
I Don't Want To Spoil The Party by Ed Tucker

BSides Liverpool · 30:52 · Published 2022-01
About this talk
Ed Tucker, a CSO and former government cyber leader, challenges the pervasive noise in cybersecurity discourse. He argues that much industry guidance comes from vendors and consultants selling solutions rather than practitioners handling real operational challenges, and that blanket prescriptions like "you need an awareness program" ignore the unique context of each organization. Tucker advocates for practitioners to share honest failures and build cross-functional relationships to solve security problems grounded in business reality.
Transcript [en]

Right, afternoon. I stand between you and London, so I can be really quick if you want. Don't? Honestly, don't say that, we'll be here until seven. The pub's open already. So, I'm Ed Tucker. I've been an accountant, I've worked on a help desk, I've been head of cyber in government, I've been a vendor, I've been a founder of a startup, and back to a CSO, and everywhere in between. So I've been a defender, a vendor and a defender again. I don't tend to toe the party line when it comes to cyber security, frankly because most of it's rubbish, and hopefully we'll just talk around a few things that hopefully resonate, might

not, from my personal experiences through life, and I have managed, hopefully, to get the Beatles theme throughout. To start off: almost everything that you see in the industry today, expert analysis, articles, webinars, conference speakers, obviously it's all actually driven by people who are trying to sell you something. How many times do you see expert insight from the people who do the day job? When I talk about the day job, that's my day job as a CSO, as a head of cyber, as an analyst, as a defender, to actually do it. How much of the insight is actually pay to play? You know, you're top right of the Gartner Magic Quadrant. I've been a startup founder;

we could have entered Gartner, we couldn't afford it. It's a bit weird, because if you've got a good solution shouldn't they just look at it anyway? And that sort of thing, now that could be Forrester or whichever analyst forum wants to have a look at certain products; there's a certain amount of skin you have to put in the game just to be considered. It's really hard to do it without joining the club. How many webinars are front-ended with a presentation from a vendor that just runs through exactly what they offer you, rather than what's possible on this subject matter? How many articles do you read where the expert insight out

there, in articles, is from people again who are trying to sell you something? It's not from the people who actually do it. There's a major vulnerability, let's get some insight from X vendor, X vendor, X vendor and X consultant and ex-Twitter expert, rather than someone that actually knows the practicality of how we address a vulnerability. How do we put business context to someone that's got a huge backlog to go through, that's got features to deliver, features that are going to generate revenue, or we could stop them generating revenue and say "you need to patch this because there's a vulnerability and it's been exploited in the wild", or some other nonsense term that means nothing to

someone in business. Oh, there's a PoC there, it's been exploited. What do we do? What's the business context? What's the real rationale? How do I prioritise? How do I help people understand it so we can make active risk decisions? How many people actually talk about risk and the different parameters that make up risk? How many times do you have people telling you what you need: you need an insider threat programme, you need a next-generation firewall, you need to consider the IoT, or computers as they're otherwise known, you need education and awareness, no you don't need education and awareness, it doesn't work, you need to phish your employees, you don't need to phish your employees, you need, you need, you need. How

do they know what you need? How does anyone know what any one of you people need? I don't. I could guess some thematic things because they're ubiquitous across the industry and areas of concern. I don't know what you need, because I don't know your business, I don't know your people, I don't know what you do, I don't know your appetite. Does anyone have a risk appetite? Is it literally a finger in the air, medium, or seven? Is it a genuine risk appetite? Because do we actually understand our risk and all the different parameters that change constantly? Not because the threat is exponential, no, because [ __ ] changes: technology changes, people change, circumstances change, pressure changes,

stress changes. And yes, there are more exploits and there are more cyber criminals, the vast majority of which are opportunistic shifters spaffed across the internet, not high-end adversaries. But if I just tell you you need to be wary of [ __ ] that's just spaffed off the internet, you won't buy something off me, you won't buy my consultancy, you won't buy my startups, you won't buy my products, because I'm actually talking to you about the majority of stuff, the 80/20 rule, in fact it's probably about the 98/2 rule. So beware experts; they are not always what they seem. There are many, many, many experts in cyber security, many, there are many of them with blue ticks,

that means [ __ ] all. Absolutely, that's because I've not got one. No, seriously, it means nothing, it means nothing. How many people in this room have heard of a guy called Gary Sivanesen? One, two. So Gary Sivanesen, he's ex-GCHQ, ex-intelligence services, ex-head of cyber for Lockheed Martin when they went through the genuine APT awakening, when they came up with things like the kill chain that everyone now spaffs around, when they actually coined things like APT, which everyone gets fundamentally wrong. He then went on to be the director of cyber for EA Games, everyone ever heard of them? Yeah, they lost the source code to FIFA recently, didn't they? I'll tell you now, Gary is one of the

best cyber people on the planet by a distance, and so is his team, and they lost the source code for FIFA. That doesn't mean they're rubbish at security; that means basically it can happen to anyone. But Gary Sivanesen isn't a blue tick on Twitter, he's not someone you see at every conference, he's not someone you've seen articles from, he's someone that I go to constantly to have conversations with, because he really, really, really knows his stuff. He's lived and breathed it. He's got it wrong probably more than he's got it right, and he'll happily put his hand up and say yes, I will do, we'll get it wrong. I won't generally go to the people who

are in the articles, because it's the same people over and over and over and over and over and over and over again, who seem to have a comment on every single subject, which means they're either a genius or they're full of [ __ ], or somewhere in between. Somewhere in between, maybe, but there's a lot of it about, mixed with them telling you that you need stuff. Don't get me wrong, some of them are very clever, very well skilled, but they are also playing a game. They're playing a game to pull you in, to spend money. You are always going to have to invest in security; it doesn't always have to be financial, or directly financial.

The trouble is, most of what we see is a helicopter view. A helicopter view, 30,000 foot: this is it, you need a champions network. Great, I know what that is, that's a good thing. We had them in HMRC after the disc loss in 2007, so we had a champions network in 2008. HMRC, that's government, Jesus Christ, were we 13 years ahead of the rest of you? No, it's something that's existed for ages. The difference is how do you implement it, why do you implement it, what's its purpose? We implemented it and it ran the business to an absolute halt, because we didn't know what we were doing; no one did at the time. We figured

it out and got better, and it still didn't work perfectly. You know, there were missionaries out in the business who dealt with business data and development, business decisions, in a hub and spoke model that came back to centre around security decisions, questions, queries, and they were a face out into the business, and it was a full part of their job: it was written into their contracts, it was written into their objectives, it's part of what they do on a daily basis. There is a very different thing between saying you need a champions network and actually implementing one, and actually understanding what are the outcomes I want to achieve when I do that,

how do I measure the outcomes, and I don't mean KPIs and crap like that, or "we've lost one million things at the email gateway, we've lost one million and two next week", and was that good, bad or indifferent? Or do I have no control over the internet whatsoever? Meaningful stats, or am I trying to prove that I spend a million pounds and nothing happens, trying to prove a negative? Genuine measurable outcomes. But what are the bits that make it there? The revolution is understanding what I need to do to make a success, and a success can be literally one step forward. One step forward is still a step forward. Better is still better. Perfect is unachievable,

but to take that one step forward, to get better, I need to understand the components that get me there. One of the best analogies I'd like to talk about is phishing simulations, education and awareness, just because it's a really simple one to drive this home. We all generally agree that some awareness activities are a good thing to do. Yeah, we're generally rubbish at them, but they are a good thing to do. You sometimes spend half an hour a year on them, which, if that worked, my children would go to school maybe for a week a year and that's it. That doesn't work, but never mind, no one wants to do it anyway and it's my job to

protect them, so who cares. But let's pretend for a minute that we make our people more aware. They're now aware of how to spot phishing emails, super. What do they do? If they delete it, then the risk surely happens in their inbox and I am blissfully unaware of it, so that's not good. Ah, we want to report it, don't we? Yeah, we all get our users to report it, brilliant. So now they're reporting. Let's pretend as well they know how to report it, and to who, and how to forward an email as an attachment to keep the headers intact, and things like that, you know, that your nan could do, because they are just normal people with different skill

levels. So let's pretend they can do that, brilliant. How quickly do your team pick it up? What do they do with it? How do they investigate it? Do they have access to things like Exchange, or do they have to go to the Exchange team if they want to check if someone's clicked it? Do they go to next-generation firewalls, or their SIEM tool, or do they have to work with networks if they want to put a block in place? Can they do it themselves, or do they have to go and work with another team? What are the dependencies to make that happen? What's the dwell time? How do they contact other users? A really simple thing of "I've spotted a phishing email" is actually quite a

complex piece, to do any kind of measurable risk remediation of it that involves teams outside of your locus of control. How many, if you consider that, if you do education and awareness, because you probably should, but someone will tell you you need an education and awareness programme, will they tell you you need to factor in all these other aspects? Will they tell you you need to work on your operational procedures? Will they tell you you need to work on your APIs between teams, of how you raise a ticket to the Exchange team, bearing in mind they've already got a full day's job load for that day? How do you get into that list? How do you

become a priority? How do you work with them? Most of which is relationships, but how do you do it? Oh, that's the difficult bit. You need an awareness programme and you need our thing with widgets. And why do almost every security company in the world make products with the worst interfaces possible? I mean, genuinely, it looks like we write software from the 80s when it comes to actual usability. You know, my two-year-old could navigate an iPad; I need a PhD just to understand the dashboard, because even the language in it... We can work it out, generally speaking, that's if we ignore the noise, because most of it is unhelpful, because it doesn't tell you all the

different building blocks you need to put in place to make a marked improvement. They don't tell you that you need to empathise with your business people. They don't tell you that they don't care; they do care, but they've got a day job, and generally speaking they've got a really full day job. And I know that we're working remotely, and no, that doesn't make the risk exponentially worse because all of a sudden they're at home. People have worked from home for years. Oh, but now the perimeter is no longer the perimeter. Yeah, it hasn't been for years, if anyone remembers the Jericho Forum, if anyone's old. There's a few older people in this room, or you

might be really young and just had a hard life. Zero trust isn't a new thing, it's just been badged for the stuff: de-perimeterisation and all that good stuff. They're good concepts, they're hard, they're really hard to do, but a lot of things that you get told out there simply don't work. You need to understand all of your assets. I think that's brilliant; I also think it's [ __ ] impossible. You can't, you won't, you can only discover the assets that you can actually discover. We can discover all your data, apart from the stuff that's in the safe over there, because that's not connected to a network. Oh yeah, we can classify all your data,

awesome. What words are we going to use? Confidential. Well, that's a word that's used, actually, normally; does it mean anything? Corporate. Oh well, that's used all the [ __ ] time. What are we going to do with that? DLP is really hard. They're all things that are actually hard and complex, and I know people call it the basics; the basics are hard, they are. You know, we're getting to stages where people say don't pay ransoms, let's make paying ransoms illegal. Fine, cool, all right, let's blame the victim, because you are a victim of crime, if we don't talk about, well, hang on a minute, we've invested billions of pounds in offensive cyber security capabilities; why aren't we using those against the

very people who are screwing over all of our businesses? Oh yeah, but that's really complex. What about international law enforcement, you know, cooperation? Oh, that's really complex. Yes, so is protecting myself from ransomware as well. All right, if I expose RDP I'm a bit of a dick, but sometimes it's hard, because people can make change. Guess what? People in your organisation can make change, and they do it every day, and sometimes they go for the easy answer, not necessarily the simple answer, the easy answer because it's easy, and it's hard to stay on top of that. It's not always our job, but it is complex, and the way we actually start to overcome some of this is to actually,

sorry, it's the 45th anniversary edition of this, because again none of this is new, we come together and we talk. But I don't tell you that I've just done an awareness campaign, it's fun and awesome and it's absolutely brilliant and everyone engaged with it is absolutely super, and you know, I did this and I did some videos, it was brilliant, because that's not the truth. I tell you what we did, what pitfalls we hit, how many people really engaged with it, the problem we have with getting people engaged, how we tried all the different mechanisms and everything that might get people more engaged, what worked in some of our areas and didn't work in

others, and you tell me what works in yours, and between us maybe, ah, you know, I might try that, I might try that and see if it works. It might not work in my environment, because my environment is unique, your environment is unique, yours is unique, and all of yours are unique. Every single business is unique. That might sound like bollocks, but there's an exhaustive list as to why your business is unique: you have different employees. End of list. But maybe if we start talking to each other properly, and it's scary, because I've got to admit then my failings, I've got to admit I've got things wrong. Guess what? I've got things wrong all the time. I've probably got

about seven or eight things wrong this week. So we do that, that's how we learn; hopefully we don't make the same mistakes seven or eight times next week, the same ones might do, I've got a bad memory, especially when I've been drinking. But if I admit my failings, and maybe you go "well yeah, I've had the same thing", right, so what do we think, how do we come past it? And actually we don't just talk as a security community, because then we stay in this little myopic sphere in our own little echo chamber; we don't talk to those weird people over there in networks, finance and stuff. We have to have proper conversations, and grown-up and adult conversations.

That's how we change it, not some tagline in a news article or some webinar that's trying to sell you this thing over here. You talk to real people. Some of them are vendors, some of them are consultants, some of them are managed service providers, because there are good people in all of them, and you'll find good people to have proper conversations. Gary Sivanesen to me is one of those people. We have conversations all the time, and even though he is genuinely someone I really, really, really look up to, he's in my top three people in my environment of IT, business and security that I really look up to, I absolutely hold him on a pedestal, and he

asks me questions as well, because otherwise he lives in this little myopic sphere on his own. So we have to come together and do it differently, not just talk about coming together. Things like this, where we can actually share things, but things when we go out there and share, or when we're in the pub, or a DM over Twitter or something, we can actually have proper conversations and learn from each other and genuinely listen. If you held the two up the wrong way, mate, yeah, I know, you usually show me the other way around, that's it, better, thank you. I'm going to end it there. You've literally got a minute or so if you want to ask any

questions, but I might throw them back at you and say, does anyone else know the answer? Go. Okay.

Yep, one thousand percent, and a hashtag doesn't sort it, a hashtag does not sort it, you know, whichever ones you want to call about, whatever things are making for a safe environment. We make it a safe environment by me allowing you to have that idea. Some people won't do it, all right, someone says "that'll never work, [ __ ] off". I allow you to have that idea and we bounce it, we bounce it, we talk. It's hard to do it in a big forum because there's always dissenting voices and it gets drifting off and taken away and it becomes all these things. You can collaborate, but collaborate small and then grow, and mostly ignore the dissenting voices.

You know, there's a lot of people talk about things like imposter syndrome, which fits into that as well: I don't want to share my idea because most of the people out there have [ __ ] it. The biggest skill that we have in the cyber security industry, and I will stake my life on this, is the people doing the job today. I'm sorry, but it is. There are a lot of very, very, very good people; there are a lot of people who are not as good. Find the people who are good, find the people that you trust, find the people where you can have that conversation to bounce ideas. The good people will pat you on the head,

put their arm around you and talk about the idea, talk about what environments, how it might work, challenge you to do due diligence on your own ideas, you know, and that's how we grow, that's how we get better. And we have to almost individually make that safe. I don't think we can ever collectively make that safe; there's too many vested interests. [inaudible]

[inaudible]

What do you think? Do you think siloed teams help?

[inaudible]

...challenge really comes from having a management team that are prepared to facilitate the cross-silo conversations, and then [inaudible]

[inaudible]

...boundaries that don't end. I agree with your whole heart; the only one bit I've disagreed on, I don't think it requires management, ideally, because you can just do it, you can just talk to people. The one mantra I would always say, and it's an old one, it's always easier to ask forgiveness than permission; it's a lot [ __ ] quicker. You know, some of the best relationships I had at HMRC were with some of the architects in Capgemini, because we recognised we could make each other's lives easier just by talking, and we knew there was a point where we had to have commercial discussions, and that's when we stepped away. But

before then, if we talked, wow, that made their changes a lot easier to go through, because there was less assurance and [ __ ] armour to go through, and I got what I wanted, and I knew, and I built trust relationships. And that was the cross boundaries that we shouldn't have done, or I was in a little jurisdiction of being a certain level of seniority, but my team members did it as well. You know, empowerment is a word not misused but mis-implemented; autonomy is the same as well. You, as an individual, go talk to people. If you have a "we never get anything from this team here, don't talk to them", you don't understand what they do for a day job,

how much workload they've got, probably a [ __ ] ton of it, and that's why it's really hard to get anything from them. Start to build a relationship. You're not always going to get success, but you're going to get better. You're just going to go "ah, I wish someone would do something about this", or [ __ ] do something about it. Don't talk to him, build up a relationship, even in your own business.


How many of you, just to go off that, how many of you have got a strategy in any of your business areas, not just cyber? How many of you have got a strategy for your team? It might not be that you own it. I've got a strategy, yeah. How many of you have published your strategy for everyone in the business to see? Why not? It's really simple. Someone might not read it, but just put it out there. Then anyone who happens to be really, really bored and looks, and at least you know, scrambling, they might be on the internet trying to find something really useful like "how do I book holiday", and you know, six days later,

when they still haven't found it, they might stumble onto you. What's this? Tell them what you're doing, tell them why you're doing it, tell your story. It'll engage with some people. Put your profiles on there, tell them about yourselves, make it human, make it reachable, make it transparent. Why am I doing this thing which might be an impediment to them living their life in the workplace? I'm hopefully not going to be an impediment; that's the other side of transparency. I want to read, but I want to tell them, I don't want to just do it to them, I want to make them part of the journey. They might not be invested, they might not go "oh wow, they just published

a new cyber security strategy, well God, the page won't load, there's so many people trying to get on the bugger". No, generally speaking, you know, things like security policies, the only poor bastard that reads them is the poor bastard that wrote them. You know, they're not riveting, because God knows [ __ ] to policies, thou shalt not, without any risk. But just publish stuff, get it out there. Not everyone's going to read it. Don't say "oh, we're going to do a blog every week", because that's really hard, because you've always got to have content, but things like strategy and stuff like that, publish it, let people read it, let them understand that, and then, pretty good, let them ask questions.

[inaudible]

I was like, and then I was like... So we had a great conversation last night, yeah, we talked about cross-site scripting and the difference between, everyone knows, everyone knows, everyone's heard of cross-site scripting, everyone can talk about cross-site scripting. How many people actually understand what it means in practice? And it was going about the epiphany moment of really understanding it, really understanding it, and then going "now I can apply that business context, now I can simplify it to someone else", rather than just "cross-site scripting is a bad thing and you need to be far, far, far..." Yeah, why? What's going to happen? "Oh yeah, well, you know, something bad might happen."

Yeah, but what's the business impact? What's it mean to me? I've got seven features to deliver, what's the matter? "Uh, yeah, but cross-site scripting is bad, it's like high." No, what's it actually mean to me, because I've got all this [ __ ] to do? I had not been able to actually really tell people in the simple form what it means. And guess what? They're not always going to do what you want. Guess what? You're going to concede risk all the time, you are, all the time. You accept risk now. So one of the best things is when you uncover a risk, everyone goes "wow, no, we've got to do something". It was always there.

You've by default accepted it for God knows how many years; all you've done is uncover it. That's actually a good thing, that's a step forward, because now you know. Well, now you know some of it. Now you can dig a bit deeper before you set your hair on fire and go "far, no". It's a good thing. Now you're a step further forward than you were yesterday, because that was there yesterday, you were just blissfully unaware. Now we need to dive into it, now we need to simplify, now we need to understand the business context, the effort involved to do something about it, and then make decisions or help other people make decisions, and they're not

always going to be the decisions we want them

[inaudible]

The one that I would probably most likely get into bed with is health and safety. Health and safety, or near misses: why do they report near misses? Because it can stop someone dying. How many of us report near misses? That's a giant show of hands here. Everyone's really tired, I know, I can't even get it. Yeah. [inaudible]

I've spotted this, it is a near miss, absolutely. We need to just think of it that way. That's probably the industry that, of all of the ones, I think health and safety is what we should really think about, and how we approach some of this.

[inaudible]

Yeah, it is a little bit of an easier subject matter. It's a little bit like, there's a risk when you cross the road, yeah, it's quite tangible when you see a big metal thing coming at you, that's quite a tangible threat, isn't it? You're like, yes, but guess what, people get killed on roads every single day, and we all know that thing's heavy and that thing's going to really do some damage. But you know, that's, I've accepted the risk. If I decide to run out between parked cars, I'm accepting the risk by default.

[inaudible]

Potentially. So it's a bit of a wishy-washy answer, mainly because we're crap at legislation and we're even worse at implementation, and generally speaking people see it and go cha-ching, make it rain. What's that, the GDPR? Make it rain, hang on, let's get a countdown clock on this [ __ ], sorry, you know, because then it's an opportunity for someone to make... I think it is, so long as we talk about it practically, at a practical level. Just again, simple steps forward: thinking about things like near misses, thinking about things like publishing your strategy, talking to other teams, one step forward. Think about where do I want to get to and what are the different blocks to get

me there, and how many of them do I control? So therefore, how many of them do I need to improve relationships and APIs between teams? I think we're quite overwhelmed.
