BSidesCharm 2024 Keynote - Melanie Ensign - Influencing Business Decisions

[Music] before I got into cyber security I studied marine biology with a focus on sharks so is Caroline here with us this morning did she make it all right well if you were here for her keynote yesterday she asked us what we do for self-care I knew I was going to have a mic today so I did not hog it yesterday but this is what I do for selfcare it is definitely less stressful than leading the Press department for de or teaching lawyers the power of public apologies in the wake of data breaches I later earned a master's degree in corporate Communications and have led Global security privacy and Engineering Communications for several large tech

companies I'm a certified Technical and rescue scuba diver so if you're ever near Tulum I'd be happy to introduce you to our local reefs or underwater caves don't worry the sharks in the caves don't come together separate tours I tell you all of this as a brief illustration of my approach to cyber security I'm not actually an adrenaline junkie and I feel a strong ethical obligation to use my skills as a professional Communicator to help security teams find their voice and influence decisions to reduce the frequency and impact of security incidents I plan for worst case scenarios but I fight like hell to prevent them how many of you have heard the saying people are the weakest link

insecurity yeah it looks like most of us have if you're talking about end users it's an incredibly ignorant thing to say it betrays how little you understand the big picture and makes you sound like a jerk but I think the phrase is true if the people we're talking about are us the security teams what are we even doing here if employees can't click on things to do their jobs if security products features and rules are too complex or too convoluted for people to use that's on us if we don't have a plan for what to do after someone is successfully fished so that access doesn't Cascade throughout our entire system that's on us so I'm sorry to say we are in fact

the weakest link in security but we can do better by building our influence over business decisions Russell this is for you are you [Applause] ready I I agree with Jeff Moss when he said 80% of the problems we have as a security industry are Communications problems we can fix this communication is a soft skill that leads to better technical outcomes period uh oh I've just realized that according to science I really only have about five more minutes before your tension starts trailing off so I'm going the next two things I'm going to tell you are the two things that I want you to take away from today right so give me five minutes I'll give

you the gist of everything the first is the fundamental structure of communication who says what to whom with what effect this particular summation was introduced by political scientist Harold lwell in the 1940s I've underlined the word effect here because it's the point that I want you to remember throughout the rest of my remarks and later when you go home tonight the effect of our communication is what matters most Not Our intention not the channel not even the content the effect is what gives all of those other things meaning who do we need to communicate with who should be the messenger what should they say how should they say it should it be in person virtual is it

one: one is it one to many the right answers to all of those questions depend on the effect that we're trying to achieve our desired outcome defines our methods effective communication is an exercise in reverse engineering especially in business where strategic communication is rewarded with influence and resources so that's the first thing I want you to remember the impact of our communication is how we measure whether or not it's effective the second thing that I want you to remember comes with a story who is familiar with the story of Cassandra in Greek mythology quite a few of us uh it's very uh common um within our industry um sometimes to refer to ourselves as Cassandras

the way that the story is typically told in security and privacy circles goes like this Cassandra's father PRI was the king of Troy and Cassandra was a prophet in Troy with a remarkable gift to be able to see into the future you can already kind of see why infosec loves the story so much supposedly this ability was given to her by the Greek god Apollo but when she rejects his sexual advances he punishes her with a curse for being ungrateful personally it sounds like he was trying to take credit for her work and to be honest she called him out so he retaliated also very infosec she felt he felt entitled to her work and to her

body but she was simply not interested in him and good for her he sounds like a jackass so Apollo punishes her by preventing her PO prophecies from making a difference No One Believes her even though she's right and this is the point infosec typically obsesses with when we share this story Cassandra could see all of the horrible things that were going to go wrong but no one listened to her 10 years into the war between the Trojans and the Greeks the Greeks came up with a new idea they decided to build a giant wooden horse and hide their best warriors inside they then take take the horse and they leave it in front of the gates of

Troy they get into their boats and they start to sail away this leaves the Trojans to debate whether or not they should open the gates and bring the horse inside now to their credit at least there was some hesitation about opening the gates I've seen companies P put less thought into production access now Cassandra knows that this horse isn't a gift and she tries to warn her fellow Trojans not to open the gates but no one listens to her and they pull that giant horse inside their City just like the federal government bringing in Microsoft Exchange so that night while the Trojans are sleeping the Greek warriors spring out of the horse and they start

slaughtering the people of Troy to call it a disaster is a bit of an understatement and if Cassandra had been a ciso she might have said something super cring worthy like never waste a crisis while updating her slide deck to advocate for more resources further entrenching the executive team's perception that security is only a wartime investment but it wouldn't have mattered anyways because even after Troy fell no one was persuaded by Cassandra's prophecies are you starting to feel a kinship with Cassandra at all she's just like us poor cage first infos professionals destined to watch our warnings get ignored even though we know we're right yet there there's a part of Cassandra's story that's often excluded

when she's referenced in our industry and it's this she was a horribly ineffective Communicator Apollo's curse didn't change other people's abilities to learn or comprehend each other Cassandra's curse was that she couldn't write in executive summary to save her life she lacked power and authority because her prophecies were vague and opaque the accuracy of her predictions didn't matter because when she was revealing her Visions she spoke in a language that was hard for others to understand she produced a lot of communication output but not outcomes being loud doesn't necessar mean you're heard and attention is not a substitute for

persuasion so this brings us to the second important thing that I want you to remember we measure and direct the effects of to measure and direct the effects of our communication our Focus needs to be on outcomes not merely outputs all of our prophetic IC pontification doesn't matter if we're not bringing Business Leaders and operators along with us so what exactly is the difference between an output and an outcome well I'm glad you've asked outputs are simply things that we do artifacts that we make Communications that we send newsletters emails slack messages all of those things are outputs outcomes are the results the consequences of the things that we do and this is what gives meaning to those

outputs outputs that don't lead to outcomes should be deprioritized if not eliminated completely because it's outcomes that mean impact the number of communications sent is an output getting security protections into a product road map or on equal footing with other business risks at the board level those are outcomes presenting a quarterly report to the board is an output becoming a trusted advisor to the business someone they trust to make decisions Beyond security that's an outcome earning our place as a trusted adviser in business decisions requires a commitment to driving ongoing and consistent outcomes plus the discipline to divest from outputs that don't Drive these results so the two things I want you to remember today we're getting

close to this time where you can start to space out and you still got the gist of it okay so the two things are first the effectiveness of our communication is measured not by its existence but by its effects and two when we are effective communicators we drive business outcomes

all right so for those of you that need to take a break this is a good time to do that for the rest of you we're going to start talking about how do we actually put these Concepts into practice in order to influence business decisions I'm going to walk you through a basic exercise so you have something you can start working with um when you leave today thousands of years of research and scholarship in the communications discipline have created a massive amount of information luckily for you I've streamlined it into a single process for today so where do we begin we always always always start with outcomes what do you want to change or what do you want to prevent from

changing so this is this is the audience participation portion of um the presentation you don't have to stand up you don't have to wiggle I just need your your brain for a few minutes so think of a specific outcome that you want to achieve this year I don't even really care how realistic it feels to you in this moment you might realize by the time we're done with this exercise that it's actually more doable than you think so take a minute think of your outcome write it down or type it in your phone we're going to keep coming back to this so I want to make sure that that you don't forget it it's going to be our North Star for the

remainder of my remarks outcomes outcomes outcomes everyone's got outcomes okay great so now I want you to think about all of the decision makers who support you need in order to make that outcome happen and these decision makers aren't always going to be very senior people they could be but not always it depends on your outcome sometimes it's an srre or an infrastru structure engineer it could be a product manager sometimes it's legal it could be the ceso or somebody even more senior to them but no matter where you are in an organization you do have access to decision makers that can help you reach your outcome as you're thinking about the decision makers whose support you need I

also want you to think about whether or not there's anyone who's in action we might want to encourage uh someone who's likely to throw a wrench in our plan uh and we need to account for that in advance and set a goal to either reach an agreement with them or neutralize them uh before it becomes an issue there's a reason Congress often schedules votes on the days that fewer opponents are likely to attend sometimes inaction has the same effect as support as we anticipate reasons that people might not support us we can add those concerns to our Communications plan to ensure we addressed them early on a big one that comes up a lot in our

work with clients is budget both financial and in terms of human capital regardless of your proposed outcome this will likely come up with several decision makers there are some effective strategies for proactively neutralizing this concern including sharing resources and responsibilities with other teams and we'll discuss that a bit more in a minute also remember that there might be different potential paths to reach the same outcome do the decision makers change if you take a different path and how do these specific individuals change the likelihood that you will achieve your outcome this is an important factor in deciding exactly which path we're going to take for example earlier in my career I had responsibility for security privacy

and all of engineering Communications at a large company in Silicon Valley one of the challenges our security team faced was getting Engineers to fix and close security tickets it's a very common problem a lot of companies have it it simply wasn't something engineering leadership prioritized at the time and as the security Communications lead I knew that open security tickets especially the severe ones were skeletons just waiting to jump out of our closet it was only a matter of time before someone would exploit at least one of these vulnerabilities and because many of them had also been reported by security researchers through our bug Bounty program it wouldn't take a genius to figure out just how long we had been

sitting on these issues without fixing them to solve the problem of open security tickets there was an obvious path from the ciso to the CTO in order to make this a priority and I had a relationship with both of those individuals after all I led Communications for all of their organizations but I truthfully didn't have a lot of confidence in their relationship so I looked for another path that I could influence with more confidence I soon learned that our engineering ladder required requirements for Community engagement in order to be promoted to a certain level within the engineering organization it's specific Ty Al called out things like blog posts and conference talks as qualifying activities to demonstrate Community

engagement there was no requirement related to the quality or impact of those efforts they were just measuring outputs rather than outcomes and as a result nearly every engineer at the company seeking a promotion was desperate to publish a blog post or prevent a talk on something anything I saw proposals for everything from projects that were still in ideation that we truthfully had no idea how we would ever build to projects that had been deprecated and replaced years ago with better more reliable tooling sitting at the helm of both security and Engineering Communications this was an unacceptable outcome for me there were no guardrails for which projects were given public attention either in terms of technical Innovation

or even relevance and then there are all the known security issues lurking in those projects code we were sacrificing technical credibility across every engineering discipline because our competency ladder incentivized communication outputs over outcomes since I was also the head of engineering Communications I could have simply blocked all these problematic proposals for blog posts and talks especially those that didn't Advance our brand as an Innovative company and I really did send back the most egregious proposals with feedback for improvement after suggesting that they either choose an entirely different project to talk about or at the very least a less visible conference but the bigger problem was still the open security tickets associated with these proposals so I

addressed both issues with a single solution that I could control through my current and trusted relationships I asked our product security team who also covered all of application security at the time to give me readon access to their dashboard where they tracked open security tickets so I could see which projects and which Engineers had known issues that were still unresolved I did not want to draw public attention into two areas of our code that we knew were weak from then on if you wanted to publish a blog post or present a talk about a company project you had to First prove that it was in good enough condition to withstand public script scy by addressing all of

the open security tickets eventually Engineers eventually Engineers began addressing security tickets proactively to prevent me from blocking their blog post or talk proposals I couldn't Force the CTO to prioritize security issues all of the data breaches we had couldn't convince the CTO to prioritize security issues and I couldn't change the engineering ladder so I used the engineering team's existing incentives to help the security team get more bugs and vulnerabilities fixed quickly if we were going to get owned by a vulnerability in our code this is something that we all expect will happen yes I definitely didn't want it to be one that had been sitting in jera for 6 months going so now I want to go back to

the outcomes that you have all um defined for yourselves are the ultimate decision makers that you need in that path are they people that you already have a relationship with or are they people that we can develop a relationship with usually it depends on the organization it's not always going to be you know the CEO for many of us and in fact you might think of two or three other people uh who already have the influence of that decision maker that we can build a relationship with and this new list of individuals or groups uh will serve as an indirect path to those sen uh more senior decision makers until we've been able to establish a direct

relationship um for ourselves for example if you don't have a direct path uh to building a relationship with the head of engineering you might start with their direct reports or my secret weapon Chief of Staff identifying true sources of influence within your organization and not simply relying on job titles or organization charts is an important skill to develop as you advance in your career I once worked with a CEO whose number one influence was their mother and thankfully she was more than happy to be part of my influence campaign to drive security outcomes once you've identified the decision makers who sit in the path toward your outcome the next thing to do is evaluate whether your connection with

them is hot warm or cold so hot relationships are people who already trust you they can easily forgive you if you make an honest mistake and they routinely articulate that they share your goals when relationships are hot you can turn to them when you're in pinch and you can expect that they will Advocate on your behalf in rooms that you're not in warm relationships are cordial they're respectful but they still require repeated persuasion and negotiation in order to secure support cold relationships are either non-existent or perhaps they're stale and even hostile if you haven't connected with somebody before or if it's been a long time time since you've connected with them even previously hot and warm relationships can eventually

become cold and unpredictable so keeping critical relationships hot is going to be an ongoing investment for us especially if there aren't constant and organic opportunities in our workflow to force these to happen proactively working on these relationships will save you time and political Capital when you need to wield influence over a business decision so so far we have a defined and specific outcome yes everybody still remembers their outcome second we have a list of people that we need in our corner or a list of or people that we need to get out of the way to achieve that outcome right and third we now have a list of relationships that we need to nurture strengthen or perhaps even initiate in

order to influence the decision makers who are in our path and so now we're going to start developing a plan for how to do that a common tool among communication Scholars is the relationship maintenance model it covers the actions and activities that sustain fulfilling and productive relationships this is the part of the presentation that my partner thinks is hilarious because I'm going to give you all relationship advice it focuses on the Strategic behaviors that we can use intentionally to build and preserve trusted connections with others it's based on the theory that the longevity and quality of our relationships are based on whether each party perceives them as rewarding the original research behind this model was done in the early 1990s

and so since then there have been subsequent studies and the model itself has evolved a bit over time the current model includes five distinct maintenance behaviors you can think of these things as outputs generally speaking the use of these behaviors directly corresponds to the levels of commitment satisfaction liking and agreement that occur in the relationship and as I go through each one I want you to think about the relationships you have on your list the ones that we need to work on and where some of these specific behaviors might actually help strengthen those connections and increase your influence so the first maintenance Behavior we're going to cover is positivity this includes interacting with people in a

cheerful optimistic and uncritical manner it's not realistic that we're going to be this way every day all the time I'm not even this way right now as I'm presenting it to you but it's really important to remember that particularly early in the early stages of building new relationships people like to be around other people who make them feel good so the newer their relationship the more important this positivity um aspect is going to be if our business partners see us as the bearer of bad news or simply an unrelenting skeptic we're not going to be invited to many of the decision making parties our delivery of security risk assessments and our Council needs to be empathetic and

mindful of their perspective as Maya Angelou once said I've learned that people will forget what you said people will forget what you did but people will never forget how you made them

feel the next behavior is understanding and this includes things like cooperation and patience when interacting with our business partners we show that we value their input and ideas we listen carefully to understand their goals and their concerns and then we work with them to identify ways that we can help when people know that you're genuinely interested in their success they'll begin to see you as a valuable partner in problem solving don't forget to than and reward those colleagues for their cooperation as well you want to be seen as someone who can help others in their careers in my previous example when I talked about gatekeeping blog posts and conference talks every engineer who resolved their

security tickets in order to be able to participate in these um Community engagement activities every single one of them was sent an email that copied their manager and the member of the executive leadership team who they reported to to thank them for their partnership and not only representing the company publicly in showcasing the work that increased our Brand's technical credibility I also specifically called out how important it was that their partnership was reducing both security and reputation risk for the entire company those emails became coveted additions for engineering promo packages to prove that not only had they met the minimum requirements for promotion but they were driving impact above and beyond their individual role an added

benefit to this approach was that it also strengthened my relationship with every single one of those managers and El members because I was consistently communicating with them and complimenting their team as well as providing them with examples that they could reference in performance reviews the next maintenance behavior is assurance and this is insurance that you are committed to the relationship and supporting the other person proactively offering help without asking for anything in return shows that you not only care about that person but you're not really keeping score in the relationship one of the smartest moves I ever saw was a chief security officer who having just joined a new company immediately set up an introductory email

or I'm sorry an introductory meeting with the CFO just to ask what they could do to help they clicked immediately and the security leadership team eventually became invaluable to the CFO organization and that relationship paid off in Spades down the road the ongoing engagements not only developed trust between these two Executives but other Finance decision makers were exposed to a lot more security work this deepened their understanding of security risk as Financial Risk and ultimately business risk walking into a board meeting with the support of the CFO is a power play for any security leader celebrating wins is another way to show your support for business partners and reinforce incentives that keep you looped into their business

decisions whenever security has a win thank all of the cross functional teams who helped you doesn't matter how small that help was give them some ownership of the win and permission to celebrate with you when product teams ship a feature or service that you reviewed for a security assessment send them a quick note to congratulate them on the accomplishment and show them that you're happy for their success if you are their biggest cheerleader why wouldn't they include you in their process again or pick your brain about something new that they've just started thinking about imagine having all of these opportunities to influence business decisions before a lot of money and Engineering time has been put into

them the next behavior is the ability to talk about the relationship you need to be able to talk about the nature and the expectations of your relationship with these Partners seek common ground with business partners when discussing your relationship expectations focusing on areas where you align to that you can build a strong and positive working relationship being able to talk about the state of your relationships is also important not only to ensure that you're both on the same page but also so that you have an accurate understanding of the current state of the relationship if this was a previously hot relationship and it's slipping down in temperature you want to know that as quickly as

possible talking about your expectations with the other person also allows both of you to align your go goals and values and Foster a stronger connection these keeping these relationships hot means that they'll be ready when you need them it also helps prevent misunderstandings and conflicts down the road especially if they already know that you support them and their goals lastly share tasks and responsibilities set up regular cross functional meeting me to discuss ongoing projects and identify areas where collaboration is important this open communication between security and business partners helps you align and ensure that everyone is aware of each other's workload and your priorities it also gives you a regularly scheduled opportunity to demonstrate all

of these maintenance behaviors positivity understanding assurance and commitment to their relationship if you only engage with people every once in a while you're not going to have enough touch points with them to build the type of relationship that you need at the moment that you want to wield influence so also look for ways to share tooling resources and goals if there's an opportunity to get a security outcome through an existing priority on somebody else's road map propose collaborating and then contribute to help not only to decrease their workload but to create more opportunities to celebrate achievements together strengthening trust and influence for your outcomes when I worked inhouse my role leading security Communications was always created by the chief security

officer using their resources even though I reported into corporate Communications at every company where I worked the CSO recognized that they needed a partner in the corporate Communications team who understood their team and their work and could amplify their voice across the company very few corporate Communications teams will dedicate headcount solely to security so the CSO paid for my role while insuring that I reported into a team with the authority to speak on behalf of the company regarding security topics all right so we have now been through all five behaviors I want you to think about your outcome again think about the decision makers in your path and the relationships you need to influence their

decisions could any of these relationships benefit from those five deliberate and strategic behaviors can you envision a path where you become a trusted adviser and thought partner to these decision makers essentially expanding your influence across the business we need each of these behaviors in order to achieve our outcomes My outcome for Security Professionals is for all of you to be seen and trusted as the valuable business partners that you are these five maintenance behaviors are the outputs we need to commit to in order to achieve that outcome it's time to lift our curse and fill our roles with influence so thank you for your attention I've ended early so that we have time for questions in case anybody

has

any we don't have a mic so I'm going to speak overly loud to hope the room can hear it

this is better in this way I don't feel like I'm shouting at you I appreciate that yeah I'm thank you for the mic um so I'm a security control assessor and I report to an authorizing official and I have a wonderful relationship with them I have one particular program right now that has people up and above me and up and above even him and their way of working forward is bullying and they have decided because I actually want them to follow the rules that they're going to bully and push their way through and we're talking people who are really high up so they can even squash my authorizing official these people have no interest in getting along with

me they just want what they want and they're trying to bully their way through it it doesn't exactly incentivize me to be the wonderful Communications professional I strive to be and by the way I loved your talk I agree with everything you said but have you got any suggestions on how to deal with that kind of situation cuz that could really help me yeah it's a really good question and it's one that comes up a lot because bullying behaviors tend to stem from um like insecurities uh so if it were me and I want to be really honest I don't know your organization the ins and outs so I'm going to give you General um

advice so if if I'm looking at somebody who I suspect perhaps has an insecurity and is treating me a certain way because they are afraid of something happening or they're they're afraid of losing something they're afraid of losing position maybe influence they're afraid people are going to figure out that they're really incompetent like all of these things tend to inspire those bullying behaviors so instead of pushing my way through what I'm going to look for is points of friction that they're having where perhaps can I do something to reduce the fear that they're experiencing that is inspiring this bullying Behavior so if there's a way to to diagnose why are they bullying in this particular area

what is it they're afraid of can I do something to reduce that fear for them so that the insecurity is not as strong and they don't have the same strength of motivation to try to overcompensate for that did that make sense it does I'm not sure how applicable it is in this particular situation but I'm sure it's useful and I'll be able to use it as good advice elsewhere do you have any relationships with the people who do influence that other team I know you said they're pretty senior but do you have a path at all towards people who are even I they could be people who are even more senior or just people who have

their ear right honestly as a contractor working for the dod no I don't have a way to include this sces level two okay like yeah I don't have tou with those people I I still think that there's probably some level of insecurity um that's driving their behavior um I know as a contractor you're going to have limited access limited visibility but if there's something you can do maybe in another area where you work with them where you can be a valuable partner build the relationship through that project it could perhaps have a halo effect in the other projects you're working on yeah no microphone [Music]

okay so this is very enjoyable after 4 years being in this field and watch that uh the immaturity of management to be able to start helping us adopt so that we can provide um both evidence and capabilities to them I find it really interesting because you seem to be right now at like the the fourth level of of this particular process I mean I've I've seen companies literally say we're not going to pay for the malware malware uh virus uh signature because we can't afford it this year because the executives need an additional blah blah blah it took down Communications and several other networks for a week and uh because the FCC and such FTC had no actual

discussions about it they said oh yeah it was just like really bad rain it was a storm that that made all this happen so um that's it's really interesting to hear this particular conversations I've attempted to go through this particular process just ask questions I don't know please teach me um so thank you it's been fun yeah you're welcome was there a question no okay I just want to say that I just wanted to make sure I didn't miss it yeah so so one of the one of the ideas I slipped it in quickly which was maybe you can actually identify the maturity of both the security and the management because there's always a mismatch like

in the contractor domain um to actually Define the maturity of those to actually find out what are the other holes are yeah so I think there's there are very few Executives that I have ever worked with who are in it for anybody other than themselves oh yeah um some of them are not even doing what's best for the company right it's very individualistic at senior levels of large companies at least the ones that I've worked with um and so I'm often looking for what is the thing that makes particular people tick you know for example I talked about a CEO where I was like if I have to call your mom to get you to do

this thing that's what I'm going to do right um and so I think I think we perhaps need to lower our expectations a bit in terms of what why management will do certain things I don't actually need to convert them to the gospel I just need to get them in the church right um and so it it to me it doesn't necessarily matter if management actually gets security would be great it would make things easier but I'm trying to get to an outcome and I'm going to make that outcome happen however I need to even if it's not their idea and even if they're doing it just so they can get a bonus of some

kind thank you I was going

to hello good morning um so I work as a forensic analyst for ecover in general a lot of sorry forensic analyst okay um so in general uh what is your advice for someone who's in a technical world like me trying to connect with people who are in more general or non infosec field oriented positions that wouldn't necessarily or rather would have more of a friction Point um just on trying to connect um I find that in this field specifically there's a lot of a disconnect between Technical and non-technical positions um specifically like a lot of infrastructure people hearing the word GRC and uh dying inside um and and just what in general is your advice

for people who are in more technical more in the weeds uh positions connecting with more generalistic or people outside of our field yeah it's a great question um so if we go back to starting with with outcomes right what are those people are in your path for a reason right um because either they're a decision maker maybe they're contributor or collaborator in order to get to where we need where we're trying to go um so it's important to keep in mind the fact that you're reaching out to them and engaging for a reason right this isn't like totally out of the blue randomly just planting seeds wherever we can find ground right um and most people like to

talk about themselves it's a it's a stereotype it's a generalization but generally speaking people like when you ask about them so if you reach out to somebody who's in your path set up some time to talk to them get to know them and you can even be you know very honest and transparent and say look I think our paths are going to keep Crossing because we're working on these things together I would like to get to know you better I would like to understand what your goals are what your priorities are because there may become a time where I need to ask you for help and I want you to know that I'm also willing to help you so let's figure out

how we can support each other thank you [Music] yep thank you hello thank you Melanie uh my name is David I work in a large Enterprise that's very decentralized think Law Firm consulting company where it's very practice-based um and I work in a GRC function uh which is more or less centralized and I what I heard you say in the presentation was that you have to get things done in security through building relationships building processes um uh and also just navigating the structure in which you inhabit um I imagine that gets uh exponentially more difficult as you work in a in an Enterprise or Matrix environment versus like a you know small or Med size company do you have any have

you seen any success uh or what types of attributes have you seen uh work when you're working in those kinds of environments as opposed to smaller organizations sure so at least in my experience and I'll just be really candid most of my experience comes from like engineering heavy organizations um and so these are the types of people who hate all process who think any type of checklist is a red tape right um they're wrong but uh you know that's usually the friction that I'm up against this perception that I'm trying to introduce bureaucracy to their creative process right um and and so I'm looking for what are the incentives that already exist in their culture in their organization how

can I you know leverage things that they've already accepted how can I use that for the outcomes that I need right so when I talked about like the blog post example like it took me years to convince senior leadership and Engineering that putting something in their lad that I could single-handedly block from happening was not fair to any of the engineers but it took me years to get to that point I wasn't just going to sit around and let security tickets just like run them muck in the meantime so I looked at their existing incentive structure I was like okay they care a lot about their 15 minutes of fame where can I insert myself in that existing process so that

they get what they want and so do

I any other questions

there's hi oops sorry um so you mentioned that um we should be nurturing our relationships to keep those relationships in the hot um phase if we're if I'm going to do that I have to somehow like do it consciously um and I'm going to have to add it and it would help me like aign a metric to it like what percentage of time does it take to do that approximately yeah I mean it's going to depend on the specific relationship right and the the status of it and how much work we need to put into each one I think all of us understand that there are some people we work with where the relationship is a lot easier than other

people for various reasons sometimes we're just not as compatible with everybody else um and so I'll tell you even for myself I have reminders on my calendar sometimes of every two weeks I need to reach out to this person ask how they're doing ask how things are going because this is a relationship that's really important to me and I'm insanely busy and need to make sure this relationship doesn't freeze on me because I need it to be there because even if I only use it once in a while it's for like big ticket issues right so I think we just we need to be more deliberate and like you said more conscious of the fact that we have to

make these Investments we have lived our whole lives communicating and interacting with people in a very organic way that doesn't necessarily translate into professional environments where we're essentially like Trading favors and building political Capital as we go right that's not how I operate with my family um and so I think it's okay to find those those reminders and those tools that will work for you personally depending on the people that that you're trying to maintain those relationships with and it it's okay if it feels a little bit forced at first the more often we do these behaviors the more routine they will feel great thank you any other questions great well thank you for coming enjoy the last day of the con