
Thank you all for joining me here today. When I say so, I'm going to ask all of you, even our folks joining us remotely, to close your eyes for 30 seconds. I want you to think about your memories, experiences and interactions in a library. Ready? Close your eyes. The timer has started.
[Music]
Open your eyes. Now, I know some of you are spread out, and do your best, but I'd like you to turn to a person next to you. I'd like you to ask them to share their memory of using or visiting a library, then share your memory with them. For those of you joining us remotely, please participate as well: just think of a memory and say it out loud, or tell it to a pet or a human who's nearby. Again, I'll give you 30 seconds. The timer started. Talk amongst yourselves. [Music]
Uh, [Music] all right, the timer is up. 30 seconds is up.
Okay, wrap up your conversations. Thank you. [Laughter] I didn't realize people were going to be so chatty. Normally with this crowd they're, they're not. So, um, [Music] okay, so by show of hands, who had a positive or inspirational memory? Show of hands, positive or inspirational. Excellent. Hands down, thank you. Now, by a show of hands, who had a negative memory? Don't be shy, I won't be offended. Anybody have a negative memory? All right, you need to leave. And I'm just kidding. No, no, thank you for your honesty, I appreciate it. Okay, so did you see, it was most of the room that had positive experiences. Now, if we were to ask people about their experiences with information security,
do you think most people would have warm fuzzies? No, right? Librarians and infosec professionals have a lot in common. We are both subject matter experts. We both provide knowledge, guidance, instruction. We both understand something that can be confusing or overwhelming at first. So why do libraries rank so favorably and information security so unfavorably? Well, that's what I'm going to try and change. [Music] Welcome to "Long Overdue: Making InfoSec Better Through Library Science". I'm Tracy Maleeff.
[Applause] So before I became InfoSecSherpa, I was LibrarySherpa. I have a Master of Library and Information Science degree from the University of Pittsburgh. Go Pitt! I began volunteering at my local library when I was 13 and have worked as an academic, corporate and law firm librarian before bringing my skills to information security. I'm here today to show you how we can learn from the successes and failures of librarians, libraries and library science as a discipline to help make information security better, using my unique perspective of having a foot in both worlds. [Music] Libraries have been around a lot longer than information security. This is obviously a very brief sampling, but I'm using it to demonstrate how
young information security is compared to other professions and industries. We are still growing and changing, and we still have a lot of work to do on ourselves. Now just take a look, a look at that for a second. Look how long ago some of the oldest libraries have been, and some of the more quote-unquote modern libraries from the 16, 1700s. Some of them are still operational today, like Bodleian Library at Oxford University in England. But information security, I was kind of grasping at straws here. I decided to pick first digital computer, you know, and then, then you got ARPANET, and then you have Cliff Stoll's book. Look how recent that is. Most of us, you know, the, the second two,
that's in most of our lifetimes. So I want you to understand that I feel this comparison is just, because library science has been around for a really long time and we can learn from them, and we have to remember that we are still a young, growing industry. So to get everybody up to speed, I'd like to give you a super quick overview of modern library science, and I'm not kidding, this is a super quick overview. So we got Gabriel, first one. French librarian and scholar Gabriel Naudé wrote "Advice on Establishing a Library" in 1627, and that work is considered to be one of the earliest foundations of librarianship. Next, we found out whatever the hell
Thomas Jefferson was doing in Monticello. Pause for obscure Hamilton reference applause break. Anyone? Anyone? Okay, thank you. He created a classification system for his personal library. Then in the year 1800, U.S. President John Adams improved, approved, not improved, approved an act of Congress which is considered to be the beginning of the Library of Congress. Quick show of hands, who's been to the Library of Congress in person? Excellent. Go, it is so cool, it's really cool. But then cut to 1814, when those pesky Brits burned down a lot of Washington, D.C. Do we have any British people here right now? Oh, okay, you know what, we're gonna have a word later. Okay, those pesky Brits burned down Washington,
D.C., including the books of the fledgling Library of Congress collection. So what did Thomas Jefferson miss? Second pause for Hamilton reference applause break. Okay, no, no, we'll keep going. [Music] He missed nothing. He was on top of it and quote-unquote generously offered to sell his private library collection to the U.S. government. Yes, you heard me correctly: not donate, but sell. In 1815 the U.S. government paid him roughly half a million dollars in today's currency, uh, today's value, for about 500 books and the information system about his classification system that he devised. Once he did that, his private collection then became the foundation for what we know today as the Library of Congress, and you can see a lot of his original
books in the Library of Congress. So this is how we got started with, with the libraries in America, basically, was Thomas Jefferson collected books, devised his own classification system and then generously got half a million dollars in today's value for that collection. But moving on, I do want to say that yes, I am very well aware that this is a super-duper American-centric based timeline, but I am afraid that is what I learned in library school. So if you do want to learn more, um, I do encourage you to, you know, investigate on your own and do some research, but I just wanted to kind of give you a quick snippet to bring you up to speed to
where we are today, and I am acknowledging, I know this is very American-centric, so apologies to our non-U.S. folks. You do have your own very robust and strong library histories. [Music] Another quick show of hands, who here has heard of the Dewey Decimal System? Okay, well, sorry to burst your bubble. Um, I'm glad that you've heard of it, but I want to drop some harsh realities here: he was a jerk. I need to share some harsh realities with you today. Unfortunately, one of the commonalities library science and I.T. and infosec have in common is the presence of inappropriate behavior by pressure professionals in the field. Yeah, I went there. Yeah, I did. So yes, while Melvil Dewey's
classification system did revolutionize library science, it was also very flawed because of Dewey's racist and misogynist opinions, views, worldview, et cetera, beliefs. Librarians have been working tirelessly as early as the 1939 to correct all the racism and other bias that were built into his system. Presently, groups like the American Library Association have been removing Dewey's name from awards and continue to improve upon the long-standing wrongdoings of his classification system. But on a happier note, there are other classification systems that aren't racist and misogynist. So I want to just take a minute to talk about controlled vocabularies in information security. [Music] So Dewey is not the only classification system, but I understand why it's the one you're most familiar with, because it's
prevalent in schools and public libraries. But me, as a law firm librarian, I use Library of Congress, so to me the letter K means law, and I could not tell you what law was in Dewey Decimal because I never had to use it as a professional. Uh, but there's some other ones. So the medical librarians and the NLM, National Library of Medicine, they have MeSH that they use. Uh, so this is something I'm very passionate about, is, is that we, we really need to have, my wish for information security is that we have an industry-wide infosec classification system, controlled vocabulary. Some of what we use comes from the military and we've incorporated into our own infosec lexicon,
but we also have some very unique phrasing that really, in my opinion, should have a ruling on whether or not it should be used. I'm looking at you, vishing and smishing. I'm looking at the two of yous. Okay, yes, we have lots of resources and we publish glossaries defining these terms, but what I feel like we're really lacking in information security is a centralized authority that makes determinations on the validity of phrases. In library science there's a publication called the RDA, Resource Description and Access. When you catalog a resource, which basically means the application of descriptive metadata for that item, you consult an authority like the RDA. So my wish for infosec is that we need
to develop a robust authority for the language that we use. Uh, it will be less confusing for users, for professionals, for journalists, for everyone. And please don't be thinking, or say to me afterwards, "Well, why don't you just do it?" This is not a one-person job. I think there might be a small group of individuals who contacted me once who is trying to work towards this. This is definitely a committee and organization and institutional thing. This is not something a single person can do. Um, you know, you might argue, well, Melvil Dewey did it, but he was a racist and misogynist and he had sole control over the vocabulary, and look where that got us. So we need a diverse group of people
to give input and to be an authority, authoritative body, to really, to delegate what sort of language we use. And now keep in mind, this is also going to help you communicate better with your stakeholders, right? You know, if you start throwing words around like vishing and smishing, I really hate those, that's why I'm just going to publicly shame them, um, do you think the CFO on the board that you're wanting to approve your security budget is going to understand what you're saying if you're just kind of using slang or words that can't easily be understood or defined? We need to come together on this, and that's something that I really, really want to happen. So I'm putting that out
there. All right, now I'd like to get to our main course. In 1924, a librarian and mathematician in India wrote the Five Laws of Library Science. Now, I like to keep in mind, for the updated interpretation, the word "book" really goes beyond just a paperback or a hardback. It can mean a digital resource or any other offering that a library may have. Case in point: did you know that many libraries have 3D printers that you can schedule time with at no charge? It's true. You may have to bring your own filament, is that what it's called? The stuff you put in to make the thing. You may need to bring that, but the machine itself is available to be used
for free at many libraries. You can also use gardening tools. You can borrow a rake if you need one. You can borrow household equipment. Libraries are borrowing things. So "book" really doesn't exist anymore, it's just "resource". So in 2022, consider a book to be some sort of resource or tool of any kind. [Music] Now you've, you've had a chance to see here what these five laws of library science are. I'm going to go through each one and kind of dive in a little bit further, and I'm going to help draw some correlations here to information security, because I want to emphasize how much we have in common, how much we can learn from them. So let's dig in a little bit to the
first one. Books are for use. Resources are for use. How about technology is for use, apps are for use, devices are for use. Your, wherever you see "library", I'm going to try to just change this out with a security term. Your, your security team should be a welcoming environment. Insert chuckles here. Your security should provide easy access and convenience for the users. Do you do that? Do people know how to contact you? Simple as that. Are you squirreled away in a secret room in a building somewhere, or are you all distributed and nobody knows where the centralized security team is? The primary duty of staff is a curator. Do you know all of the security components, what's
going on in your, your enterprise? Are you working with your IT teams? Are they using insecure software and you don't even know it? Are you curating all the security within your enterprise? [Music] Books are for all. Security is for all. Technology is for all. The security team should provide education for every person. Now, you may just think, well, that's just security awareness. Okay, but do you really do a good job with your security awareness? Do you treat it as, you know, as a throwaway thing that people don't care about? Do you mock it? Do you put little value on it? Or do you rather just spend time rolling your eyes and making fun of all the
users? The security team needs to be knowledgeable. You need to stay on top of stuff, what's going on in, in the news. I said this actually to one of my bosses, Chris Krebs, of the, the other day. I said, I tell people all the time they need to be on top of the breaking news stories, and you should be able, if asked, to translate that into layman's terms. If asked, if you're in front of a board or front of some sort of governing body that's trying to give you money or give you support for your security team, and you can't explain to them in easy terms what happened with the Colonial Pipeline, then you need to
to go back and hit the books, as it were, and stay knowledgeable. You need to anticipate the customer's needs. Is there new tech coming out? Is there a new iowa, you know, watch coming out? Are there new issues coming out? Are there new attacks coming out? Anticipate the needs of your users. Don't be knee-jerk reactions. Get ahead of it. It'll be so much easier to manage. This last one, if this does not ring any bells inside your head, then I don't know if I can help you. Does access control sound familiar for information security? Libraries have access control too, it just looks different. There just might be books that are behind the desk that are not in
circulation. Did you ever go to a library catalog and you'll see something listed as "no circ" or "non-circ"? It means you can't take it out, because they have access control, because the book may be valuable, it may be stolen a lot, it may be rare, it may be a rare book. There's a lot of times very old books that you can't handle yourself, you have to get a skilled archivist or librarian. We all have access control. Libraries have access control, they've had access control. We have access control. We can learn from them. Every book has a reader. Every security has a user. Every tech has end user. Again, classification system: we really need to get on board as an
industry, as a community, getting one common language used. And please, for the love of Jeff, stop coming up with these new marketing terms, you know, smishing, phishing, squishing, whatever. All it does is confuse the people using the technology. It's phishing. It's phishing. Just call it phishing. That's all it is. Let's give the end users one term to remember and stop dividing it out. I have yet to hear an argument why all these duplicate terms are necessary. If you have one, talk to me later, but I have yet to hear one, other than it just causes confusion. And what else do we have? We want awareness, person to person. Do you actually talk to your users? Do you
interact with them? A famous story I tell is when I first started, and as a SOC analyst at a global pharmaceutical company, I replied to a user's email, to which she wrote back, "Oh, there's humans in security? I thought everything was automated." And I turned to my manager at the time and I said, "Don't you talk to anybody? Don't we talk to anybody here?" You need to interact with people. They're humans, we're human. Security at the root of it is a human problem, right? Sure, there's ones and zeros, and sure, there's networks and OSI models and all that stuff, but at the very root of it, it's a human problem. So don't disregard the humans in this equation.
And again, education offerings, not only for the, the users but for the staff as well. Is the staff up to speed? You know, are you given some sort of budget to take classes? Is it enough of a budget to take classes? These are really critical issues, and I know a lot of companies feel differently about this, but this is something you really need to stress. Or if you're trying to negotiate for a new job, make sure you get some education credit in there, because you need to stay on top of stuff, otherwise you're just kind of chasing after things and not really getting ahead of it. And use that terminology if you're getting pushback. You know, do you want a
security staff who's, you know, behind the times, or do you want a security staff who is ahead of the wave? [Music] Save time for the readers and the staff. So just kind of like what I was saying before, um, you know, you need to save time for yourselves to educate, not only educating the users. Increase visibility. Maybe have a security fair. I know a lot of people love to roll their eyes at me when I say October, Cybersecurity Awareness Month, get a cake. People love cake. Have a cake with a lock on it or something. Do something. Make it visible. You know, make security visible. Make it, you know, we live with it in our lives
every day. Don't make it this secret squirrel thing that you can't see, that you can't touch. Make it known to the, your customers, your users, your employees, whatever you want to call them, that it's a living organism that can grow with their needs, can grow with the problems in the world, and it's something to be celebrated, not feared and not hidden away. Assess readers and understand their needs. So ask questions. Ask them, ask them what they know, what they don't know, why are they doing things. You can do that in a way and not sound condescending. Um, a story that I love to tell is, there is, uh, there was a woman who every single day reported the company-wide
newsletter as a phish, every single day, and all my co-workers would just roll their eyes, like, "There's Betty again," and blah blah. So I finally said, "Did anybody ask her why she does this?" No, they'd rather complain about it. So I called her Monday. "Hi Betty, I'm Tracy from the security team. Just, just a question for you. You know these emails that you get, the company-wide newsletter?" I said, "I see that you report them as a phish every day, and I'm just curious as to why you do that." Her response was, "I thought that's what I was supposed to do." So somewhere there was a breakdown in communication or instruction along the way, and rather than rectify it,
the team I was on at the time thought it was more fun just to make fun of it. So when I explained to her that, you know, this particular email, you know, is safe, I said, "But yes, if you do see something suspicious about it, then report it, but just don't automatically report it because you see it coming into your inbox." So I spent at most maybe five minutes of my day kind of going through that with her. Emails disappeared, because she was getting the information she needed. She was misdirected, she was misguided. It took five minutes out of my life and also then, in the, in the long run, caused us less work, because what did
the team have to do every day? Deal with that email. So I just was beside myself, like, you need to talk to people. And that's the librarian in me, that, you know, you might want to call that HUMINT if you want to be in a real infosec-y about it. Sometimes you can get an answer just by talking to someone, and I know, like, picking up the phone is anathema to many people. You need to get over it. That's a lot of times how you get to the root of security problems, is just by talking to someone. [Music] So in the original five laws of library of science, the line for this was the library is a
growing organism. That was updated to the library is always changing. What's the only constant in infosec? Change, right? I often refer to infosec as a Sisyphean task. If you're not familiar with the tale of Sisyphus, it's the person who was doomed to rolling a rock up a hill for, for the, like, for duration of, of all lifetime. That's kind of what it feels like, right? And yeah, there's a downside, and I'm not trying to all bum us out right now, but there's so many positives we can bring out of that task. You know, we can, we can anticipate threats coming and warn people, or batten down the hatches of our network as necessary. You know, consider the needs of your
organization. Do you know that your company's looking to grow in maybe another country or another state or something? Get ahead of that. Do some, you know, easy OSINT or threat intelligence. What sort of challenges might you face if you try to open up a call center in Qatar? Just to throw a, you know, country out there. Not picking on them. Um, watch the World Cup this fall. Um, so, you know, it's important to plan, to plan ahead. You know, are there going to be layoffs? That could indicate possibly insider threats. You know, and I know that the security team isn't always on top of this, but this is where your person-to-person comment, uh, content and your HUMINT come into play.
Maybe put the onus on your upper-level bosses: "Hey, can you get looped in with HR? I'd like to know if there's maybe a mass layoff coming, because that could really be a problem for us." Or if you start to see a lot of exfiltration of data, maybe run it up the chain: "Hey, are we about to let go a bunch of people? Because I see a lot of people, you know, bringing stuff out of the network." You know, things are always changing, so you need to be on top of it. And if you're familiar with the Ferris Bueller movie, you know, life moves at you fast, right? You need to stay on top of it.
All right, let's take a minute. Deep breath. That was a lot of information I threw at you, right? So now, you know, we, we looked at [Music] whoops [Music] so we looked at how we can apply the five laws of library science to infosec, but I have a proposal for five laws of information security. Let's have at it. [Music] So now you, some of you may be looking at these five and be thinking to yourself, "Well, this isn't anything new, this is what we do now." Great, then you're better than most of the other people in this space. But do you apply this consistently? Is it updated regularly? Are your SOPs and your playbooks updated regularly,
or does one person hold the keys to all the playbooks, and then they leave the company and then nobody knows how to do it, because, you know, Bob was the only one who knew how to do that? Don't hoard knowledge. Hoarding knowledge doesn't make you more powerful. Okay, I think a lot of people confuse hoarding of knowledge with, with power, when all it does is make your enterprise weaker if you don't share that knowledge. So, and then, do you actually practice what you preach? Does this, does the security team have one set of rules, always logging in as admin, but then you're admonishing others for doing the same? So these five here, just my suggestion,
and this always can be improved upon, but the bottom line is, make sure your information security program has a clearly defined set of purpose and guidance that is adaptable to your users' needs, your team's needs, your organization's needs and the changing world around us. You know, you may have pages and pages, again, of those SOPs, or there's playbooks, or there's guidelines. It might be stored on your intranet, but can people actually find them? Do they know where they are? Have they been updated? Does it reference an outdated version of an iPhone? Do you think anybody's going to take security advice seriously if you're referring to a Zune on, on your site? And do you have something succinct in a,
in layman's terms that people can follow? Sure, you may have more advanced users. Then guess what, then you can create a second set, set of instructions. How many times, I know that I've run into this, when you try to discuss security with one of the IT folks who, because they're in I.T., think they know as much or more than you, especially me being a woman in security. Well, they don't, because security is my job, not theirs. So fine, if you need to create a more high-tech-level explanation to account for those people, do it. Do it. Don't fight them. They're just, they're, they're going to look down on you no matter what. So you know what, if you want them to be
secure, speak to them in their language. If you want the less tech-savvy people to be more secure, speak to them in their language. It's not one size fits all. Library science, information security: growing organisms. You need to grow and morph and change to serve the different needs of the users you have. So what do you think? Thumbs up, thumbs down? Do you think that five laws of information security could work? Right, awesome. Any thumbs down? Anybody who wants to, like, huff out of here? You're kind of on the fence. I, I get it. No, I get you, I got you. It's hard. I'm sorry, I can't hear you. Okay, thank you. Yes, yeah, and the ones that I came up with
may not be perfect. You know, I'm just kind of spitballing here, because then this goes back to, we need that authoritative body, we need more input, this needs more work. But I'm introducing something brand new here. This is a first draft, but I want you to think about this, and if we can't do this as a community, do it for your own enterprise, do it for your own organization. [Music] But wait, there's more. Okay, one other thing I want to cover is the reference interview. [Music] But spoiler alert, I have given this talk many times and I am not going to go into it again today, because this itself is an hour-long talk. This is actually a slide from one of the
early versions of the talk that, that I've given. So, uh, most notably, I've given this talk, "Empathy as a Service to Create a Culture of Security", at DerbyCon 2019. I was one of the speakers at the very last DerbyCon, which, side note, I was stunned when they accepted my talk, because I thought that was a very highly technical conference, but as it turns out, highly technical people need to, need to know what empathy is and how to apply it. So I was very pleased how well my talk went over there. And then I was also a keynote speaker for The Diana Initiative in 2020 for this talk. So you can view my full talk,
um, either one, DerbyCon or Diana Initiative, on YouTube. I do have the, my last slide, I have a link to my Linktree, which all my talks will be posted there. Don't watch it now, just watch it later. Make some popcorn. It's good. But for those of you who have not seen this talk or heard about the reference interview before, I'm going to go over a quick rundown of what each of these steps means. So this is a seven-step procedure that is often used in libraries called the reference interview, as a way to really get to the root of what a user needs, what a user wants. So one, approachability. Are people in your organization scared
to report that they clicked on a phish? Or are they scared to report, and you're scared to approach the security team in general? Guess what, you have an approachability problem and you need to fix it. Now, I'm not saying you go out and you give, you know, hugs and, you know, unicorns and pink bunnies and all that stuff. You don't have to swing the pendulum that way. Be a human. Be empathetic. Understand that security is not their job, it's yours, and these things can be very scary and intimidating. You need to have an approachability factor. There's so many stories I could tell you, and I'll just tell you one very quickly, how approachability saved one of the, and the
companies I worked for. Uh, somebody from the marketing department said, we're going to have the CMO of this, insert really popular app here, um, talk to our marketing team, and of like 200 folks, and I want them all to download their new app that they're going to release so that we can all, you know, you know, make it a good impression on the person, blah blah blah. But they were too afraid to submit it to the general security email, so this came to me directly, and I said, "Let me look into that app for you." Oh, it took me all of like two minutes to go, "Oh, hell no. No." Here, this is a very insecure product and
we are not doing this. So, you know, I did not admonish her. I just, I just laid it out to her: "Look, these are the insecurities. I do not advise this. I really do not want, you know, please do not encourage people to download this." Um, long story short, I got in trouble for handling something independently, but I made the right call. That's another talk, for drinks, another time. But I was approachable. I solved a potential problem that could have been huge. We would have had 250 people downloading an insecure product and using it and then probably forgetting about it and leaving that insecure app on the network, and because I was approachable, I was able to nip
that in the bud. I still take pride in that, even though I got in trouble. Interest. Care about your job. If you don't like being in this industry, there's so many other jobs out there. I just, I really have disdain for people with a bad attitude. It really just irritates me. I made a choice to come into infosec, okay? I want to be here, I want to help people, and I think you should too. Take an interest in solving the problems, not pushing them aside. You know, I mentioned earlier Betty, right, because just kept submitting the daily wrap-up of the company, you know, blindly, because she thought she was supposed to. I took an interest in her problem,
solved it and also gave her some other phishing tips along the way. You'll be surprised how much taking an interest in your users can actually eliminate a lot of the problems you see on your network. Listening. Train yourself to listen for what people don't say. Yes, what they don't say. For example, oftentimes I have, what, an employee say to me, "I got an email, I clicked on a link, it went to this weird-looking website, and now I'm calling you." Okay, let's, let's rewind the tape there for a second. So I asked a very pointed question: "Well, what happened between you looking at the weird website and you calling me?" Oh, well, it asked me to fill in my username and
password, and then it didn't do anything, so I called you. Okay, well, your password is now compromised, so I'm glad you called. And, um, did not say those words exactly, but, you know. So, but why didn't they say that? Either they didn't know it was important, because security is my job and not theirs. Maybe they were embarrassed. Maybe they knew they did something wrong and they were too ashamed or didn't know how to phrase it. But again, through approachability and through listening to what they didn't say, I was able to piece together what happened and was very quickly able to block off their account, change the password, so we didn't have an issue. You know, and
you know, you need to understand that a lot of times users don't know what is important to us. So this is why you need to train yourself to listen for what they don't say. And, and a lot of people have problems and struggle with this and ask me for assistance, so this is a guideline I can offer you that might help. You know the checklist in your head, how to remediate an issue. If you don't know it in your head, then physically, you know, write it down or type it somewhere. Tick off the boxes when they mention things. If there's some, there's a, if there's a box left unticked, that's when you circle back and you ask the specific question
to get that box ticked. And it may be nothing. They may just be saying, "Oh yeah, I just closed it, I didn't do anything." Okay, but you didn't, they didn't say that. So rather than have an unknown, just ask. Interviewing. So while it's good to be, you know, good at listening, again, circle back and ask those questions in a non-threatening way, non-mocking way. You're not out to humiliate someone, you're there to troubleshoot. Ask specific questions to get the answers you need to fix the problem. You know, and sometimes you do get resistance. One time I, I knew for a fact that a user had given up his banking username and password, because of, you know, the blinky box tools that we have,
I was able to clearly see the POST request where he was giving up his information on a fake bank site, but he swore up and down that he didn't do it, that he didn't do it, that he didn't do it. And I'm like, "I got receipts, dude." Inside my head I'm saying that. Um, so I left him with all the contact information for his bank. I was like, "Okay, like, well, you know what, I think you might want to reach out to your bank. Here's all their legitimate, you know, information." So I get it, I get that not everybody's going to be willing to work with you. Leave them with something that they can do in their power, and then you've done
everything you can and then document document document searching i've already mentioned it a bunch lately osint humint whatever you need to do to get a second opinion if you're not sure about something or get help solving a problem i can't stress this enough sometimes a single phone call can solve something um just another quick story of la i always like to tell have story time remember librarian aspect we'll do all these little little tidbits of story time i was working late one night i saw one of the uh computers in europe was going nuts you know lighting up lighting up the enterprise and lighting up the network and because of the time of day it was
over there i was like oh this is sketchy um i looked up who the user was immediately it was a security guard okay it's probably an overnight security guard they were downloading a bunch of stuff reached out using the company you know chat internal chat system not getting any answers it dawns on me this person might not speak english so i went to an online translator the very first sentence was i am using an online translator and then proceeded to ask my questions response right away in that and not in that non-english language throw it into the translator went back and forth he was just bored downloading photos i asked him to stop he did he was so sorry
and i then walked him through using the translator how to you know run the antivirus and all that stuff all these things remotely done you know i didn't panic i didn't think this this is it this is it the russians took over the network you know look into stuff you you know and then had that thought of oh he might not speak english you know do things like that but also i stress if you're going to use an online translator tell the person you're using an online translator because it doesn't really translate exactly well and it might look really strange to them and that might also give them pause but also also that's why i use the
internal messaging system but again he knew okay she's using an online translator this is why the language looks very strange to me so answering what does your correspondence or messages look like to the you know to your consumers um you know do you sign off do you have you know a sig file or do they know that they're corresponding with the manager or a soc analyst and that's not like an elitist thing but if you're an end user experiencing a problem i kind of like to know who i'm dealing with you know i know i'm gonna start i'm gonna make a bad joke here but yeah i need to speak to a manager well yeah because maybe
maybe you're not really getting anywhere with someone and you know that's maybe that's a fair assessment maybe that analyst doesn't care about their job and maybe isn't doing all these steps that we're talking about today so you know again how do how do you tell your internal customers you know that you're working on things for them i in my talk again i don't give too many spoilers because i want you to watch my original talk but i give a sample of an email that two sentences convey four very pieces important pieces of information it acknowledges the person's problem it told them you know when to expect an answer you know it it acknowledged what the issue was things
like that so is your car your correspondence doesn't have to be pages and pages long it you know it just has to be succinct and give information i know that i as a customer would feel so much better having a two-sentence email that had four pieces of information to know oh i can expect to hear back from them by the end of the day tomorrow they know that i reported a suspicious email they know who i am i know who i'm talking to that would put me at ease and then follow up are these solutions you put into place actually working no no i don't expect you to follow up with every single betty in your organization but can you just
tell by looking at your logs or things that you put in place working are you still having the same amount of false positives or or you know all other indicators you know are these things working do you really check up on this or if you do have an individual frequent flyer who always contacts security do you check up with them periodically um you know that those things are important because they you know some people might need a little extra hand holding and yes some of those people might be executives okay um you know if you have an executive who travels around the world a lot you know are they going to different countries like oh have we scanned your phone since
you got back from vietnam uh we should probably do that um you know are you following up on things this is another way that you can you know get ahead of potential problems and really nip them in the bud through follow-up so i'm going to start to wrap this up now so what did we learn today we can learn from library science that you know there are so many applicable lessons and failures to be learned but let's let's talk about the lessons and the positives raise your quick show hands do you feel like you've learned something new today that you can apply to information security you feel like you've learned something excellent there's a lot we can learn there's still
more we can learn please go back and watch my empathy as a service to create a culture security like i said that that whole talk is just about the reference interview and i go in a lot deeper with that we could really use five laws of information security as a guideline we could really use a standard vocabulary these are things we need to work towards as an industry and as a community and just talk look at all these things that we went through today and yes i'll figure out how to get my slides posted but use the reference interview techniques to adapt them to your particular situation i know it's not one size fits all remember the library and security is
a growing organism change them as you need to but have some guidelines in mind you know at the very root of it security is human-centric and we need to think about it that way that's what the library did the library knows that it's dependent upon users they keep all kinds of stats about their um you know their circulation and who comes through the door and all that stuff because that's how they get their money a lot of times based on grants so think of it that way you need to think of the human element how you can improve security [Music] so i kind of already asked this already but just last show of hands everybody feel
good about this you feel like you library science can help us in the future everybody feel good excellent all right you've been a fantastic audience thank you very much i'm tracy maylief infosec sherpa you can see my talks and articles and things like that on my link tree thanks for coming [Applause] and i'm happy to take questions and whatnot [Music] yes in the back can you come to the mic i'm sorry it's really hard to hear
so in uh i feel there's a term uh which is relevant but translating the term from a technical definition for people who are working in the space to a non-technical definition for executives and policy people there's a big disconnect in how what they actually end up hearing like they don't understand they are thinking one thing and we're thinking completely um what's the best way to reconcile the fact that the technical definition i mean how big of an organization are we talking is it something that you can actually have like head like face-to-face meetings or too big too big okay um can you have it do you have a carved out piece on the internet that people
can go to where you can establish these these explanations and terms and like make a big deal about drawing people to it um there is well there's a lot of competing people but they're all trying to explain it to executives and the executives are like we got it you're like you didn't get it um is there is there somebody at the company who has an authority to oversee like language and stuff like that so i don't have all the answers i know this is a this is a thing of like the community as a whole has this problem yeah it's at every single company it's that like government's got buying a little bit i don't apologize i don't
have an answer off the top of my head but um if you want to um like maybe just like tweet that question at me um i can give it some thought maybe like write a blog post about it or something thank you sorry i couldn't answer off the top of my head but i don't sorry i don't have all the answers so thanks for coming [Music] okay for questions yeah sure i can if we're especially if there's another speaker coming i can get out of here all right okay so if you have any other questions we're going to be getting another uh speaker going but chris is going to be out in the hallway uh if you have
anything thank you so much for coming uh thank you to our sponsors as well