
So You Want to Be the CSO

BSidesSF · 2012 · 50:20 · 82 views · Published 2017-11
Speaker: Daniel Blander
Tags: Category: Career · Difficulty: Intermediary · Style: Talk
About this talk
Daniel Blander draws on 20+ years of experience and organizational psychology research to address the leadership challenges CSOs face when transitioning from technical roles. Rather than focusing on technology, the talk explores how security leaders can work effectively within their organizations, build trust, communicate across silos, and frame security initiatives around business value rather than risk alone.
Original YouTube description
Do you have a CSO who seems disconnected from his team? Is your Security Manager struggling to get attention and budget from upper management? Do the users seem completely oblivious and unwilling to get on the security bandwagon? This talk is a collection of researched ideas on how we can better work within our organizations to become Security Leaders and successfully integrate security into the culture of an organization. The material is drawn from over 20 years of stubbing toes, and researching dozens of organizations for best practices. It uses analogies from organizational and personal psychology and boils them down into ideas each of us can use every day. My end goal is to continue building playbooks of tools and techniques to make us more agile and effective in being Security Leaders in our organizations.
Transcript [en]

Sorry. Good afternoon everyone, I'm Daniel Blander, the guy whose name's up on that screen with the FFLAs, the something four-letter acronyms. I'll skip the profanity once in a while; I can't guarantee I won't always. Thank you, kids, I think he's the one who set the model for us. Um, what I'm going to talk about today is some research that I've been doing. There's no beginning and there's no end to this research; it's something that started a long time ago, came out of work that I've done for a lot of my clients, and is continuing, collecting case studies over the years with CSOs that I've worked with, and hopefully we won't blow away here on what are the

best practices. The one thing about this talk you're gonna find out: it's not gonna be about technology, because what I found is... great technology is important, don't get me wrong; as Gene likes to say, great kung-fu is great kung-fu. But what I found is that most of the challenges that CSOs face is not about their technological skills. It's not about the best tools or the best kung-fu; it's about how they work with the rest of the organization. It's the challenges that they face that is very different from when they were just an engineer or when they were just an analyst. It's a very, very different set of questions. I'm gonna tell a little story. I was running a company in

Slovenia in 2011, a security firm, and we were doing a large conference. I went to go pick up one of the speakers, and the speaker was the CSO for one of the national headquarters for a very large multinational bank. He had just been promoted and he was coming to give a talk; he'd given a talk for us every year about his experiences, and usually penetration testing. As we were coming back from the airport in Ljubljana he was telling me the story. He said, yeah, I just got promoted, and so it was really interesting. The first day on the job in my new position as the CSO for the Macedonian branch of this bank, he said, the

head of our corporation, the corporate CSO, called me up, said congratulations, I'm really glad you got this position, I think you're gonna do a great job. If you ever touch the keyboard again, you're fired. It took him a couple of weeks, he said, to figure out what he really meant. Said, what do you mean I'm fired? You know, that [ __ ], I got to do work, you know, can't I do all this other stuff? It took him weeks to understand what it really was that this gentleman was driving home. This gentleman is known as the grandfather for all the other CSOs in the organization, for all the other national CSOs, and he understood... that's all right, I'm

gonna kill myself here. He understood what it was only after thinking about it. There's a very, very different set of skills when you move up in that ladder of management, when you become that CSO, than there is when you're playing the engineer. And I would argue that those skills are ones you should learn while you're the engineer, while you're the analyst, because those skills are gonna be ones that are gonna help you not just if you aspire to be the CSO but also if you aspire not to be the CSO. They're the same set of skills: they're interactive skills, they're interpersonal skills, they're organizational dynamics. These are case studies that we're collecting, and so we're gonna talk about those today.

Oh, don't do this to me. There we go. So we all make mistakes; make sure it's the right one. Sorry, this is new technology for me. All right, no, back up. Oh no, don't do this to me. Come on, be good, Mr. iPhone.

Okay, your challenges. Come on, hold on a second, we'll just go back and do this again. Okay, so I'll make mistakes. We all make generalizations about IT or about security, big generalizations. When I say generalizations I mean attributions. Brett talked about this yesterday, it was great... not yesterday, just earlier, in his previous talk. He said: sometimes, maybe, likely. Have you ever said that we're misaligned, or we need an alignment with the business? Thank you to Shawn Cordero, he gave me these as some of the generalizations here. What the [ __ ] does misalignment mean? Come on guys, what is alignment? How do you align IT with the business? I mean, we all drive around and

park between the lines in the parking space. What does that mean? What is that attribution that we're making? Or, it's political. Boy, that's one that really drives me. And they say, no, it's a political problem, you don't understand the politics of this company. Wrong answer. Politics is an excuse to cover up some other rationalization, some other set of data you have about something you've stated. We just know. Well, what do you just know? What is it? Give me some ideas behind it. Or, the company will fail if we are hacked. The other ones were ones we heard as just phrases; this is one we tend to tell our executives: we're gonna fail. How many of you know the story of

TJX, the breach side of it? How many of you know the stock price a year later? What was the stock price a year later? 50% higher. Whoo-hoo. Heartland, did Heartland go out of business? Nope. So be careful of your attributions. Don't express... I shouldn't say don't express opinions; be prepared to back up your opinions with facts. We're going to talk about this. We spin on technology. We think technology is the answer. We get in front of an executive, we start talking about vulnerabilities, we start talking about an SSL certification that is broken and there's a trust and it's not going to work. Whoa, he just goes, what? We make decisions about risk in a vacuum. Our biggest risk

is our personal data. I have a client who is exorbitantly focused on the personal data within the company, thinks that's the biggest risk that they face, spent literally hundreds of thousands of dollars on DLP. They never spent a dime to protect their revenue stream. Hello, wake up, that's not how it works. Focus on what's relevant. Here's one just for you, Jay: I did my risk assessment in my office with Excel using ISO 27002. Anybody know ISO 27002? Not one? You should laugh hysterically at that one. Get marginalized. I have a client, I just met with last week, we had a conversation: it's a black box to us. IT's just a

black box, it's over there. So when we have these conversations, when we make these generalizations, when we talk about what the risks are and how we've done it, to them it's just a black box: just go do it. But then you get the other side, which is the part of the organization that just gets so tired of the FUD, the fear, the over-technology, the stuff that just doesn't seem to make sense. Brett made a mention, he said, you know, an executive goes and buys $250,000 worth of technology, gives it to you and says okay, security's fixed, it's done, it's over. And then they get breached, and says wait a minute, I just gave you that $250,000 toy, what happened here? You

know, weren't we protected, weren't we secure? Well, they're now saying you're just blowing smoke with me. Let's go next, you know, next item on the agenda, let's move on. They don't believe us anymore. These are some of the things that we face. Here's the question: do you ever open any of your statements or your work to examination? Do you ever state your facts, state the data behind it, state the assumptions that you're making? To say it's political, or we're gonna get breached, or it's not relevant: understand those statements. My favorite, if you saw my talk at BSides LA, you know one of my favorite topics is wombats. Does anybody know what a wombat is? It's a nice little cute furry

marsupial. Oh no, it is, and I will now make it public: a waste of money, brains and time. That is a wombat. I have a long lecture; I'll show it to everybody later. These are things, these are actual quotes, I am not joking about these, I have witnesses, I have proof. Just give me all the money and I'll buy the technology to fix all of our security problems. Yeah, cuz that'll do it. Let's go next door, we can solve all of them. If I were in that meeting I would have told them what their problem is. Yeah, cuz we know what their problem is, we have the whole landscape of all the issues that

the business face, all the risks, all the things they're worried about. This company really needs to revise all the, in this case, SOX controls; there's absolutely no reason to have management involved in this process. Hold on a second. We need to force the users to do it. Wrong. This technology sucks. Don't treat your opinion as fact. So many times I hear people tell me this technology sucks; a couple of us working on a project just heard it: that technology sucks, rip it out, replace it. Well, why does it suck? What is it about it that sucks? Did you have a bad experience with it? Did somebody that bought it buy the wrong pieces, the wrong parts? Did not

interact with the technology you have. Back it up, understand what it is, because sucks is an attribution you're giving to something; it's an opinion. You need to have the data to back it up. That's what the executives are looking for and trusting in you to provide. Good, there we go. Here's one of my favorites, this is another one I just dealt with two weeks ago. Stakeholder: we need something. IT: let us go back to our office and we'll go figure out what that something is, and then we'll get back to you and we'll tell you what it is. Ever see that happen? Yeah, all the time. Where is the understanding? Where's the information that you're gonna know how

to do it? So here's a great quote, this is Chris's quote, this was off the Risk Hose podcast, here I'll give you a plug, she increased from... four listeners to five. We have to accept that it's not our risk tolerance that matters as risk practitioners. So it's not us and our view of the world, our view of the business, that matters; it's the person accountable for the risk at the end of the day. Who ultimately is accountable for risk in an organization? The CEO, the line managers, our line executives; they own the risk in their areas. It's them, and until you overcome that you're almost a barrier to what you're trying to achieve. This is so perfect.

Think about that for a minute, because we have to understand: if we don't know anything about the business, we're not gonna be able to help. I walked into an organization about four years ago, was asked to take over the security team and clean it up, and the first question I asked them, I said, so what do we do as a company? I knew what it was, mostly. One guy said, well, we do this, this, this, this. It was pretty spot-on. He said, you know, there's a few things I don't know really well but I haven't had the time to go out there. Like, that's good. Second guy said, what do I need to know about the business? It's not important to

me, it's nothing to do with security, I don't care. Wrong answer. We proceeded to go out into the business. We spent three weeks, under the guise of a business impact assessment, and we interviewed every line manager throughout the business. Said, what keeps you up at night? What's important to you? What are the things that you want to make sure are always there for you, or are working right, or the most important things in your part of the organization? Well, you should have seen people's faces light up. We got literally, I'm not kidding, reams of paper and documents and things, where they talked our ears off, in one case for five hours, about their line of

business. It was awesome. I ended up with a whiteboard that sat in my office that had a macro process flow, so at any point in time someone could say, well, you know, we're really concerned about this, how does that affect other people? And we could quick turn around, take a look and say, oh, there's some upstream effects here. I would have people coming into the office and look at it and go, wow, that's really the business. It's not because I was good at it, it was because we chose to collect that information; we chose to understand what the business was. Very important. Keep in mind most companies are not in the business of security for security's

sake; they're in the business of staying in business and making a profit. Brett mentioned this yesterday. I'm not... yesterday, why do I keep saying yesterday, time lapse, just an hour ago. He listed out five positions: security, how much revenue do they generate? Developers, how much revenue do they generate? Business development, how much revenue do they generate? Think about it. Where's the money coming from? What's driving the business? What is keeping them in business? So your challenges: your security program needs, first and foremost, a clear definition of what it is, your role and responsibilities. What are you trying to achieve in that organization? What is the business need? Now, can you develop this in a vacuum? So who do you think you should reach out

to? Everyone. Almost everyone. It's okay, you don't have to talk to the janitor, but physical security, he'll talk to facilities. Who else would you want to talk to? Sales, marketing. Who else? How about finance, logistics, manufacturing, line management? All those teams. You understand what their concerns are about. What are they concerned about protecting? One of my clients found out their biggest concern, other than the revenue stream... this is one who regarded the revenue stream as the highest, most important... was the physical safety of their people. They didn't want a disgruntled employee who had left to come back in and start harassing people inside the office. So we put attention to that, because that's what they said was

important. Get that management buy-in and get the users' participation in this process. So what do you need to do? Learn that business; work every part of the business. There was a great discussion, Rafal Los was on Martin McKeay's Network Security Podcast, and they were talking about a discussion of: should the security person have a business background or a security background? Correct answer, the answer is yes. In fact, I'll give you a little side note. There's a very well-experienced CSO I talked to, based here in the Bay Area. They have a CSO get-together very regularly, once a month, they talk about it. He said he's noticed a trend of CSOs where it used to be they were very, very

technical, and he said now all the people that are showing up in this meeting are all very, very business. He said none of them have technical skills, and after wondering a little bit he posed this to me, said, is that a trend, is that something we need to worry about? Because I went back and reflected on that... notice I'm using the word reflected, because we're going to talk more about that later... but I reflected on that and I said, if they lack those technical skills, how are they gonna be able to translate some of the issues, the technical risks that they face, into some of the business speak? Absolutely, he gets that he needs the

business speak, but how are they gonna translate that? How are they gonna understand it? So to lose the technical is a mistake. You've got to have the balance. Working every part of the business: one of the gentlemen on that podcast that was on the discussion, I don't remember his name, made the comment that when he went to go work for his current company, he had to go and work every single position throughout the company. He had to spend a week in each one of the roles, in each one of the departments. Hawaiian Airlines, I love Hawaiian, love these guys, I did a great project with them. Their CEO, when they started to emerge from bankruptcy, new CEO, awesome guy, his first month he

spent two days in each position. CEO of the company was doing baggage handling, reservations, mechanic, everything. Granted, I doubt he was in there actually fixing and tweaking the jet engines, but he was out there pulling parts out of the bins, pulling stuff across the runways, all of that. Real experience: you get to know the company. So think about that; that's an option. There's also the business impact assessment that I talked about earlier: go around and ask them what are the things that you care about, that you worry about, and you're likely to find out what are the biggest concerns in the areas. You may have input, but they're also, for once, gonna have input into how you think. That's the

novel part; that's the part we tend to forget. Be in the business, embed yourself. Great analogy here: Gene Kim is writing a whole bunch of stuff about DevOps, and one of the things that DevOps talks about is the embedding of operations into development. Well, imagine, not just in the development cycle but in all parts of the operations, whether it's in planning, whether it's in business development, whether it's in the strategic development for the company. I just went through two organizations that I did work with; in both cases IT never spent any time at all with the executive team, and I challenged both those organizations. I said, well, hold on a second, you're upset

that they're not answering your demands and serving you the things that you want, but you're not including them at the table. How often do you communicate with them? How often do you meet with them? Oh, well, we don't really. Okay, how are you expecting them to know what you want and what you need if you're not gonna communicate with them? So embed and participate. Hawaiian Airlines again: big project they were doing, they called us in; someone had told them that they really needed to include security in this project. It's about gift cards. They were selling gift cards for airlines, kind of an odd concept, but they were doing it. So we went into the meeting and

we found out that the biggest issue they were really worried about was: at the end of three years, Hawaiian state law required that any unused funds on a gift card had to be turned over to the state. I believe the same thing exists here in California. So they were like, you know, that's our biggest concern. We said okay, so let's look at the program. We don't manage it, so you got all these terms in the contract. All right, third-party stuff's taken care of. So it's really not a heck of a lot of other things that we have to worry about from an IT security team, information security team; less of an issue. So we had conversations about

those risks, and we called out that issue about the three-year turning funds over. How are you gonna track it? Are the records there that you need to track that information? How much leftover revenue is that gonna be there for three years? They're like, wow, we didn't think of that stuff. We weren't... we didn't have our InfoSec hat on. We weren't thinking about how you gonna hack it, are there vulnerabilities in the system; that wasn't our thought process. Our process was around what are the business issues going around. We got called from that point forward into every single strategic business meeting, because we participated. Stephen Covey, in his Seven... what was it, The Seven Habits of Highly Effective People, talks

about that as emotional capital, whatever you want to call it. You've built a level of trust with those people that you can participate, you can contribute; there's something of value of you being there, because you weren't always sitting there with your InfoSec hat on, with your technologist hat on. So communicate in person. This is a big one; my wife beat the crap out of me until I learned this. Don't use email. Don't assume that because you sent someone an email they know how to respond, or that they're going to respond. How many know the whole percentage of face-to-face communication: how much is actual body language, how much is tone, and how much are the actual

words? Does anybody know those percentages? It's about 70, 20, 10. It's an inordinate amount, the percentage of your tone. If I were to tell you you're sexy, or if I were to tell you you're sexy, totally different, right? Tone has a huge difference. If you're not in person, you sent an email, how much tone do you get across? Goose egg. How much body language? None. These things make a difference. People always ask me, oh, when you're doing this project management stuff, what's the most important thing? I say I manage by walking around. Oh, that's not good project management; what about all of this PMP stuff and about, you know, analyzing the risks and laying out all your schedules and all that stuff? I said yeah,

that's nice, those are mechanics. So how many people, when they're managing a project, make sure that people communicate? Oh, well, that's important too. Yeah, how do they do it? Oh, we send out emails. Yeah, wrong. Fail. Doesn't work. Another technique: focus on enhancing the business. Security isn't always about locking down things. Remember, what are the three elements we always refer to as the triad? Confidentiality, integrity and... good job. Enhance the business. Focus on things like effectiveness, efficiency, availability. Another client of mine, again, these are all case studies that we're pulling into what I'm trying to slap together as kind of, sort of a book. At a company, a retail company, we had issues; we were struggling for PCI

compliance. We had two different types of point-of-sale. Over 200 of our stores had an older model of point-of-sale; couldn't get antivirus, couldn't get all the other stuff, logging, all the stuff that was required to have on it. We looked: damn, we're out of budget. We're down to like $200,000 in security budget. The IT operations team said, well, we've only got about three, four hundred thousand dollars ourselves; there's no way we can afford this. Well, said wait a minute, these are older point-of-sales, right? What sort of issues could come up with this? Obviously something, if they're older. We went down to the stores team; we didn't mention anything about security. We just went down and

said hey, you know, we noticed that you've got all these older point-of-sales. What benefit would it be to you if we were to change those out so that all your point-of-sales across the company were the same? Yes, please, please, yes, can you do that? Because they shared personnel between stores; someone was sick in one store, they shared them to another store; they had to train people on two point-of-sales. They measured down to the minute the amount of time someone spent doing a non-sales-floor task; that training had a huge expense associated with it. I said, so the cost of doing this is about six hundred thousand; we've been able to scrape together about five hundred. Can

you scrape together seven hundred? They said piece of cake. We got that budget done. We made it a business effectiveness and efficiency issue. We never talked security. We walked into the CEO; she went, wait, stores, security, what the hell are you two doing together? That's it. Here, here you go, we want to do this. Said, I still can't get over the two of you in the same room together. We said no, no, really, here's why we're doing it. She said, I'm sure there's something else, but I'm gonna sign before I find out what it is. Signed, done, finished. We went back into our office, closed the door and celebrated. We didn't tell anybody else. We just

achieved a security success, because we wanted to make sure it was perceived as for the business. A little example of some of the collaboration, the benefits. Now this is not scientific, so I'm sure all you stats guys are gonna rip me apart on this. This was opinion-based, so I'm gonna make it very explicit. Back in 2009 I did a survey, got a hundred and six responses from organizations literally around the world, and what we did is we asked them: who was responsible for developing your policies? Was it something developed entirely within an IT or InfoSec group, or was it at the other end of the spectrum, where it was collaboratively developed with people from various lines of the business? And

we had everything in between as well. And then how accepted were your policies, and how not accepted were your policies? So a little graph here showing the stats. If policies were accepted, 44% had been developed by a group, 10% had been developed by some sort of a few people in a group but not spread too far, and 46% had been developed internally, not very much spread between internal and external. What was interesting, though, was if they were not accepted, 20% were developed by a group, 7% sort of the middle, 73% were developed completely in isolation by IT or the security group. A little bit telling. What it told me is also, with some of the others, you can

have a crapshoot. You can write security policies, and probably do a half-decent job, and shove them down the throat of your users. It works; it can work, but it's a crapshoot. If you want your policies to be accepted, you're more likely to do it successfully by a group. In fact, here, when they were developed by a group there was a high level... sorry, I missed the tab here... high level acceptance, low, low acceptance, no acceptance. When developed by a group, 55% had accepted, 8% did not. What does that tell me? You have a higher probability of the good view of security policies, that much more accepted view of security policies, when you develop them with

groups, with the business and with the lines of business. Policies developed in IT or the security group alone, it's gonna be a crapshoot. So what does that relate to? Several of the case studies that I've worked through have been where he's developed a security governance or a steering committee for security. I did this; I have a case of a healthcare company in Colorado as well as an insurance company on the East Coast who have done this, and the result has been, in the case of the medical company, they had doctors who were running the practice, who were running the company. A little pointer: in these cases they put together that team, and the medical groups now understand that... sorry, the

doctors now understood what they were trying to achieve, because he took the time to explain what he was looking for, and they got to participate and talk about what their risks and what their concerns were. The time HIPAA hit, they had conversations about, you know, what is this HIPAA stuff? Well, you got to keep the patient's information private. Well, what does that mean? Well, let me try and explain it to you, and you can stop me when you get bored. It became a group for collaboration. In the case that I built, we took the leads for each one of the lines of business, we said let's have a conversation, let's sit down once a month, and I want

you guys to tell me what are the things that keep you up at night, the risks to the organization, how can we address them. And we refused for two months to talk about anything IT related. No, two months, no IT issues as part of the conversation, no InfoSec issues. So we didn't want to talk about the PCI work we were doing, we didn't want to talk about the SOX work; we wanted to hear what they were concerned about. And it came down to the fact they found out there had been a felon, actually not one, five felons, hired into customer-facing positions at locations. I said, Dan, that's a little bit of concern, because these were not

ordinary petty larceny felons; these were violent crime felons. And they said we want a better process around that. No problem. So as a team we now were able to say this is our highest priority. We created our whole background check process, and that's what we focused on, and we continued that. And suddenly people started to realize, hey, this is a collaborative group, this is a group where we can interact, present our issues, talk about them, and they'll get addressed. It's not political anymore; it's very specific. We always ask the tough questions: all right, so you say you have this issue, what's the data and the facts behind it? We address that. By the fourth month they started asking us, so

how's PCI going? How's SOX going? Hey, how's the InfoSec stuff going? Because now they started to care about us. They realized it was collaborative, it was for everybody. Very successful model. If you see any other models like this, or even different ones where this doesn't work, again, we're testing all these, I'm collecting the case studies, let me know, please let me know, because these are the things we really want to understand. Distribute responsibility. This is one I feel kind of strongly in, and I've seen cases to the opposite end, but one that I've seen work very well; it all depends sometimes on the culture of the organization. Distributing the responsibility so that the information security team becomes more

of a trusted adviser to the organization. Antivirus: why should security do that? Should that be embedded into the desktop or the server or the Wintel operations? Hopefully not mainframe. I actually had an auditor one time tell me, well, where's the antivirus for the mainframe? Get out of here. Network administrator: how many of your security teams actually manage the firewalls? How many of you, the network team manages the firewall? Yep. Think about that. Where is it, what does it affect? It affects the network. Well, wouldn't it make sense, at least as long as there's oversight and guidance from the security team, for the network team to operate that? That seems somewhat reasonable. And I think there's... one second... there's an interesting concept to

that. We always want to include security in people's job responsibilities. When we distribute these responsibilities, what did we just do? We put that into their job title. You had a question? That's where you can still build in the validation and the checks and balances.

Exactly, exactly. And that's the way I've started, at least in the firewall case, and I'm very open to hearing how it can break down in the other ones. But in the firewall case, what we did is all requests for changes to firewall rules had to come to the security team; they reviewed it, pushed it to the network team, the network team implemented it, and then through a wonderful little tool with the initials TWU we would check that those were exactly the rules that they put in, and if they weren't they got a phone call real fast, and we knew pretty much right away. So those checks and balances were really important. It was a process. It can't always work perfectly, and if

you have rogue administrators you will have problems.

Yep.

Yeah, that can be one of the checks and balances. Richard, you...

Yep. And I want to get more case studies about this, because I've had people argue the other side of it and I want to see how successful it is. I do know that the successes I've seen here have been when it's put control and responsibility into the hands of the administrators, and maybe it's the culture, maybe it's the organization, but it's been very successful in making them think of security. A great example was configuration and patches. We told them here's what you need to do, and they said all right, well, we want to pick this tool. Wouldn't be a tool I would pick; in fact I hadn't heard of it before, but they said no, we really like it and we'll do

this stuff and we said well here's the criteria doesn't meet that they said absolutely here we're gonna demonstrate it it does that Wow it does it okay great that's a tool you like go for it it meets our criteria roll with it so it gave them that flexibility now they felt participatory big big difference they're part of this solution collaborate on solutions this is one of my hot buttons for this past week because I've been reading this stuff there's a couple of people and it might be a little bit hard for people who don't like as much academic reading but their names are Chris Argyris Donald xirn and Daniel Kahneman Chris archers Donald sure and do a lot of

organizational psychology work. They've been doing it for a long, long time. I stumbled into them back in the 80s when I was in architecture school. Yes, I'm an architect, I did buildings, weird stuff, and I was studying teaching, oopsy. They found, over the dozens and dozens of years of research that they did, management research on best practices to problem solving, not routine problems but complex, unusual, one-off problems, they found: number one, don't assume you have the answer. Argyris refers to this as the ladder of inference. Don't assume you have the answer. Number two, combine advocacy with inquiry. It's okay for you to believe in something, that what you're doing is gonna reduce

the risk. It's okay to think that you've got that, but be willing to have someone inquire and say, well, I don't get that, but I think you're making an inference there, can you explain it a little bit more, or that doesn't match up with what you're saying. Be open to that. Illustrate your inferences and make the reasoning explicit. Data: I love data. This kind of sealed my whole data belief for me. Back it up. Understand one thing though: a lot of times when we make inferences, they're based on a lot of historical things that we have in our lives, experiences that we have that we can't always externalize. I'll give you a very

personal example. I was accused, when I was younger, of being very unemotional. My wife said, you know, you don't cry when somebody passes away. I spent a couple years reflecting on it, because I'm like, no, I'm emotional, I care. You died, okay, over with. Didn't understand it. After the reflection, I came to realize, because my elder sister had died when I was three years old and she was my best buddy, that that had a huge impact on how I viewed that. But it took the reflection, the understanding, and looking back and asking those tough questions to understand that. The same thing applies here. Don't be afraid to reflect on what your inferences are when someone says, I don't get that, that doesn't make

sense to me. It's okay. Don't take it as a challenge to you personally; take it as a challenge to an idea or a concept or even the data, because it becomes about the data, not you personally. Be willing to examine that. Seek disconfirming data and alternative explanations. Why is that? Why do you think that is? Test those competing views. Inquire into the impact of your decision: how will it impact people, how will it impact the organization? This is referred to as the ladder of inference; it's referred to in The Fifth Discipline, the book. They borrowed heavily from this. Daniel Kahneman wrote a book and has done tons of research, Nobel laureate, and what he says is that we as human beings

make most decisions based on our own intuition, and most of the time they go counter to what the data tells us we should do. Hear that again: when we make our decisions based on our intuition, they tend to run counter to what the data tells us we should do. Allow your ideas and inferences to be challenged. When it's about the data, it's not about you. The result is growth. Seem a little bit like risk modeling? Tiny, tiny, a little bit. Understand your users, understand their motivations and their priorities. I'm gonna give you a little example of this. I could literally spend two hours just on personal motivations, but understand their motives. They're gonna care about their livelihood. They're

looking for certainty: do I still have a job at the end of the day? They care about their relationships, whether it's with their family, their kids, their loved ones, whoever it might be. Those are the things they worry about, usually, the most. They also care about their significance. Have you ever listened to someone in your office and they just sit there and backstab and criticize people around them, and you go, man, that person's a jerk? Did you ever think of, and I know your parents probably told you this when you were a kid and you got teased, if you got teased, they said, you know, that person is just trying to make up for their own insecurity, or,

if you want to put it in adult language, they're trying to gain their own significance. Understand these are real motivations. Maslow talks about this a lot, and if you understand those motivations and what people are trying to achieve every day and the reasons they operate, you're gonna understand a lot more of what you need to do to build programs, policies, actions, tools, controls, whatever it might be, that they'll understand and appreciate and follow, because ultimately their goals are self-interest. Every one of us is, in my opinion, a selfish person. We can't be anything different, because we have to think about ourselves first, whether it's survival, whether it's what we do every day. We're looking to satisfy

ourselves. We're kind of centered around ourselves; it's just the nature of the beast. Philosophical moment. Understand what those people's motivations are. Change your mindset: it's really about a cultural and behavioral change. You're gonna be changing the culture of people, but you're gonna be doing it by understanding what motivates them and fitting those pieces in so that they make that change, saying, wow, security could help me achieve my goals, could help me achieve the things I want to do. Live it and learn it. rah fellows put out a great post about, do you walk your security walk? Do you do the same things you require your users to do? A funny response was, a lot of people said no.

Well, why not? Well, it's too difficult, or I got better things to do, or my company won't let me do that. Well, hello, wake up. If you're not willing to do it, why the hell are you telling your users they have to do it? Let's ask a private question here: how many of you surf porn? Okay, it's all right, you can raise your hand, we won't tell anyone. Yet we get mad... sorry, I'll change that. How many of you use Facebook? Yeah, there we go, a little more socially acceptable. So how many of us get really pissed when people at work use Facebook? Yet we probably also have our own accounts too, don't we?

Or we put things on Twitter, or we do various other things. Live it and learn it. Walk in their shoes. Play by your own rules. Feel the pain and the complexity that you're facing, because you have to realize, if you're not willing to do it, they're not going to be willing to do it. Be ready to follow the same footsteps. Real quick, and this will be kind of the end of it, I just want to show you some of the motivations. Anybody ever read Daniel Pink's book Drive? Cool book. What is the number one motivation for most users, most employees? What is the thing that they usually are most motivated by? It's not about money.

Recognition. Number one is recognition, and he has study after study, and I pulled this from a couple other locations as well. It's about recognition: am I significant, am I relevant to the business? So, Maslow's hierarchy. I've simplified the words; I borrowed it from someone else, the word simplification. But certainty: InfoSec, we care about always being secure, keeping my job. Management: profitability, bonuses, keeping their job. I don't see heroes. You know how long do you stay CEO? Not very long. Users: keeping my job. There are probably other motivations, but it's a good example of certainty. We want to know that that thing is there the next day when we wake up in the morning, our job is there, our friends are there. Love and

connection: every one of us wants love and connection in one form or another. We want our families, we want our buddies, we want our relationships around us. We want significance. The negative way we get significance is we're condescending, or insecurity. We used FUD: man, you better pay attention to me or bad things are gonna happen. Well, guess what happens, or at least used to happen? Oh wow, you know, security people, please, please help us, please help us. Not anymore, so we've lost our significance. Management: condescending, ego, strut. Yeah, I'm a CEO. If you live in Orange County like I do, I drive my nice 7 Series, I've got my Bentley, and trust me, people that are making $100,000 have Bentleys down

there. They live in a one-bedroom apartment. It's freaky. Condescending, backstabbing, a lot of that behavior, because it gives significance; it puts someone else down. Tell you a great joke later if you want to hear it. Uncertainty: we want to test new things, we want to try new things out. For management it's a mistress, because our married life is just kind of boring, it's so certain, because when you have too much certainty, what's the first thing you want? Uncertainty, variety, change. While you're bored with your marriage, what do you do? You go out and get a mistress, because it's uncertainty. If you value uncertainty, that's what you're gonna do. Promotion, take on new duties. Some people

are willing to do that to satisfy their certainty or uncertainty. We build on all of these. These are all sort of, I'd... I call the four basic needs that you need to build up, fundamental. Everyone has each one of these in a different percentage or a different value. Some people really care about certainty. My two favourites: uncertainty. Ask my wife, drives her absolutely insane. I cannot stand certainty; if I get certainty, I'm out of there. Love and connection, number two. Number three, hmm, I don't even have a number three that's on there. I could care less about the significance; if you want to ignore me after this, fine by me. Growth and contribution, this is where you make the difference. Growth

and contribution is where you make the jump. If you can grow, and growth isn't always pleasant, it's sometimes painful, if you can help somebody else by contributing to them, you make a difference. This was Maslow's self-actualization, that highest level. Surprisingly, you can operate there if you can conquer and understand these. I put this up here for one reason: when you look at a user, when you look at your organization or management, understand their motivations, understand what they're looking for, because when you understand that, it's much easier to fit the pieces in, how to address and how to make them feel that security is valuable. As a CSO, you have to take these tools, and there are probably

others that we're gonna discover as I'm doing my research, but these are the ones that I found so far: the collaboration, defining your role, distributing that responsibility, understanding the business, and understanding people's motivation. That I found to be the most powerful set of tools, and that includes the executive level, middle management, and the end users. When you can do that, you will make the leap from being a security practitioner to someone who can lead an organization. If you can make that leap, then you can be the CSO. Thank you. [Applause]