
Boston BSides - CSO Panel

BSides Boston · 53:59 · 54 views · Published 2016-07
About this talk
We had Chief Security Officers from varying industries talk about their experiences in the field. We had CSOs from technology, medical, education, banking, startup and higher education. Please enjoy our panel with our CSOs.

Panelists: Jon Creekmore, The Cyber Discovery Group; Andy Ellis, Akamai Technologies; Josh Feinblum, Rapid7; Adam Glick, Century Bank; Mark Nardone, Northeastern University; Sonia Arista, Tufts Medical Center. Moderator: Patrick Laverty, Rapid7.

About the CSOs: https://bsidesboston2016.sched.org/event/6c89/cso-panel
Transcript [en]

So this is the CSO panel, and a lot of baggage. There we go. Alright, so my name's Patrick Laverty. I'm the speaker chair and decided to moderate the CSO panel. This was actually somebody else's idea on the committee, and then we asked them, "Do you still want to do it?" He said nah, so it's okay, I'll do it. Alright, so what we have today is going to be six CSOs: chief security officers, chief information security officers, people in charge of security at companies. And the six that we have here represent tech, banking, higher education and a non-profit. So we have a bunch of questions... and healthcare... developer, and I actually three of those, a partner academic and South province.

All right, so that's going to make this next one even more... just any sense the next one to us. Okay, I asked them to answer questions from their own individual perspective, and not anything like "I would think in other industries they would do things," and that's why we tried to get a little bit of a diverse board here, so that way each of them could kind of answer the questions from their own industry perspective. So what we are going to start with, and probably not in the same order that they're actually sitting up there, is going to be some introductions. So we have, from Akamai Technologies... and I guess the wrong will go up there is what I'm

dependable, that's less settlers a lot. Oh, we will fail. He's not... fire me, you're done. What's actually... disclaimers: I used to work for Andy, but I don't anymore. So I'm gonna let them introduce themselves. Andy, please. I'm the chief security officer for Akamai, have been on for 16 years, and in addition to doing security governance across the entire business, I've also gotten to work on the product side, helping launch a lot of our new products. Before I was at Akamai I was in the Air Force doing information warfare. Nice. Next to him, which is also curious, we have Josh Feinblum from Rapid7, who now can fire me. We also have to disclose that I work for Josh. Josh, when

you introduce yourself, then introductions. Great. I can't actually fire him, that's not... you can ask somebody to keep the hominy back in the Corellian on this. Josh: I'm the security... at Rapid7 four out of seven. I spent time in healthcare companies and working in various telecom companies and law enforcement agencies and, you know, rinse and repeat, federal agencies, and, you know, spent a lot of time getting different perspectives, and found out my home was in high-growth high-tech companies. And I just happen to also land at a security company, which (a) has allowed me to build a different type of team and experiment a little bit more, and (b) is starting to give me an opportunity to delve more into product and building a

stronger community and helping our customers be successful, but just as a function of what's expected of my job, instead of, you know, going on my way having people look at me saying, "Why are you here? Security doesn't make sense." All right, and next to him, from Century Bank, we have Adam Glick. I can say I don't work for Adam; I've actually worked with him. Adam also can't fire me. Hello, I'm Adam. As mentioned, I'm security officer for Century Bank. A lot of you may have seen our logo. We're a five-million-dollar bank right here in Medford, a community bank, relatively small in that sense, but I'm responsible for

security and all those big jargon and buzzwords that are associated with it. Thank you. Great, and from Northeastern University we have Mark Nardone. So I'm Mark Nardone, the information security officer for Northeastern. I've been in information security since the mid-2000s, about a year after Northeastern started to have an information security question, so I got to evolve as the program... no, I run it, so somebody's bigger. And then from the Cyber Discovery Group, Jon Creekmore. All right, thanks Patrick. My name's Jon Creekmore, chief security officer for the Cyber Discovery Group. It's a 501(c)(3) in research and development and education in cyber security. So personally, about me: everything I say

is my opinion, not that of my employer and one contractor this. Additionally, at this time I've got about close to 13 years when pretty much consulting pro bono as well as support work for a lot of nonprofits. In theory that scrimmage would work, predominantly with supporting people through security at Brewster nonprofits, and we like working in the trenches with those people because he was several audible things was it. And what, last night I was creating these name tents, which Andy so nicely recreated for himself, and one of the things that I was noticing was that we didn't have a whole lot of diversity with them. Yeah, very good to that watering the targa give the power. Now I was reading

the tents and noticed we did not have a lot of diversity, and today Josh came up to me and said, "We would like to add another person to the CSO panel, do you mind?" This'll be awesome. So from Tufts University we have Sonia Arista. I am the diversity in the panel, so pleased to be here. I manage information security for Tufts Medical Center and the Floating Hospital for Children. Been there about 10 years, but always in the healthcare space, so it was Harvard Pilgrim and they open health plan before that, and before that I did management consulting work at Texas... Dell Services and Rosborough's management consulting group. So there's a lot of verticals in there in terms

of clients, but really specifically focused in health care, and love working in the hospital spaces. Thank you. Alright, so basically we're here to ask them questions and hear some of their answers, so we can start with some really easy ones for them. How about: what does the CSO do? What does your typical day look like? Take us through some of the typical things that happen in a CSO's day. Let's see who has a microphone and wants to start. He's good. What, ya know... oh wow, that works. Everyone working with cool things would be very security officer, high res. I never really know what I'm going to do day to day. I try to plan my days as best I can,

but they don't always go the way that I plan. Certainly what I do is evolving as the maturity of our program at the university is evolving, as the university's profile is evolving, the challenges continue to increase. I do a lot of meetings with governance, risk and compliance, talking about strategies for implementation for new things that Northeastern wants to do, like brand new CMS systems or LMS strategy. That seems to be a big part of my job now, and probably how the university positions itself for all the things that it wants to do and still protect the infrastructure and protect the data that we have, on a daily basis, and then it's also on an annual basis, right, handling

...in crisis mode in your incident response. So the key point that I heard there, to agree with that: your day is totally not predictable from a long-term perspective, and that's an executive function, that's not a security thing, right? The higher you go in an organization, the less you're doing routine things, because that's what you have grown the team for, to take care of the things that are somewhat predictable, and much of your day is handling escalations, right, talking about the things that are off track, how do you get them back on track. Care and feeding of your staff becomes a much larger and larger portion of your job. Larry's over there going, "Man, a little better," but it's

ensuring that people have the challenges that they're suited for, right, so they can grow and develop. You don't take a junior contributor and say, "Oh look, I think someday you can be a senior architect, let me put that job in front of you today." It's how do you ensure that work is being put in front of them in a way that's consumable, that they can grow, that your managers are doing the same, that your directors are doing the same. So a lot of it really has to do with sort of watching this machine and making sure that it's on track within your organization and that it's fitting within the larger organization.

You know, I think the simplest way to explain it is frequently herding cats, which is a lot of what Andy just said; it's not an exaggeration. I think one of the really fun things about security, security teams in essentially places of rapid growth or high-technology places, is you have the opportunity to understand the business both from a strategic level and a tactical level in a way that doesn't exist in almost any other component of that business. And so I think that one of the things that I've always enjoyed the most about it is that you can really get in and both gain in perspective and give the business back a perspective that

they're not used to, and I think that aligns directly with being both a tactical and strategic contributor. And so I don't want to echo, I mean, obviously the same things that all these guys said, but I think that there is a very, very fun perspective. I'll let the others go. I think in addition to that, the only thing that I would really add to my role day-to-day is being a constant evangelist and lobbyist for security and why security is important to the various individuals, you know, working in the organization. So I talk daily with physicians to understand how they're using technology, and remind them that security is a big component of the patient experience and patient trust as it

relates to the health, you know, the hospital environment. But that constant kind of lobbying for the program to mature within the organization, I feel, is my largest role. Yeah, so ditto to the previous four panelists, very much along with Andy's sentiment, is that it is... nobody knows what I would walk into every day. We are a financial institution, so I'd be lying if I didn't say that a large portion of my time is taken up by auditors. We're audited five or six times a year, so I am in with Deloitte, KPMG, the Federal Reserve, FDIC, whoever might be the flavor of the week at that point. That is a good portion of my time, but yeah, you

know, the day-to-day, you come in and you're unknown, you've got to handle the reports, there were changes yesterday, what happened, what was it. Very much responsive in nature, unfortunately. It's a gag album, 25 people. So coming from the background, we're a non-profit, cnc mountain system budget, so there's a lot of all TT Gorillaz, and managing security projects at a nonprofit has been rather interesting because of the audit quality standards and things that we enable those people with. I do think, though, that they've all been on as a... the success factor actually is personnel management as well as communication, and your team as a CSO, you're actually working rather hard to be that communication vehicle a lot between your

neighbors and the people making decisions in the business. So, across multiple industries at this point, a lot of it boils down to being a communicator and being able to get employer. Yup. John, I'm gonna come right back. Okay, so let's say, all right, listen: number one thing that you struggle with each day that you wish you could get a better handle on, or what's the one takeaway you would like to see each of us leave here today with that will make the security environment better? We'll have someone tackle the first one. On that one, a new circle with every other nonprofits, can anyone guess how the most work really hard for little... you know by now.

Right, so obviously financial constraints on accomplishing the objectives of the organization are always going to be systemic at nonprofits, so that is absolutely one of the things: innovating alternative methods to accomplishing their goals. So he mentioned earlier being tactical and strategic; you have to be able to have a team that has the agility to go through the decision process where you go from being tactical to strategic at rapid notice, and right back. And then one of the ones eight ways actually probably would be that is too long. If you do anything, especially at nonprofits, you have to work with a lot of people who come to you wanting to help with the mission, and maximize the potential other

people have. So this is personnel management strategies again, but also one thing I don't think a lot of people see with nonprofits often is stakeholdership, so making every single person to like everything that goes... detrimental to the success of the organization, they absolutely keep or give you anything. CT meter. Mark, about from the university perspective, takeaway? I mean, it's really getting people to understand that they are as much the solution as they are sometimes the problem, and making information security, the notion of it, baked into their daily job. They realize that thing; that's one of the things that you push really hard for when we do our information security awareness training: okay, it's not just

your job that you should... you think it's also outside. So really kind of driving those things is super important. I mean, what I'd say is a struggle for me right now is value and resources to continue to grow the program, to have one that the university needs for the growth. It's tough because you're a university, and we are a non-profit, so the pool of money is small. If anybody's from around this area, you know that kind of meteoric rise of Northeastern over the last 15 years. 15 years ago we were right there in the three hundreds, and now we're in the top 50 universities in the country, and that has brought some very many challenges, not the

least of which is the fact that people now know our name, which means people in China and money. I think you'd really be surprised at the increased profile and attack vectors that come in there because we're on NPR, or there's a news article in The New York Times. It's aight surname. And finding the resources not only to keep the university safe but also to continue to move forward strategically, position as bad or Caminos challenges, that's the next struggle, is trying to find most all. Sonia, you described a couple, three different industries I think that you kind of cover in your position. Do you think there is one thing that you struggle with, or is it because you

worry about so many different things that there's not one thing? Yes, so I see my organization through the lens of, if we look at research, you look at the, you know, nonprofit academia, obviously a large consumer component with providing health care to the masses, and then the for-profit component of the organization. So, you know, I think I have to view the organization as three different spaces, and I've really leveraged leadership in those spaces and gotten them ramped up with security, you know, knowledge, so that I have some visibility that's spread, because even if my team were seven people, I still wouldn't be able to look at security through the lens of what they're facing

day to day. I think the biggest struggle for me really is getting on top of the technology that's coming into my organization. So if you think about how, you know, we're in the middle of Boston, the epicenter of great development from a software perspective, a lot of big healthcare companies and small, you know, incubators developing software applications to use on your phone that will transmit health data to your physician, and all of your friends on Facebook if you want. And so that's kind of one component of it. There's an influx of telemedicine-based medical devices that are now going to have random operating systems that haven't been a part of the program historically, so that's a big

challenge for me. Adam, you went from academia to banking, sure. How do you see these questions being eye-opening for you when you went to the banking sector? Yeah, so obviously I don't need to tell you it's a world of difference between talking about the financial sector and the higher-ed sector. Higher ed is very much an open environment. It's, you know, how can we communicate freely, how can we enable this technology, and then it's kind of after the fact, "by the way, should we add some sort of security to it?", whereas the financial sector is very much the other way around.

So the financial sector is: okay, is it secure? Is it, you know, buttoned down? Do we have all the configuration correct? Okay, maybe we should think about having a user in and see if they can use the technology. So it's kind of, you know, which end of the tunnel you're really looking at. But as far as relating to the question, one thing I struggle with, my big struggle right now, is the SWIFT network, if anyone's familiar: explaining to my executives, yes, we have more than ten-dollar routers, and we do have something called a firewall on our network. It's difficult to say, "Yeah, I've got it," and also to try to explain to

them what it is. But it goes back to the initial question of, you know, every day is different. I did not know I was gonna have to come in and answer a bunch of SWIFT questions one day, and now I find myself doing it. But I struggle with that; I struggle with user awareness, getting my users to understand and be a part of the culture. I find that to be extremely valuable from a security standpoint. I want people to take Century's security as something that they are part of, and by doing so they are secure in the professional environment and they're secure in their personal environment. We work really hard at that, and I

understand I'm getting you guys from bear song about watching. Um, the takeaway from this, I think, is, you know, a bit of a paradigm shift for the security world: I try to be an enabler, in the most positive sense of that. If someone says, "Well, we can't do that," I want to find out how we can do that. "No, that service isn't allowed." Well, let's find something that is allowed; we'll find a secure way of doing it. Let's, you know, let's not be that breaking point; let's be the enabling point of that. That's gonna be my takeaway. Josh, you're next. Yeah, good. You know, one thing that I was, that just presented here, was... I'd say my biggest

struggle, for myself and for the team, is prioritization: figuring out what I want personally, what I want the team to get an A-plus on, and what's okay to get a C on. I mean, a lot of times it just feels like you're rolling the dice, especially when you're dealing with, you know, a smaller organization. But, you know, sometimes it just feels like you're guessing; it really comes down to intuition and ultimately instinct, and I don't know if it changes if you have a larger organization. And I'd say the takeaway is that I think that the industry in many respects has become very pessimistic, and I actually

am optimistic. I think that there are real problems that we can solve if we get curious, highly apt and excited people that are going to solve problems. And so when you're going out and hiring, something I learned from this guy actually is, you don't need to go find that security engineer with the five years of experience. You can get creative and try and find creative and energetic people that are really smart, and they're going to help you be very successful with building your program. Yeah, that's a new tangent for Andy. The last one, maybe talk about what Josh is describing, the kinds of people that you look for? Yeah, so

the struggle that I'm having here is easy: everything, a good staff. Yeah, good

time. I'm kanya so often. That was the state... Larry, because we weren't here in the previous talk. Larry's the guy who broke CVE and failed to find 1300 WordPress vulnerabilities, wants down 30 instead. But like, we hired Larry, and Larry wasn't officially a security person, right? His resume was, he had been a sysadmin for, God, I don't even know how many years, like since before there were computers, right? Great security researcher. Yeah, we hire from places, and sometimes you make mistakes when you do that, right, you don't always find the best fit. And so one of your struggles is how do you take somebody, because everybody has value that they bring into your organization, and put them in a position where they'll

thrive, because when somebody isn't thriving, more than half the time it's not their fault. It's the fault of the organization, of how you supported them, of how you trained them or didn't bother to. And we've done, you know, almost every mistake imaginable. I'm sure we'll discover some more next year. I have very defensive managers, way to fail, and you blew off food. But for the second one, the one thing I want everybody to take away with is, you know, in your career at some point, probably on a regular basis, you or one of your co-workers will engage with the business in a dynamic in which the security person is holding themselves up as

protecting the business and trying to stop this stupid or evil person from doing a thing. Cut it out. It's not helpful, right? We as security personnel do not make money for the business. Our job is not to keep them from taking risks; it's to help them make better risk choices. And any dynamic in which you say that they're the villain, which obviously means you're the hero, is exactly the opposite. We are sidekicks. We're in the industry where the best we get to be is Robin. You're not Batman. We are not Superman. We're not even Aquaman. Wonder Woman? Like, I'd kill to be Wonder Woman. I'm Robin. I'm running around and maybe I help Batman remember to put on his

utility belt. That's what our industry is. There is something that Andy said several years ago that I actually, whenever I stayed out business number, "Oh my god, what is happening?" He said something very similar, which is nobody is the villain. And so whatever I'm going to crush, created or... I tell the same thing to every professional. The point is, when somebody is coming back and saying something that you think is the most ludicrous thing you've ever heard, like, you step back and try and make sure you understand that perspective and why they rely. All right, I got this next one, probably

a little bit more for Andy and Josh, since they actually do have staff here. How can your staff and other people at your company better serve you? It's all right, give us one. The topos is, executives don't want problems brought to them by their staff; they want solutions offered, ideas suggested, it takes problem set it. So I have said that to people, and I increasingly feel like that's an untruth when I want to tell that to folks. I do want to know what the problems are, even if you don't have a solution. Now that doesn't mean that the fact you found a problem that you think is crazy existential means I'm going to do anything about it, because guess what,

I've got a register of some crazy existential problems that I can't do anything about anyway, and this might just go on it. So some of it is that level of tolerance, to understand that when you find the thing and you're traumatized by it, that might actually be reasonable within the scope of risk within the organization. So accept it: it's going to go up and it's not going to bounce, it's not going to move the organization. But also expect that if you bring me a problem without a solution, and it's a problem that I think I know what the solution is, I'm just going to tell you what to go do. Like, if you walk in and say, "Hey, I got a problem like this,"

and you stop, I'm going to say, "Okay, go do this, this, this and this." Like, I'm not a psychiatrist. If you want somebody just to be able to talk to for a minute, you've got to start by saying, like, "Hey, I'm frustrated about this today, I want to tell you about it, and I don't want any action from you." But if you walk in and say, "I'm having a problem with my data," I'm like, "Great, let me solve it." I'm a troubleshooter; that's what I do for a living. So that's the one thing that I think, and most of my folks were pretty good about learning that one, but that's a big piece. I would say that I

encourage as much open dialogue as possible, and so it's never a "if you don't have a solution, don't come." What I don't like is people who complain a ton and never try and offer, you know, a valuable approach to the things that are bothering them; it's just constant complaining. I think that's different than coming with a real problem and working through it as a team. But what I don't like, I don't like when people in the security industry in general go to the business without a solution, right? I think we can't just be people that point out problems, right? So the most important thing is that when we see a problem,

there's something that we're uncomfortable with, that we're not just going in saying no. It's, "Hey, how about this?" or "If you can't do it this way, maybe we can help you do it that way if you don't have the resources to," which isn't always practical with all security organizations, you know, for staffing reasons, but it's a really important focus. You're just not the team of no. I know you guys have started to hear that, but if that's what your team is doing, you're not going to be successful as a team. Sonia, I think you said you had seven people, and even if you had more, that wouldn't be enough? Oh no, I don't

have seven people. Oh man, I said even if I had seven people. One thing that I guess I'd say to tag off of that, you know, I think we get tagged as a team of no, and so one of the things I implore people to do is invite me to the meeting, because I'd rather see that wreck ahead, right? Or if a new technology's coming down the pipe, or they are planning on, you know, doing something strategic that involves an application that is fraught with security holes like Swiss cheese in the code, I want to know about it and make other, you know, mitigating decisions on it. John, how does this work with your

office? Oh man, every one of my team is... you are a security on profit internally is probably better than I am, to be honest with you. I'm the guy that's the extrovert, the ENTJ, as they fall in the psychology world apparently, but I know that after that, and just trust very much everything that they do for me. The better they serve me, they can stop bringing solutions for our clients, basically, because they don't sound like it's just, "Hey, we did this business," and nine times out of ten it's a matter of okay with what resource and time. But no, it's really honestly about communication, and they never talked about it; be very transparent, routine. At times I would

like to be more involved, as she said, with things that may seem minor to someone, or they may seem so they don't have a solution to that problem. Cross-pollinating across little work, you actually did a lot of things like the CFO may know something, I've got CEOs or in preventable star, I mean that person, hell, that you see CSO in one ear, CEO in the other. Okay, good, that's all, so many more of those, right? So actually asking something back on the top side, you can also help out, I think, not just people that serve you, see the people you work for. Okay, Mark, doing a tease me a good. Yeah, I have to

say I trust your team for a reason. They're smart, I knew that. But what I do is make sure that they understand that it's okay to get a problem sometimes, not penalize them for that, look at it as an opportunity to get it right. And, yeah, in the tomorrow, in Sonia's and John's, I also really appreciate open communication. So, you know, it's going to upset me more, you know, if they come to me on a Friday and say, "Hey, we've been banging our heads against the wall since Monday on this, and we've made no progress, and we're still dealing with it." I wish it came here earlier, you know. We've gone to these points, and we're being paid to be solution providers, I

think, at this level in our job. So open dialogue is extremely helpful, talking through it, whatever the case may be, but bring it to us early, right? Here for this next one we're going to ask you to look into your crystal balls, and hopefully with the different industries we get different answers. What do you see as the next big thing that security practitioners will have to face and deal with over the next few years? Who wants to jump in first? I work for a security vendor. I want to say, ironically, that I think that... would you like, we're like a huge monolithic more than security vendor, early, very important, but you do a lot of

other really cool things. I would say that, in fact, security tooling is failing us. I mean, lately, if you were a security practitioner and all you do is install security tools, you're not a security practitioner, you're a tools practitioner. Security practitioners are innovative, they're intuitive, they've learned how to automate problems and solutions. They don't sit there and click the same button every day over and over, because they go, "Hey, that's not effective; that's something I should be able to make happen automatically." And so I think, first of all, it's what a practitioner is, and how we start addressing problems, to be much more oriented around... much more

...interest is building it into solutions that kind of bind in both in our environment. First of all, I've got to protest on "security vendor": 250 million in revenue, broken out, our revenue for anything is for security. So excited, been waiting to drop... "exclusive security vendor," that's much better. "Seller of boxes." I think that there's an approaching complexity apocalypse, and you learning what everybody my father, and here's a simple anecdote for you. How many people here are automotive engineers? Great, no hands went up, so I've got no readers in the room. People remember the story of the Ford Pinto: put a gas tank right at the very back, when you got rear-ended, at least... yeah. How many of you

think that's a good idea? Again, none of you. You're all lay people, and you can all understand how the Ford Pinto is badly designed. The Jeep Cherokee that was taken over at top speed by a number of researchers, who we're always supposed to credit, and I don't want to, like, blank on... Charlie Miller's name, and I only know their Twitter name now. What did they do wrong? Anybody here know what is the simple design failure of a Jeep Cherokee? There's like 18 things that go wrong, right? It's not one simple thing we can talk about, but the lay person can't look at that and say, "Here is the one bad design

failure that went into that." Systems are now so inherently complex that we can no longer look at them and go, "This is safe," or "This is not safe," and that means doing risk evaluations is really hard. Because here's the other dirty little secret of our industry: quantitative risk assessment doesn't work outside of the actuarial industries. Like, if you're doing fraud or insurance on large populations, great. Other than that, all risk management is done from the gut. We're papering it over with beautiful reports that say what we should do, but it isn't; it's a gut check. We think we need more security? Sure, go do a risk assessment so I can track which things I'll go do, but it's only

started because somebody believed that there was a problem. We're losing the ability for lay people, and by lay people that includes the CSOs in the room and all of us; if you're not a systems architect, you're looking at some complex system that you're building and trying to judge its risk, and we no longer have the tools to understand how these systems operate. And that's something that really worries me: will security increasingly become a cargo cult, where we just tell people, "Go rotate your password every 90 days," because that's what we've always done, even while that's no longer an interesting problem or solution? Sorry, so far. Yep. Oh, so I think we're going to continue to see the cyber application

of traditional crime models I think that's the big emotional ladder 15 years you know you had vandalism with people just defacing websites and then we had they stole credit cards and their data and there we have you know kidnapping and ransomware which is the next thing and even its evolving because they start their [ __ ] your fingers off and send them back to you is it delete your files when you don't pay I think that's it's not gonna where they at I think everybody knows the FBI said that ransomware is going to be a billion-dollar business this year and it's just never-ending and I think adding to the complexity of the Internet

of Things that's just going to open more opportunities for these you know traditional crime models to move into the cyberspace and and we all have bank accounts so this should be interesting to see what you're worried about management I like marc bullard and cyber advised the cyber cyber minus I thought of a good summer vacations like this one too like the bank at pointa know I wish I had a nice metaphor that like Andy had but um I'm with Mark on kind of that that what we've seen in the past or regular crime taking on that digital life and I think one of the you know again if I knew what was gonna be the

next big thing I'd be talking to my broker's right now and not talking anyone else here but I don't know what it is so I think kind of that IoT that Mark kind of led onto is as we start putting on more and more things to the internet without truly understanding the proper ramifications of you know how to secure you know a simple bus within you know Jeep Cherokee like that you know so someone can't tap into your car and turn it off while you're driving on the highway we're missing that full understanding of the implications of when we add these things and I'm sure Sonia can talk more about from a health care standpoint of you know having a

heart rate monitor things like that to the Internet the personal devices all the wearables all that stuff are becoming more and more relevant and I'm just cautious that no one is watching the watchtower yeah this morning when Mudge was talking about how one of the car companies send out a USB to create their own where do so I'm I'm really glad that that I'm hoping the health care industry doesn't do that for pacemakers or something like that Jam this into your nipples likely taking all of y'all laughter yeah the market what would you have them do instead like think through the alternative of how else would I think it was our update we can send it over to

the internet and you can download it to your pacemaker does that no damn in I've idea like we have somebody hand side of it all that really makes me scared like so we don't give them place solutions to really children it's going every day when I was on drug dealer but there's real Duke solutions it was easy for us especially make fun of the ones they choose but at the end of the day the larger IT industry has failed yes to create means that will work for businesses so businesses ignore us because we haven't helped them solve their problems yes are to actually answer your question path from a financial sector what we're seeing is is

the sagra fication of money so the big boys editing of that manner in the blockchain looking at kind of how are we going to handle the credit default swaps and things like that from a financial standpoint with this digital currency it's really unprecedented I haven't seen much regulation revolves around it it's gonna be an interesting world as it becomes more real into the layperson health care so within healthcare the compliance the regulatory space is changing rapidly and it's been very difficult to understand and the standards and controls that are going to be used across the industry so everybody's sort of using their best effort right now but the technologies that we know around you know encryptions

in more secure protocols but since there's really not a definitive guideline and now you know changing with a political landscape that kind of in government is trying to you know regulate the standard that's even a little bit scarier and more challenging because we do have potentially solutions in the private sector they're going to be overlooked because government political officials feel like their standard is going to be better may not may be may not be but it's an effective rapidly evolving the space challenging and earlier one of you referred to us as how many the group of no which is often said that the security team is no you can't do that but enough negativity

in worrying what are some of the things that you think the security field does really well I'll go John yeah sure actually one of the last one answered Polly a directive if you really come on oh ok my selfish alert moment on the last thing of his challenge to my subjective opinion is that we are not as practitioners in our community mentoring and controlling and guiding industrialization of our workforce we have people with security buzz that have I made an industry experience working in drugs on those people and these children these projects innovations in their pocket of every of the block we don't have the best mentors for ethel barrymore references or them to meet the

demand our policymakers I created in the cyber nashville challenge over the summer I was probably not a person there that ever actually worked on the video network which is really good to see how these kids and remember universities talking about policy I actually went there as a social project the CBD to do a white paper is coming out soon to talk about the socialization of cyber security and to see the difference in the definition of what some of my age that's working on PhD a political science has to meet us in kc I'm working on is so in 10 years it's good for me to sit down and actually see what their thing is coming and it's totally

different so I talked about policymaker definition if people like much DTI workings advocates for years and no one's could see to have much more drastic impact if they had listened to them whether you do now so investing into your cheer one person now is absolutely been opposed to your success in the future I'm sorry about that that's just what I'm saying any part b 1 vectors welcome back on that social but negativity and wearing yeah absolutely or anything optimistic and it's like the [ __ ] is starting on the guys it's like it's cool we got this don't worry about it sometime I three gigs of data would be probably that back it was good though is that your bank

card works you'll right I don't know it's all century um they probably just be want to know telling me how's it going um Gator but know some of these materials / well so we're actually going to go back into their coin there I've seen the hackerspace situation right people while it sounds to people that arguing better things on their off-duty time than they're not if I working as a security practitioner and we've only driving that later but I really think is what we're doing well we are working as a middle piece better now I think that we honestly ever have an industry yet CSOs that are going out of their lanes and doing things like going to the

Masters developing with the CEO because they know that might be what it needs to take it are keen to victory you next year and its back in the day that would then never even heard the security guy and I didn't even have an you know a full seat of the board so I think we're doing really well today or bringing ourselves out of her comfort zone that's it all Andy what are we doing well I don't know dorm conferences yeah so it's a hard one yep sort of step back and say what is our job right fundamentally our job is to enable better risk voices and so are we doing that or is our the industries that were

protecting thriving and are we helping contribute to that the automatics it like naming vulnerabilities might actually be the thing we did most well over the last three and look I know a lot of people are opposed it right they talked about you the Jeep Cherokee being stunt hacking and why do we have have a logo for Heartbleed and ImageTragick and all this other stuff but let's put it this way how many people besides Larry can name CVEs by number right and sure times on the e guy and I can't there we go right we can you know continue to think of our industries being this arcane thing we have to be part of and which means we have to

market ourselves and I think we are doing better marketing ourselves and everybody interested that they had to do something because of Heartbleed like everybody across every business rather than I talked with somebody the reason we're hiring and he came in he said yeah you know Heartbleed was a boon for me in my previous job I'm like why said well because for the first time I could say we have to do this thing and patch servers and nobody argued with all right that's fantastic then we're actually able to communicate up to the layperson even as our systems are getting complicated yeah oh I agree I don't want to go too much on the same similar rent but the

socializing of security you know the longest time the security guy was someone in a dark room in dark corner doing you know whatever security people did you know even if they had a security guy or girl and I think the ability to now you know understand that there is a human aspect to it and being out there and talking to people and I work very hard to be the social face of security I walk around I put my ear to the ground I know people see me kind of water in the halls and that's how I get good information I learn about it you know what are you working out when you see how this where possible we don't just

becomes very well yeah right thank you but I'm serious becoming that social aspect and I think we're doing a better job of it I think that we have a face we have a name you know Security BSides I don't know how long you guys been doing this six or seven years six or seven years but I think we're making that progress you know six or seven years ago this wasn't here so get out there put a face to it it's funny I occasionally somebody will poke fun at me for not a ping pong I play but I'd like the best source of information that is have be being social is so critically important to the role in here if you're

not going to walk around and again talk about a little really come from the top of the stack you're seeing you all the way down to junior developer help desk person they it's probably not a great role for you so you get disconnected on the organization I would say as far as the optimism I think that the security community yeah I've talked about it a different way a few different tops but it will really a young industry right people have saw me in source on Wednesday long as I said is that you legitimately in the late eighties through the 90s were a bunch of you know teens or young adult or in some cases

kids breaking into shin and then we woke up in this I really do now epileptic crap this is like an industry to have Caroline and so we're really young and a function of that maturation so which has been good or someone obviously has been bad one of the fantastic things that we've seen is we've seen our community become more open and accepting so I mean you know Andy Lucas earlier with holding conferences it was not that long ago when you roll up to DEFCON people in OB were like you were going to be bored you weren't welcome like it was just a different experience than that you have now a lot of adventure and I'm add one

more thing on a jump onto the third rail yo that'd be really careful up as a white male to talk about diversity but if I was in a conference like this five years ago it would not have been twenty-five percent female or this outwardly female in case anybody's presented differently in the inner room right that was not our industry our industry was pretty much white male if you weren't white male you we felt like the outsider is nobody knew work I'm sure so I did quite has some stories of those days but that's a fantastic change we are not a community that is installer and we'll need one demographic so I think that's the thing

we're doing well at but that's well by comparison of we were horrible several years ago Chomp well by comparison oh he should just be done don't sounds bad yeah we don't suck as bad as we used to yeah that's going to all take that that's that's always the first step acceptance and markup I didn't pirate ah hi right in general I think one of the things we're doing well is we communicated with each other we share an information in ways that we have done previously on hell even the government's stop to get better on and that's that's unique and not only are they shared information better with themselves but they're sharing information with other it is important organ we're sharing it

back with that and I think that helps us all higher ed is always being relatively good at that is Adam will probably attest when it was back in his days of higher ed or longer we share information a lot we talked about how good vendors are badly their tax on quarter and thirty or anything else is whether the by-product or not we share indicators of compromise very quickly amongst ourselves and never I'm seeing more initiatives where higher ed is partnered with the business is partnered with the government that collaborated shows of information and this is really help and not eat any job to get that pay no fees I think that's one of the things

that while I'm looking better did you want to add anything Sonia yeah I would just say the collaboration I mean you would think that security professionals would not be a very open bunch but I don't know if it's the therapeutic value that comes from getting around the table with fewer stories I hear would you know we cross hair yeah and it but that's refreshing to me because it kind of keeps me aligned with what I feel like my strategy and my priorities are going to be for the next year it's sort of a sort of you know throwing things on the wall making you know having them stick just kind of reiterating the value of

what I'm doing day to day so I think collaboration is what we're doing well and that we need to do more of it and I think it needs to be you know security is not security across every industry and I constantly seek out people in my vertical to understand what their particular problems are because programs are going to look very different I mean you have baseline you know firewall architecture discussions at its you know security forum like this but when you get into healthcare you get into banking things become very different very quickly and with the amount of monies that we get in the nonprofit sector we will really have to be very careful about where we invest annually invest

with I just have one more question when I want to hit you Sonia just said something that I think it gave me an anecdote humble years ago to drive some pretty much a good chunk away just hurt I was standing at DerbyCon two years ago there are different kinds of levels in September each year I think they're having their sixth one this year and every year separately they've broken the record of the including Kentucky Derby weekend of the Hyatt in Louisville is about alcohol sold Institute and so they always have fleets on site we have large event and like it was like three o'clock for 45 min Mourinho's competing in CTF and I was just kind of taking a walk and

talk to one of the cops and he's like I usually I've never seen anything like this before like you like that sweetly obliterated people playing with complex variants of chess like some guys are talking about like Heidi headers and every excuse this is not something you just vacation other and it's only on vacation is just cool alright so we're drinking will yeah it really nice out drinking every what bunch of alcohol that was the takeaway about a functional social out foundation is that they excel in etiquette so before we can go all sit around the table and have a beer i7 laptop question afro so how would you say that your team is or your team can impacts the

community both local and abroad John do you want to start without yeah so uh we're dying here and here is that I don't not even explain Anaheim I see chapter president I think we were workers labor laws we have no chapter I mean we just don't stop it's pretty much the mission is in size every day two of us are finishing up at HT is Peavy who can't great long ago started loudly about 90 people here medical offices in there every heavy literally just don't stop every single day being advocated we get on the Barnes and Noble some votes on the group and basically just work to teach people like how the 3d internationally understands what's doing

for programming is security but advocating my god dinner with the mayor and next week to talk about the economy development direction cybersecurity and two weeks obviously one of the person who we volunteered via community courts council to help children with shua congregation initiative and sin as well as disabilities so nonprofit work belarus abilities so to summarize it don't hack the world and have a good time for you each other I guess along the way inception is where you're going my CEO is a roast and I even have a party response people everybody that just you have anything about how you're impacting the local scrutiny because everybody is it because it's because we had a 144 divided people speak like it's

exactly except I think that you a always push the envelope and then talk about it but one of the problems is industry guys they got caught in this run its end because people that aren't new to the industry or are new to the industry want to get out and they want to do best practice problem is best practices are broken and so do best practices don't happen and put people experiment and then talk about it talk about what's worked and what hasn't borin computer a doll that Nia better so the only weight will get better is if all of us experiment push the envelope and come together and talk about what worked and what didn't work

it was when we can't work in this like a state local municipality but that's my charity work our municipalities department where we do a lot of the banking for countin town is whatever light power things like that you would be surprised a lot of security so I have built this 10 page they called my security Bible whenever we bring on a new client and when I got here I went through all of our existing clients I sit down with them in their security department and I go over a when you're sending our you know ACH transfer you really shouldn't use port 21 for that and we go over a lot of times I think so

I try to make as most I can too they expand our security and our posture internally to our customers and we work a lot with municipalities in a sense of trying to bring them up to the year 2016 just want to say thank you to Andy, Josh, Adam, Mark, John, Sonia thank you for doing this friend thank all of you for making this another successful BSides