
So I'm gonna talk about security burnout. I know I'm standing between you and the beer gardens right now, so I thought this picture... you know. I'm sure you're burned out from today, from all the information you've been exposed to; it's just been really great topics. So this should be an easy topic that's not that technical. I guess I don't have the... no, that's okay, I'm fine, it's okay. I do have a disclaimer up here, just to let you know: these are my opinions, not the opinions of the companies or organizations I have worked for. I don't need to... thank you.

So what is job burnout? It's really just a buildup of being tired of your job, from an emotional and physical state, and we can really replace "job" with "security" burnout, because it's the same concept and definition. But why are we there? Security is hard. If we look at the evolution of security, we started off as firewall guys, right? And then we became the IDS/IPS individuals, and then our positions have increased and compounded over the years because of all the risks that have unfolded throughout the years in security and in our industry. So these are just some topics. If you think about our role, we wear multiple hats, unless you're in an organization where you're only doing pen testing or some specific role, or just audit. But if you look at most organizations that are customer-facing and you have a security team, you're wearing multiple hats. I can tell you, when I was a CISO at WellStar Health Systems, we had about 14,000 employees, five hospitals, about 200 physician practices, and I had seven people on my team running and managing an information security program for the whole organization. So we are wearing multiple hats in multiple roles, you know, from a business perspective to a technical perspective. And if we think about our workload: every day it's new threats and vulnerabilities; there's new tools, shiny tools we can work with that we've gotta learn; there's new and old risks to review; those vendors and customers we have to deal with all the time. And I feel like
I'm ignoring you guys on this side. Connor, I heard you don't like me moving around a lot, so I'll try. Okay, there's, like, the audience to conduct. And honestly, we have that every day: security hygiene, right? We have to consistently do it. We have to patch all the time, we have to, you know, look at vulnerability scans, we have to look at our pen test results, we've gotta update our policies, we've got security awareness training, and the list just goes on and on, right? Let me know, I do talk really fast; I can slow down. So these are some topics of why security is hard in our industry and why we can get burned out so easily.

So how can we recognize that somebody, or yourself, is burned out? So obviously there's gonna be the emotional side: you know, "[ __ ] this job," excuse my language. "I'm tired. I'm just gonna go in and do what I have to do and leave for the day. I don't care anymore." I've had employees come to me, and I've heard it from other colleagues: "You know what? I hope my company has a data breach, because if we have a data breach we get more money, we can hire more people, we get more tools." I have definitely heard that in my industry from my colleagues and stuff. And then, you know, there's the thing where you're doing the same thing over and over and over, but you're not making a difference in your organization. I think that's what burns most of us out, especially if you're at a company where you're providing the security program for your organization: you just feel like you're doing the same thing, but you're not achieving anything; your program is not actually maturing. And obviously there's the physical stress, you know, you can't sleep at night. And then your managers... are any of you managers in here? Do you have people that report up to you? You should be looking for these signs in your employees to make sure they're not being burned out, because obviously you don't want them to quit, because we don't have enough people to hire, right? We don't have enough people in the industry that have a security skill set. And obviously, if we have people that are burned out, this poses a business risk, a security risk, and potentially a compliance risk, because if you can't meet the demands of compliance then you're not secure either. Any questions so far? Okay, yeah.
And you can ask questions; I know sometimes you tend to forget your questions at the end.

[Audience] Yeah, so I want to come back to this: "I wish my company would have a security breach." So when the company doesn't care, maybe this company just doesn't need any security; it's a compliance check at that point. So why do we care more than the company, which should want it, when it doesn't?

I'm gonna talk about that. Why do we care more? Because we have a passion for security; we want to make a change, right? And I will talk about that in our next slide.

[Audience] Good, you can go ahead and continue.

Sorry, I cut you off, but I'll talk about it. Yeah, so how did we end up here? First off, usually it's a lack of support, right, from leadership and the company and the organization itself. So we feel like we're doing the same job over and over, repeating ourselves, you know, but we're not getting anywhere in our company because we're really just a compliance check at the end of the day, right? We're doing our audits; it's the compliance check. Even though we have all these security issues, it's just a compliance check. We're in a reactive state, not a proactive state. We want to get out of that; we want to have automation and organization, right? We want to be able to be proactive. A lack of security maturity: I've been in my company for years, I'm not making a difference, and why do I keep on repeating myself? I know we see these things over and over; security awareness training, we're saying the same things over and over. It's amazing to me: I've been in this industry for 10 years and we're still talking about phishing. You know, we shouldn't have to do that. And we cannot keep up with new and existing technologies, vulnerabilities and threats; there's just too many out there and there's not enough of us. And there's no input into the organizational strategy. I think that's very important, where we tend to fail: we can have an information security program, but if we don't have any input to the strategy at all, that tells you that they don't really care about security; they just care about that compliance check again.

So what do we need to do? We need to evaluate ourselves. So the first thing I always tell my people: why did you join information security? A passion, right? Why did you guys join information security? Hopefully not for the money. We need to talk then. All right, yeah, it's good money, but it shouldn't be the main choice. So: to make a difference in information security, we want to help protect organizations' data, and then we'd like to learn new shiny things. Any others? So you want to evaluate yourself,
and if you feel like you are starting to get burned out, you need to go to your manager. Yes, I can use a mic if you want. Yeah, okay. So, you know, talking about evaluating yourself: sometimes you need to think about, you know, also what is your communication style? Are you effectively communicating to your peers in your organization, to your leadership, that we need to do better in our security program? Am I reporting the correct data? What I tend to find, and when I took over the CISO job, the CISO before me, what he was reporting, he was reporting very technical information to the board and to the compliance committee. So sometimes you need to change that, because you need to change it into a financial... this is a very great picture, right? You need to turn it into a financial gain, right? Because if you think about security, security is really just looked at as a cost center to an organization; it's not looked at as an added value to the organization, as money to them.
Oh, you want my jacket too? So I am a mom of two boys, and then the mom of a husband, I guess you could say that, so I know how to multitask very well. Yeah, so going back to the data that we're reporting. All right, there we go. We have to report the right metrics and the right statuses in a manner that the owners of the organization, the board, the people at that organization, are going to understand. I was talking to Jenna earlier, working in healthcare; she asked me, how did you change, you know, the minds of the people at your organization to get them to effectively learn that security is important to them? What I did was I had my team go out to the nurses and the physicians and actually sit down with them and say, "Hey, I know you want to get this application, and it looks like it'll bring value to the organization and your department, but we want to learn why, so we can better adjust ourselves to figure out what the best security controls are for that application." So it's really about your communication style: how do you communicate effectively? And you have to learn how to communicate to different audiences; you definitely have to change that. Because I had a dotted line to IT, and we had a love-hate relationship, so I had to go to them and talk the tech talk, but I also could bring down the compliance bat sometimes, because they weren't doing their jobs. Are you following through, and are you talking to the right people in the organization? That's the key. If you're not talking to the right people, you need to figure out who that is in your organization.

Support: so talk with management, obviously, and managers, you need to do your job; have your one-on-ones with them. You know what I did was, I had tea time every Wednesday with my team, and then the employees I work with now, we have one-on-ones every week, almost every day it seems. Find support at the organization. Reach out to your information security community, yeah, right, like us: your chapters, your professional organizations, and even your IT peers. And what I also say is, if you want to look to your peers, look for a peer that's not a pen tester that works just like you in the same division, you know, but maybe go outside of that. Acquire help from a consulting firm. So I can tell you, most organizations will not believe you, but they will believe a consulting firm, which is interesting. You're saying the same thing, repeating yourself, but because they have the shiny report from a consulting firm: "Oh yeah, we should do that, here's the money for it." You know, so that always helps. And what's great about consulting firms is they're becoming really specialized, so you can find a consulting firm that understands your industry. In the past it wasn't always like that; it was very generic. Take a break, you know, go on holiday somewhere, enjoy your time off. Maybe pursue a different role, and even a different organization. I gave myself a goal as a CISO that within three years, if I didn't make a difference, it's gonna be time for me to go, because I know they don't believe in the security program and they don't believe in what I'm doing. And then managers... we already talked about that anyway. Okay, keep on going.

All right, information security is not hard. I know I said it was hard in the beginning. It's chaos, but that chaos is exciting and invigorating, and it keeps you going. That's why we love our job, so we want to continue to do it. You have a unique skill set which is very valuable, because look at our industry: we have so many jobs that are open out there, so you can get a job anywhere. That's why I always say you can go look for a job in another organization. You got into this industry for a reason, and we, the information security community, are here for you. So what I want you to do, this is the end of my presentation: turn to your neighbor and say, "I'm here for you, buddy."
Yeah, okay. I told you I could talk fast. Yes: comments, complaints, questions? Because, right, somebody always has a complaint.

[Audience] Thank you for your talk. Thank you for the great presentation. Despite all the problems that are... actually, I'm just gonna go ahead; I have the first question. I'm not gonna name anyone, but I have someone that I can think of who might be close to a burnout. What do you think I could do as a friend to help that person?

Well, I mean, you obviously need to sit down with them, take them out for a beer. Is that someone you work with, or just a friend? Okay, okay, good. Sorry, because I was gonna say, if it's somebody you work with, take them outside your company, you know, go off-site somewhere and take them for a beer or coffee and have that talk with them. And then actually, you know, start making them think: well, why did you really join this industry? What do you really want to do? Because I tend to find that we're so exhausted, that we have to know so much, but maybe we need to focus on one particular area. And I did that: I was a security engineer and then I switched over to compliance, which I loved a lot better, I'm sorry, and I'm happier in that role. And I think that's what it is: we get burned out because there's such demand on us, but we're not focused on what we really want to do and need to do. And being able to coach that person helps answer questions. Okay, thank you. Other questions? Yeah, I'll get my microphone.

[Audience] Yeah, I'm sorry, like, my original question, I don't think it worked, so I have to ask again. I just think that in our society right now nobody is as passionate about security as we are, and they have a right not to be. There are people who just don't care about security, and that's fine. I mean, if they think that this IoT will speak not only to their grandchildren but also to all over the world, right, with the same word, that's fine; that's what they really want. And I think there are organizations who just need a compliance check. So this is an explicit decision of management of such companies; that's what they want, that's the market they are in. So I kind of think it's on us, like, understanding that when you take such a job, which is like a checkbox job, which doesn't... I mean, be passionate, help building the Monero wallet, right, in hardware, or change the job to one where the security is essential for the business. I'm a little bit like, that's not very wise to get burned out, because you don't have impact in an organization which doesn't need this impact. So yeah, like, I don't know, maybe some cryptocurrency exchange, security for them is essential for staying there, but I mean, some kind of library, they just don't care, right? So that's like the way: change the job, I guess.

Well, I think in the end what needs to happen is the company needs to get burned out, right? Unfortunately, it needs to happen. You know, if they're not gonna care and it's a compliance check, the company needs to get burned out; they need to learn their lesson and an incident needs to happen. I know this is being recorded, but it's accurate. You know, you're gonna have people and board members and executives that just are not gonna care, but they're gonna have to learn the lesson eventually and realize it's a financial risk to the organization.

[Audience] I think you also need to consider that you might be working at a company that you really like working at; you like the company and you think that they need the security, but the management board disagrees, and then you're sort of at a crossroads. But that's just...

And, you know, it could also be maybe the manager's just reporting... security is not reported in a manner it should be, so sometimes that person needs to be weeded
out.

[Audience] I would like to react also on him, for his reaction, because I think that there is a lot of misunderstanding in a company because there is no communication. Yes, as I told, in healthcare we think, okay, the IT department, I say IT department, not security, the IT department do their job, so they protect us, so if they are allowed to do something, it's safe. But this is a misunderstanding, because we don't know. When people hear and understand what is really going on, I think they will react a different way. But she said that she just did, as I talk: talk to the nurses, talk to the doctors, explain to them, work with them, then you will get moving from inside, because we want to work safe, but, sorry, it's not my way, it's not my work to think about that. And they see the problem, that's another thing, but nurses and doctors don't need to take care about security; that is the job of, we think, IT. But what she said is communication, and I praise it very much: we need to talk to each other and with each other, not go to burnout, but to talk with everyone and then you can get a result, I think.

Yep. It's just like regulations. We take regs, right? They come out with a new regulation, but they don't really enforce regulations, right, until 10 years later. That's the same problem. So we know, as companies, we knew GDPR was coming around, right? It was here two years, three years, four years ago, right? We knew it was coming, you know, and they finally stamped that date, May 25th, right? ... And now everybody's scrambling right now: "[ __ ], we've got to get our GDPR program together," when you should already really have a security program in place; you just got to modify it. Any more questions? I know it's a very intense topic; I'm an intense person. If you want to stress out, need a minute, manager, I'm here. No, I'm just... So I saw someone pointing but I didn't see your hand. Don't be scared. Any questions over here? I'm gonna look for questions now. Going once. No more questions? You guys can always connect with me on LinkedIn; I have my email address on the PowerPoint, so if you have a private question we can talk.

[Audience] Well, thank you very much for your presentation.

[Applause]