
Getting ready, we were gonna get started. Thanks to Jacob for saving today, thanks Jake, appreciate it. Alright, we're gonna get started, take your seats please. And now our first presentation of the day: Five Metaphors You Wish You Knew When Engaging the Business on Cybersecurity. Omar Khawaja is the CISO of Highmark, and was our first speaker last year and our first speaker this year. Thanks Omar.

Thank you John. Okay, good morning. So there's two changes to my presentation. One is that I couldn't hold myself to five metaphors; I think I ended up with six. And the second is we're actually not going to talk about cybersecurity, we're actually gonna talk about cyber risk instead, because if you talk to the business about security you've already started on the wrong foot. The business does not care about security, because security is the thing that all of us care about, that you and I care about. The business doesn't care about it. The difference between security and risk: anyone know what's the difference between security and risk?

It's that security's more black-and-white. Here's what I could do, there's a gap, here's a control I can implement, I can address it. Risk is sort of... it feels a little less tangible, it's harder to touch, it's harder to point to, it's just there. Sometimes it just feels like a feeling that we have, and we'll spend a little bit more time talking about risk. But the other thing that is notionally different between risk and security is simply that when we think about security we're only thinking about the things that can go wrong. When we're thinking about risk we can typically start to do a calculation that says, well, here's what can go wrong; can we also look at what can go right, and then compare the two? And at the end of the day that's how we make business decisions, isn't it? Not by saying this can go wrong, therefore we shouldn't do it. No: this can go wrong, but here's everything that could go right, and here's the benefit that my organization, my family, my business, my neighbor, whoever, would get as a result of doing so, and maybe it's okay to do that.

How many of you in your roles have to interface with the business? Is it fun interfacing with the business? Yes for some of you, good. Is it easy to understand what they're looking for? Do you feel like sometimes you're speaking different languages using the same words? Any particular scenarios that you come across when you have to work with the business and you're thinking, I wish I could make this conversation go very differently?

Asking for budget. That is a good one, I hear that one all the time, because we all want more money. Any other situations? How much is this gonna cost, is that when the business asks that question? Okay, good. Other questions that the business asks that we feel like we don't have good answers for? Other situations, contexts, conversations we have with the business where we feel icky having them, we don't feel confident having them, where we don't look forward to getting into a room with the business to have this conversation? Any others come to mind that you don't feel really good about?

Okay, so quantifying the impact on the business. So one is asking the business for money and two is quantifying the impact of what we do. Okay, any others? Before we jump in, last chance. But sales already promised it. You know, it's funny you say that. I just had a conversation with one of my clients ten minutes ago outside the room saying, hey, we put this into the contract but I don't think it makes any sense, can we work through this? So yes, that does happen all the time, and so in situations like that you sort of have to get to what's the value of that, versus yes you asked for it and yes we agreed to it, so we know what the contract says, but can we understand what value you're looking for, and we can then explain to you how we can deliver that value, and there may be a way of getting to the same objective using a different mechanism that both of us can be happy about. And those conversations become extremely important to have, to simply understand what's the driver, right? Just to ask the whys, and the more we ask the whys, the better, the sooner we get to the so-what, and the sooner we realize if we do this then we'll meet the customer's objective or meet the business objective. And it looks like a little bit of my slide is
missing, so you're only gonna get 80% of my presentation today, so something was lacking. Now you know why we started talking about risks: what risks should we take, and when is it okay to take risks, how can we do things that are risky, right? Imagine if you were driving a motorcycle and someone says you're gonna have to go 60 miles per hour. Would you say yes to that? Yeah, maybe, depends. Depends on what? On the motorcycle, where you're going. What else does it depend on? On the weather. What else does it depend on? On the road, on your comfortableness, night. You're not immediately gonna say motorcycles are scary, I'm not gonna get on a motorcycle. You're also not gonna say the opposite, which is I love motorcycles, sign me up. You're gonna ask some questions to better understand the situation, better understand the circumstances, and based on that you're going to make a decision, and you're going to make that decision very deliberately. And so that's one of the most important things.

Imagine if I came to you a hundred years ago and I said I'm gonna stick you in a box and you are gonna move 80 miles per hour in that box. How many of you would have said sign me up? None of you. How many of you got into a box today, perhaps even this morning to get here, and drove 80 miles per hour? What's the difference between the box you would have envisioned a hundred years ago versus the box that you actually experienced this morning? A little bit? A lot. Thirty years ago, were people driving as fast as they are now? Twenty years from now, are people going to be driving as slow as we are now? What's changing? Safety controls. We're adding more controls, we're making it safer, the drivers are safer, there's better awareness, the cars have more controls, we're better at navigating through difficult road conditions. Forty years ago I don't know if people would have been excited driving on a road at 80 miles per hour; these days we don't think about it even if it's raining.

So here's something interesting. The 70s is when the seatbelt was introduced. Do you know what happened when the seatbelt was introduced and people started wearing the seatbelt? They started driving faster, which you would think would be the opposite of what you'd do. A seatbelt is about safety; driving faster is typically not associated with being safer. But people make risk decisions, and they say, I want to be this safe and I'm willing to take on this much risk, but if I've added more controls my risk has actually gone down, therefore I can increase my threat level and end up at that same level of risk I was at pre-seatbelt while still driving faster. So that's very important, is to make sure that we're making decisions deliberately.

So when you're talking to the business, how are you gonna talk to them about risk? Are you gonna tell them about all the security controls that aren't deployed? Do they care about what those security controls are and what they do? Absolutely not. You should talk to them about the risks that they are going to accept as a result of moving forward without the controls that we in the security team are recommending. The business doesn't care about our security controls, right? I think most of you already do that: the business cares about the risk that they're going to take, and if we focus on what those look like and we explain it to them in the language that they understand, we'll likely end up with the results that we want. If we start to tell them we need antivirus, or we need EDR... yeah, well, now we need EDR for it? Don't we already have HIPS on the endpoint? Yeah, but this is how they're different. Well, but isn't it all encrypted anyway, so why do you need all these controls? It's all encrypted, nothing happened to it. Do you really think the business and everyone understands that? Is the business, in terms of security experts... do we want them to become security experts? Maybe we should stop talking to them about that, because we're pretending, we're thinking that they will become security
experts, but it's a fool's errand. But we are having those conversations, and it's up to us to decide whether we continue to have them or not have them.

What percentage of snakes do you think are poisonous? Maybe guess. It's zero? Five? Zero? Well, what happened to the... okay, let's turn the paranoia up a little bit. Move in higher than five, a little bit less than forty. Two? So that's a good one, that's the right answer: 25%. That's right, so 25% of all snakes are poisonous. The average person, when they see a snake, what's the safest, what's the reaction? It's poisonous, it's violent. Why do you think that's actually a very reasonable and appropriate reaction? Exactly, you don't know. So 75% of snakes are fine. Do you think that in 75% of situations we would happen upon a snake and say no big deal, let's just keep walking? Yet we all choose to freak out. I mean, we all get scared. So I've been doing a little experiment: I'm trying to see if I can convince my whole family to get a pet snake. Now the answer is absolutely not. If this is your way of making sure I don't live in the house, then tomorrow I promise I will be nicer, please don't get a snake. And I'm like, you're perfectly safe, they're docile, they're not bad. I don't care what you say, this living thing around, it doesn't... why? I'm like, yes, it's a snake. We're not getting it.

Does that happen to us? Oftentimes, when we're talking to the business, we look at something and say this is bad, this is scary, this is horrible, we will be the next target if this happened, we will be the next Equifax if this happens. And we just look at something and we pretty much get... just like all snakes may be scary to the average person, but to the botanist, the zoologist, or to someone that actually understands snakes, they will be able to look at them and say this one you should actually be scared of, this one you shouldn't be, and then you can move forward without freaking out 75% of the time. Part of our role when scary stuff happens, yes, on the one end we go out and we scare the business. But do you know what's really, really beautiful? Once you're done scaring your business, you go to them and say, I hear that, and at that point they are freaking out, and we have the opportunity to say, you're going to be going out there, there's going to be plenty of snakes, but they may bite you and they can do this and they can do that, and they're like okay, we're sufficiently scared, let's not do that. We think we can keep them on, we think we can even do cloud, we think we can even do IoT. But not every cloud, not every IoT: 75% of IoT, 75% of cloud is perfectly fine. We're going to help you figure out which ones you can survive with, and for the ones that are in the 25% we're going to help you apply the right controls, the right safeguards, in place. So yes, you may even be able to handle a boa constrictor and not die doing it. That's part of the role that we have to play in security.

Why do we have brakes on a car? When we have brakes on a car, what is the function, what is the literal function of a brake? It's to stop, it's to slow you down. Now imagine if I had a lineup of Lamborghinis and I said we were going to get to drive this car for the next 30 minutes. We would all be excited. Now if I told you there's only one problem with this particular car: the brakes don't work. How fast would you be willing to go? If you think about it, on the one hand the quite literal reason that a brake exists is just to slow the car down, but in fact the exact opposite is also true: if it weren't for the brakes we would not want to go fast. So on the one hand when we look at security we're often told, you guys are slowing us down, and you can say yes, you're right, we are slowing you down, just like the brakes on a car, but guess what, if it weren't for us you would never want to go fast either.

Okay, this next one is the metaphor that I actually use with my team first and foremost, and some of them are here so they can hopefully attest to it. It certainly feels like this when they come into work every day, and I've stated that when you come into work, you're working
in the information security organization at Highmark Health, you should imagine yourselves getting on an escalator every single day, and you're trying to get to the top floor of this building. There's only one problem with this escalator: it's going down. So what happens when we stand still? We find ourselves going backward. So staying static is not an option. The security program needs to be evolving all the time: continuously add more controls, refine the controls, add more scope, make it deeper, collect more logs, review more logs, do more vulnerability scans and do them more frequently to make sure you're getting all the vulnerabilities, look at third parties, any part of the security program. We need to ensure that if we look back at the previous month, at the previous quarter, at the previous year, we can say with confidence it's better than it was before, because that is the answer that I found to be the best one to give when someone asks you, are we secure? And I get asked that question when I go to the board, when I go to the president of the company. That's the number one thing they're thinking: are we secure? How do you answer that question? Do you say no, we're not secure, and then they're like, what the hell have you been doing? Can you say yes, we're secure, and then they'll be happy, but then if the day comes that an incident happened, they'll be like, wait, I thought you said we were secure, so you're telling us we can't trust you? So yes and no are both wrong answers and don't work. The answer that does work is: I can't tell you that we're secure, but I can tell you that every month, every day, we come in trying to figure out how we can make this place more secure, do a better job safeguarding our members' data, our patients' data, preserving the trust that we've built in this community over many, many decades. That is what we can commit to, and we can show you exactly how we're doing it.

Is it finite enough? I don't know. I think I know what threats are after me; could that change? Could there be a new piece of malware, could there be something out there that I didn't think about? I think so, it happens every week. Think about Monday: would you have thought last Friday that WPA2 would all of a sudden be considered broken, right? None of our assumptions are going to be valid forever. So this is important, and this is also true because when you talk to the business and they say, well, first you block our websites, then you block USB, and then you do this, and you're adding friction, we can't get our work done, when are you going to stop? And so the answer is: we'll stop when the data becomes valueless, we'll stop when the data stops being valuable, we'll stop when there aren't new pieces of malware, new threats being introduced into the wild every single day. Symantec has a study that says eight hundred and seventy thousand unique pieces of malware are introduced into the wild every day. We'll stop when there are no more new vulnerabilities being discovered. The National Vulnerability Database says that there's about seven or eight thousand vulnerabilities that are disclosed publicly every single year, and that number grows by 20 or 30 percent, right? That's when we'll stop. That's why this escalator is moving backwards.

And if we go fast enough and we feel like we've finally made it to the top, and I am sure most of you have experienced this in your life: we put this project together, we said we're going to put in these initiatives, we're going to do this training, we're going to deploy this control, we're going to fix these processes, we're going to get the alignment, and what does it feel like when you get done with that? Exactly. None of you have ever experienced that, right? As you're thinking back to all those projects, we started off, we were very clear what done looks like, but it never came. You know why? Because that escalator is going backwards, and when you get to the floor, what happened? They just added another floor to the building. You thought you knew what done looks like; something changed, and now done is one floor higher than it was when you first started. So don't stop moving forward, or we will end up going backward.

Okay, one of the other things, so to the point that a couple of you made earlier: when you talk to the business, how do you make sure that they understand what you're talking about and are aligned? So, how far are we? Have you
ever been asked that question? Have you ever asked the question? If not, you've definitely at some point heard someone ask that question. Say you've been sitting on the tarmac at Pittsburgh Airport, headed somewhere on a flight, when someone asks that question. Let's say it's a two-hour flight, it's 1,200 miles away, and someone asks how far are we. What's the answer you're expecting? A discrete value? Okay, well, you're still on the tarmac, you haven't left yet, you're about to take off, and they say how far are we. That's not helpful. How far are we? Three hours, two hours. But what was the question? Is that the same measure that we would expect in return? The answer is how many hours, but what was the question? It literally asked you for a distance, but the answer we're expecting is in hours. It doesn't make any sense. Do we go to the questioner and when you respond say, hey, 1,200 miles? Imagine if someone says 1,200 miles. What's the person that asked that question going to be thinking? Well, that's useless. And then the person responding is going to be thinking... even though I don't think people would ever do this, what would they be saying? But you asked me how far we are, and I told you how far we are, it's 1,200 miles. Well, no, that's not what I meant. But that's what you asked me. Have you ever had that conversation with the business? Have you ever had that conversation with your boss? We're like, but this is what you asked me, and they're like, yeah, but that's not what I meant. How am I supposed to figure out what you meant? Can you just ask me what you really want?

And this is the best example I can think of for how we tackle conversations all the time. We all speak, quote-unquote, the same language, but what we mean and the words that come out, there is a significant disparity between the two. And why does that disparity exist? The disparity exists because we don't understand the context within which the request is made, the context in which that request takes place. When we're sitting in the passenger cabin in the plane and someone says how far are we, we understand, because we're in that same context, and we know that the number of miles is absolutely useless. It doesn't help me with the objectives I have in life, but the number of hours, the number of minutes, that's absolutely actionable.

Now let's take that conversation to the cockpit. Now let's say you hear the copilot and the pilot, they're talking to each other, and one of them says, how far are we? What do you think is an appropriate answer? Distance, if anything even down to the tenth of a mile. He may say we're twelve hundred and six point four miles away from the landing, something like that. So same plane, same source, same destination, same question, two very, very different right answers, because of context. So when you're thinking about metrics, when you're thinking about how to have a conversation, maybe the first question is why. Here, obviously, in the passenger cabin they would never say, before I answer that question, can you give me a feeling for why you want to know how far we are? But if you asked that question, you would likely hear something like, well, I've got a wedding to attend, I've got a sick parent, I'm going to a funeral, I've got a business meeting, I'm going on vacation, I've got tickets to Disney, something like that. And then you'd say, okay, good luck with that, but why does it matter how far we are? Well, I want to make sure we get there on time, I want to know how much extra time I'm going to have to relax in my hotel before I go to my meeting, I want to go... Now you understand the why, and now with understanding that why, you would obviously say, you care about time, I'm not going to tell you about distance. So understand the why. Ask why they need something. That will help you understand their context, walk in their shoes, and help you arrive at an answer that will actually be meaningful, versus, well, you asked me how far we are and I told you in miles, so obviously you're wrong, I don't know why you don't get this.

We have a problem. Here's another thing that I see happen often, right, and by no means, I don't want
you, I don't want you to think that I'm standing here and I haven't done all of these. I make these mistakes, I think all of us make mistakes every single day, and I catch myself doing it and I say, well, what do I need to do differently, because that was not a fun experience, I want to make this experience better, smoother, reduce the friction. And these are some of the things that I've found have worked for me, and I need to continue to do a better job of actually employing them.

Here's the other thing that happened. One time I was on a flight, and the pilot came on. I think I was traveling to Phoenix. The pilot came on and said, our travel time to Phoenix is three hours and 35 minutes, there's going to be a little bit of turbulence, the temperature in Phoenix when we land on the ground is going to be 92 degrees, and we're going to be flying at a maximum altitude of 27,000 feet. The time it takes to get there, the temperature when we're there, those things make perfect sense, those things matter to me in the passenger cabin. Why do they tell us about the altitude? Do we care about it? I can see how somebody would care; maybe they're looking for where they're flying over a particular part of the country, a particular landmark, and they want to see if they can see it. Fine. But imagine if the pilot proceeded to say, and our maximum cabin air pressure will be such-and-such psi. And my first thought is, are you looking for validation, do you want me to tell you that's okay, or to take a different route? Like, why are you telling me? And honestly, the fact that you're telling me that may make me even more nervous flying on that plane. So is more information better? More information can be dangerous.

Now imagine if I went into the cockpit and I decided to look at all the gauges and I said, hey, it's at 42 psi, it looks like it's hitting the red. Exactly, not good. Yeah, okay, but why is it next to the red? What about this gauge? That doesn't feel right to me. Well, but this is what you have. Imagine if I did that in the cockpit. Wow. Do you think we're safer as a result of that passenger, maybe a well-intentioned, very, very curious passenger? Are the rest of the passengers going to be safer as a result of this one passenger's curiosity being expressed as he hangs out with the captain to better learn all the gauges in there? Definitely not. So when the business comes into our cockpit and tells us what to do and how to do it and asks us questions, it doesn't help the security program, it actually hurts the security program.

So after 9/11, what was one of the rules that they put into place? What happens to the cockpit door when the plane takes off? You can't get in there. Now that may be because of malicious actors and stuff, but even if someone was not malicious and just genuinely intellectually curious about how to learn to fly a plane, would it make sense for them to be in that cockpit? How often do we let the business in and say, let us tell you about all these cool gauges, because we're excited, right? We're really excited about this program that we're running, whether you're running vulnerability management or whatever it is, right? All of you are genuinely passionate about the work that you do, and if someone wants to come into your cockpit and ask you about what you're doing, you're thinking, this is awesome, this guy's curious, let me explain it to them. But just make sure you're mindful: if you're flying the plane when they're coming in, they are disrupting your ability to be successful, to meet your objective. If you're on the ground and there's nothing else happening, yeah, bring them in, but just remember they're gonna start asking questions and start telling you what to do, because they will want to fly the plane.
So Volvos are supposed to be the safest cars in the world. Now imagine if I was a very conservative driver, which I hope to be one day, and bought a Volvo and I decided I'm gonna drive at the speed limit, which I haven't met yet, and I am never going to drive when there is any snow on the ground, if there's any precipitation, if there's rain, even if it's a cloudy day I am NOT going to drive, because I want to be perfectly safe. Could I get into an accident? Why? Other drivers. There's only so much I can control. Now would that be a reason for me to say I'm not going to get the Volvo, to say with this car company I could still get into an accident, wait, so what's the point? I'm still gonna do the best that I can, but I have to accept the fact that there still could be something bad that happens, not because of what I'm doing, because I'm cautious, I'm thinking, I'm doing my part, I was testing it, but in spite of everything I do. So we often hear the attitude in security that a security incident, a breach, is a matter of when, not a matter of if, and we just have to be really, really careful of that. Yes, that's true, yes, but we don't want to take that attitude and basically parlay that into, well, what's the big deal, I'm not going to do anything about it, it's going to happen anyway. That results in laxness, basically, which can be very, very dangerous.

Could anyone here climb to the top of that staircase? Okay, how many of you know how to climb to the top of that staircase? What do you have to do to get to the top of the staircase? You're thinking... I'll show you something that we don't do a good job of: it is very, very simple to climb to the top of that staircase. Everyone knows how to climb to the top of the staircase. However, that does not mean it's easy to do. If you think about the jobs that we have, that's one of the most important things that we have to recognize and we have to communicate to each other, to our team, and to the business. Yes, in the case of the Equifax breach, it was very simple: all they had to do was patch the system. Yes, in the case of the Anthem breach, all they had to do was not click on the link. Yes, in every single one of those cases, prevention of a data breach, prevention of the security incident, is extremely simple; there's almost never anything really complicated that needs to be done to prevent a security incident. I would just ask that we also think about: yes, it was simple, but was it easy? Complicated? And sometimes it's not. Okay, and I think that we have a few minutes left.

Okay, so the one thing I think I did skip, which was the question that you had, which was around how did you get budget for security. I'll tell you how I am successful getting budget for security: I spend almost no time talking about security. I spend all of my time talking about the exact opposite of security, which, by the way, the George Costanza approach really does work. Do the opposite, and you'll be amazed how well things can possibly go, even though it doesn't make any sense that it worked. So in
the case of security, I do not talk about security, I actually talk about the opposite of security, which is insecurity. What I realized is that security is very difficult to grasp. After conversation after conversation with senior leaders and my boss and others about privileged access management, and after I do this and EDR this and that and that, I said, you know, this isn't working. Maybe I don't understand this well enough, but I can't figure out a way to explain it to them. So I said, what if I just talk about the opposite, which is the cost of insecurity? So that is when I talk to my business about... how many of you know the cost of cyber risk, the cost of insecurity, according to the World Economic Forum, in the year 2016? Well, more than that, these are the numbers you guys have to have off the top of your head. If you don't, you're going to be talking about security and you'll likely not be very successful working within the business. Cost of cyber risk in 2016, according to the World Economic Forum: four hundred and forty five billion dollars. In three years, according to research and Forbes magazine, that number will more than quadruple, could be two point two trillion dollars, which is equivalent to the cost of health care in this entire country.

For my business I have to make things more specific, because someone could look at that and say, okay, well, that's everyone else, but what about us? Okay, the average cost of a single record in a breach, according to the Ponemon Institute, is a hundred and fifty five dollars to the victim organization. If that record happens to be in health care, the cost is more than twice as much: four hundred and two dollars. So what do I say to the business? Anytime you have a spreadsheet, you have a printout, you have a database with a hundred records in it, imagine you are handling forty thousand dollars' worth of data, and if that has a thousand records in it, imagine you are handling four hundred thousand dollars in cash. Now what do you think? Am I talking to them about threats? They don't know what that means, it doesn't mean anything. Am I trying to explain to them what SQL injection is? I'm here to understand what... wait. So you have to talk to them about the stuff that matters to them. Find out what they care about. Well, we care about adding more membership to our platform, because that's how we can better serve the community and reduce our costs. Okay, well, 56% of people that suffered from data breaches ended up having their medical identity stolen. Out of that, 21 percent of them will decide to change their insurance carrier, 25 percent of them will decide to change their health care provider. Do you think the sales team at the insurer cares now? They definitely care about your security, because they are able to connect that directly with the business. Do you know what the business is now thinking? Can you please make sure that doesn't happen? They're not saying, can you tell me what technology you're going to use to prevent that. What do you need to make sure that doesn't happen? And instead of us going to the business and saying, please, let us help you, let us secure you, which sounds like the exact opposite of what we should be doing, the business should be coming to us and saying, can you please help us? You are security, you know how this stuff works, we don't really get it, but we need this done for us. So don't talk about security, talk about the cost of insecurity, and you'll likely get the budget that you need to be successful. I'm happy to share with you a lot of the numbers that I have; if you'd asked me two years ago, I didn't have any of this. You have to do the research, you have to look, and you have to ask. You've gotta sit down with the business and say, what do you care about, what is freaking you out, what are your goals, and you have to link to that, otherwise they'll never... At the end of the day, our job is to protect the business; the business's job isn't to keep security funded. And I think that's it. Thank you. [Applause]