, cool, this is not a problem, we could do this. So I went off and I came back a little while later and I had a list, and I referred to it as my punch list, and basically this punch list was my ideas, or various ideas, for getting an awareness program and campaigns up and running within the organization. Some of my ideas were: how do we get users to create better passwords? So do we get a password manager or password vault kind of tool for them to not only use at work but that they could use personally at home? And we've all been through the yearly kind of stereotypical death-by-PowerPoint videos on security awareness training and stuff; how do we take that and flip it around and turn it on its head and push it out to the company so everyone is motivated by it, they see it, they talk about it, and it's not just another PowerPoint presentation that the security team does? Some other ideas were around the same kind of concept with the security awareness program, but how do we package that up and move that into the employees' home life? So now we're not only educating them at work, but now we're educating family and friends and loved ones and raising their level of awareness too. And of course there was this stereotypical "get the security organization out there shaking hands, kissing babies" kind of thing, because really what we wanted was for the security team to be known and well liked and respected within the organization, so when new products, new projects, applications came up, at that point security was first of thought and we would be dragged into those conversations up front instead of being bolted on at the very back as the teams are trying to get the compliance check mark kind of thing. And of course I come from an organization that is very technical, has a lot of system administrators, has a lot of developers, and we've also embraced this DevOps model; we really have fallen into this framework. So how do we energize the base, so it's not just the same stereotypical death by PowerPoint? Yes, we realize security is everyone's concern, but how do we get the technical people involved, talking about security and potentially helping the security teams fix security issues around the organization?

So I came up with this list, I gave it to my manager, I gave it to my peers, I gave it to some of the guys back in headquarters, and everyone came back and said this is a really great list, it's a good list, it's not static, it comes across different points, frameworks, viewpoints and whatnot, it's great, go implement it. So all right, cool. So I started the implementation process with some of the easy stuff, the low-hanging fruit, and the more I thought about it the more I kind of felt weirded out. It was almost like something was broken or missing, and the more I thought about it the more I realized, yeah, it was kind of broke and something definitely was missing. So I went back, re-read the blogs, pros, cons, even read NIST and some of the other big publications on how they started and how they recommend starting security awareness programs and stuff like that, and the more I thought about it the more I just realized it wasn't going anywhere fast.

So I took a step back and I said, okay, let me not approach this from a security awareness program perspective; let me approach this from a different perspective, another vantage point, and really that's where these three kind of came to mind, because really, if you think about it, "no smoking," "wear your seat belt" and "practice safe sex" at a foundational level is just another awareness message, it's another awareness campaign. And the thing that really interests me about these three, and really a lot of the other popular awareness messages and whatnot, is the fact that, one, they had figured out the medium, they have figured out the technology to deliver that message, whether it was radio, film, print, news, sending pamphlets with a guy dressed up in an outfit to primary school, whatever the case may be, they figured out how to deliver a message. The other thing that they really figured out was how to communicate that message effectively, and not only effectively to a small group of people but to a wide audience, a huge swath of people that learn and assimilate data in different ways. And then lastly, not only did they figure out how to deliver the message, and the actual delivery of that message being effective in communication, but the emotional hook: trying to figure out how do you get users, or in this case general people, to think about the awareness message and the awareness campaign not at a head level but more at a heart level, because we've all seen those ads, regardless of whether it's these three or other campaigns, that make you laugh, that are kind of funny, a chuckle, that make you think, to "oh my god, I can't unsee this, there's not enough bleach in the world to get this out of my head."

So I took all of this and I went back to the list and I'm like, okay, what's going on? Because definitely it's no longer missing something, it's missing some things. And the more I thought about this and reread again and started coming up with new ideas, the more I realized that I had put the cart before the horse, and really when I came to this conclusion, the more that I thought about it, I was like, yes, the cart is before the horse, and I really had that Homer moment, that kind of moment where it all just kind of fell into place, because no longer was I baking a cake that was missing that one key ingredient, I was baking a cake that was missing several. And for me, going through this process, really these next couple of points are some of my big takeaways as I've gone through this. One is risk. So it's kind of like talking to a Frenchman, and they're both talking to each other in their native tongues; at the end of the day no one really understands what the other one's trying to say, and that's what this list was, because I never approached this in the language of business, which is risk. Second point, and this is kind of three points here, is the fact that, one, my list doesn't talk about who's doing this, who owns this program. Never thought about it, because really if you look at the list, it's me doing everything. Second point is, if you figure out who's doing it, well, what are we trying to change or what are we trying to fix? So users and the users' behavior, culture, risk across the business? Don't know, never thought about it. And the third point, surprisingly enough, the list actually addressed, which was how do we fix it. So all my ideas and whatnot were actually subconsciously fixing a part of this. And then really lastly, probably if you take anything away from this, is management, because really at the end of the day if you don't have management's buy-in, so top-down into the awareness program and awareness campaigns, it goes nowhere, it falls flat on its face and it dies and rots within. Because look, we've all been in the situation, or we've had friends in the situation, that you have a high-level member of the executives or one of the board members at a convention on a Friday night, probably drank a little too much at the bar, trying to get into his VPN or whatnot, and he calls in to the help desk and he's like, look, I need in, if you don't get me access then XYZ happens. So what that demonstrates to the front-line guys is the fact that upper management hasn't bought into not only the program but any of the messages of the campaigns, and it just falls flat on its face. You have to have management not only bought hook, line and sinker into the program, but they need to be living examples of the program and all the messages within the program itself.

So really I've learned a lot through this process, and I'm still learning a lot, don't get me wrong, but really for me awareness, the awareness campaign, is not a hundred percent; you'll never achieve 100. The keynote even talked about 100, and it will never be achievable, because really you'll have those guys that continue to smoke regardless, you'll have those idiots that don't wear their seat belts even though they know they should, and there are going to be people out there that don't practice safe sex. But really for me, learning through this process, is the fact that the security awareness message, like I said before, is really another tool within a security organization's tool belt, and really, if you think about it, it's just another layer within the defense-in-depth model. And thus far that's what I've learned trying to create and build a security awareness program for the company I work for. If you guys have any questions, feel free to throw them at me. My contact information is up there; I'd love to talk to you guys about this or anything else. Appreciate your time, thanks guys.

Yes ma'am. "Have you had any experience with any of the big packaged awareness programs, just think privacy?"

We've looked at some of them, or at least I've looked at some of them. There's been talk about how do we roll this out, how do we do this. I know this year we went in-house, but that may be something down the line. I know, without having NDA forms and everything signed with everyone in here, we've approached Twist and Shout for their production line of videos and stuff like that. So we're trying to think outside the box, because like I said, the company I come from, it's a lot of outside-of-the-box kind of people, so death by PowerPoint and the stereotypical awareness posters don't work, so we have to think of a new way of doing this. Anything else, guys? Any other questions? Boom, done.