
Right. Uh, graveyard shift. Nice. Uh, been a while since I did one at the end of the day, so I'm pleased that anyone's here. Uh, I'm not handing out beer or anything. It's not like a, you know, commercial conference, but sorry. Mars bar. Do you want a Mars bar? >> Are you sure? >> I had two lunches. Did anybody not get a lunch? >> You bastard. I might swear. I am from Scotland, so punctuation.

Um, right. So, who am I? Random slide. I don't care, but this might validate something around why you're here. Uh, I do lots of things in cyber. I tend to build blue teams for a living. Uh, and I torture vendors also, which, part of this, you'll see. Uh, it's not that I like torturing people. Um, it's not that I set out to torture people. It's just that I have been a vendor. I've been a big customer, a little customer. I've represented big customers and little customers. And I've seen it done really badly in the vendor space and the sales space. It's not uncommon for someone to give me a sales pitch and for me to speak to them afterwards and say, "Yeah, this is where you need to fix this bit in your sales pitch, because I can't see something done badly." Right. So that's me.

So I'm going to pick four volunteers. Stick your hand up and answer the questions. Come on. You do get a Mars bar. What is that? Somebody trying to get in? Are you now? Are you holding the doors closed? Do you need us to put... We've got some spare chairs. We can pile them up against that door if you like. Give you a hand. All right. Come on then. Give me a volunteer. Come on then. Job title. >> Yeah. >> Right. What do you do? >> Uh, I do aviation companies, for gas. >> Nice. Uh, so we now know what sector. Yeah. Nice. Uh, is your boss here, or do you have minions? >> Excellent. >> And how tall are you? >> Fair. When you're wearing your heels, >> the nice ones. >> Thank you very much. You may be called on later.

Oh, we have another volunteer. >> I'm a post developer. I'm very bad at C. I'm in the finance sector. My boss is not here, and probably... and what's your favourite Taylor Swift song? >> Yeah, because, you know, like there was a simple set of questions and I needed you to answer all the questions. Now you're looking at that going, "But the question's not up there." Just because I've not written the scope down properly doesn't necessarily mean that you're not supposed to understand this. That might come back later. Do I have another volunteer? Oh, nice. Yes, you're the only person to put... Oh, debag. Nice. You draw boxes for a living. >> Any particular sector? Just, you know, development, I suppose, and cyber. >> Cyber. Okay. Is your boss here? Excellent. And how tall are you? >> Nice.

Right. This talk's going to be talking about vendors and staffing and managing across the board. So what I did here is: I have been a SOC manager and run SOCs and tortured SOCs for a living for a really long time. Um, so I went to an AI, pick one of your choice, it doesn't really matter, and said, "Hey, give me a service delivery report, monthly report, for a SOC being delivered by an MSSP." Now, given the fact that AI is just going to go out on the internet and average everything it finds, I was not expecting a particularly great report. It actually came back with 19 pages in a Word document. It was not as terrible as I thought it was going to be, but it still managed to have everything wrong that I wanted to talk about. So, I didn't actually have to go and tweak anything. I then took that Word report and went, "Well, there's zero chance I can put 19 Word pages up on a slide and then say, 'Right, we're going to talk about this.'" I mean, it's the end of the day, but even at the beginning, even at the peak, you're not going to manage that. So, and then, oh, right, let's make a PowerPoint out of that. And somehow the AI actually managed to create a PowerPoint deck as well, which is quite impressive, cuz most of the time it fails miserably. Now, given the fact that I do a bunch of work with loads of different types of people, I was doing a lot of stuff with a couple of different fintechs recently. So it had decided to remember some fintech expressions in there, which I thought was interesting and makes me want to go and delete my cache. Um, so yeah. And I said, "Oh, you're gonna have to give me a sexy title for my, uh, cyber security company." Uh, and a logo. And so we managed to get Dark Glass Cyberworks. And the logo is that thing up there.
>> And yeah, I was like, "Right, okay, fair enough." You know what? I can go with that. So we've gone and created an average SOC report. Anybody know what... like, okay, hands up. Has anyone ever been in a monthly SOC meeting with an MSSP? Right. Okay. So for the rest of you, this is basically your SOC, the guy that runs your SOC, coming to tell you about how they've done over the month. Uh, and it does look a lot like this. This is quite nice. You get a nice executive summary that tells a bunch of stuff, because they expect you to pass some information on to your board or senior managers and stuff like that. So, they're looking for sexy things. You get, yeah, yeah, that's fine. And you'll get some nice KPIs. You're like, great, AI. I don't know what the grey thing is over there. We're going to ignore that, cuz this is not a talk about AI and what that grey thing is, but you will get some diagrams that look something like this. And then we're going to split down into incident categories. Quite often you get this in, like, a pie chart form, sort of thing, but, you know, instead they decided that, oh no, we're going to put some detail in. Great. That looks lovely as well. Some response actions taken. You will always get something about the SLA, cuz your SOC providers were always going to tell you how well they did against the SLA. I... you're not getting any money back, whether it's in credits or not. Um, some lovely threat landscape and trends, because they need to be giving you information to tell you about stuff, basically to keep you in a state of fear that means you'll pay next month. Um, we're going to do some vulnerability remediation status. Again, fine, thanks, AI. Uh, some compliance and regulatory, because it picked up the fact I've been doing work for fintech stuff. I went, oh yeah, let's definitely add some stuff in there. So I'm like, great. So PSD2, DORA, and EMI stuff. Fantastic. Immediate actions. We'll swing back to why that's called immediate actions later. Um, some medium and long-term initiatives. Again, we can swing back to that. Monitoring coverage, because you always need to know exactly, you know, what's been covered. And then, yeah, next steps, contact staff, and they always do a nice thank you at the end. And any questions? You're sitting in this in a Teams call or a Zoom call or something like that. You got any questions? You never have questions. Right, now, if you presented that to me, this is what happens.
You tell me I've got 23 incidents. What's an incident mean? See, if this is the first time I've been in with a SOC provider and they tell me that you've got incidents and alerts: the cyber security industry does not know what an incident is, or an alert is, or an event is, consistently across vendors, tools, or anything. So, somebody says they've had 23 incidents. If I'm in incident response and you tell me in the last month I've had 23 incidents, I'm like, that's busy and we've had a bad day. Uh, some other ones will be, well, that's 23 that somebody actually looked at physically, you know, right? Okay. Uh, but yeah, we always need to make sure we're clarifying this. Uh, and if the person that's delivering this to you can't give you the why these things are called these things, ask for a new person.

Right? So, we've got a 2.7% confirmation rate. I have been doing this for 15 years and never told somebody what the confirmation rate is. I Googled it. It comes up with this. I was like, "Right, okay, fine." I assumed it was something about quality checking, because if you've got, like, analysts looking at hundreds of tickets, those are human beings looking at something; you need to quality control that stuff. So I assumed from "confirmation" maybe it was something along those lines. The interesting thing on this is that this actually says a high confirmation rate indicates the SOC's working really well, and that slide said 2.7%. Right. Okay. So again, even as somebody that does this for a living, I look at a slide and go, I don't know what that number means. And now I'm going to go and torture the person that's presenting to me, because I can guarantee you that most service delivery managers also don't know what that means.

Mean time to detect, I hate this term because it gets misused. So mean time to detect is supposed to be how long it took us to detect that there was a problem. I have seen some really small numbers there and seen some really big numbers there. Now, when I run a SOC, mean time to detect is actually from when the bad guy got in to when we were able to pick it up. But if you're getting this on a monthly basis, that is not what that number is. I can guarantee you, because if you've got bad guys in your environment every month, again, come see me. Uh, we can have a chat. Um, but ultimately, yeah, you're like, "Right, mean time to detect." Again, it's another one where it's lovely, cuz people see it on slides and they go, "That's amazing." And somebody goes, "Yeah, that number's coming down." I have seen companies that take that as how long it takes from when the alert happened, say on a firewall device, to when it landed in the SIEM. I have seen that used. Right, hang on, electrons, speed of light, how long is the cable? That's what we need to worry about. So yeah, so when somebody comes up and starts talking about MTTD, MTTR, MTTC, you sort of go, right, okay, I would love the fact that these things were standard across our industry and everybody was actually understanding what it meant and not lying. Um, we need to understand exactly what it is. So when someone's presenting this stuff, you go, right, what does that mean? Because mean time to respond is another interesting one, right? What does mean time to respond mean? For me, that's when a human being started doing something. Now, if you've automated it and it, blah, fine. But for me, if I'm providing the SOC service, that's how long it took from something's notified there's a potential problem to somebody looking at it, to actually, like, a human being doing that investigation, that SOC analyst starting to look at it to figure out whether they've got a problem, cuz that's actually the service stat for a SOC if you're providing that SOC service. It's like, right, okay, do I have the right number of people dealing with the number of tickets that are coming in? Cuz if that is... I have seen some horrendous numbers in there, and I've also seen people say, yeah, yeah, like, you know, within 15 minutes. And you're like, really? You're saying, like, a P3 low-fidelity alert that's probably noise that an engineer's not got round to thinking about, you're telling me a human being started looking at it within 15 minutes? As a person that's run a SOC business, I then go, you have too many analysts for the number of customers. That's pure, like, commercial. No, you have too many analysts, cuz there's no way you can be picking up all those tickets. Slight caveat: if the customer is paying for a SOC that has devoted analysts and they're happy to pay, we want five analysts working, great. If those five analysts are doing nothing all day, I don't care, because I'm getting my money. Uh, if those five analysts are overworked, that's even better, because I get to go and charge them more. It's a business.

Um, but yeah, things like mean time to contain, mean time to close, to remediate: basically, to spin. All of these numbers are about spin. They're all about me telling you that I'm doing such a good job that you should pay me again next month. Um, uh, and you'll find sometimes that those numbers magically move, especially if you're coming up to that annual renewal or biannual renewal; then all of a sudden, like, the numbers start getting really better and we're all super pumped and we're all super secure. Um, but ultimately, yeah, things like mean time to contain: you will get an alert that comes in and says a virus was detected on that machine, that automatically quarantined the machine. So your mean time to contain is seconds. Fantastic. What caused the virus to get on there? Was it, okay, Jenny in the office downloaded some random file and double-clicked it? Fine. If it's an actor that's been sitting in the environment for, like, 3 months and then decides to deploy, uh, an executable that gets caught on it, mean time to contain wasn't seconds. Mean time to contain was, oh god, oh god, oh god, oh god. So these numbers, you have to challenge them whenever you see them, and you have to understand them. And when I work with people to determine whether they're actually getting a good SOC service, for example, quite often I'll sit through these... service delivery managers hate when I go to meetings, because I turn up and every single one of these I go, how did that... where did you get the number? How does that... God help you if you don't know how it came about.

Right? Key performance indicators. Lovely sexy term from service delivery. Everybody loves a good KPI. Ultimately, business is run on numbers. So KPIs are quite important to a business, because that's how you work out whether you're performing well. Uh, now when we're doing SOC service delivery, KPIs are, right: KPI, 847 alerts. We already knew that from the executive summary slide. Uh, we already knew how many incidents we had. We already knew about our SLA compliance. So
I really wanted a little animation. Like, I went, AI, please go and make me a cartoon of the Thriller but call it Filler, and it came back, no, you're not allowed to do that. Really. Ultimately, the only number that we've not already seen, and we're only a few slides into the service that we flag it, is this one, and false positives I could do an entire talk on. What is a false positive? Is a false positive when the tool got it wrong, or is it a false positive when you detected it but you decided actually that is accepted behaviour? That number is about accepted behaviour being okay: we looked at it and it's fine. That's not a false positive. That's just a benign true positive. A false positive is when your tool got it wrong. False positives you have to chase down really hard, because that means that the expensive firewall device or whatever isn't working properly. But to have that as a KPI... a KPI is something we chase and we're going to go and do and we potentially get paid on. I'm like, "Right, that's a really weird number to have there." What that is, is that they couldn't have three boxes, so they had to find us something to go in the fourth space. Right? We're not going to worry about the funny little thing.

Right? Now, the good thing on this slide is that the numbers add up, cuz we had 23 incidents and those three numbers add to 23. Now, it is amazing how often you'll be in a meeting and you go, "Hang on, can you flick back a slide?" It's like, hang on, maths is... I know we're in cyber, but maths is still vaguely important. Um, so it is always nice when the numbers actually add up. Uh, and surprising how often the numbers don't. But in terms of me looking at how a service is running and whether it's doing something useful, those are just random numbers that don't mean anything. What were they last month? Has it gone up? Has it gone down? Why has it gone up? Why has it gone down? These are the sorts of questions I want to be having when I'm talking to my... like, I want to know this month this happened. Are we trending up? Are we trending down? Do we understand? It's really great when your bad numbers go down, as long as you understand why, because see, if they go down and you don't know why, you might have another problem. Um, so you need to understand these things. But when somebody sits in and says, "Yeah, we're just going to break it down like this," again, we're just filler. We're doing nothing here. We're not actually talking about anything that matters. And at this point, your customer, as your service delivery manager, has mentally gone to sleep. So at this point, as long as there's a murmuring going on, you can actually leave the room. Leave the meeting. Just go off, go down, make yourself a cup of coffee, come back, etc. Flick through a few slides and then you can mentally wake them up.

So this is interesting. Incident categories. You go, right, okay, there's information there, and it's not terrible. There's not enough on this slide for me to know whether there's anything good or bad happening, really. But when you look at the detailed report, which you would give alongside this, you do get some, like, interesting bits and pieces, and you go, "Okay." I read this and went, five phishing emails that were detected and quarantined. That seems a really low number for a month. So, are we a really small... Maybe we're a really small company. Maybe we've got a really crap phishing gateway. It's possible. Um, but also I'm looking at it going, now, well, no human did anything on that. So, you're actually basically telling me that the tool I bought from someone else did what I paid for it to do. This is not my SOC service. This is maybe me feeling better about the amount of money I just spent on a phishing protection system. Um, again, three credential spray attempts against Office 365. Again, that number is probably quite low given, you know, just how much 365 is hammered every day by everybody. But again, nobody in this SOC did that. You're basically telling me about the tools that I've got, and that has a place, but it's not something that you're able to sell me on every single month and tell me how great you're doing. You're literally just taking the output from something else I bought and telling me about it. Like, thanks, but that's not what I want my SOC manager to be telling me. Um, and yeah, there's a whole bunch of really weird and wonderful in there. It's like, two data exfiltration attempts blocked by DLP. Okay, that is two people from accounts tried to email something out and it jumped up and went, that looks like a credit card number, and blocked it. That's not necessarily data exfiltration. That is just the DLP tool doing what I need it to do, protecting me, probably annoying the crap out of the person in accounts, but it's better than not having the tool at all. We've decided as a business this is what we're going to do. You ran afoul of... somebody doing their job ran afoul of an automated tool that jumped up and said, "Don't do that." But if you call it data exfiltration, immediately everything I'm doing sounds sexy, cool, edgy, uh, and you should definitely pay me again next month for doing this, right?

Very similar trend. It's like, okay, when we say quarantined seven endpoints. Yes. So basically something suspicious happened. EDR quarantined it. Somebody looked at it and went, meh, pushed the button and released it. Um, when you quarantined those seven endpoints, did that stop anything major happening in the business? Guarantee that the service delivery manager does not know the answer to that. When we say we quarantined seven endpoints, was one of them the CFO's, 10 minutes before he went into a meeting? Impact matters. And when you're talking about things you've done, you need to, like, understand what the impact is. Uh, and to be honest, the whole "updated firewall rules to block four malicious external IPs", right? I have seen people that just keep adding and adding and adding what they think are malicious IPs to their firewall until their firewall falls over, because you can only put so many rules in these things. And if you're going to try and block the entire internet, just do it by ranges instead. Um, but really, like, you're talking whack-a-mole at this point. Like, you're literally telling me that you did something and I'm looking at it going, okay, maybe you stopped a spray for, like, 10, 15 minutes and then you take it out again, but I would have automated that. When I sat there and looked at it... in fact, to be honest, Office 365 and Azure etc. will all do that automatically anyway, because it is, oh, bad stuff's coming from there, let's block it for 10 minutes, see if it goes away. Quite often it does. So yeah. We're talking about less stuff in here that's just, like, we're selling through, like, fear, and we're making people scared and telling them how wonderful we are.

But yeah, uh, we have a 99.2% overall compliance, but our alert monitoring is 99.8%, and then the other numbers are not percentages. We have a page of numbers that we don't know what they mean, and they might be valid. The overall compliance could be including some vulnerability management stuff that's going to come up on the next couple of slides and stuff like that. So, it could be including that, but you've got a big number up there and then a bunch of other numbers, and none of them add up on the screen, and I don't understand how you make that number. Uh, and quite often when you ask the person delivering this slide to you, how did you make that number? They will say, guys in the back office did it for me. Thanks. Um, but yeah, you need to understand where these numbers are coming from, how they're made, and if they're actually important to you. Um, criticals, highs, mediums, these are all just standard things that you... great, but do they matter? Uh, were the critical ones actually critical? Should they still be critical? Uh, like, where is the evaluation of things? Instead, we're just outputting random numbers from the SIEM. >> Question. >> Go. Overall compliance to what? Yes, I... >> Given the fact that it's the SDM, it'll be to their SLAs, that their bonus is based on, >> right?

Threat landscape and trend. You'll get this because everyone's trying to say, look, we are super edgy. They also have to take the fact that their company has an entire threat intelligence arm and they're pretending to do really interesting research. Uh, and basically that's a massive play to get the next round of funding stroke sale. Um, great. I looked at it, I went, brilliant, 32% increase in targeting financial staff. Is that just the financial staff in my company, or are we talking about the entire world? Is it because I'm a finance company and all my staff work for finance? Okay. I don't know. Um, and again, if somebody says there's an 18% increase in anything, I want to know why. Uh, the other stuff's just Google nonsense. But yeah, this lot did actually have a nice, like, extra report, but again, it's actually a report by the same company, which basically means we're marking our own homework, which is never a good look. This thing I kind of liked. Um, uh, I like the fact that they said no direct targeting detected.
>> Yeah, great. How are you looking for that? Are you saying that the number of alerts didn't go up, or are you saying that you're doing dark web monitoring and all of that malarkey? I don't know. I don't know what's in the contract, and I guarantee you nobody in this meeting knows what's in the contract. Um, but it's very... I mean, "strong defensive posture maintained". I take great umbrage at this, because of the number of SOCs that I've worked with where the SOC that you're getting from an external provider is only covering part of your company, and yet the manager that's sitting in that meeting, that doesn't understand most of what's been going on, looks at that and says, I'm going to put that in my board pack. And then all of a sudden the board thinks the entire company is super well protected, except it turns out it's just a corporate environment with 15 people in it. Uh, not that entire estate there, not the factory that's doing X, Y, and Z. That doesn't have a strong defensive posture, but we've managed to misquote something. So if you're going to put something on a slide, make it defensible. Make sure you scope it properly, cuz otherwise you do get some really horrible... the number of times people on the board will then look at it and go, I don't understand how this breach happened. It's like, because we've been getting great reports. The other issue with that is, if the board are getting great reports from one bit of security saying everything is absolutely fine, and then somebody else from another part of the business says, we need to go and fix the OT environment, it's absolutely awful, we need to do network segmentation, we need to do this, this, and this, it's going to cost 500k. The board goes, "No, no, we've got a strong defensive posture. This guy told me we don't need to spend that money. We're fine." No. You need to be very careful about scoping of things. Um, because when you say things like "we have a strong defensive posture maintained", people will read into that overly positively about the current state of their environment, regardless of all the other problems that are there.

Right? Vuln man. Vuln man is horrible, and vulnerability management should never be in a SOC service delivery meeting, because it's a completely different service. And if you, internally, if you're doing a SOC, the SOC's probably doing a bit, helping with patching and stuff like that, but if you're getting this from an external vendor, this has no place in this meeting, because for a start, by the time you have a SOC, you don't necessarily just have one environment. You're going to have multiple environments: corporate, the products, your development. You might have, you know, X, Y, and Z. This doesn't even have a breakdown of that. We just got this random set of numbers that says... and yeah, you cannot have this in there. We don't understand what trends are. We don't understand if there's bits of the business. We literally have just put a slide that is essentially filler, because this doesn't tell us anything about the business. And yeah, it does actually say, and I, cuz I was sitting there going, "Oh my god, we've only done 18 out of 19 highs." And actually the report does say we're waiting on a vendor update. I'm like, "That's great." That is a conversation in a separate meeting. If you slide vulnerability management into your SOC meeting and give it 5 minutes, you have significant issues in vulnerability management, because you cannot discuss vulnerability management anywhere in 5 minutes.

This slide I hate, cuz you look at it going, it looks really innocuous and it's fine, isn't it? But, uh, none of these regulations only concern the SOC, except now when I take that slide to the board and go, good news, like, we're completely... we're sorted for DORA, we're sorted for PSD2, we're up to date with all our regulations. There's entire teams and massive sections of these regulations that the SOC will have absolutely no oversight on, and yet we put a green box that says the company is compliant. Again, compliance, regulated. If you are at the point where you have to be compliant against various regulations, that's not something your SOC does. It is not in your SOC meeting, and you have a team that's dealing with this, hopefully, or one really tired person. Is there one really tired person in the room that has to deal with all the compliance? Is that 10 minutes? And, right, immediate actions. That looks absolutely fantastic. Apart from the fact that we suddenly got numbers on there that don't make any sense. Uh, how do we reduce phishing effectiveness if we implement these things? Where did that number come from? Apparently, if we don't put the PAM pilot in, we can't secure the already compromised service accounts. That sounds a bit scary. Presuming that, you know, the language is not fantastic there. Uh, again, like, how are we reducing MTTR by two or three hours? Where are you getting these numbers? If you see numbers like this getting put in front of you by anyone, it is a "show me, tell me", because I need... I mean, these seem like great things, but absolutely none of them are actions. If you want to come down to it, every single one of them is a project, except we put it in as immediate actions that need to be done. Immediate actions, which means it's a call to arms, which means you should definitely do it. You should definitely buy this. You need to buy this right now.

Now, if you are a SOC provider and you're doing service delivery meetings with your customer, you are looking to upsell your other services to that customer. That's the game. That's what we do, and you should expect it. Your trusted security provider can help you with other problems, and they are looking to tell you about that. There is nothing wrong with that. Various techies in the room might sit there and go, "No, damn it, I'm a techie. I'm not a salesperson." You are a salesperson if you work for a service provider. Every interaction with a customer is a potential sale. All of that stuff. That's how businesses work. But every single one of these seems to be a "let's go and do this, we must do this, otherwise there's a problem". Not good.

I have no issues with this slide. I mean, it's rubbish. Um, and it's not really something the SOC necessarily is doing, but great, it's some bits and pieces. You can go and argue about AI SOAR and XDR and things. I don't have any massive issue with it. Good news, we managed to find a slide that doesn't have a problem. Uh, monitoring coverage. These ones are lethal. Those numbers look great. And when you look at the report, you get even more numbers. You're like, great, okay, detail. Let's get a bit more detail in there. But then when I read it, I go, go, go, go, go, go, go, go, go, go, go... right, hang on a second. You see, I've got AWS cloud workloads, but at no point do we talk about the AWS identities? You specifically call out Office 365. So, who's protecting my AWS accounts? When you put up "there's 847 endpoints", I can guarantee you that next to nobody in the room knows how many endpoints are in the company. So, is 847 good, or are we working in a multinational where they actually have 100,000 employees? At that point, that number doesn't look so great anymore, does it? Because then 100,000 is significantly bigger than 847. Um, so yeah, when you look at these things, like, numbers matter, but also "out of what" matters. If you tell me, like, the daily log volume of events per day, what does that tell you? Absolutely nothing. It's filling up space on a slide. Uh, now, if you told me it's gone up or gone down, then we can have a conversation about why and whether that matters. Uh, if you told me how much it was costing, we'd then have a conversation exactly about what's in that data, etc. But we don't. We don't have anything. We just got random numbers on there that everybody thought was really good. Detection rules: 847.
>> Yeah. Well, what have we got? One. Nice. Yeah. I didn't spoil that one. Nice one. Uh, yeah. I've got like 847 rules. Are they good rules? Are they bad rules? Are they checking to see if 2 + 3 equals 9? Well, that one's never going to fire unless there's an AI. But ultimately, yeah, I don't care about how many rules I've got. I need to know whether the stuff that I should worry about is being covered. I want my risk coverage. In an ideal world, I would have a MITRE ATT&CK heat map. But even that, well, one, it's incredibly difficult to do properly. And two, there will always be caveats. So ultimately, telling me how many rules, how many custom rules are deployed? Right? Hang on a second. So you're talking about 847; that means that a good 800-odd just came from the tool and you didn't do any work. So again, you're now telling me there's 800 things done that the tool that I was buying did. You didn't do it. You did 23. Thanks. And stuff like automated playbooks. Are they any good? Why are they firing? Like, are these numbers bigger than last month? Should they be going up? Should they be going down? Yeah. Right. You think that you couldn't get this one wrong? And this is a genuine mistake that the AI created when it generated it, and I have genuinely seen people misspell their own email addresses. But again, this is my monthly service delivery meeting. So why do I need to know what your email address is? It was in the Teams invite, and I don't need to know my sales guy's number, as much as you want me to have my sales guy's number. I don't know and I don't care. Right. We've only got five minutes left apparently. Yeah. Okay, fair enough. So, we'll race through a little bit.
Right. If I was a SOC analyst, this was my job description. It's pretty bog-standard. If you have an MSSP and you ask their SOC analyst what their job description was, this is not wrong. And if you ask their manager what it was, yeah, a SOC manager's job is to put up with analysts moaning about how many tickets they've got to do and what shift they're on. And can they be a senior, please? And as a company, a SOC analyst is there to service customers, and I want to do as many customers as I can against one. Normal responsibilities for a SOC analyst, if this is an internal body, this is what you would expect them to do. An MSP SOC analyst does none of these things. They do tickets. But when you're interviewing, when you're expecting the SOC, if you take a SOC analyst from an MSSP and bring them internally, you have to go and double-check that they can actually do any of this stuff. And it's horrendous, but it's just that they're very different jobs. And if you go and try and give SOC analysts some objectives, you'll immediately get back a whole bunch of complaints about "no, this isn't my job", because it's not. If you're a SOC analyst in a SOC, they will immediately blame engineering for everything. But these objectives end up being opinion-based because we've got "have you done enough?" in there. They're really hard to measure in a lot of cases. They're mis-scoped because there's engineering ones in there that should be a SOC analyst. They're frigable in terms of reopen rates and stuff like that. It's all right. If I'm getting measured on reopen rates, I'll just never reopen a ticket and I'll make that number. If I'm looking to drive consistency or something like that, I don't do it in objectives. I do it in automation. That's what that's for. Humans are not consistent. Do not try to add consistency. And none of these actually reduce risk in my organization, which is what a SOC analyst is there to do. It's what every security person is there to do, right?
Appraisals. That, if you ask any techie, is what the appraisal system's for. It's not fantastic. And if you're managing teams and they're thinking like this, then this is what you need to do to fix it. You figure out whether you're paying competitively, not whether I can pay you less. I'm trying to help people with their weaknesses. Yeah. If I have to give somebody bad news, "you're not getting your bonus, you're not getting X, Y, and Z", you explain why. You don't just tell them they're terrible. If we had more time, I'd have Sean stand up and then ask him whether he's had a good time at this talk. He'd say, "Yes."
"Did you learn anything?" Yes. Great. That means you're now four out of five on SOC knowledge. But I now need to remove one inch of your height because otherwise the bell curve will not look quite right when I'm measuring you, and it was never seen again. But again and again, like career progression, stuff like that. Yeah. Career progression isn't for everyone. Not everybody wants to have it. Do it if you can.
And yeah, if you think you're being underpaid, tell your boss. It's as simple as that. Don't be shy about it. Don't be an [ __ ] about it, but don't be shy. And yeah, make sure that when you do bonuses, we're going to tie it to the performance that actually matters, right? Oh god, did she keep going to run out completely? Right. So are we secure? No. Oh wow, it's gone really slow. Please click. There we go. Right, this is a love letter to risk. Essentially, every person in this room needs to be working against risk. Because we can't do our jobs if we're not actually reducing risk. That's the whole point of our jobs. And nothing you do matters unless you're reducing risk. If you're in security. If you're a developer, you went into the wrong room. Sorry. And ultimately, yeah, just make sure that you know the obvious. And look: if you reduce the risk, that means you can show that you had value and you get to keep doing it, right? And with that, we'll call it a day because, yeah, I somehow managed to overrun slightly. So you don't get the next three slides.
>> Take a picture. >> Uh, yeah. Yeah. Ultimately, realize that you work for a company, and the company is not there to give you a job. It's to use you. Be comfortable with that and you'll be much happier. And 46, the title, is actually from when I did a test for ADHD and it came back... >> Yeah. >> And it came back with 46. And I then went, "Is that good?" And then realized I was sitting in my own personal medical version of a service delivery meeting. I had to ask. I did a lot of Googling, did a lot of asking. So yes, there you go. >> Dave, those are rookie numbers.
>> Yeah. Not enough drugs. Done.