Am I... am I doing the thing? I'm doing the thing. Um, geez, that intro, like, really aggressively oversold me. Oh, there I am, that's my intro slide, don't look at that yet. Okay, so... okay, actually, you know what, before we do anything: I've actually been in Wellington all week and I have really gotten a backstage look at how much goes into putting together an event like this, and these organizers are absolutely amazing. I'm also literally living in Erica's actual home right now and, like, we really did not know each other before, I am an Internet stranger. So if you're wondering, like, what lengths they're going to to make this happen... and it's also, I mean, like, I slept next to these crafts, like, her whole life is BSides right now. So, like, let's give them a round of applause, cuz they are killing it and this is awesome. And let's also be really gentle with them, saying, tomorrow, because they are very sleepy.

So, getting down to business. I thought a lot about how I wanted to introduce myself. I settled on this picture, you got the preview. You know, it's just... it's 9:00 a.m., like, no one has time for a resume recap right now, but I really did like this one shot of me recently furniture shopping with a just debilitating sinus infection, and I do have this up if you want to get closer to the sinuses. If you are someone who takes pictures during presentations, this really would be a good time. I'm gonna just throw my Twitter handle up there, so definitely tag me, and while you're getting out your phone I'll just mention I am on the internal security team at Rapid7 over in Boston, Massachusetts, so pretty far. This is my first time here and New Zealand is so dope, like, ten out of ten. I started as a security analyst at Rapid7 and my brand new title is manager of trust and security governance (had to look at my notes, cuz I still don't know what my title is, it's too many words).

So we all know that we are at... that's exactly how it happens, are you kidding? Do you guys not go to board meetings? Um, we're at a really exciting time for InfoSec, like, right now we're in the boardroom, some of us are even getting the resources we need to do our jobs correctly. It feels pretty revolutionary. I'm just like, I don't know, do you guys know George Washington, is he a thing here? I just had to sneak some American history in here. It is Thanksgiving at home, but I'm with my BSides family so I feel totally fine, but, you know, to compensate for missing the holiday I'm gonna have to sneak a little bit of American history in here. So if we are in the middle of the InfoSec revolution, which I do believe we are, that would make us and our community the revolutionaries. You might recognize some of the faces up here. Erica gets to be George Washington because, again, I am living in her house. So if I'm thinking about what these colonists needed to win the Revolutionary War, in addition to the traditional cannons and muskets you might expect to see on the battlefields, there were also these dudes playing drums and flutes and stuff, so I would assume that's part of the battlefield communication system. I didn't do a lot of research into it, but it seems like a weird place for a jam sesh, so I'm gonna go with that.

And likewise, I am here to suggest that communication can be a useful tool in our arsenal. We can treat communication like we treat any other focus area in security, whether that's sharpening our pen testing skills or OSINT skills or learning a new coding language. It's... it's something that we tackle and we look at as another skill to master, and we take seriously. So communication is admittedly a pretty broad subject. Here's how I'm going to approach it: as we move through this talk we're gonna get increasingly meta and weird, so maybe at the beginning it seems like I'm giving you really straightforward, chill advice, but your brain's gonna get super exploding by the end. There we go, yep. So we are going to be talking about communication strategies that affect our jobs (that's great), our industry (that's even better, that's a whole bunch of people), and also maybe our whole lives, we'll see. But I'm getting ahead of myself, it's still very early, that brain is barely on at all, it is not caffeinated.

We're gonna start with something very simple, a problem that you may have noticed, and that is the invisible InfoSec team. So a while back I did a very unscientific survey where I asked as many people as I could from different industries and different sized companies about their experiences with their InfoSec teams. My goal was to look at successful interactions and unsuccessful interactions and use that information to create a sort of guide to outline how we can have successful engagements with the rest of the organization. The result was that the vast majority of respondents had never interacted with their organization's information security team, or they thought they hadn't, and some people who worked at really giant companies were totally adamant that they did not have a security team at all. Fortunately, some light LinkedIn searching revealed that that was not the case, but we definitely have a visibility problem.

So, do you have goals that are tied to your performance review, or maybe even your annual salary? Or maybe you just make goals because you want to improve yourself and your company, you weird nerd. Well, assuming you are suffering from invisible InfoSec team syndrome, maybe you'll want to make increasing the quantity and quality of your communications with the rest of the organization one of your 2018 goals. So we'll go over some strategies you can implement. They're really easy, and they're easy to measure too. You'll put them in place, and then you'll profit. Easy, easy three-step plan.

So I did... this actually was part of the presentation that Erica saw. I did present some of these ideas before, and when I suggested hanging out with co-workers in real life I literally got booed, um, which I should have been ready for. I totally get that interacting with humans in meatspace is bad sometimes, so we won't spend too much time on that. I will say, if it makes sense based on your company culture and your company's size and your budget, maybe it wouldn't be a bad idea to host an event, or to, you know... people think of us as gatekeepers that they're scared of getting in trouble with, so an event and forming some trusted relationships really actually could go a long way in making your organization more secure. And again, well, I personally think it's great that there really is a business purpose for the company to sponsor an InfoSec happy hour. I know that this isn't everyone's thing, and there are plenty of other things that we can do, and the good thing about the rest of these is that they're very measurable, which, again, we need to demonstrate success to get that bonus money. But we're gonna fly through these because I bet that you already have most of them in place, but I am thinking that maybe you'll hear one or two new things that you haven't implemented yet that you can put in place when you get back to the office. So buckle up, let's go.

Number two, templates. Let's say you needed to send out a security alert across your company, or to a few people in your company, right now. How many of you have a template, show of hands, that you would work from and send? That's a bunch of light is all I really see, actually. Um, I'm gonna assume, like, some of you raised your hand. I mean, this also isn't part of everyone's job, but I do feel putting together a template is, like, kind of lame, but I feel really strongly that when we have templates for things like this we're gonna send out more security alerts, we're gonna send out better security alerts cuz we're not gonna miss something, and we're gonna be able to send them out faster, which often... time is really of the essence for things like that. If you're thinking about what you would want to include in a template, I have this handy little guide that I like to keep at the bottom of mine. So I don't... I mean, these are really obvious questions, like, you know these things, but it is just nice to remind yourself. I won't walk through all of them, but for example, "is feedback necessary?": reminding yourself, if I'm sending out an announcement or a suggestion or, you know, rolling out a new project, did I explicitly ask for comments and questions, and did I give them a channel through which to send those? So those are just handy reminders that I like to have.

Documentation. What kind of things do you want your team... or not your team here, the rest of your company, reaching out to your team about? Definitely phishing, probably violations of any policies, like the acceptable use policy or whatever. And now think about whether the guidelines for how people should reach out to your team are super accessible and really visible and well known and well documented. Sometimes they are, sometimes they aren't, but I would suggest that, you know, if you sent out a clear reminder linking to some clear documentation about how to report phishing attempts, your report numbers would spike way up, and that is a nice measurable stat you have right there.

So, onward and upward, to demos. How do you make sure the rest of the organization has visibility into what you're doing? At Rapid7 the information security team reports into the products organization. We are an agile organization and a lot of our engineering teams have bi-weekly demos already, so it makes sense for us to also have bi-weekly demos to show interested parties what we're working on. We're also a security team at a security company, you know, more people... you might not have the same level of interest. Maybe a newsletter or a blog update would make more sense for your team, maybe an occasional lunch-and-learn, but it definitely is worth thinking about what you can do to increase the amount of visibility that other people have into your work.

And let's talk about how you're using chat applications. This is my favorite one. So emailing a whole distribution list is kind of intimidating. I find emailing one person I don't know kind of intimidating. Email's weird. So it is great if we can be available on more casual channels like Slack or Skype or whatever you crazy kids are using, DMing each other and whatnot. So at Rapid7 we have private and public Slack channels: a private channel, of course, to talk amongst our team, and a public channel so that people can come and go as they please and ask us questions and just discuss what's going on in security. This is great for a lot of reasons. Sometimes people join with a question and they see their question has already been answered. My work is done. Sometimes people answer each other's questions and I just like to sit back and watch it happen. Again, amazing, doing my job for me, definitely. And something that we weren't really planning on, but has been a huge resource, is this group is made up of people from all across the organization, all of whom are interested in security in some way or another. So if you're rolling out a new project and you want to sort of get a temperature, get some early feedback on that, it's really a great place to start. It's a pretty engaged group, so it works really well for us.

Monitoring for keywords. So, quick story: many months ago I went to another office and I discovered that there was kind of a big miscommunication about a project that I was working on and responsible for making sure people knew about. No, but I worked it out in person, not a big deal. Next thing I did was I set up a... I monitored for the name of that project in our public Slack channels so that whenever people were talking about it I could make sure that their questions were getting answered and they had all up-to-date information, and I think that was a pretty good move.

We also can integrate and automate. I mean, these are favorite things to do, right? We can go above and beyond just monitoring for mentions and we can actually have Slack bots do our jobs for us. This is something my team is building out right now. Hopefully, by the end of this project, for example, if someone uses the phrase "guest Wi-Fi" they'll get a Slack bot linking them to the wiki page with the guest Wi-Fi information on it, so then they're not just getting the password there, they also have all the information about how we do and don't use guest Wi-Fi right at their fingertips, and I didn't have to do anything. That sounds amazing. I'm really trying to make myself irrelevant as quickly as I can. We can also use Slack bots for policy enforcement. For example, someone posts something that looks like a secret API key; they probably want to know that they made a mistake. The Slack bot can be like, "do you maybe want to delete this?" Really helpful.

So I think that Slack monitoring example really highlights: we want to be visible and we want to be communicating with the rest of the organization. That doesn't mean we need to be in your face and disruptive. It just means that we want to be working alongside other teams consistently instead of, you know, just getting pulled in when there's a fire, which, I'm sure you all know, tends to happen pretty frequently. Of course, we're trying to get that bonus money, so we have to make sure these efforts are planned out and measured so we can really demonstrate success. And again, I'm not gonna talk through all these points, we don't have time for that, so I'm just gonna... I'll pick one example. I'll do... let's do the Slack, the public Slack channel. So I want to define what success looks like before I try this: what do I want to get out of this group? I want to start with a pilot group. Maybe you want to start with a few people that are invited to a public security channel before you roll it out to the whole company. What worked and what didn't? Get feedback. I love a good survey. I just asked people how they felt about it. And of course, did we accomplish our goals? If you didn't, just go back to plan and do it again until you've got that sweet bonus cash. It's easy. Also, I mean, obviously this is a helpful process for anything, not just communication, like, this is project management, right? But that's kind of the point. We should be approaching communication like anything else, like rolling out new phishing drills or implementing changes to our vulnerability management program. This is something that the more time and effort we put into it and the more structure we put around it, the more we're going to get out of it. Oh, and by the way, doing all this stuff will be easier if you hire communicators.

Okay, so you may have noticed that our brains are starting to do things now, because, you know, I mean, that was pretty straightforward, right? All this stuff that we can do in our job, it's easy peasy, you get the money, you go home, it's great. But now we are talking about using communication to address one of the most talked-about issues in our industry: mmm, ye olde talent gap. InfoSec thought leaders love talking about the talent gap, it's a good one. I personally, as a self-appointed thought leader, believe that we have a talent gap in part because we have a narrow understanding of what a security professional is, and that... you know, I'm saying "we" pretty loosey-goosey because I've met a whole bunch of you over the last week and a lot of you don't, but let me explain.

So let's look at this very scientific graph. On our y-axis we have tech skills, on our x-axis we have communication skills. I'm gonna put a potato down here just for reference. It's not technical, it's not a very strong communicator, it's just a straight-up potato. This is Robert Frost. I don't really know anything about his technical skills, this was a guess. I just literally googled "dead poet man". He died in 1963, so he probably wasn't, like, reverse-engineering malware in his spare time. And then, oh, how did... thank you, someone must... I've been hacked. But let's get serious. I have a teammate at Rapid7 named Justin Pagano who is a super technical dude and he's a great communicator, and since I'm saying so many nice things about him I'm gonna use a really unflattering photo of him. This is him after some sort of freak email surgery. But, you know, it would be great if we could all be in that top corner with Justin and his weird mouth. But I wish I had done a bigger version of it, still, it's so terrifying. Like, also this, even though... the under-his-eyes situation, it looks... his eyes look very dead. Okay, so, but it is okay that we are not all in that corner, that's why we work on teams. There are also plenty of security engineers who are amazing at their job and just not super strong communicators, and maybe they have no interest in becoming communication masters, and that is totally fine. But I think that they know it's fine, and I think this group is largely aware of the opportunities that exist for them in the security industry, and, you know, they're getting hit up by recruiters and it's just well known that there's a lot of meaningful work that they can do without having communication be 75 percent of their job. What doesn't make sense to me is when we use these engineers, who are few and far between and we really need to maximize their talent, to implement things like security awareness training. But you know who might be good at something like that? Oh, it's your girl, yes.

This is about putting the right people in the right job. I am never gonna be as technically gifted as a lot of the security engineers that I work with, and do not diagnose me with impostor syndrome, I am just... I am calling it like it is, and I'm totally okay with that, because... and also, I mean, don't get me wrong, like, I'm trying to get up there, I'm clawing my way up there a little bit every day, but I'm really not close yet. But there are things that I am good at. I am good at understanding the security controls in my organization and articulating those to customers so that they can feel confident when they hand over their critical data to us. I am good at understanding third party risks, the risk that they're gonna bring into our environment, and working with business owners in my company to make sure that they understand how to engage with those third parties in a secure way. I am good at anticipating where data leakage might happen and getting in front of that. I am good at making sure our vuln disclosure program is working the way it's supposed to. And hopefully I will be a good manager, it is too soon to tell. Like, should I keep going? Have I convinced you guys I don't have impostor syndrome yet? I'm obsessed with myself.

So the real point is, I'm not running out of work to do anytime soon, so why aren't there more people like me in InfoSec? I really think that they don't know these opportunities are out there. They don't know that a lot of the things I just described are part of this job. Basically, as soon as I knew that information security existed I was obsessed with it. I loved how quickly the space was changing. I loved the idea of trying to stay one step ahead of someone or something that was out to get you. I have always loved the security community, it is such a unique and awesome and special group of humans. And despite all of this, when I met the person who is now my boss at a security conference a few years ago and he started talking about an open role on his team, I was almost adamant that I couldn't make meaningful contributions in that role. I was super stressed about not having the technical chops. I thought I was gonna be a huge burden to the team. Of course I was not, and there was plenty of work for me to do, but my idea of what a security professional was was so different from who I was that I just couldn't see it.

So that's my personal experience, but I've got some stats to back me up too. This chart shows the disconnect between what members of the workforce think will make them successful and what hiring managers are actually looking for. The very top skill that is being prioritized by hiring managers is communication skills, very closely followed by analytical skills. Meanwhile, the workforce is prioritizing a slew of technical skills, which, you know, they're not irrelevant, they're important, we need them to do our jobs, but there's clearly a disconnect in where their focus needs to be. And yet we are so quick to devalue anything that isn't a STEM degree. Do I want to be on a security program of 15 recent grads with sociology degrees? Like, no. But we do need to recognize that the best teams are diverse teams. It's also not a diverse team if you have 15 sociology majors. And then, once we have that diverse team, we put people in the roles where they can be doing the things that they're passionate about and really good at. I really think we can make a pretty big dent in this talent gap by expanding where we are looking for talent and by being mindful of how people with different backgrounds can contribute to our team. Of course, getting people from unconventional backgrounds in the talent pipeline will also require educating people outside of our industry about what really goes into a comprehensive security program beyond the hacker in the hoodie.

And honestly, I'm feeling kind of uncomfortable talking about my weak tech skills, because I'm sure it makes me less credible as an information security professional to someone in this room or someone watching on YouTube, which, it's like, if you're on YouTube, like, fight me, I don't know you, troll, but don't fight me if you're here in real life. But I also know that I really love my job and the industry needs more people to do my job, so if I can help someone feel a little less uncomfortable wandering into the security world, then that would be cool. So let's welcome communicators into our industry and close that talent gap. It's closed, we did it. Such a weird slide. Anyone to clap at that? It's like, okay. So, but okay, guys, like, that was cool, everyone's brain seems really odd, right? That was good. Um, we did... there were three phases, though, we only got into the middle one, so we have to keep going.

What could possibly be more brain exploding than closing the talent gap? Mind control, you guys. We're on it, we're doing this. So Claire Tills is a... she has an awesome blog. She has a background in crisis communication and PR, and she looks at a whole slew of InfoSec subjects through a social sciences lens, and what I've really appreciated is her ability to explain why we need to move InfoSec communication into a more positive and proactive framework. I mean, you know, it's one thing, like, people tell us to be positive, but, like, why? Show me some stats. Claire's showing us some stats. In a 1999 study, beachgoers were presented with informational pamphlets and then they were given a coupon for free sunscreen. Those who read the pamphlets focused on the benefits of wearing sunscreen were more likely to use the coupon than those who were given pamphlets about all the horrible things that were gonna happen if they didn't wear sunscreen. So there's a whole bunch of studies like this, but the real takeaway is: we know the consequences of ignoring security hygiene can be really bad, but when we have the opportunity to do so, let's focus on the positives and make sure that people feel good about interacting with us and interacting with these subjects. We at Rapid7 are building some security awareness training right now and it is really tempting to try to just scare people with all of the things that could happen if they aren't diligent, because we are projecting and we are scared. But there really is plenty that people can gain by following security best practices. These are some of Claire's ideas, I'm sure you can think of a bunch more.

And while we're on this positivity kick, let's talk about eliminating blame language. Oh yeah. Okay, so I first came across this topic in a blog post by Jacob Kaplan-Moss from last year. Also, I totally realize that at this point I'm just reading other people's blogs to you, but, like, they're not here and I am, so... they're busy. So Jacob explored the blameful culture in InfoSec that focuses on individual failures instead of systemic problems. So to give an example of what that looks like, let's say an employee clicks the link he's not supposed to. The blame-focused security team chalks that up to a bad apple, maybe they even get sassy with the user, and this creates two problems. One, that user had a crappy experience with us, probably less likely to report an incident again if it happens. And two, maybe even more importantly, we didn't force ourselves to explore why the incident really happened, so we might have missed an opportunity to fix a systemic problem. Instead of looking for a person to blame, we probably need to team up with this user and zoom out and identify how this issue slipped through the cracks. In this example we could consider if we're doing enough end user training, or if we need to change email filters, etc. If the only available vocabulary assumes that someone is good and someone is bad, when we're framing the conversation like that we create opposing sides. Instead, we need to approach every incident with this new mindset: something bad happened to us and we need to figure out how to fix it moving forward. This is the same reason we don't include names when we're doing a root cause analysis. Of course, and you know, what I'm really trying to say is, don't get blame, get solutions. They loved it. Okay, we'll move along. Um, thank you guys so much for laughing at that, cuz I was going to do this until it happened, and it wasn't that long.

We're moving on, though, to another wild strategy: listening. Oh my god, it's crazy. This one maybe isn't mind-blowing, but it's definitely as much a part of effective communication as anything else in this presentation, and if we do it well it can definitely impact our jobs, our industry, and definitely our whole lives. So we can start by holding up weird question marks and thinking really hard about them. Is it so funny? I'm good at all that, like, asking questions, like, who are stock photo people? Um, so we can start by asking more questions and really listening to the responses instead of waiting for our turn to talk, something that I have a problem with, but I'm working on it. Obviously you know this stuff at a high level, but it really never hurts to have a reminder. I definitely need a reminder every once in a while. It's especially great to hear it at the beginning of a two-day conference, and it's great to hear right before the holidays when we're gonna have to be around our families for a whole bunch of time. So let's, uh, let's do another hypothetical situation. Someone, maybe it's someone in your family, is adamant about not needing to use MFA. This is definitely something that could maybe trigger me, but what I'm gonna try next time is asking questions. Maybe they will talk through it and they will lead themselves to what you think is the right solution, or maybe you will learn something about them and you'll see that their risk profile is just different than yours and that's the right answer for them. But they're wrong, and they should definitely use MFA. People just don't like to be told what to do, and by asking questions like, well, what's the worst thing that could happen if someone got into your email account? What other accounts do you have tied to that? Who could they reach out to? How long do you think it takes to set up MFA? That last one was maybe sassy, but you can probably get someone to think that setting it up was their idea. More of this mind control stuff.

But we're not just using listening as yet another tactic for Claire's mind control. We have a lot to gain ourselves from getting good at listening, you know, while we're out here networking. Let's not forget this quote from Calvin Coolidge, 30th President of the United States. I literally don't even know if that's him. There were, like... I don't... I mean, maybe he aged really weirdly, but I Google-searched, I mean, it looked like 18 different men, but, like, I just liked the way that the background looked. And okay, so, whatever, it is a helpful quote, it was cool, he probably didn't even say it. Let's revisit the parable of the ox, and now I'm doubting if this even happened. Did this even happen? Is history even real? This is what I think happened at a fair in 1906, where, like, people are always misattributing quotes, you know, like Marilyn Monroe said everything. Like, okay, so, at a fair in 1906 more than 800 people tried to accurately guess the weight of an ox. Well, no one guessed the right weight, but the average of all the guesses was within 0.8 percent of the ox's actual weight. That is insanely accurate. The more opinions you get, the more likely you are to come to the right answer. Listening is dope, and we have so much to learn from each other. That is one of the reasons that BSides has been so successful globally.

And speaking of learning from each other, before I wrap this up I do need to say thank you to people who took time out of their very American holidays to get much-needed feedback on this presentation yesterday. So thanks. I know, like, in the grand scheme of things, like, comparing BSides world domination to this, like, BSides may be a better example of learning from each other and this one's just me procrastinating, but I had to say thank you. But, like, okay, like, we're gonna do this thing now. I'm really excited to learn from you guys over the next two days and listen, and if it seems like I'm not listening, just, like, remind me. If it seems like maybe I'm just waiting, just waiting to say something, just remind me that listening is really dope. Do you guys, like, feel ready to BSides now?
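The Slack bot the talk describes (link people to a wiki page when they mention a phrase like "guest Wi-Fi", and nudge someone who pastes something that looks like a secret API key) as an added, self-contained illustration; this is not the speaker's or Rapid7's code, and the trigger phrases, the wiki URLs, the secret patterns and the entropy threshold are constructed assumptions for the example. The bot's reply deliberately never echoes the suspected secret back into the channel, and `redact_for_log` masks it before anything is written to an audit log.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed mapping: phrase mentioned in chat -> wiki page the bot links to.
# Both URLs are hypothetical placeholders.
KEYWORD_LINKS = {
    "guest wi-fi": "https://wiki.example.internal/it/guest-wifi",
    "vuln disclosure": "https://wiki.example.internal/security/disclosure-program",
}

# Constructed patterns for things that look like secrets:
#   1. an explicit api_key / secret / token assignment followed by a long value
#   2. an AWS-style access key id (AKIA + 16 uppercase alphanumerics)
SECRET_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("api key assignment",
     re.compile(r"\b(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}", re.I)),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

# Fallback: any long opaque token with high Shannon entropy. Threshold is an
# assumption; tune it against your own channels to keep false positives down.
HIGH_ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9_\-/+=]{32,}")
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(text: str) -> Optional[str]:
    """Return a label describing why the text looks like a secret, or None."""
    for label, pattern in SECRET_PATTERNS:
        if pattern.search(text):
            return label
    for token in HIGH_ENTROPY_TOKEN.findall(text):
        if shannon_entropy(token) > ENTROPY_THRESHOLD:
            return "high-entropy token"
    return None


def redact_for_log(text: str) -> str:
    """Mask anything that matched the secret checks before logging the message."""
    for _, pattern in SECRET_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return HIGH_ENTROPY_TOKEN.sub(
        lambda m: "[REDACTED]" if shannon_entropy(m.group(0)) > ENTROPY_THRESHOLD else m.group(0),
        text,
    )


@dataclass
class BotReply:
    kind: str   # "link" or "secret-warning"
    text: str


def handle_message(user: str, text: str) -> List[BotReply]:
    """Decide what the bot posts in response to one public-channel message."""
    replies: List[BotReply] = []
    lowered = text.lower()
    for phrase, url in KEYWORD_LINKS.items():
        if phrase in lowered:
            replies.append(BotReply("link", f"Hi <@{user}>, the wiki page on {phrase} is here: {url}"))
    label = looks_like_secret(text)
    if label is not None:
        # Never quote the suspected secret back into the channel.
        replies.append(BotReply(
            "secret-warning",
            f"<@{user}>, that looks like a secret ({label}). Do you maybe want to delete this "
            f"and rotate it? The security team can help.",
        ))
    return replies


if __name__ == "__main__":
    # Constructed sample messages.
    for msg in ["does anyone know the guest wi-fi password?",
                "here's my key AKIAIOSFODNN7EXAMPLE can someone check it"]:
        print(redact_for_log(msg), "->", [r.kind for r in handle_message("U123", msg)])
```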