
PG - Building a Culture of Cybersecurity: A Case Study Approach to Enhancing Risk Management

BSides Las Vegas · 20:41 · Published 2023-10
About this talk
Proving Ground, 12:00 Wednesday

Risk Management Culture is a critical component of a comprehensive cybersecurity strategy, yet it can be challenging to cultivate and sustain. The most effective way to build a risk-aware culture is to educate and engage both technical and non-technical staff. This presentation will explore the benefits of a risk management culture, and provide a case study-based approach to training security staff and educating non-technical executives. The presentation will draw on real-world examples to illustrate the importance of effective risk management, and provide practical strategies for promoting a risk-aware culture within an organization. The audience, consisting of a highly technical crowd, will appreciate the depth and detail of the content, as well as the focus on real-world applications. This presentation is a must-attend for anyone looking to deepen their understanding of risk management culture and build a more secure organization.

Lewis Heuermann
Transcript [en]

Good morning slash afternoon. It's now afternoon. I'm Sam Humphries. I am the only thing that stands between you and this man. Right, this talk is... the talk title, it's not called that, it is "Building a Culture of Cybersecurity: A Case Study Approach to Enhancing Risk Management". I'm looking forward to this. Quick things, real quick: thank you to our sponsors, Diamond sponsor Adobe, Gold sponsors Prisma Cloud, Sr, BlueCat, PlexTrac, Toyota, and could drct one, all of you who are volunteering and donating and participating. Lewis Heuermann, excellent. The floor is now yours for the next 25 minutes. Big round of applause, please.

Thank you, everyone. I'm super excited to be here today to talk about one of the things that I love in this world, which is cyber risk management. I'm excited to see so many people turn out who are interested in this topic with me. A little bit about myself: I'm a submarine fast attack Navy veteran. I was a radian there for over 10 years, one of the highlights of my career. After that I navigated through several three-letter government organizations, landed in commercial cybersecurity. Through that entire time I picked up a couple famous ones, CISSP, PMP, a handful of others that are kind of entry requirements, Security+, Network+, all those things. One of the things that I developed along the way is that I am a cyber nerd, but I'm also people curious. I always find it very interesting to see how people approach technology, both those who are interested in it and those who maybe feel like it's maybe beyond them a little bit but they're still interested in it.

Today what we're going to talk about is the perception gap, the perception gap between us. First of all, let me ask: how many cybersecurity practitioners do we have in the room? Show of hands. Wonderful, wonderful, thank you. How many HR professionals do we have in the room? All right, I might... oh, did I see one? We have a tape up here, she can't cross. Right, it's a... there's lasers. What about marketing professionals? Any marketing professionals in the room? We got one right up here, stilling, fabulous. All right, there's a tape right there with lasers.

All right, what we're going to do is we're going to approach this, and we're going to think about this in the concept of what makes us as cyber professionals so pessimistic about users, their actions, the systems. Right? I walk into the grocery store, I see credit card machines, I'm thinking PCI audit, you know, has the cashier been briefed? You know, but the people around me are just shopping and grabbing groceries. What creates this opposing optimistic perspective about technology compared to cyber practitioners' pessimistic view? Is it because of our skill set, our training, where our focus is? When you've seen the things and you know the things, all you see are the things that can exploit it. And on the other hand, what makes others so optimistic? Is it ignorance is bliss, or is it that they see things differently? Maybe there's a middle road. Maybe there's a table of commonality that we can find. Let's dig through some things and see what we can see.

The two groups we're going to talk about today are HR and marketing. Now, how do you know I'm not marketing? How do you know? Because this is what I envision marketing... this is what I envision marketing people look like. They're all super excited at the computer, they're all pointing at the screen, and they're just really, really woo. And we're wearing a Microsoft shirt and we're still happy. That's how you know.

But let's take a look. You know, so the HR department: what do we typically see in the HR department? What kind of things are they dealing with every day? PDFs. PDFs, yeah. PDFs. PDFs only from known entities? No, no. They're looking at job resumés, both solicited and unsolicited. They're maybe looking at legal agreements, sometimes solicited, sometimes unsolicited. They're doing all the things that make us cyber practitioners scream "oh my God," but they're like, well, I have to, that's my job. Like, what, am I not supposed to open PDFs? What else? What's some of the low-hanging fruit? Word documents, email, people's information, HR systems, people in general. People in general, yes. One of the reasons I got into cyber is because I didn't have to deal with people. No. One of the HR systems, you know, typically that's two-factor at best. We're talking login and password, not a lot of depth in those. They're getting better. That's not a criticism against HR technology, it's just the nature of it. Systems today are SaaS based, where they're logging into an HR management system and they're handling extremely sensitive information on a laptop or an endpoint device that might not be completely controlled. If I hear someone say "Okta controls it," let's sidebar that one.

But the point here is that the HR department is doing great things, through also doing very dangerous things. But do they see it that way? If I go and I talk to the HR department and I say, what things are you doing that are dangerous, they're probably going to list people: we deal with sensitive information on people. And they'd be right. They probably would not list opening a PDF as one of the most dangerous things they're doing today. I might differ. Let's do a risk level check: high, medium, low. How would you rate HR in the organization? High? How many high? Okay, it's about half the room. How many medium? Okay, that's the other third. How many low? Zero lows. I generally agree with that.

So we understood that HR deals with sensitive data. They've got financial information, payroll information on everyone, they've got confidential records, all the things that we understand HR has. They deal with it like breathing. They have legal compliance requirements. It's not just about your personal information; they also have to comply with state, federal, and then international, if the organization expands, requirements on how they move, handle, and view data, and who can be around them when they view that information. Again, they're probably not going to list opening a PDF as the worst thing they're going to do today. This is where culture comes in. Can we work with the HR department and identify what sensitive data is, and help them see some of the threats that are involved with the ways they're accessing that information, at no fault of their own, just the nature of technology? Is there a table for that discussion where you're at today, and what are those questions being asked?

Now that we understand the current risk level, we identify HR as a high to medium risk in the organization based on our unofficial polling here. So let's turn our eyes to the marketing department. I know, I know, lasers, lasers. Marketing: how many marketers go to conferences and they have to meet with people? That's sort of why they're there, right? I mean, this is... we bring marketers in, they join the cyber team. We've got great marketers out in the middle ground today doing excellent work. They might not traditionally be cyber experts, but they're familiar with the product lines, or they're cyber experts turned marketer, they went the other way. Occasionally extroverts happen in our world. It does occasionally occur. And so meetups are going to happen. In this instance a marketer was contacted to meet up for lunch by supposedly a foreign CEO of a startup. Let's do a risk level check: high, medium, low. How many for high? Okay, about 5% of the room. How many medium? Okay, about most of the room. And how many low? Okay, got one, two. So this is sitting in the medium range for risk.

What happens next? Oh, I'll send you an email, let's meet up for lunch. Emails happen every day by the millions and the billions, and if you're in my inbox, by the thousands. It's a lot, right? Either marketing or otherwise. So they get an email. How many times has someone here, show of hands, got an email with an attachment that just looks very innocuous but it turns out to basically be the images in the signature? Right, yeah. I've worked with organizations who actually require that you not put an image in your signature because that happens, and because it can trick people into opening it. I endorse that approach. The body contains a base64 blob; the person, maybe not knowing, thinks it's their image, tries to open it. What happens next? Bad things. It's called a bad day. Some of the possibilities: this is just the normal imperfect interoperability between Gmail and Outlook, sometimes Yahoo and Gmail, these more text-based email agents sending things that don't translate the image and so it attaches it. So far we're within the realm of normal for a marketing person. Culture comes in by the marketing person saying "this seems weird," but we're not there yet.

Next up, the person says, hey, I'm down here in the lobby, going to meet up. Well, wait a minute, now they're trying to move outside of it. Well, I'm outside now. What does this sound like to the cyber folks in the room? They're being lured out, what I call getting off campus, getting lured off campus, outside of the comfort zone, to again get that information from you a little bit by a little bit by a little bit. Let's do a quick risk level check. How many people now are at high? Okay, about a quarter of the room. How many people are still at medium? Okay. How many people are low? So everybody shifted up a level, by and large, because now in our cyber brains all the hairs on our back are just tingling. All of this sounds odd to us. To our resident marketing expert in the room, your risk level: is this high, medium, or low, or is this pretty standard fare? I mean, it happens, right? It does, a lot. This is now the ordinary. Do I trust anyone? No, that's right. So far, to our marketing person, this happens all the time. Her objective is to meet and greet, produce information, share information, so from her perspective the risk is very, very low to medium, a little stranger danger, but that has more to do with meeting a stranger than any technical implications. Well, that's culture versus phishing. Have we aligned with the marketing department to understand what things could go wrong, to share with them the things that we see, and did we work with them to understand their perspective of why this is every day for them? There's no way to not do things this way, the same as our HR reps: there's no way for them not to do things that way.

So what's left? Our culture. A culture of saying, I know this seems weird, but there might be a more secure way of doing it, and I'm going to reach out to the cyber nerds and see if this triggers them in any way, just to do a pulse check. What do we need for that conversation to occur? Alignment, a table that they feel good and open to come and discuss these things that they have questions about. If the culture is not built around one where... if we as the cyber folks are so pessimistic that we put up walls: users are dumb, they don't know anything, they don't understand technology, how can they possibly be trusted? If we put up those kinds of cultural walls, that's not inviting to the folks who may have simple questions. That's where culture versus phishing comes in: how do we encourage the marketing folks to only use official channels for communication, to track accountability of these conversations? How do we teach them how to verify profiles? I understand your remit is to go and meet with folks and to transfer information between the two of you. How can we be conduits for a paved pathway of safety for those conversations? And it starts with culture.

Now, I fooled all of you. We've been assessing risk this entire time. Did we ever define risk levels? No. What did I give you? High, medium, and low. Did we, the cyber folks, define what high means? Did we ever define what low means? Now, I, with a certain level of confidence, know that when I'm speaking with cyber professionals and I say high, medium, and low, we all see red, yellow, green. Do the non-cyber folks know what that means? Do they define it in the same way we do, and how can we correct or assure that that interpretation is equal? Engineering departments have the same challenge with cyber departments. What's high for them is not necessarily high for us. What's low for them, we're "the house is on fire," right? We can't call enough fire engines to some of the lows I've seen engineering departments deal with. They're like, oh no, that's not a big problem. I'm over here freaking out.

So what do we do now? We can mitigate some of the HR risk: strict access controls, private VLANs, training, having that discussion, inviting them to the table. Exclusionary discussions, exclude; open that door. Create cyber champions in the HR department. How do we mitigate it? And marketing, same thing: identify and verify, show them how to assess the risk from a cyber perspective, and then we, the cyber people, understand that for a marketing person they have to enter these dangerous situations, technically speaking. How can they do these dangerous things safely? But to do that, our culture has to be inviting and open up the table of discussion.

Where do we go from here? Let's revisit that perception gap. We've got the cyber SME, pessimistic: the world, me going into a grocery store, risk, risk, aisle nine, risk. Everyone else just shopping for groceries. And how do we get the folks who, oh, every day is a picking-flowers day, and get them to see, like, maybe there's some snakes in that grass that they're not aware of, and help them align their measurement of risk with our measurement of risk, high, medium, and low, but also maybe teach us something about what they have to deal with day to day. Cultivating a culture of cybersecurity risk awareness should extend beyond the technical teams. It's about empowering everyone with the knowledge and skills to protect themselves and the organization. It might not be our fault if something happens, but it is our problem, and it's also our duty to empower everyone in the organization to appreciate how cyber risk can both empower and also hurt us if not handled properly. Hopefully you can all go back with this message to your cultures and see how you're inviting those folks to the table. I'd love to open up to any questions.

marke... Thank you, that was great, really, really good. Does anyone have a question? We've got probably time for one, or none, also fine. She made me speed around that; she was like, two minutes. No, it's great. Go.

Marketing: how do you define the risk levels to bridge the gap?

Well, how do I... so I heard two questions: one, how do I define the risk level, and how do I bridge the gap. So I define risk levels specifically based on the organization, because what I consider high they might not consider high. So step one is understanding the organization: what's important to them, what do they think is at risk, what can impact their ability to make money? At the end of the day every business is there for that reason. We need to identify the crown jewels, or the things that might impact their ability to make money. Two, how do I bridge the gap? Identify who the key relationships are that might help or hinder the mitigation of risk, and that's through relationship management. You know, you catch more bees with honey than you do vinegar. If we run around like the fear police, that might instigate short-term gains, but it doesn't create a positive culture around cyber. We don't need to be the "no" police, and we don't need to be, you know, "no, no, no, no, no," right? That's not us. We're there to empower. It's a great question.

Awesome, thank you. Great question indeed. Right, everyone, please, big round of applause.