
Don't Get Tangled Up in Your Cape: Hero Culture as a Negative Force in Cyber

BSides Augusta · 2022 · 25:14 · 84 views · Published 2022-10
Category: Community
Difficulty: Intro
Style: Talk
About this talk
Hero culture in cybersecurity fosters burnout, gatekeeping, and toxic workplace dynamics that harm both individuals and teams. Sandford traces how the industry's valorization of sleepless marathons, isolation, and superhuman feats creates barriers to entry, masks systemic failures, and enables bad behavior. The talk examines real-world examples from social media, hiring, and leadership messaging, then proposes concrete strategies for shifting toward healthier organizational cultures.
Original YouTube description
Everyone loves a good hero story, except when it provides a foundation for burnout, gatekeeping, intolerance, and creating a toxic culture. Cybersecurity as an industry and career has long suffered the negative impact of elements closely tied to the heroic mindset. The recent global pandemic has drawn these outcomes into sharp relief. This talk explores the origins of no sleep, no downtime, chaos-driven response, and reward systems alongside “Superpower” skillsets that act as barriers to entry for many early-in-career individuals. It examines conditions that value and foster isolation and burnout and often portrays mental health conditions as weaknesses. It provides real-world examples of the impact of “hero culture” as a negative element in the Cybersecurity community, including examples in social media communications, adversarial interview processes, and corporate messaging. Lastly, it presents strategies for addressing these concerns and resources for those struggling or wishing to grow beyond the current state of affairs.
Transcript

Okay, this is not going to be a highly technical talk. I'm not going to be popping shells, I'm not going to be showing you zero-days, et cetera, so if that's what you're really super into, I apologize. There were a couple of points at times in that career that things really kind of stuck in my head, and I didn't know quite why they did at the time. The first one I'm going to mention was out at DEF CON one year, and I forget if it was Kenshoto or DDTek, and they were talking about what it takes to win at CTF. They kind of did a panel after they'd stopped running it and got into the team composition and got into the ways that they were gaming people that were playing in the CTF. One of the things that they did is they created things that were too good to walk away from for rock star players, so the kind of thing where it's like, at the end of the weekend you've burnt all your time and done nothing to help your team get forward. The other thing, and this is the one that really stuck in my mind, was they realized, in looking at the team composition, and I expected as they started that conversation it would be like, oh, you need to have somebody that's like at this level in Python, et cetera, and they went through some of that, and they wrapped it up, though, by saying: and you need someone that's willing to go for pizza. Which is to say that you need someone that's willing to push back from the table, someone that's willing to stop the competition and go take care of the basic needs of the team. And that stuck in my head.

Second point: there is an information security leader that I'm a pretty big fan of. Some of you may be familiar with them; they've run, sold, run, sold, run, sold companies for years and years and years, and at their conference one year they got up on stage and they said that their measure of success, their measure of how successful they are in achieving their outcome, is the number of analysts that they had sleeping on the floor of data centers worldwide. And that really got stuck in my head, and as a manager on that team I was thinking about, what's that experience like for the people on that team? What's the experience for the families of the people on that team? And that really kind of stuck in my head. Now, I posit that this person said that partially in jest, and this leader is known personally to me to roll up their sleeves and dive in and move heaven and earth for their people, so I know it wasn't meant maliciously.

So I started kind of thinking about, well, is that what it takes to be successful in this role? And I looked around me at some of the people, thankfully in this room, thanks for coming, and people that were legitimately crushing it in this career, you know, and started asking, you know, how did you get good at what you did? How did you get to the point where you're comfortable standing in front of a room of other people and doing a talk? How did you get good enough to be where you were? So in a lot of cases the answer was, you know, it's like, just like, how do you know evil when you see it? Oh, I just do, you know, you learned that through experience and bit by bit. So thinking about how you're building a career, and then how do you take that and teach other people? How do you build other capable analysts, other capable responders? How do you lead those kind of people? So I started thinking about it and there were some challenges there.

So thinking about those superheroes, if you will, those Titans, and thinking about, well, what does it take to be good, okay, both on my journey and for others, and started thinking about the stories that they would tell. So, anybody ever sit down in a bull session, sit down after an incident, sit down and tell horrible stories of how many hours you spend on the road, how many hotel rooms you're in, what status you have on the airplanes and hotels, how many hours you've been away from home, how many hours you haven't slept, how many Red Bulls you've consumed? Anybody familiar with this? Okay. So it got me thinking about this: this isn't just the individuals that we're talking about, we're talking about a culture. So now we're talking about hero culture. We're not talking about heroism, okay; heroism is an entirely different thing, there's certainly a need for it. Sistrunk was talking earlier about heroes that are postured to go respond to the hurricane, et cetera. Not talking about heroism; I have nothing but respect for people that take heroic action when necessary. What we're talking about is the culture.

So why is that culture bad? Now, there are going to be a couple of things, and I'm going to try to run through this quickly, fly through it if you will, without the cape. I'm going to show you some social media posts, okay. This is to demonstrate culture. I appreciate it, respect that I'm not trying to out any individuals. I don't want you going after them; this is just examples of culture. If I find out that you went after them, I'm going to be really cranky. So, hero culture. You may be familiar with some of these images. This is not an extensive list; I've got like seven slides of images that companies have used who say we are a superhero culture, hire superheroes, right, hire capes. So it's effective and evocative imagery, it sells, especially to people outside of here, but it also reinforces the mindset for us that we are superheroes, okay. And what are superheroes? Superheroes have immense powers, more than mere mortals, right, and superheroes are for the most part not terribly vulnerable. This is problematic. So here's the first screen, so here are some clues that you may be existing in a hero culture. Anybody familiar with any of these phrases as part of their day-to-day? Firefighting, saved at the last minute, et cetera. So has anybody heard these used as part of your corporate above-and-beyond awards ceremonies on a quarterly basis? Anybody receive them? All right.

So what's the problem with this? Well, first off, we'll get into some of the buckets why this is problematic. But why do heroes like being heroes? Heroes like being heroes because there's recognition. Believe it or not, that recognition on a social level stimulates our brains and feeds us all sorts of great biochemical responses that make us feel really, really good when we do it, almost to the point where you learn that behavior and those neural pathways become self-reinforcing, so you almost get to the point where you're addicted to that energy. You need it, you crave it, okay. So we start talking about 2.5, 2.7, 3 million empty analyst chairs. This is a problem as a leader, as a manager, as a person that interviews people, as a person that tries to work with organizations to fill that gap, and everybody's like, we can't find anybody. I think workforce development. Now I'm thinking, okay, is there a juxtaposition between superheroes trying to find superheroes, develop superheroes, need superheroes for these roles, and not having those analyst chairs, okay? And why do people get cranky in their jobs? Well, they feel underappreciated, they don't get called, the recognition's not there, the recognition that we crave, that we need. So again, not trying to call anybody out.

So that tends towards narcissism, and this is not saying that we're evil or we're bad. What I'm saying is we work in a culture that reinforces this behavior. So here are a couple of things, and hopefully this will resonate for you, and my outcome here is I just want to get thoughts percolating in your head, and I'm going to give you some ways that maybe you can start changing some of this if this is the culture that you live in, and maybe take a reflection and see, is this the culture we live in? Maybe I'm off base. So here's new villains. Who's the bad guy? APT China, right? Excellent. Who do we spend most of our time complaining about? APT China, right? No. Our users, the people that we're hired to protect, those idiots that click on phishing links, the users that call up about password security or they can't get done, whoops, sorry, those morons. I promised myself I wasn't going to curse. So the very people that we are employed to protect are our problem. So you think about all the phishing exploits, and there have been a couple of great talks, there was one great one at social engineering at DEF CON about kinder, gentler phishing campaigns that I would suggest you go look for. So we create villains. We need to have villains, and in some cases, yeah, it probably should be APT, should be bad guys doing bad things, but in a lot of cases it's our users.

And what does this do? This also has the effect of creating a wall between us and them, because where do we stand? We know better. Intellectually we know more, we're in the know and you're not. That's a problem. So a couple of examples there. This really is heroes building silos. Anybody ever have a problem getting documentation for somebody after an incident or after a tool is deployed? We build knowledge silos, we wall ourselves off, we have a very us-and-them mentality, okay, fed by that. Some of you are sitting there going, not me, this is not us. I'm fine with that. So we build silos, and sometimes justify it by saying you are not capable of securing the information that you need to secure. Now, this is true in many cases; however, isn't our job to teach, to build systems that allow people to do that? Also, isn't it job security? If I'm the only one that has the password to this, they can't fire me. So that concept, those reinforcing concepts. Move on.

Heroism in this role, hero culture, also masks deeper problems. You think about all of the firefighting that we do, and in a lot of cases we talk about that firefighting, going to say the reason we can't get stuff done, right, is because we're constantly fighting fires. But it's actually the inverse: we're constantly fighting fires so we don't have to do all the things, right? A couple of the ransomware talks, it's like, hey, it's basically blocking and tackling. How many times have we put aside and said, you know what, network segmentation, we'll get to it later, we're too busy fighting fires? So again, everywhere, every successful ransomware campaign, building those silos, separating ourselves.

Here's where it really gets nasty: not everybody can be a hero, okay. This I wish I had more time to dig into, but very quickly, can someone look at this and tell me what seniority level these questions are part of the interview process for? Entry level. So now let me ask you this: are you saying entry level because they're so wildly outside of that, or do you think these are appropriate questions for an entry-level job? There we go, yeah. So this is on a Reddit thread for internship positions. Here's another one for an internship position. This really pissed me off when I saw it. So interns have master's degrees in cybersecurity? Oh, clearly that's an exception. Now it's the norm. So anybody really familiar with Cobalt Strike, can somebody answer this off the cuff? How many years have you been working in the business? Yeah, more, okay. This again, internship position. So there's this mythology that you've got to have lots and lots and lots and lots and lots of experience, so we do unbelievably well with gatekeeping.

Anybody ever been asked the "what happens when you Google" question? So anybody ask it? I know I'm asking for a lot, okay. What happens when I Google? What are we really asking? Okay, where do you want to start? The appropriate answer, in my mind, is: where do I start, how much detail do you want? So there's some people in the room that can tell you exactly what happens when the keyboard gets pressed, and depending on the type of keyboard, mechanical or electronic, can tell you from there on. What I'm really asking, what I'm asking, is for you to interpret what my answer would be and then parrot it back to me, because if you tell me something that's outside of my experience, what am I going to do? So now there's a principle called homophily. When we interview people, we have a tendency to look for people that know what we know, and worse, we have a tendency to interview and hire people that look like we look, okay. Studies done in CIA, FBI post-9/11, looking at the culture in those organizations. So call these things out.

So again, comp sci doesn't make you an SME. Send requests and these will be posted. Zero-knowledge infosec: not an entry-level field. Gee, I wonder why we can't hire anybody for 2.7 to 3 million jobs. What's our responsibility? So this one really bugs me. I'm not going to go into a lot of detail, so somebody mentioned Equifax earlier. So anybody know who Peiter Zatko is? So hold your hand up if you know. Excellent. Do you know what, so better known as, right, do you know what Mudge studied in college? Music. Point made here is, under my teams, anybody work with a brilliant jerk? How'd you feel as a team? So what'd it do for morale? Tanked it. Brilliant jerks. So again, I'm not trying to call anybody out, but if you followed anything recently, you followed this exchange. I promised I wasn't going to curse, so I can't tell you the name of the book, but I'll post a link on my socials. This is exactly it: systematically allows them to enjoy special advantages and interpersonal relationships and transnational entitlements that immunizes them. This is the brilliant jerk. This is fostered by and encouraged by hero culture. How many times can you work with somebody that, they're like, you know what, they're brilliant, but you can't put them in a room with other people, and we tolerate it. Coming up on five: really bad behavior.

This is really scary stuff and I'm going to walk a razor's edge here. A culture does what? So we elevate people, we put them on a pedestal, and it makes them unassailable, so when they do really bad, creepy, criminal, potentially criminal things, it makes it hard for us to go and do anything about it. We've probably seen a lot of this, for some of you. What's worse is we work in a culture where people have for years allowed people to do bad things to our people without saying anything, because they were unassailable and they were the smartest person in the room, if you will. So we can talk a little bit more about that offline. Bad behaviors, though.

How many hours of sleep does a CSO get a night? There you go. So we encourage that, right? No sleep. So CTFs, there were a couple of talks this morning about this. It's like, oh, I know, showers, I worked on it for 72 hours, et cetera. How many times have you been to a con where the CTF goes all weekend? Built into our culture that we do these things. So spare time? No, I don't have spare time, I don't have hobbies, I don't have... you know what, go take a walk. I don't have time to go take a walk, I'm too busy. So what do we do? We self-medicate. So play hard, work hard. How many times have you been to a con where the after-hours events were what? Drink all you can. So self-medicate. So why are your people burned out? Well, also, everything's an emergency. If you're firefighting and that's your only response, everything's got to be an emergency. I've told you, hey, anything happens, you call me in, I'm going to bring the whole team in, shields up, right? So, and even if you're lucky to get the job, so what do most people tell you? Work your way through it. So it's going to suck for a couple years and then you'll be qualified and get a job in a culture that you really like, okay. This just happened for an unfortunate person working for one of the big four in Southeast Asia, with horrible results.

Heroes burn out. So some stats here. First off, 32 changing jobs in the next six months. Obviously, looking from 2018 to 2022, COVID had a dramatic effect on things and shifted things quite a bit for folks. 51 percent, and this is a ThreatConnect survey from this year, 51 of the professionals that you know suffered depression, anger, anxiety; claimed there was not enough talent on the team; said you can't find skilled professionals; and said their staff turned over in the last 12 months, 67. I worked a lot of years in the restaurant business; I've never seen numbers like that in the restaurant business. So anybody familiar, suffer these? Headaches, fatigue, sleeping, anxiety, muscle tension, drop in workplace performance, feeling overwhelmed and unable to cope. You are not alone. So quickly looking at this, how far down on the list do you have to get to before you get to the enemy? Ten: losing the adversaries. So looking at this list, those of you that lead people, how many other things above that, things that you could alleviate and take care of if needed? How many of these are the responsibility of the culture in the workplace that we work in? So heroes need villains, build silos, create exclusions, et cetera, et cetera. And again, obviously the slides are up. What can you do about it? There is hope.

One, first thing: understand your culture. Reflect, look at it, think about it. I know it's not the sexiest thing, but think about the signals that you're getting and the things that are being communicated and the words that you're using to communicate them. Look at your recruiting and hiring process to see if you are unintentionally gatekeeping, if you're unintentionally stopping people from coming and welcoming into the jobs, things like, you must have a CISSP for an entry-level position. There you go. Transform heroic behavior into transformational opportunity. Look at systems and processes. If you've come in, again, I started out a kid of an engineer: the problem isn't solved until you've what? Made a change so it never happens again, right? So eliminate, educate brilliant jerks. Call them out on their behavior, and if they won't change, get rid of them, let them go work somewhere else. So build collaborative, diverse, and healthy teams. So adopt that behavior. Make diversity and inclusion and equity a KPI for your teams. Diversity builds better teams, more resilient teams, teams that are able to help balance a lot of the stress and a lot of the workload and give you other perspectives. Update recognition and awards to not say, oh, this team worked all weekend and overnight; value and reward collaboration, innovation. So, and then take action. The community: I'm a big fan of bystander intervention, so the 5 Ds, if you're not familiar, again I'll share some links with you. This is a, you don't actually have to jump in and white knight and do something about it, but you can document, you can check on people. Great book by an activist by the name of Shawna Potter on making spaces safer, so when you're at cons, when you're at meetings and stuff like that, to improve that. Examine and think about implementing a code of conduct. Overall, these are the two things I want you to walk out of here with: normalize being okay asking for help. If you're a leader, make it okay to say, I don't know, let's find out, okay. And when you do it, prize... anybody know what the acronym is? There you go, outstanding. DBAD, yep. All right.

So I alluded to a, I've got a bunch of stuff to give away here. I alluded to an experiment done by guys by the name of Olds and Milner where rats press the button to stimulate their pleasure principle and starved to death and died. So does anybody know what the device they put the rats in and modified was called? Somebody got it? No, close to box, yeah, there you go. Oh, which would you like? Excellent. Superhero with the best dad jokes? No, come on, the tech. So, Punisher. So anybody, sorry, anybody have a really bad interview story that they'll share with me after? You don't qualify. So you answered, I'll throw you that. Excellent. Any good questions for me? Do we have like two minutes? I'm over, so okay, so good questions.

Change companies, so yeah. My, and again, I know not everybody can economically do that. I look at it this way: if you want to change a culture, one of the great ways to do it is to starve it out. Don't go work there, go work someplace else. There are plenty of places that are better. So yep, so any others? Yep. Sorry, it's a USB condom, yeah. Hit me. Yeah, yeah, yeah, yeah, so vapor, vaporware blood testing, yep, yeah, very much so, very much so, and again, disastrous, or cults. Any other questions? Man, I'm trying to think of a good one. All right, here's one, Pat interview question. Okay, first best, first hand up gets it. Okay, if you had a sign on the wall behind you, whether in Zoom or in your office, that conveyed everything I need to know about you in one sign, what does the sign say? First hand up gets it. Good man, so ironic, you get lock picks. Thank you so much, thank you.