
Alex Dreams of Risk

BSides Orlando · 2014 · 1:03:37 · 73 views · Published 2014-04
Speaker: Alex Hutton
Category: Career
Difficulty: Intro
Style: Talk
About this talk
A personal reflection on burnout in security careers and how the concept of craftsmanship can provide meaning and direction. Hutton draws on his journey from sales engineer to CISO and risk leader, exploring how treating security work as a craft—focused on serving customers and developing others rather than ego—helps professionals avoid burnout and find purpose in their work.
Original YouTube description:
How the Concept of Being a Craftsman can Help you Find Meaning and Avoid Burnout. One of the endemic issues in our industry is burnout. This talk is a tale of how I came to grips with who I am as a security pro, what my work was about, and who my work was really for.
Transcript [en]:

But it costs a lot per piece. So today's discussion, and again, since we're the small track, I think we can have more of a discussion. Stop me and interrupt me. Today's discussion is kind of a reflection on my personal journey. I've been doing the security thing since the first Clinton administration. I got my start at PSE and originally my job was to start trying to sell people T1s, which were horribly expensive at the time. And T3s were, you know, the great white whale in terms of getting people connected to the internet. And they took me aside right out of college and they said, "Well, okay, you did a good job with that for 60 days. What we'd like to do is, there's this thing called a firewall and we want you to start explaining to people why they need these firewall things," because most people just had a Cisco 2600, if that, with some static packet filtering on it, right? And we wanted to upsell 50 grand for, you know, Gauntlet, or at least five grand for a Morning Star box. I just dated myself. So that's where I started. Currently I work for the smallest of the too-big-to-fail banks. Up until Friday my role there was technology and operational risk management, governance and compliance. So it was a lot of info risk, it was a lot of op risk. If you're familiar with banking and financials, you know that includes physical and fraud and a bunch of other stuff. And starting Monday I'll actually move to owning information assurance. So vuln scanning, our red team, security engineering, operations. I keep GRC; the op risk stuff goes to somebody else downtown, thank goodness. But that's kind of my path. In between then I've been a product manager, I've been a consultant. I've had a lot of fun. I used to work at a company called Verizon where we did the data breach report. I was part of that team, and I did some other stuff there as well.

So this talk was focused on the burnout question, because a lot of my friends on the Twitter or over drinks were talking about how they've gotten to this similar late 30s, early 40s part of their career and they're just done. And I see a lot of CISOs whose sole goal in life is to stop being a CISO but make the same salary level, right? And so that was part of it. As I've given this talk a couple times now, I was fortunate enough to do it at BSides Las Vegas and SOURCE Seattle. A lot of folks who may not be burned out but may be starting a career or trying to develop their career said they got a lot out of this too. So while this slide is going to talk about burnout, I hope that the concepts here are multi-applicable. So real quick, I'm not trying to trivialize anything here. It's a real and potentially devastating problem to figure out that you're in your late 40s, early 50s, you've got about 15 years of money-making left in your life, and this is where you sit, right? Burnout is very real and it sucks. And we're losing extremely talented people every year to burnout, either physically or mentally. And the last thing is, this is not a panacea. I'm not a professional. This is just my personal journey. Okay? And this is not self-help either. I'm not here to sell you a book and get you into my, you know, paracult. All I can do is tell you what works for me.

[Audience member]: But he does have a 14-step program. It's a cheap monthly thing from PayPal. You should not be here. Just sign up for the recurring charge.

All right. So I'm not an expert, right? I'm doing this because, generally, I love everybody that I interact with on Twitter and at conferences and at bars. You guys are my friends. I believe in what we do. I believe it's... really, the whole reason I got into the internet was my dad was like, "Hey, this," he was on it as a scientist before it was commercialized, and he was like, "This is going to be a big deal. You might want to look into it." And I kind of caught the love. So I believe in the discipline. I believe in securing it, and that we're going to help Western civilization with what we do in the long term. I mean, as long as there is a civilization at this point, there'll be something that smells like our internet, right? So I like what I do in that way, but that doesn't make the day-to-day grind any easier, right?

So let's just talk about burnout real quick. These are causes that I swiped right off of Mayo Clinic, right? Google's your friend. The first that they point out is a lack of control, right? And as I went through all of these causes, it just hit me why we might feel this way as an industry. Lack of control. Who controls the threat environment? Ain't nobody who does, really. We don't control that. We hardly control the products that we use, right? You've got that product manager, for those of you who saw that silly slide earlier. You've got that person controlling to some extent what you buy and implement to defend your network. So lack of control is very difficult, and I think we suffer from that. We don't own all the inputs. Moreover, who here is in security and has trouble with it? You're lying if you don't raise your hand. No, it's true, right? Sometimes we don't even control what it does. We don't control what the business wants, right? Some people ask me what I do on a daily basis and I say, well, generally the business sometimes wants to stick a fork in a socket, and my job is to tell them that might not be a great idea, or if they really are heck-bent on it, how they might survive that encounter, right? So there's a lack of control there.

I think we end up with unclear job expectations; that's another symptom of burnout, right? Unclear job expectations are kind of rampant, right? I mean, to some degree, if we're working as a firewall admin, or we're in security engineering and operations, right, your expectation is to work your tickets, right? That's straightforward. But if you think about what we do in general as a security department or security practitioner, the expectations that your CFO or CEO have of you may not line up with reality. You know, my CFO, too-big-to-fail bank, he emails me every so often with a phishing attempt that he identified, right? And goes, "This one slipped through your firewalls, you know, okay, thanks." So he has this expectation that my firewalls are going to stop phishing emails 100% of the time. No matter how many times I explain to him, look, we're at 99.x% effectiveness here, it still gets to his email box.

Dysfunctional workplace dynamics. We brought it up recently. I mean, heck, even security can get siloed. I've got silos personally between different areas of security and different areas of fraud, right? So check fraud, bank card fraud, wire fraud, that sort of thing. So dysfunctional workplace dynamics are another reason for that. And that only gets worse when... anybody ever try to discuss a vulnerability with the business owner? They have no idea what you're doing and they absolutely don't want to fix it, right? Yeah. That's

dysfunction. You know, I dread those conversations. Similarly, a mismatch in values. And this works both ways. In my experience, many times we get very caught up in how clever we are, the romanticism of red teaming, right? And that's cool and it's useful. And I'm not here to demean that. I'm going to be owning the red team function tomorrow, I guess. But we have this mismatch between "we think we're really clever and we're providing value" and the business is like, "I have to go make profits now," right? Both of which are incredibly important, but they all tend to be mismatched unless we really take a lot of effort to have those discussions and talk risk, right?

Poor job fit. How many people in here started out with security as their first choice in their career? How many people have a degree from a college in infosec? Did you get that straight out of school, Jake? Masters. Yeah. Yeah. So we can now get MBAs and such and all that stuff. And there are kids graduating with infosec degrees. But most of us, you know, I'm looking around the room, most of us in our age groups went to school for something completely different. We just kind of fell into this, and we may or may not love it, right? So is it a fit for our skills, or did we fall into this and kind of like it?

Extremes of activity is another one. Like, you're very busy and then you've got nothing to do, right? Many security departments, as I've been a consultant over the last 10 years (I'm not anymore, but when I was), many of them work from fire drill to fire drill, right? It's, oh my gosh, here's this problem. Let's go triage that problem and deal with it. And it's very much like a development shop. Unless you really make time to manage towards internal work and planned work as well as address this unplanned work, you're going to suffer from these extremes of activity. And that's going to continue to contribute to burnout.

A lack of social support. And I don't mean like, you know, talking to Jack on Twitter, right? Or having drinks with Jake. I mean when you're at the office and people don't understand what you do or who you are or what you're saying. Yeah. Project managers are a great example. You know, I've got this project manager who was sending me emails last Friday about how we're going to cause his deadlines to be missed. And the fact of the matter is the app's not ready, right? We're not testing it because your developers say the app's not ready and it's not going to be ready for another week, right? But I had no support from that project manager right now.

And a work-life imbalance, right? Anybody who's worn the pager, that's kind of outdated, I just showed my age again, but anybody who's, you know, I've got an email box full of 700 freaking alerts off of our network, I think in the last 48 hours. I have to run through those and make sure there are no criticals there that I've got to jump on. That's going to also contribute to burnout. So these are Mayo Clinic. I'll give some more specific ones, right? First, security is not easy.

[Audience member]: What's funny is you say we're at the pager, but we're at BSides, which predates the pager, right? Yeah.

So just some observations that I have: security is not easy, right? It's not easy because we don't control the environment. It's not easy because we don't control the threat, or for that matter IT, many times, right? Wow, what's that IP doing and where'd that come from? Security is a cost center. And this is a key one, right? Anybody here ever been a CEO, right? Okay. So just real quick, there are two ways that businesses create profit. One, they create new

revenues, right? And do so profitably. Or two, they cut expenses, right? And everybody knows that you have to cut expenses. We're a cost center. The intrinsic desire of a CFO is to keep us from spending money. Right? That's it, as far as accounting is concerned. The last piece, oh, I went through this. The last piece is that the benefits of security are not directly observable. They're not. If we're doing our job, nobody freaking knows in the business, right? I had to explain this to some folks, and we'll get into this a little later today. What you provide is no experience at all to the end user, or to management for that matter. And the only work product that you're presenting to the business is a report. So why do our reports suck? Right? That was the next question. We spent a lot of time working on our reports because of that.

So some personal causes, you know, as I reflect on this. Some personal causes that I have to reflect on when I'm not feeling like I'm doing my best, or not feeling like I'm very motivated to go to work that morning. First is this kind of Western expectation of self-fulfillment. Right? I expect the ticker tape parade, right? I want palms laid down on the way to my office because I'm securing the world, right? That's me. Hey, no incidents at the bank yet. That's a very Western, self-aggrandizing, egoist expectation. I have poor expectations of my audience sometimes. What do I mean by poor expectations of my audience? I expect them to get security. I expect them to get how clever I am. I expect them to get the sweet risk models I've built, the sweet threat models I've built, right? The fact that I'm one of the few people who are really digging into data for them, all this cool stuff. And at the end of the day, they're worried about where they're going for lunch because I've got an 11:30 appointment with them.

A lack of experience. We talked a little bit about this just now. How many of us are really trained to do this? We've learned on the job. And if you say, "Hey, here's some new concept," right, the experience that we've got is... it's not like this is woodworking, where we've been doing it for millennia as a society. It's very new in general. It's a very new industry. It's a very new job function. We all suffer at times, I think, from impostor syndrome, if you're familiar with that, right? But because there aren't a lot of experts that you can point at and say this person really is the very wisest of the wise and whatever they say is truth coming out of their mouth, we tend to look upon ourselves and be like, I have no idea if I'm doing right or wrong, there's nobody I can bounce this off of. You talk to people who've been doing this for longer than us, sometimes 30, 40 years, and they're like, yeah, sucks to be you, right? So that contributes to this lack of self-confidence at times. I have a personal stubbornness as well, which is, you know, I'm just not going to let go. The business, I think, is putting a fork in a socket and I'm going to do everything I can to stop you regardless of how much profit you think you're going to make, right? And this is part of it. I personally feel the need sometimes to be that expert, right? You've called me into the boardroom for my opinion and my expertise, and so I feel the need to be the expert on this and tell you about all the ways that you're going to electrocute yourself with fork-in-socket syndromes, as they're pervasive throughout the enterprise, right? So you've got some

you know, as I've reflected, these were some things that I realized contributed to, not necessarily burnout, but those days where I was like, man, I don't want to do this anymore. So at one point I ran across something which is kind of the crux for the talk here, and it's this concept of craftsmanship. I'm not going to butcher the Japanese word for it. There is an actual term. And I came across it because there's a movie about this guy. Has anybody seen the movie? Guy in the back. Great. If you haven't, it's really worth it. It's a great movie. And essentially this man's name is Jiro. And if I call him Jira today, forgive me, because we're trying to figure out what to do with our ticket system as we transition on Monday. So just bear with me. I've had Jiro on the mind for the last couple weeks. But Jiro basically is this, he's more than 85 years old now, but he's this very old sushi chef. He's still going at it as far as I know. Three Michelin stars, which is ridiculous for sushi. And it's even more ridiculous when you see his restaurant, which is basically this very small, innocuous sushi restaurant that's in, like, the Tokyo subway. It's not at the top of some building overlooking a great view. It's not in the trendiest neighborhoods. It's literally this thing right there in the subway. So it's very interesting, because what this movie does is it goes through: why does this guy, who generally has no real characteristics in terms of marketing and being a foodie and all that stuff, why is he so darn successful, right? And if you see this tagline, "fall in love with your work," and that concept of craftsmanship, that's what becomes apparent when you watch it. And I'll give you this clip.

[Movie clip plays]

So here you have this 85-year-old guy, and if you watch it, you'll see things like when it comes time to massage octopus, he does it for like 37 minutes or something. If I got that wrong, excuse me. Not 30, not 40, right? He has taken the time to learn his craft, to learn exactly what the feedback loop from his customer is. And he will sit there, and it's very fun if you watch the movie, he will sit there and watch the customer chew, right? Looking for any hint in their face whether they've found something displeasurable or pleasurable at that point. Right? So to me, I started realizing like, holy crap, what am I focusing on? I'm focusing on me.

I'm focusing on the secure thing. I'm focusing on being the hero, right? I'm not focusing on actual craftsmanship. I never thought of myself as that, right? I wanted to think of myself as an expert, sure. But the focus was still me, not the craft, not the product that I was delivering to the business. Remember, the business is interested in not having a product experience, for the most part. So again, it's about creating excellence in the eyes of your audience, right? That's the key. Our audience isn't Twitter. Our audience isn't Black Hat, DEF CON, BSides Orlando, right? Our audience are those people who pay our paychecks, right, who have hired us to protect them and serve them. And yet sometimes we don't really act that way. In fact, if we want to carry this chef analogy a little further, sometimes we act more like Gordon Ramsay right here than we do this somewhat humble 85-year-old guy, right? Because we end up screaming, hey, you're sticking a fork in the socket. I use that analogy on purpose to get to this point, to say that's a ridiculous way of looking at it. Like, you're sticking a fork in the socket and I know that's stupid, and you're like, I can trust you about as much as I trust my two-year-old son, right? So it's about mindset, to me. And this is something I have to remind myself of every day, because I get in the way of the mindset.

So with all apologies to Ron Swanson, I've got kind of a new life coach when I think about my career. So there's a couple of things that he talks about in this movie about what it means to be a craftsman. We'll just run through a few of these here. First is you must keep an obsessiveness about you, right? And you saw him say you must fall in love with your work, right? But it's critical to know that that obsessiveness, again, is not about you, right? The title comes from this quote: "In dreams I have grand visions of sushi," right? And it's not dreaming of work. Like, when I was 16 my first job was at McDonald's, right, and I worked the fry station for the very first time and I worked a six-hour shift, and by the end of the six-hour shift I went home and I tried to go to sleep and all I heard was the freaking fry beeper going off, right? I couldn't even sleep, as exhausted as I was. I've never worked as hard in my life. You know, that is not a pleasant dream, right? He's got grand visions in his dream, which is kind of interesting.

And also, again, it's the detail, right? The devil is in the details. If you give a deliverable to the business that includes visualizations and you haven't read Stephen Few, right, there's a great example there. It's a great thing to think about, right? Second, Strunk and White, right? If your deliverable includes copy, right? If you haven't thought about how people consume, and the room in which they're going to consume your deliverable, and their mind, all the possible mindsets, right? All of that stuff. Now, the product: I've talked about the product here, but that's the result of the craft. That's why you go through and you look for great examples on data visualization. You work on your writing skills and your communication skills.

So the next thing is, you know, it's dedicating your life to mastering that skill. In other words, it can't be a transient journey. You could become a craftsman to some degree, think of yourself as a craftsman and have a second career, and that's fine, right? But in his opinion, it's a life journey. This other concept, the Japanese idea of craftsmanship, is something that we're going to have to deal with whether

you like it or not, based on the evolution of the threat landscape, is that it's always learning and listening, right? And to some degree from a humble mindset as well, right? Understand that some of us who are older, some of these kids that are going to come out, they're going to have a different perspective. If you ever get in a room with a bunch of crusty old CISOs, they worry about millennials and introducing them to the workforce, because the cloud is just how you do computing to them, right? This whole crunchy perimeter control, "we own the data," that's oblivious to them. Privacy is another thing, right, that they worry about. So anyway, he does not think or feel like he's achieved perfection. That's an ongoing thing. Even though if you talk to food critics who are familiar with sushi, they're like, "Hey, this guy in his craft is a one-in-a-millennium event. When he goes, we lose it all." Right? Part of the movie, if you watch it, is about this succession and his sons, right? And the fact that there's nothing they can do, and this is kind of the neat tension that makes it a cool movie too, there's nothing that they can do to achieve that perfection, or near perfection if you want to think of it that way.

The other cool thing is it is about rebelling, right? Craftsmanship means not always following the way everything is done, right? It's great; always doing what you're told doesn't mean you succeed in life, right? It's about trying to carve your own path and taking those risks, taking that personal risk. You know, sacrifices are made, but no regrets. Now, when they get into this inner dynamic between him and his children, there's a lot there that I can't recommend. I do recommend a hearty work-life balance. But on the other hand, this is how his peers view him, right? So, understanding that the sacrifices are going to have to be made in order to be a craftsman, but keep that, you know, my goal is to keep that balance strong. I've got five kids. That can be difficult. Again, for him the journey isn't over. So it's a never-ending, always-improving path, and we're, you know, understanding how he can make, and remember he said every detail, what little refinements can you continue to make.

One of the hardest for us is to love criticism, right? We feel the need to be experts in the room sometimes because we are the security guys. We know better than them. We know the audiences have no idea about what we're talking about, and our experience and our knowledge base. I was sitting with a CISO a little while back and I was talking to him about mentorship and leadership and these things. One of the most difficult things for him as a big-company CISO is that there is nobody who can tell him how to do his job, right? He can't go to the CIO and have that guy tell him, "Oh, you're dealing with this security problem. Here's how you deal with it." Right? Like, you just can't, right? The only people, and the only way that you're going to actually find out from folks about how to do your job, is to love criticism, right? Is to get that feedback where you've done something and humbly acknowledge that you could do a better job next time.

So a few things that I've found, and it's that craftsmanship is not egocentric. One of the things that's been, over the past 18 months since I started thinking about this in this way, one of the things that's been just wonderful for me to watch, and especially now that I'm losing the vast majority of my team and watching them kind of

graduate in that sense, is the fact that I devoted myself to making those guys better leaders. It got to a point in the last four months where I was just king of delegation, right? It wasn't laziness. It was knowing that a transition was going to happen. I wasn't going to be there, so it was letting them start to ride the training wheels themselves. I didn't have to be in every committee meeting. I didn't have to be at every work group. I didn't have to give every presentation. It was letting those guys really run with the ball. It was taking the lady who started out as the executive assistant to the CISO and got moved over to do scheduling pentests for us. And then I got her, and she was in charge of exception processes and, to some degree, setting up conversations about the pentest and vulnerabilities with risk analysts in the business. It was giving her new opportunities, whether in fraud detection and operations (that's across the hall, it could be), but even just teaching her Tableau. For those of you not familiar, Tableau is a data visualization tool, right? Sending her to Tableau classes, hooking her up with basic data sets out of the vulnerability management process, that sort of thing, right? And now she's gone; she's not going to be reporting to me, but she's got a new set of skill sets and a new level of self-confidence. You know, I certainly could have created those reports and I certainly could have done a hell of a lot better than she did for the most part, right? Because I've dedicated myself to those sorts of things. But that is again egocentric, and part of being a leader, the craftsmanship of being a security leader, was to impart this knowledge no matter what skill set my analysts brought to the table, which is hard for me because a handful of them come directly from audit.

It's not being mean. This is also very difficult for me, which, you know, is kind of interesting, right? It's not being Gordon Ramsay. It's not telling people that they're freaking stupid. The other thing that I have to continually work through is that it's not a perfect world. Just because I'm thinking about the craft and not myself, just because I'm trying to take this path here, it doesn't mean that things are going to be awesome all the time, right? It doesn't mean that I'm going to have an all-hands given by the CEO at the same time that probably 25 or 30% of all of our staff is trying to watch NCAA tournaments online, and so the Unix load on our proxies is more than twice the number of processors we have. So you're still going to have those days, right? This isn't a path to unicorns and lollipops and candy canes. It's also not something you attain, right? If you look at Jiro and how he talks about it, he's still on a path, right? He's still doing this at 85. He doesn't consider himself to be perfected yet. There aren't really power-ups here. It's not like you're going to get to this point and suddenly you're in the intelligentsia of infosec. That's not the goal here, right? This is not about you. It's about who you decide to become. And that's a key piece for me: it's always in my mind a constant decision for me. Especially when you get into that meeting with that product manager or that marketing person that wants to put a whole bunch of PII out to a SaaS app that has no business doing business with a bank, I have to make a conscious decision here to be a craftsman and not to be a Gordon Ramsay.

So a few things that I'll leave you with, and we'll call this section cooking like Jiro. Just a basic application at a high

level. First, understanding your customer needs, right? So you ask yourself some questions. What is it that your customer needs, right? Many times that might be no experience at all. They need you to stay in the background, right? It may be they need to make decisions, whether you like it or not. For example, now that the risk world has changed at the bank, we have a brand new risk management committee function, right? And where it wasn't clear how much IT risk was a piece of that, I now know I've got five minutes. That's it. Actually, all of operational risk is five minutes. I get a portion of that five minutes. Let me correct myself there. The rest of it is all credit risk. It's all how well our loans are performing and all that stuff. Why? Because it's multi-billion dollar risk. At best, I'm a nine-figure risk, right? So what does my customer need in five minutes? They need to make decisions. And now I have many customers. Regulators are a customer to some degree, right? These product managers or software developers are customers as well. But in that case, right, I have to identify that the customer needs to make good security decisions and understand their risk in five minutes. In fact, less than that, probably two minutes, and probably 10 seconds, because they're probably thinking about the email that they just read. Again, what is your work designed to do? Is your work designed to create a decision based on security? Is your work designed to provide a secure experience for the customer? Right? Focusing there, and focusing there first, helps you in that path. That's definitely understanding the customer's experience.

So, attaining excellence in the eyes of your audience. I'll give you the obligatory Apple example, right? What's a great customer experience slide deck without talking about Apple for a sec? So this here, anybody remember these? Right. This was your state-of-the-art Samsung smartphone in the first half of 2007. That's what it looked like, right? Anybody know what happened in the last half of 2007, right? Completely different. And if you ever held one of those or ever dealt with one of those, you know exactly what I'm talking about, right? Again, I don't want to sound like a fanboy. I don't care to sound like a fanboy, but I think it's ridiculous to not say that this product was a revolution. It was a revolution because the experience was so much superior to that, right? When it came out, everybody's like, "Oh, it doesn't have a keyboard. BlackBerry is going to crunch it," right? Where's BlackBerry now? Where's your BlackBerry now? But in all seriousness, right, what is the iPhone of pentesting reports, right? How much of our pentest report is pages and pages of medium vulns that your CFO or your CRO or your CIRO, if you're a big enough company, are going to look at and go, I don't know how many mediums make a high, I don't know, right? And to that case, understanding the product you deliver.

So this is redacted, but this is an actual report that was given to me as something that we show. When I first got to the bank, I said, "So what's our product look like? What are we giving to these people around risk, information security risk?" Oh, well, we've got this sweet dashboard. Let me show it to you. Right here it is. Right. And there's hosts of yellows and greens and blues and stuff. And if you pretended you could see that these were asset categories or business processes or whatever they are, right, and you give this to your average CFO, right, they're going to see a whole lot of red and they're going to be worried about that. They're going to see some yellow, but, you know, they get the blues and the green, so that's cool, but he doesn't know how cool, right? Moreover, what are you focused on? So just using some data viz guidelines and experience, we turned that same thing into this. So in 5 seconds you guys all just went boom, right there. Right. And I promise you, the same data, same stuff along here. Right now, I come to this meeting prepared to have a discussion around the adequate, the mod high, and their quantitative ranges that match this stuff. Right, and whether or not we worry about the moderates and so forth. But it's definitely a very different consumer experience, especially when you consider you want to talk about this for two minutes, or you want to talk about that for two minutes, with a CFO, right? This is a much easier conversation. And again, this is not

something clever that I did. I just kind of read some Stephen F books subscribed to some database blogs um and tried to apply this right. know um and and while I'm giving you a report an executive report based example right you think about um I'm getting this now right it's like we just had a I just had an email like hey uh we want to take away the firewall um rules and restrictions in fact we just want to take the source code rep repositories and put them on the way in and the only the only control we want is active directory controls right um you immediately I'm like yeah that's not flying um fork socket right is is where I went um you

know had to take a step back and say these are these are customers with an experience and I have to balance experience um with the rest of the business need now in this case my immediate email back was you know I want to I want to un I want to help but I need to understand how big of a problem is this is this a big is this really hurting our time to market or is this an inconvenience because we're a bank and we have a bureaucracy. I want to understand who's using it, how many people are using it, right? And I basically said this um you know, we both report now report to the

same uh CIO and um my job is to balance our risk requirements with time to market. So if we're going to come up with a solution here and it is to put all our source code available on the WAN um understand that our boss is going to have me and you in a room when the regulators come in and say why was this done? So help me make that business case. Let's prepare for that conversation. Right now they backed off. They went oh yeah I guess that sucks. Right? Um, but I committed to, well, you're asking for this because somebody didn't think, hey, if they're a developer, they're going to need access when they on board. So great, when they

on board, just make that part of the initial request. They get a laptop, they get a phone, they get access to that subnet. Boom. Right. Um, so it it, you know, it was that level of experience through that. Um, and that's that entire experience. Um, so again with with firewall administration, I I kind of jumped forward to that example. You'll excuse me. Um, another one was that that I've dealt with was definitely this. The hardest lesson I got was losing a huge customer. Um when about 12 years ago or so uh we had one of the world's largest credit unions as a customer of ours and um and we had helped the CISO out and

she loved us. Uh but then they had turnover. The CIO and his immediate staff all got uh had resume building opportunities given to them and they brought in a new guy named Chris Hoff. Something like that, right? Oh my god. Not that guy. Yeah. And uh so we handed him our pentest reports which had been, you know, great. And it wasn't just that large credit union, but was it was a bunch of other credit unions we handed the same freaking report to and everybody thought we were the bee's knees. We handed it to Chris Hoth and he promptly fired us, right? Um you know, and uh and that's how I know Chris. There's the story of how I know Chris

Hoff. But um uh but it was definitely this sort of uh the entire experience We had thought that we were awesome at it. We were the leader for all credit unions in the world, right? All that crap. And and the fact of the matter is somebody came from outside that universe and really set us on our butts. Um and to this day, I'm I'm grateful for that. Um it's also going to be security decision support as an entire experience. Those of you who get to sit down and whether that's a decision that you make in the bullpen at a sock, whether that's a decision you get to make with lines of business leaders about vulnerabilities or whether that's

a decisions that happen at at a sea level, right? Um going in and understanding they've got to make this decision or we've got to make this decision, right? People are going to balance. No decision is really that easy. People are going to balance pros and cons. How do I facilitate pros and cons with my knowledge as a craftsman and as an expert? Um, understanding the ingredients. So, um, I'm going to give you a high level understanding of the ingredients as as I work them here. Um, this comes to me from Jack Jones. Uh, when you're going into that into that conversation for decision support, folks are going to have you're going to need to help them balance four different

categories of information. The first is thread information. Right? This is what we're kind of worried about. If we didn't have threats, we wouldn't have jobs. We wouldn't have these decisions to make. And I've given you kind of some classifications through varys about what a threat means in case you're really wondering. Um the next are the assets, right? So you got threats. Now you got assets, server, desktops, workstations, people, that sort of thing. Uh money, PII, sensitive information. Controls. say, "Hey, there's controls, right?" Um, and then impacts, right? And these are categories of impacts. They're always useful to consider. When I was what I was doing when I was talking to that guy about putting source code out there was I was

like, "Okay, when we have an incident, the top three these direct costs, they're going to be, you know, similar to a lot of other incidents that we have, but we have the potential for fines and judgments." Even is just what what they call matter requiring attention for banks, which means that we get to spend a whole lot of efforts trying to trying to put all of this network segregation back in place after we took it away. It still cost money. Competitive advantage. Well, if our source code gets out, that's not going to be a happy day. But it's not like, you know, we're making defiills or rocket surgeons or anything like that. You know, how people borrow money from

the Fed is typically well known. Um, so there's not going to be a lot of that, but there may be some big reputation damage because our source code got out. There'll definitely be some operational cost increases because you can't just fix it to the prior state. You have to show that you're doing a much better job than you were before. That means money spent. A brief example of the operational increases. So, a retailer many years ago got breached. It was a big breach. If I told you retailer's name, you'd know. A lot of my friends from Nationwide went over there. In fact, one good one became their CISO and they were like, "Wow, we had a breach and I was told that there

was a lot of investment all this stuff." What I didn't know is that quite what the breach created was $54 million in shelfware, right? They had literally spent millions and millions, tens of millions of dollars on stuff, but never staffed it up just to show, hey, we bought this. And you guys know this. Hey, we got a SIM and it sits over there. Try not to turn the monitor on, right? Um, so anyway, impacts that. So you've got all of these four different categories. Now, when you put them together in a conversation or a scorecard or a quantitative forecast, then you get risk. And only then you will you get risk. And only then will

you really be talking to the business and giving them that full picture, right? Then will you only be able to have that discussion in the sock bulpin. Now sometimes the impact piece you don't really need that much. You can say hey we all know that if the web server containing um you know if the e-commerce server gets breached we're going to have a bad day. You know bad day is sometimes all bad day is sometimes all the qualitative risk statement that you need there in terms of impact. But it's important to know that that many times we focus on other pieces of this and you may have great conversations. some of the most meaningful conversations happen

here, right? Why is a threat interested in these assets and how are they going to get at them so that we can then have this conversation here about the controls? But you can't do that without the purple circle context. So that's just a a just a a basic thing, you know, whether I'm talking to this guy who wants to put source code out or whether I'm talking to uh um uh you know, folks to try and justify upgrading our proxy infrastructure. I've got to bring all four circles to the table because if I don't, right, I'm not going to be giving them the best product or the best experience or the best uh information to

create a decision which is really that product or experience. So, um the last piece I'll I'll leave you with here is create and use a feedback loop I should say without ego. Um that's the most difficult part for me. Um uh it's definitely to be able to listen um and have people say, "Hey, my security experience sucks." You know, we simply can't do that because that's going to hurt the business or the even if the business is just too afraid, right? unit. So, as an example, um we're trying to get a browser plugin that defeats malware more widely adopted by our our end user customers, not people inside the bank. The people actually use online banking, right?

Because it's going to stop wireframes. And um the business came back and said, "There's no way you can make this mandatory. Our customers will leave us." I said, "Hold on a sec. There's a whole lot involved in being a bank. You're going to tell me that people are going to get so frustrated with downloading a browser plugin that they're going to move banks. And this is like, yeah, they'll totally leave us. Like, um, okay, great. Now, what I took from that was, you know, people are going to leave us if we make this browser plugin mandatory. What I took from that is the business is really frightened. Frightened of the user experience. It's not that they don't

want the fraud to occur, right? Or they it's not that they want the fraud to occur. Um what they want is for the end users to have a more seamless experience. And so rather than demanding the browser plugin, what we actually negotiated was more time in the back end for uh fraud anti-fraud analytics uh for certain customer sets. Right? we went back and we did more work and we presented basically a much better uh experience for both the end user and the business. So um we have a few minutes left I suppose I've kind of given you what's worked for me or how I've thought about some things. Um I'd love to hear from you

about your experiences please. Um interesting. So I want I want to go back to where you were talking about um when you have CEOs or CFOs and you you know basically not multiple but this is the direction we're going to go how do you approach that you've given some discussions you know as far as security and where you know they don't have any how do you approach that Sure sure um and we'll throw this in the into the aggregate topic of aligning security with the business which is like one of the hardest things that we could ever hope to do um because we're cost and in their eyes we know more support profit than this room would,

right? Because again, we're costers and so forth. However, somebody was able to make the business case that will put more butts over there into rooms if we have one of these. And so that's why this expense and keeping up this expense with this beautiful rug and these wonderful chandeliers, right? That's why it makes sense to have these these expenses. So with that said um and I get this a lot uh from folks who might want to create metrics um uh is to under is to listen very very closely. A lot of times your executive levels will tell you here's what we're trying to do. Now, many times we'll get on that all hands call and we'll read

that that, you know, four paragraph email and and you'll get these keywords and we go, "Oh, all right, great." Especially we've had a lot of executive turnover, right? It's like, "Okay, here's another guy who's really thinks he's going to change the world." The fact of the matter is he's at the top here, disconnected, we're all down there, right? But when you get called into that room um and listening to the goals of of the business, they're going to give you clues as to what you do. And so my my suggestion and and my tactic um and we talked a little bit about this, interestingly enough um uh at the beginning of today, I don't know if you

were here or not, but uh is to say, "Okay, great. Well, let me have a conversation with you and about how I can support that." And what I'll do is I will go through a mind mapping exercise that is related to goal question metric right with the idea being hey I can give you either report or an ongoing scorecard or whatever but I can also be willing to talk to you because if you take a goal and you start asking yourselves these questions about about how you hit that goal in order to create metrics well you don't have to necessarily go through the metrics but you can say hey look if um the idea here is to help us with um

uh let's just call it mobile computing right pick a problem any problem but if it's around mobile computing what I can do is this I can tell you I will support that goal um with or without modest expense to you right um but what we have to consider is we have to start considering if we're going to let people do that well we might have some problems Now, I'm not going to overestimate that, right? I'm not going to go say, "Oh my gosh, iOS boxes have the same degree of anti-malware as our desktops do." A, that's not going to happen, right? But B, um, you know, the thread environment just is isn't necessarily there yet,

depending on what kind of business you're in. Um, there may or may not be be spend here. It may be process level controls, right? So on and so forth. But here's how I'm going to support this there and this is the cost to you. And if you want, you can financially engineer a an annualized loss expectancy or whatever, right? But even if you just say, hey, we're the reason to do this is because I I don't want this initiative to get derailed and by or or get um even paused, right? And the way that's going to happen is if we have a bad security day, right? That's where that's where most people will think of security as a

subset of risk management, right? Because if they want to do this whole, hey, we're going to go do, you know, empower mobility here, right? Great. Let me help you manage to that risk. Not going to try and secure mobile. Um, but I'll do that. And so, just coming to them with a handful of here's how I can help. That's really what they want to hear is here's how you can help. So overall, I hear you suggesting two distinct steps here. The first being to stop focusing mostly on other people's image of you and instead focus on making sure they get what they want in their interaction with you. The second is to break off small pieces of getting them

what they want, turn it into a skill you can focus on developing, and then obsess about that skill for a while. That I I'd be happy to take away things like that. I just the obsession part in particular made me think I want to make sure I'm not just sitting down and thinking about making sure other people have a great security experience but I'm actually breaking off pieces building useful skills and intuitions about them. That's right. And obsessing small pieces. That's right. What I'm not leaving you with is what what an infos what it means to be an infosc craftsman. That's a that's a whole another set of hourlong discussion or whatever it is. Um And especially

because you have many different infosac craftsmen in my opinion. Um is moves beyond just the the very simple blue team, red team categories. Um so it in and first and foremost it's thinking about what you do and being a craftsman and then comes what you actually mentioned first which is focusing on the customer, right? Um uh and their experience and how they digest it. Um what I've come across from this is I used to do a lot of work in theater and security and it is kind of like the stage crew. You know our customer is kind of the actors and the director. That's right. But what we're not we want to please them enough so that they can give

a good experience to the audience. You know, when tech goes exactly right, the audience is like, "Oh my god, you know, did you see the whatever on the costume? Did you hear the voice of of the singer? Did you whatever?" And tech is exactly 100% transparent. That's right. When it's not, people are like, "Oh my god, can you believe that show? It would have been really good except, you know, the spotlight person wasn't on what they were supposed to be, and you could never hear that guy in the back, and you couldn't do this, and the lighting was horrible because you couldn't see this." And then you become the focus where your job there is to be

as transparent as absolutely possible. That's right. Like so so anybody familiar with the the Broadway Spider-Man debacle. So yeah. Yeah. So that's what everybody came away with talking about was like okay so that sucked because X Y and Z, right? And the X Y and Z were defin were were a lot of these operational things. Nobody ever said that person's a bad actor. They said that person was given a crap script and the the special effects didn't come off and all that stuff. But is no visibility kind of uh bad for you, right? Because if people start seeing that, hey, uh if things aren't secured properly, then you know, here's an effect, right? But if everything goes

perfect, then does the C uh the CFO CEO go, hey, everything's perfect. Why are we you know X? Let's cut back on. is some visibility good versus so um I would argue that e that egoless visibility is good again the goal here is that the the whole mindset shift is be okay if there is no visibility right is because it's because that's where that's where what I said I had a western view of it is hey here's Alex and he's got a bow tie on he's going to tell you all about the risk Mr. CEO and isn't he awesome? Isn't he valuable? Shouldn't you give him a raise? Right, was my expectation. And when that didn't

happen in my career, I felt frustrated like don't these people know I'm Alex freaking Hutton, right? You know, um, so it's it it it is sort of that. And the other thing I'd like in that example I'd like you to understand is when the CEO comes and says, "Can't I cut?" He's not doing it just because he's like so SOB is in security, right? He's doing it because he wants cash from here to put over there. And sometimes we can give him that and sometimes we can't. Um, and again, this is not a panacea. It's not it's not a way to get CEO buyin. It's not a way to do anything. It's a way to say when I do get a 10%

cut, um, I'm not going to go out and have, you know, and and get heartburn and frustration and ulcers and take it out on my family or or, you know, take it out on a bottle of of Jack Daniels. It's um, Hi, Jack. It's uh, it's more about um, okay, that's going to happen. That's part of life. What I'm going to do is continue to focus on the what's important to me is the fact that I'm a craftsman. Jira's got like that what eightmonth wait for customers. Not all his customers are sushi connoisseurs. I'd go in and I would have no freaking clue what I'm eating. I promise you, right? I wouldn't know the difference

between his sushi. Well, I wouldn't know the difference between his and supermarket sushi, I'm sure. But you get the picture, right? I would not be ready to appreciate that. And sometimes those are just going to be who we're who we are or who we're dealing with. I got the impression there that you're saying you lower your blood pressure by focusing less on what they should do in a moral sense and more about cause and effect. If you do this, if you open up this, you're going to cause this. If you add these controls, then this will happen. My my goal is to help them is to create an experience where they feel like they've made the best decision possible.

I can't control the decision. I just can't. If we've got profit problems and the CEO needs to cut budget by uh 10% across the board. When I was at Verizon every quarter, they'd be like, "Hey, find the bottom 5% fire butts, right?" You know, um I can't control that. What I can control is that moment, right, where I present them like you're saying cause and effects and how I present the cause and effects right and again we're talking at a sea level right now this is this can be applicable if you're in the sock and you're talking about us versus the network guys right it it's I my experience has been that it's applicable to think this way

well I think we might be over lunch so it doesn't matter what's that we're at lunch time so it doesn't matter All right. All right. Well, thanks very much for showing up. I appreciate it. All right. Now, go away, find food, and come back. Do you think we could add Brazilian jiu-jitsu to the V side to Orlando to get it?