
By the way, you don't have to cheer and clap for me. I'm not that important. But uh I recognize that there's a there's a cheerleading squad right here. I didn't. Okay, bring it up. Let's go. Let's go. Okay. Well, how I thought this was going to start is not how it's starting, which means I'm already off course. Um, yeah. Well, uh, uh, thanks for the intro, uh, Harender. That was a really, really, really nice, well-written, uh, introduction. Um, all I did was take my entire CV, my LinkedIn profile, chucked it into ChatGPT, and said every, you know, take this plus what you know about me, and just make something that sounds nice. And that's what it spit out. And I
was reading it going, "Oh, that's pretty good." Um, hi. >> Hi. Welcome. How's everybody doing today? Good. Good. Busy, tired, the usual. Yeah. All right. Um, so I just want to touch on one thing here. Harender said I work at U of A, so I know there's a there's actually quite a few out-of-towners, which is awesome. It shows how much this community has actually expanded. It's not just Edmonton anymore. I think there's people all the way from Chicago here, which is really sweet. Um, if you're not familiar with the U of A, it's University of Alberta. So, it's the provincial flagship university. Uh, top four in Canada, top 100 in the world. Um, and when I say top 100, we straddle it. You
know, we we kind of break it. We kind of sit on it depending on what day of the week it is and what um ranking system we're using. We measure our devices in the well into the tens of thousands. We measure uh users into the hundreds of thousands globally. We measure our budgets and endowments in the billions. So, that gives you somewhat of an idea as to what my my background is um as a U of A employee. Yeah, I'm going to I'll plug the U of A while I'm up here for a few seconds. Um, so what I'm going to do here today is I'm going to start with maybe about 105 minutes. I want to drive some context
home. I'm going to talk a little bit about some stuff that's happened and then I'm really going to just tell everybody some stories, some fun stories, some quick stories, some short stories, some longer stories, and uh and then we'll we'll call it a thing and you can get out of here and go do what you're actually here to do, and that's not listen to me blab away. So, um, everything I know about security, I learned from someone else. So, that's probably a universal, you know, uh, what's the word I'm looking for? Universal idea. Everybody, none of us were born with this knowledge. We all learned what we know from somebody else. Sometimes in good scenarios, sometimes
in bad scenarios, sometimes in catastrophic scenarios. Um, I was uh we have a new CIO at the U of A and uh he's been here for a month so he's my boss and I was in his office and he was like, "Oh, hey, grab a seat." And he pointed at his chair. He's like, and I was just like, "What'd I do wrong?" I was immediately just kind of like, "What'd I do?" Because I had learned over the years that someone inadvertently taught me that just pointing at a chair in their office meant that I'm about to get in trouble because that was the only time they'd ever point at a chair. So, point being, good stuff, bad stuff. You
know, you might be inadvertently influencing people in ways that you never imagined. So, I'm going to talk today about a whole lot of things that I've learned in my career and share with all of you. Before I do that, I'm going to do something called audience participation. I'm sorry if there's one thing I hate. It's going to an event and someone go, "All right, everyone, audience participation time." And you just kind of like cower, you know, don't pick me. Uh, I'm not going to single any of you out, but I have a couple questions I want to ask. And the entirety of this talk is based on the fact that I think I know what the
answers are going to be. If they are, fantastic. If not, uh, I'll have to get creative. So, you don't have to put up your hand. If you want to, great. You don't have if you don't want to. But out of curiosity, how many of you have the word security in your title? Doesn't count like if you have like pentest or any of that. Nope. Just just the plain the word security. Yeah, this is already not going as well as I thought. So, okay, that's fine. How many of you hope to have the word security in your title one day? One, two. This is also not going as well as I thought. Okay. All right. I might
have to add a fourth question here just to save this. How many of you have the word security in your title and can't wait to get rid of it? Yeah. Yeah, that's me, too. So for everybody who didn't put their hand up, I'm just going to assume that you're here because you're aware this is a cyber security conference uh something else. Okay. So how I assumed that this was going to go is I assumed that probably the majority of the room was going to put their hand up for um uh you have the security in your title. I assumed less of you were going to have it but you not have it wanted. And I assumed there'd be an
equal amount of of this. What I'm really trying what I was hoping was going to happen and you know what I think it happened was that we actually have a diverse an incredibly diverse room of people at all stages in their career. So looking around the room now since I can see all of you I can see your faces. I can see everything about you. Um I think that still holds true. So okay my questions work. This isn't train wrecking as much as I thought it was going to. But the point is we all have different things. We have different experiences and we're all at different parts of our career. There are people who are just getting started. Let me ask
you a different question. How many of you have been doing cyber security for less than a year? Less than five. How many of you haven't done it at all and are trying to get into it? Okay. How many you have over five? Over 10, 15, 20, 30, 100. I I wasn't going to do all of them. >> 40. Okay, there you go. 40. Anybody not put their hand up for any one of those? Okay, again, this is a cyber security conference. You might be in the wrong room. Um, so I think this is great. Okay, I think it's incredibly awesome that we have such a diverse room of people at all stages of their careers
here. Um, I've I'll be honest, I've struggled to put this keynote together. I've known I've had to do this since like April and I've been thinking to myself, you know, what could I talk about? What could I talk about? What could I talk about? And I finally, you know, just like I struggled with it. And um I think it's great that we have such such diversity here, but it's also a bit of a challenge. The greatness is we're diverse. The challenge is that when we have such a diverse audience, what could I possibly say that would be meaningful to everybody in this room? So, I'm going to go off on a minor tangent for a
second. Um as I was rehearsing this, this is the part of the conference or the part of the talk where I just kept kept doing this. I kept going off on the side and ranting about how to put together talks. So, I figured I'll just make it a slide deck and therefore it's not a it's not a tangent. But when it comes to me talking about preparing talks, there's two general trains of thought here. There's what do I want to talk about, which is actually really easy. Um, I have in Microsoft OneNote, I have an entire just note. It's literally just called talk ideas. And as my life goes by, I think of something and I go,
"Oh, that'd be a fun talk one day. Oh, that'd be a fun talk one day." Uh, for example, one of them is what Lego teaches us about cyber security. I think that would be a fun talk and then it would probably just be one slide that says that, a second slide that says absolutely nothing, and then a whole talk that just becomes Lego. So, if you guys if you like that, I'm more than willing to do that. But if you ever see Michael Spalling what Lego teaches us about cyber security on a conference schedule, you know what's about to happen. So, but that's the point is that's what I want to talk about. But then there's also what do they want to
hear about? They being the audience that I'm talking to, right? That's a whole other thing. I get asked, Michael, you know, can you come talk to this group? Can you come talk to this group? There's some there's something that unifies them all together that's much more well, it's not just cyber security, but it's something else. So either way, you're stuck with me here. But, uh, a keynote at a conference is quite tricky because I got to balance both of these, right? There's things that I want to talk about, but there's also recognizing it's an incredibly diverse room of people. and what could you guys all want to hear about? So, this is where I struggled. I
have legitimately been struggling with this for like 3 or 4 months to come up with something that is actually like what could I talk about? And then something happened um earlier this year around June if you don't know. So, I'm currently in the role of acting chief information security officer. Uh I took that role back in June. It's not a role that I was expecting to have to take at this point in my career. I figured if I wanted it, it would have been many years out. And then I suddenly found myself being in the acting role. And my entire professional career just I don't know, flipped upside down, exploded, went on a totally different route. And that's when
I realized, oh, that's that's what I can talk about because this is an interesting thing to talk about. Um, I've basically been going through what I'm going to call the mid-career crisis. Uh my wife and I were we're walking our dog a couple weeks ago and she made a comment about you know someone having a midlife crisis and as soon as she said that I realized oh that's what I'm experiencing. I'm going through a midcareer crisis. I've been doing cyber security for 20 years. I had a pretty good idea of what my path took. It took me a good idea what it taught me got me to get to where I am. Hopefully I do it
for another 20 years. Right. So, I'm right in this I'm right in this middle point in my career and things are massively rapidly changing. When somebody said, "Do you want to be the chief information security officer for the University of Alberta?" And I said, "Absolutely." Three and a half months in, it's uh it's a role. Let me let me tell you. I'm I'm not going to I'm not going to go into the details, but oh man. Um just going through here. Yeah, that was good. But one of the first things I did becoming a CISO was I looked at my community, all of you, everyone around me, and I did the first thing that I tend to do, and
that's find the people who have been through this before and ask them for advice. And that's when I learned again very quickly I actually don't know a lot of people who've been through this that I could ask for advice because most of the people that I have gotten to know and learn who have been CISOs for many many many many years who've made this transition many many years ago who've done it to the scale of the U of A uh many of them are just either they've retired they're not in the industry anymore or they've passed on. Now, that's not to say all of them, but I'm used to having a whole community of people that I can
draw ideas from. But in this specific scenario, I needed a very specific type of advice. And I started looking at, you know, kind of looking for these people and I didn't find very many. And then at the same time, I was kind of looking behind me going, "Holy cow, there are a lot of people getting into the security industry, right? I know what it's like. I've been doing this long enough to go to conferences and kind of see the see the average age go up but not so much see a younger population joining and I'm happy to say I don't see that at BSides Edmonton. I don't see that in our community. I see a lot of people who are
younger and eager and they really want to get into this. So this mid-career crisis sort of has me going from me trying to learn from others versus in this transition period where now it's me trying to maybe teach and guide some of the folks who are coming behind me. So um on Friday this all came together really really great on Friday. I was here on Friday uh at the Alberta the cyber Alberta connect event and I was talking with a group of people uh someone who'd been doing this for 40 years someone who um was just getting started someone who was transitioning and then me you know I'll be the scrub in the conversation and uh we all were
talking about this idea that we have different ideas we have different knowledge we have different things to share and this sentence really helped me put this into perspective so I hope the knowledge, relationships and expertise I've gained are passed to future leaders a decade earlier and that those before me do the same. I don't think you have to get to any point in your career where you start saying, "Okay, I've been doing this 30, 40 years. Now I'm going to give back." You can do that at 20 years. You can do that at 10 years. You can do that at 5 years. So that's what I'm going to do today. Okay? I know I've been a bit
of a long-winded intro, but they gave me a lot of time to talk and I'm going to use all of it. So, um, what I'm going to do is I'm going to tell you all a fun bunch of stories. Take it or leave it. And I want to teach all of you some things that I've learned. By the way, uh that cat picture that has nothing to do with the presentation. It has nothing to do with the slides. Um just give me a sec here. Harve, can I have this? I just Okay, I just I just kind of randomly took one. Um, I took this idea once I I got this like verbalized and I chucked
it into ChatGPT and I asked it come up with an image, you know, that that just visualizes everything I just talked about that visualizes midlife crisis, sorry, mid-career crisis that visualizes, you know, younger people, older people, middle-aged people, visualiz.
It failed horribly. It. I tried and I tried and I tried and I tried and I tried. At about 11:30, I think it was like Saturday night, I said, "Screw it. Just have some kittens." So that's what the kittens are there for. Okay, they represent a lot of failure in ChatGPT actually getting this visualized. So everything I know about security, I learned from someone else. I figured I'll share a few of them. So let's get going. Number one, this is a theme. I've got a couple sub talks in here. Number one, model, don't criticize. People follow examples, not policies. We can't fault people for what they don't know. Teach them, don't insult them. Now, it was mentioned in my intro here
that I I'm also an instructor, right? So, I'm the UVAC, but I do teach. You'll find me in the classroom um every winter semester teaching an advanced network security course. So, part of this is just, you know, I can put on my teaching hat and just talk to people. Um the context there is I get asked a lot of questions. And when people ask me questions, I'll be honest, a very younger earlier dumber less experienced of me would be like, "You dummy. You don't know that?" And now I'm like, "You don't know that? Yeah, let's go talk about it. How much time do you need?" Um, how many of you have been on the receiving end of toxicity for asking
a question? Yeah, you put every everyone put your hand up. If you don't put your hand, we've all asked some type of question and have had someone maybe, you know, shoot us down or or whatnot. Um, how many of you were the toxic person? I'll admit it. Yeah. You know, we we've all had I had a bad day last week. Yeah. So, so here's a few stories where I absolutely could have been but chose not to be the toxic person and instead let's model some stuff instead of criticizing. First one, and these are all real. Yeah, I'm going to change names of people and whatnot. Um, by the way, and and I usually have to say this, I'm not going
to mention any names, but if I'm talking, I don't know who's actually here. There's a chance that someone is here that I'm going to talk about. And if you stand up and you're like, "That's not what happened." Like, you've outed yourself and it's your fault. Okay, just so you know. Okay, you actually do that. You I just figured you knew what you were doing. Uh, this is about that time I was asked why I use a non-admin account on my primary work computer. So what had happened was I was um we're at the U of A. I was setting up for a meeting. I had my projector plugged in and I don't know some background process needed or something
needed to update itself and all of a sudden it goes boop enter your credentials. All right. Enter my credentials. Think nothing of it. And then someone else in the meeting I'll say much much less experienced um just dropped this set. They said you actually do that. And I was like do what? And they said like you don't just run local admin. And I was like I was hoping one person would be like huh? Yeah. Like no. And then we had this conversation and and and you know I I could very easily have been like no you idiot. Of course I don't. But instead it's an opportunity for learning and education because I'm actually picking up on this and I'm going what do
you mean? Like why are you questioning this? Are you running local admin? Yeah. Why? Well because it makes things easier. Yeah. But also for the attackers too you know that right? So, so we had this whole interesting conversation where someone actually questioned why I was running local admin. And what I learned from this was that they sort of had this idea that that that local admin and non-local admin had no applicability to the IT staff and had no applicability to the security staff. They figured it was just something that we told everybody else to do but weren't ourselves willing to do either, which was really weird. I was like, "No, I I will practice what I preach. If I'm
going to tell everybody don't run local admin, you better believe I'm not running local admin either. Plus, what I have access to in the context of my job if someone were to pop one of my accounts and that's not that's that's not a uh an invitation to try. Um, we're going to have some problems, right? So, I'm trying to make it as difficult as possible for someone to compromise my system. And I remember the person just being like, "Oh, well, that makes sense." And then we just kept going on. So, the point here was you actually do that. you. Yeah. And I learned a lot about this. So what I ended up doing then was going to one of the team leads
who was responsible for this group and being like, "We should probably review how your, you know, your crew is using local admin because they seem to think that it's not applicable to them when they are probably like the most dangerous ones to be having local admin." So that was my first one. Just model, don't criticize, right? Another one. Um, yeah, you guys are going to like this one. We can't afford to have the campus community offline. That time I was told the new firewalls had to fail open. Yeah, just let that settle in. So this was a decision that was made a few levels above the organization than I was at the time. Um the context here is we
were we were at the very very early stages of rearchitecturing our firewall environment and um we were doing requirements gathering. So we knew we'd have to go to RFP for this thing and we were doing requirements gathering and this comment was made by someone you know higher up than us and he said it has to fail open and whether he has the authority to make that decision you know I'm going to say no but immediately you can look at a decision like this and be like huh you know we we we could easily criticize something like this and instead of doing that chose to chose to you know let let's model what what a good reason and a good decision makes.
And um this is one of the biggest risks I've ever taken in my career. Um I was explaining to him why this is a bad idea and we were both coming at it from different angles. And the reason he was saying this is that if you take cyber security, right, and you break it down into the the you know the the beloved CIA triad we all know, right? Confidentiality, integrity, availability. He was Are we good? Yeah, you're right. I was This is good. I was actually at a conference once talking and I tripped and I disconnected the power for the whole room because someone had run the cable behind me. So, thanks Harve. Um, so when we talk about
confidentiality, integrity and availability, this was an individual who was accountable for availability across all systems and services at the U of A for technology. So, they're going five nines, right? Five nines uptime. 99.999% uptime. What does that work? Is that five minutes? Is that the one that's 5 minutes or 1 hour annual? But that was like the primary metric by which they were judged was uptime. So if a firewall environment fails and it fails closed, what does that do to the systems and services behind it? They go offline. What does that do to five nines uptime? Plummets it. So that was his his model. And I learned that he wasn't accounting for confidentiality or integrity, which now suddenly becomes at risk if the
firewalls are open because he didn't know about it. No one had ever told him about it. It was a new concept to him. So instead of sitting here going, you know, you dummy, why you doing this? It was very much, we should explain why we're doing this. And he still didn't listen to me. He's like, nope, I don't care. They have to fail open. And I was like, okay. So, I had built a bit of a reputation internally at this point of being what they call the skipper. Not not like, you know, skipping skipping, but as in here's the reporting structure, and I just gooop whoop until I get my way. And uh what had happened was uh we had a CIO
who told us, I have an open door policy and if you think that someone is making a mistake, come let me know and we're going to deal with this. Right? and and it didn't mean to take place of the day-to-day nonsense, but situations like this when one person is accepting an incredible amount of risk on behalf of the whole university, not realizing what's going on, I think that's a perfectly reasonable time to go into the CIO's office, who is way higher up the chain than I was, and kind of say, "Hey, you know that thing you have about, you know, if you think a mistake is being made, yeah, I think a mistake is being
made." So, I kind of had to go around my reporting structure, report it to the CIO and and he he was like, "Oh, that's a total non-issue." Non-issue. He said he said, "They have to fail closed, make sure they fail closed." He said, "Ultimately, he's accountable for availability, right? It he's the one accountable for it." He said, "If if a firewall environment were to fail closed and it tanked our five nines, that's the easiest thing on the planet to justify. It's okay." So, I was like, phew. All right. So, the CIO is on board. I'm on board. The team's on board. The important reporting structure is not on board. How do I make it look like it was their idea that they're
going to change? And I ended up lucking out completely. Turns out, um, the firewalls themselves don't even have the ability to fail open. Uh, that's an external add-on that costs like $120,000, and that wasn't in the budget. So, I just went to him and said, "Hey, you know, you wanted to fail open. Well, you're going to blow the budget up." And he said, "Yeah, well, we can't do that. They fail closed." And I was like, "Yeah, all right." And then, and then I know at some point I'm, you know, oh, they must have they must have talked and whatnot. Um, yeah. So, model, don't criticize, right? I've learned many times when when people are talking about
availability, it's on the security team to come in the security folks and start talking about confidentiality and integrity and why that also needs to be considered. This was really recent. It's like a few months ago. Um, last one on model don't criticize. I think the security here is terrible. I was able to install I shouldn't say it that way. Sorry. I think the security here is terrible. I was able to install an app on my computer this morning at my old job that would never happen. See, I'm already criticizing the tone of my voice. Uh that time someone criticized my entire life's work. So, we we had hired someone relatively new, well, not new to the
industry, but um sorry, new to the U of A. And uh they it was the first time we were working together and they learned that I I you know, I do cyber security. I lead I lead that. And instead of just, you know, continuing this conversation, they they dropped this line out of nowhere. I think the security here is terrible. Like you've been here for like two weeks. How can you possibly say that? I mean, not that I don't think that, but but like what? I don't think that, right? And and I asked him, "What do you mean by that?" And he pulls up the Microsoft Store and he just picks some arbitrary useless app and he installs it
and it's not asking him for creds and I know he doesn't have local admin and he goes, "Here, I can install this app. The security is terrible." And I was like, "Yeah, what what's the risk here?" Not that I don't know the answer to the question. I'm just, you know, trying to see what comes on. And he goes, "Well, I we shouldn't be able to install apps." And I'm I'm looking at my team. They're sitting over there and this has been a bit of a they've got their heads down. They're all smirking because they they they know they know the general challenge that we've had with with apps and this idea that people think that
just every single app is terrible and you should never install apps and you shouldn't click anything." But I'm of the opinion that what else is there to do with a computer besides click things and install apps? I mean, like I get that there's there's risk management here, but really what had happened was this individual had managed to install one app from the Microsoft App Store, and I'm not going to get into the discussion about virtualization and containerization and how it's really not that big of a deal compared to the stuff we deal with. Um, and uh, yeah, I was just just thinking like I thought it was a pretty bold bold statement to make. So
what I ended up doing was talking to him not about the fact that an app could be installed, but more about the fact that he thought that the security here is terrible. That's a pretty broad statement based on just one one action that he wasn't used to happening. So what we did here instead of criticizing it, it was also it was talking about um I think it was Liam who once said to me years ago, the best control is the compensating control. I don't know if you remember saying that, but and and that has stuck with me for like a decade, right? So, we accept the risk of some of these apps being able to
be installed on demand. Yes. But there are compensating controls that exist to minimize any of the issues that might come from that. And he was like, "Oh, well, I still think it's terrible, but uh maybe not as bad as I thought it was, you know, good enough. I'm going to I'm good with that." So, that's that's what I have for model don't criticize. The next one, number two, this is one of my favorite things, but I'm going to put a big disclaimer on this. Risk a little to learn a lot. We are risk managers. Every single person is a risk manager. It is the universal constant across all human beings. Um, how many of you when you
woke up this morning hit the snooze and went back to bed for 10 minutes? Okay. How many of you wanted to but didn't? Yeah. Why not? Because there's a risk there, right? There's a It's the simplest thing. There's a risk. There's a risk with Oh crap, maybe I'm going to I'm going to um I'm going to sleep in. I might miss this. I mean, you can miss my keynote. I won't care. Some of you were like, "Oh, go strolling around 10:30 cuz that's when Michael's off the stage." That's what I would have done if I were you guys. But uh the point is is is risk is a universal concept that we all learn and we all know. So risk a little to
learn a lot. If there is one thing I have done in the last 15 years at the U of A in cyber security, it's this. Remember that story I just told about having to kind of go to our CIO? That was a huge risk because I'm circumventing the reporting structure and they don't like it when I do that. Trust me, I know. You know the whole thing about Michael stood in the chair. That's because I've circumvented the reporting structure. But holy cow did I learn a lot that has become incredibly valuable for my career. So I am strongly of the opinion that security is a relatively young industry. Okay, I know many people have been doing this for 20, 30, 40
years, but I'm going to argue that our the current form that we do today is relatively new. It's been around maybe maybe 10 or 15 years. Okay, it's okay to politely challenge the status quo, right? One of my favorite examples of this is like like the the motor vehicle industry, right? They didn't create motor vehicles with with airbags and uh seat belts. All of that stuff came later. And that's kind of where we are as an industry, right? Technology exists, business processes exist, people exist, finance exists, all this stuff has existed forever. And now along comes our industry that kind of says we got to change things a little bit because there's a colossal amount of risk here
and we're here to manage it. So it's okay to challenge that. I am going to say though some of the things you're about to hear from me, I'm going to confess things. Pretty sure this is being recorded. So, uh, hi YouTube. Um, your mileage may vary. If you don't know YMMV, your mileage may vary. I'm going to tell you a couple fun stories, but just because I did this does not mean you should do this. Okay? If anybody tries to do what I'm going to tell you, and gets completely raked over the coals, and you go, "Well, Michael's talked about it at BSides." Again, your fault. So, here we go. Risk a little to learn a lot. Have you run
the weekly report? H it wasn't that time, but that times I flat out lied about running reports. It's one of my favorite stories to tell. I think some of you probably heard this one, but I'm going to tell it again. So, I I'm a big fan of efficiency. I like efficiency. I like information. I like data. I like making decisions from that stuff. I hate it when someone tells me to do something and I do it and there's no tangible outcome from that effort. Um, I get emails from people that ask me to do something. Uh, one of them has been in my inbox since June of 2024 and I still haven't done it. I'm not going
to do it. Okay. So, I'll I'll set the story. So, when I when I became a manager, this would have been the summer of 2016. Um, U of A created a security team and they said, "Michael, do you want to run this thing?" I said, "I don't know. What does that involve?" and they said you got to manage people and you got to do technology. I said okay. So I found myself in um a weekly meeting that uh the person that I reported to a director I was reporting to and all the other teams and managers about seven or eight of them every week same place same time would go through the you know the weekly meeting and there was this
standing agenda item called the weekly report and we got there my boss would go around the table point at every person and say did you do the weekly report? Yes. Yes. Yes. No. Yes. No. On it maybe. Yes. Yes. Because I was doing the report. Next week, same thing. Yes. Yes. Yes. Yes. Yes. Next week. Yes. Yes. Yes. Yes. About 3 months in, one of my fellow team leads asks a question about the report template. And so they pull up the template and I'm looking at this going, "Huh, I've never seen this in my life." I'd been running a report, but not the report. So, I had a few options. Um, I could say something. Nah, I could run
back to my office and spend the whole afternoon catching up on 12 weeks worth of reporting. Maybe I could actually start doing the report going forward and then, you know, whatever. Or I could do what I decided to do, and that was realize that after saying yes to a report that hadn't been run for 12 weeks, I feel like that's a pretty good amount of time to say that no one's looking, no one's doing anything with it. What good is this report serving? I would say after 12 weeks that lack of report should have been noticed by somebody, right? Somebody should have said, "Michael, where's that report you said you run?" Because it wasn't wherever they were
looking for. Their process didn't have it. Whatever system it feeds into would have been empty. Okay. I'm Can we agree on this just so you guys can like, you know, we're good. 3 months is enough time for that. Okay. Okay. So, I decided I'm just going to keep saying yes. Not do the report. Let's see how long I can get away with it. So, two years goes by. That's the number. Two years of me going to this meeting and saying um yes, I did the report. I hadn't touched the report, not even once. And by two years, that was enough time for me to uh get to know my boss really well, get to know the managers really
well. And one day, you know, you guys, you're doing the weekly report? Yes. Yes. Yes. Yes. Yes. Yes. Yes. Okay, guys, I got to confess something, man. And my boss looks at me and says, "You in my office first thing right after this meeting," which was a pretty common thing to say, so I wasn't really that worried. And uh, okay. And we get in and I sit down and you know, you know, does a point thing. Okay, sit down. And he says three things. He says, "You made your point. Never do that again. Start running the report." And I was like, "Permission to speak freely." Okay. which is I've learned to say that, you know, just let me just say
what I want and you're not going to fire me. And I said, well, so respectfully, I don't think I made my point because you still want me to do the report and I'm probably going to do this again just to, you know, prove a point. And and and I was like, like, but let's focus on this one. What do you mean start running the report? I've just shown you with two years of questionable methods that it doesn't provide value. So to to to talk about what happened next is I showed him the report. He pulls it up and I'm showing him like even if I were to do this report, it doesn't make any sense
because it's not a cyber security report. You're not going to learn anything of value from this report. So, let's do this. I'm not objecting to reporting. I'm objecting to wasting my time. And I should clarify, I was still doing reporting, okay? It's not like I wasn't doing reporting for two years. I just wasn't doing this one. And and I was like, so I've been doing these reports, so how about instead of bundling me in with everyone else and doing a report that makes sense for them, I'll work with you. Let's come up with a report. I'll show you what I think is valuable for you to make decisions at your level of the organization. Here's for the risk that
you need to manage. Here's how I can help. And I only want to do it every two weeks. And he was like, okay. So that's that time that I I lied about running reports. So risk a little to learn a lot. I took a quite a big risk there. And boy did I learn I learned a lot about why we're doing certain things, the value of doing certain things. And uh yeah, so if you go back to your offices and you just decide to do this arbitrarily again on on you on you. This is another fun. It's a little more techy. Um I got this weird email, but don't worry, I didn't click anything. So
that time I clicked every single link and every reported email and alert just to see what happened. Um, this is, and it's funny to hear you guys laugh because this is how I have learned so incredibly much about what I know about attacks and the conditions required for those attacks to be successful. Um, we, you know, I think even within security teams, there's people, you know, they'll forward you a link, they'll forward you something and oh, don't click it. Don't click it. So, I have a a uh, like, you know, an analysis environment, well, it's all automated now where we click everything. I click everything. I click it all. I want to see what's happening.
Um, and I'm happy to say that I'm pretty sure most of the team I'm looking at them, you guys click stuff, too, right? You know, click things. Yeah. Tyler's going like, "Yeah, I click stuff." Yeah, you do. And, and that's good because this is this becomes a team effort. Everything I know about how attacks actually look and function on the network is from doing this. I'm not just clicking the thing. I'm turning on Wireshark. I'm turning on process monitor stuff. I'm, you know, I'm not doing what Josh is doing here, which is way beyond my skill set and, you know, debugging, but I'm setting up my own analysis environment, hitting go, and then watching what happens. And it is
awesome to see what actually happens under the hood with web requests, with get requests, with IP addresses, with file structures, with files that are being downloaded. All of that fun cool stuff is lost when someone just forwards you an email and you go, "Thank you." And you close it. Obviously, you don't want them to click it, but um the team probably might get annoyed with me because we do have a security incident chat with us where, you know, anytime something remotely interesting happens, someone just pops it in there. But every now and then, even though I'm the CEO and I should probably, you know, delegate this stuff, I still just get drawn to it, right? And I'm like, "Hey,
look at this thing. Look at that thing." Pop it in the team chat and it's a team effort. I don't have the full picture. Sometimes someone else has the full picture. Someone else might have a piece of that picture. Collectively, we work together. In most cases, they come back and they say, "Michael, we already dealt with this. Go back to your meetings." And I'm like, "Okay, I tried to be cool." But, uh, the point there is is you absolutely want to learn from clicking these things because it's how I've learned how so much of our attacks happen. Last number three, how much time do I have? Is there a time check? I'm just gonna keep on going. So, this
is a third one. Security is community. We are a young field with other people actively working to undermine our success. Our strength is primarily in each other. I want to say that line again. One of the things that makes cyber security unique industry is that other people are actively working to undermine our success. It's one of the biggest challenges that we have. So when somebody says, you know, what's the biggest challenge of security at the U of A? Well, yeah, I could say ransomware. I could say phishing. I could say all the technical stuff, but there's other answers I can give, but this is one that I like. Okay. As an industry, other people are working to undermine
our success. And one of the best ways to counter that is to have an equally, if not stronger, community of experts also working together to ensure that we are successful. So our strength is in each other. And there's a couple things that I want to talk about for this one. So I just can't do this anymore. That time I was completely burned out and countless of you were there for support. So, you all know who you are. Thank you. I burned out hard last year hard in May. I know it was a March. Uh went on stress leave for six weeks and I told our CIO at the time. I said, "I'm not coming back. I mean, I want to, but I can't not
come back to the role that I was in and everything involved. I just can't to do this." And she was amazing. She helped me out. I ended up coming back into a different role. And there were a lot of people that were in the community that were here for me. Whether that was just reaching out, hey, Michael, how you doing? Whether that was want to go for lunch, whether that was you got time to vent, you got time to chat. So, I've personally been able to benefit from the broader community recognizing that we're human beings and we need to support each other. Um, I actually have, shameless plug, an entire talk on this single topic. It's called the humans are tired
and the risk is real. It's about managing the risk of burnout within our own industry and whatnot. Um, I am thrilled. I probably shouldn't be plugging specific talks, but I am thrilled to look at the schedule this year and see I believe there's two panels on mental health and resiliency. That is amazing. We never got those kind of talks at these conferences. So to see them here and to see that they're even a couple hours. Um I've been on them myself in the past and a lot of the feedback we got was I wish these were longer because in an hour everyone's like oh I want to keep talking about this. So, so thrilled, thrilled to see
that here. But if you're seeing people that are burning out, they're exhausted, they're frustrated, please, please, please just reach out, ask them how they're doing. As someone who's had people do that, to me, I can tell you it's great. And sometimes they don't need advice, they just need you to listen. Sometimes they might want advice and just just be there for each other. We've done this really well um as a community. One more here. Sorry, then I got another one. I like how security folks always pat each other on the back. Uh this was actually taken verbatim out of um we have a a chat at work. It's the networking team and our core sec or
sorry it's the security team and our core networking team. And we were talking in there recently about um just just someone in the security community who found and reported a vulnerability in something and was getting good uh good praise from that. And one of the networking guys quipped up. He said, "I like how security folks always pat each other on the back." I cut off the rest of the context. see that and says, "No one thanks us for reporting, you know, routing bugs or switching bugs or wireless bugs." But, um, this is, I think, one of the greatest strengths about our community. Someone does something neat, someone does something cool, pat them on the back. Say good
job. Say well done. It's not a threat. They're not trying to beat you. We're trying to work in this together. And that I think is one of the neatest things about the security community that we've built is everyone is at different stages of their careers. Everyone's excited about things. Everybody wants to talk about stuff. But that time someone thanked me for helping them. I get this as well now. Um, I've learned that I can give 30 minutes to somebody and they can come back six months later. I'll be honest, I've forgotten that I probably even did that because I do it enough. And they say, "Michael, I just want to say thank you. Thank you for the 30
minutes you spent with me. You you reviewed my resume. You gave me some advice. I took it. I tried. I'm in a much better place now." Um, that's that's great to hear. So, we always like how security folks pat each other on the back. Be nice. Be kind to each other. It really helps. Um, in fact, actually, I had to write this down. Somebody in one of our Slack channels said recently, "BSides Edmonton 2019 changed my life." They literally I don't think they're here to intersect. They said that. And they said, "That was where I met people. It's where I met the most amazing community. It's where I met everyone who supports me." And they had never met that before
in their industry. So, BSides Edmonton 2019 changed my life. An actual public declaration from someone who just thought to throw that out there. That's awesome. And all of you are part of that. Last slide. Last slide. I have no idea how we're doing for time. I think I got about 10 minutes. So, the craziest thing happened earlier. Um, security is community. This is my last one. We should do BSides Edmonton. That time a single comment on a random Sunday at MKT beer market in 2017 would set into motion the most incredible journey. You guys all got the biggest smiles on your faces. I see that right here. So um I was standing outside those doors like an hour ago and uh I see Liam
sitting on a couch. I know Josh was showing up today. Andrew's there. Harender's there. Um a few others. And this is actually, if you guys didn't know that, um, I want to tell the story about how BSides Edmonton even came to be really quickly. This conference didn't just happen. Um, it actually spawned out of BSides Calgary. Uh, I saw Doug Lee. There's Doug. So, if you don't know Doug, get to know Doug. So, Doug is one of the key folks that actually started and runs BSides Calgary. So, if you like BSides Edmonton, shameless plug for what I'll call our sister conference in Calgary. Can I say that? Can I call it a sister conference? I I don't represent
the BSides group. So, I'll just say there's another conference in Calgary um that that Doug and a handful of others run too. And that's what actually spawned BSides Edmonton was a handful of us, there were no communities in Edmonton for cyber security. We would go to Calgary to have to go to BSides Calgary in its infancy and then a bunch of us sort of met each other, come back here and yeah, this was after BSides Edmonton 2017 decided, yeah, let's kind of, you know, start meeting each other. We'll meet every Sunday or whatnot. just, you know, shoot the beer, shoot the beer, shoot the shoot the talk, drink the beer. I don't drink, they drink the beer. And uh, you know,
someone do a quick presentation, but it was the earliest earliest smidgen glimmer of a community in Edmonton with dedicated security people. And it was maybe 15 of us meeting wherever we could find a place to just talk about security. And then one random Sunday after BSides Calgary, there was about a dozen people just sitting around a table, these three guys right here, too. and someone just said the words, "Why don't we do a BSides Edmonton?" Now, none of us know anything about running a conference, right? We're not event planners. We don't know how to do this. We've been to conferences. We can kind of figure it out maybe. But, um, we just said, "Yeah, let's do this." And we did.
And the coolest thing is this was many years ago. We've all kind of gone our own ways. We've all grown in our own ways. We've gotten, you know, we've moved away. We've got new new jobs. But, about an hour ago, there's about five six of us who all met again for the first time in 5 years. We haven't actually physically been in a room together until right now. Completely unexpected. And to see each other and talk about the community and see what this conference has actually Oh, you got 15 minutes. All right, you guys are going to get out of here early. And um and just to see what this conference has exploded into is one of the neatest,
coolest things ever. We commented how we all look older. You know, we're all more mature now, but to think back in 2017, all it took was a dozen people around one table saying the words the words, "We should do BSides Edmonton." And now look where we are eight years later. This is absolutely incredible. So, I think it would be the coolest thing ever if in 5 years, 3 years, 8 years, 10 years from now, someone else gets to stand up in front of a room of people and say the phrase, "Yeah." So, you know how we started this? It all started at BSides Edmonton 2025. There's a dozen of us sitting around a table and someone
said, "We should do this thing and we did it and look what it blew into." So, when you consider what 12 people could, you know, could could initially start that would become this. All it took was 12 people in one table. There's over 500 people here today. And there's like 30 some odd tables. I counted them. Imagine the possibility that is in this room right now with all of you together at one table or 30 tables. It just takes one person to say, "Hey, we should do this thing." And then you go out and you do it. So, I'm going to finish this. I'm mostly done. I'm going to finish this right back where I started. And um
that's: everything I know about security, I learned from someone else. Things like be a model. Don't criticize even when you're being told your firewalls have to fail open. risk a little to learn a lot. Even if that means having to take, you know, you know, maybe put yourself in a little bit of jeopardy knowing you've got some people that can help you out of it, just to learn what's going on around you. And security is community. Whether we're having our good days, whether we're having our bad days, we have to support each other. So my hope is that every one of you has learned at least one valuable thing from me today that I've shared
with all of you. So no matter where you are in your journey, all of you have experiences of your own, which is why we're here today. Okay. So here are my final words. You are here. You are valued. You are wanted. You are the community. Go share what you know. Okay. Enjoy BSides Edmonton. Thank you.
So, uh, again, you don't have to clap for me. I'm not that important. Um, I think we do have time for Q&A. I think they said about 10 minutes, so you guys can leave. You can stick around. Does anybody have any questions, comments, concerns? If I can ask it, was this Did this resonate with you? Was it good? Yeah. Okay. Okay. If you didn't like it, you can let me know. I'll just blame Harender. But, uh, all right. Well, enjoy your day, you guys.