
Really, that introduction gave it away. It's all right. Can you hear me okay? Yeah? Okay, great. My name is Dick Jento. I'm the Chief Information Security Officer at William Jewell College, and also a professor of practice in our new cybersecurity major that we're launching this fall. It is a pleasure and an honor to be able to have some of my friends and colleagues from the industry here to talk to you today about insider threat. You can see my background up there; I don't need to get into it too much, but we also have some really impressive folks here as well. So I'll start first with Josh Jaffy. He's the current CISO at Scout Motors, which is an EV startup under Volkswagen. Twenty-plus-year career in government, private sector, nonprofit work as well; you can take all that in on the slide. Dr. Stacy Faer is with us. She has a PhD in cyberpsychology. She is currently the chief strategy officer at Hilltop Technologies, which is a new cyber startup that was just launched at William Jewell College so that students in our degree programs have opportunities to work in a real cyber startup, and she's a professor of cyberpsychology at William Jewell as well. Next we have Willis McDonald, who owns his own company; he is also working insider threat issues at Chainalysis, which is one of the more premier, preeminent blockchain intelligence companies in the world. And then we have Gal Shpantzer, who is the owner and founder of Security Outliers and has done cybersecurity work for 20-plus years in Fortune 50 companies, higher education, nonprofits, all the things, right? All the things. Okay, so I'm really excited to have their expertise here.

Drawing on my own experience working insider threat events at Uber and Tesla and other companies, and also coming from my background as a CIA operations officer, where it was my job to break into other entities, foreign adversaries, and steal their secrets, I take a bit of a mentality or an approach of thinking about how the bad guys think, because I was the bad guy. So my approach to insider threat has really been to think about vulnerabilities and gaps and problems and challenges. As a former operations officer, it was my job to identify individuals with access to foreign intelligence and identify things that were bothering them about their jobs or their lives, things that I could use to develop a relationship with them and get them to the point where, using either that disgruntlement or that frustration or that ideological belief, they would be willing to share classified secrets with me as a representative of the US government. What that taught me was that it's not just governments that have these types of problems and things to protect. This is a people issue. Insider threat is just as much about protecting our technical boundaries and perimeters with good tech, firewalls and all kinds of vulnerability management, but it's also a people-centric challenge. So we've assembled this panel today to talk about that people aspect of insider threat and insider trust.

I'm going to start with Dr. Faer and ask: fundamentally, why do employees become disgruntled, really to the point where they are willing to engage in such an act, and how do you spot that, perhaps
in time to prevent that from becoming a security incident?

I think there are a couple of things. Can you hear me okay? So, from the basics, first off is good hiring practices, because I strongly believe it is a people issue. A lot of people say to me, oh, I hire for the person and the culture, not just technical capabilities, and I know that's hard because you have technical needs, but to what degree are those technical needs where you're willing to compromise to hire somebody that, you know, might have a bit of a chip on their shoulder or might have the potential to not get along with your team? And so that's just from the get-go. Now, if you've already hired these people and they come in and they're happy and they're glad to be there, what starts to happen is lines start to get divided and they stop experiencing what's called psychological safety and don't feel valued. I think the scariest thing is somebody who does not feel they have a voice but has something very loud to say. If they are ignored and they start to feel small, they start to feel like they don't matter, and a lot of times that retaliation comes out sideways. When you're unhappy, it comes out one way or another; you're human, you have those emotions, and it could be a typical response like, oops, I snapped at my partner or a friend, or, you know, I'm eating my emotions, as in my talk this morning, right? And if it builds up over time, enough resentment can build up: the company doesn't care about me, I don't care about them, they hurt me, I'll hurt them. Depending on the person, it can get very retaliatory. That's really where things start to happen: when somebody feels like they're not valued, heard or cared for, they're going to return that.

I think that's great insight, and it speaks to a recent situation. I'll use the Cash App example, where their lack of a coherent, documented termination policy led a
former employee who was upset or disgruntled about being dismissed from the company to download and leak information after they had already exited the company, because they didn't have the appropriate controls in place to prevent a former employee from accessing systems. That led to a class action lawsuit which cost the company $15 million, and 8.2 million people's financial information was exposed in the process. So, Josh, I'll ask you: how do you assess the level of technical safeguards that you should employ, and how do you keep those tools from getting to the point where they're triggering employees' concerns about privacy or trust?

Yeah, it's a great question. I think one of the things that's most important is to think about this issue from the perspective of, not messing with leadership or authority or accountability for the control structure, but just from the perspective of how you interpret it when there are controls or boundaries around some aspect of your life, something you care about. Do you think about that as, there are guardrails on the side of the road, there are lines in the middle of the road, and the intention is to help keep me in a place where I'm more likely to be safe and not likely to become the victim of some bad accident? Or do you think about that as, they don't trust me, they don't trust me, I don't need lines to show me where I should be driving? Right, silly example, but you sort of get the notion that at the end of the day there are boundaries put around almost everything we do. We naturally accept them; sometimes it feels invasive, right? It feels like somebody is inserting themselves, their opinions, their values, their judgments, somewhere into your life, and, you know, I'm a mature, responsible adult, I have my own value system, I can make those judgments for myself. But I think one of the things that's important to do from the perspective of an organization, if you're in the position of a CISO or a technology leader where you're responsible for the technology controls you're putting in place in a company, is to make sure that those are consistent with the company's values. At the end of the day, you shouldn't have values that say, you know, we trust our employees, we value their work, but we're going to spy on you, we're going to be managing a whole range of controls that are going to be reporting back everything you do, everywhere you go, every file you access. You shouldn't do that unless you've established a predicate for it which explains to the organization why those things are mutually reinforcing or valuable or important for the commitment to trust that you have with your employees.

So one of the ways we talk about this: I work for a car company, it's a division of Volkswagen, it's remaking a series of, some of you might remember, the old International Harvester Scout, remaking a series of old trucks as new, modern electric vehicles. The most important and most secret thing we have right now is about to be, in a couple of months, the most public thing we have: the cars and trucks we're going to launch. Right now nobody knows what they
look like. As soon as we launch them, everyone's going to know what they look like, right? But right now that's the most sensitive thing we have. So we've got a whole bunch of designers, most of our team, most of our engineers, building the concept for the Scout; they're working on that every day. We're trusting them, we're empowering them with the most valuable asset we have in this company. But we're also not just empowering the one person who might be having a one-to-one conversation about why it's important. They're working in an ecosystem, a community, where all of their hard work, their life's work, the thing they're pouring their time, their energy, their 12-hour days into is also the same thing they have to trust somebody else with, because they're working on it too. And they're working with contractors, third parties, consultants; there are people who are coming in cleaning the building who are going to walk by and see stuff, maybe on someone's monitor screen. So there's a whole bunch of stuff that we are mutually empowering each other, trusting each other, to work on, and that's a thing that has tremendous value to our organization. So you build this notion of: I'm empowering you to do this work, I'm trusting you with the most sensitive, the most important stuff, and also, because we all have to trust each other, there's going to be a culture of mutual accountability, similar to the speed limits and the guardrails we were talking about. The technology, to answer your question, reinforces those values; it doesn't oppose them, right? So the idea is that technology should be a mirror of values, and those values should probably be consistent with the corporate values; they should be part of the way you think about bringing people on, the way that you work.

Sure. And it also, I think, highlights that communication and expectation management are really important, so that employees and their colleagues understand why we have these things there for protection. I think that's a correct approach; it makes a lot of sense
to me. So when I look at the statistics, Verizon puts out a really good report annually on insider threat. Comparing their 2023 report to 2018: in 2018, 53% of organizations had 21 to 40 insider threat incidents a year; now, in 2023, that's up to 71%. So something is not really working, or not working as well as it should be. So I ask Gal: what's the ideal type of structure and governance for an insider threat program, from your experience?

The first thing to know is that we have amazing, almost omniscient technical capabilities to see what's going on out there on laptops: the websites you talk to, the data access you have when you talk to those websites or internal servers, all that stuff. Some companies go straight to very intrusive things like full screen recording, keystroke logging, and obviously those are generally above and beyond the normal monitoring; it's considered to be a little bit intrusive. Transparency and understanding: it has to make sense in terms of, is this something that we want to do, do we want to collect this data, and how does it relate to which type of risk is involved? Are they working on intellectual property or super sensitive projects, or is it someone that is managing life? So there are levels of risk. But the main thing is, with all the technology that we have to be able to create an evidence trail to support a legal, moral investigation, we have to make sure that we do have legal, moral investigations, and that the people who are creating these data trails are accessing them in a way that makes sense, that you could justify to the front page of the Wall Street Journal or the New York Times, and also to opposing counsel and a jury. Because if someone is getting investigated with this massive trail of data that was being compiled on their activities as a worker, but it appears that you're picking on them for some reason and creating a case that you're hanging on them because you just want to get rid of them, because they don't do things that they don't want to do and really shouldn't be doing as an employee, then that's going to be something that comes back to bite you: your reputation, your community, your reputation as a company in the market. So we want to have the general counsel involved, we want to have HR involved, in some cases law enforcement if there's a crime involved; certainly if there's child pornography, that's an offense to touch that stuff, you have to call. Unfortunately it's probably one of the worst ones. But you really have to understand that the time to create procedures and policies and relevant instrumentation, and access to the data trail that you create with that instrumentation, is not when someone is discovered to have done things or is leaking secrets, but beforehand. So do a tabletop with something from the news and understand that there are layer-eight governance controls involved that are as important, maybe more so, than the technical evidence that you can create with all the instrumentation that's possible. So there are some good stories to share later, but that's, I think, a big part of it. It's not a technical issue.

Yeah, real quickly to follow up on that: the thing that I hate the most, that always scares me the most wherever I am in my career as a security leader, is when I get a request that makes all the sense in the world:
can you look into this person, this thing, this happened? And there's no grounding in procedures or in a governance structure for how we're allowed to do that. So we've got tools, we can do it; we have procedures for how we investigate outside-in bad-guy activity. But somebody did something, they're accused of something internally in the company, somebody walked by something suspicious and they go ask one of my people, hey, can you look into this for me? All of a sudden we're changing that internal contract with the organization for what the team's responsible for, what we're accountable for. And maybe it does go somewhere, maybe someone gets called as a witness, and then all of a sudden you're in the situation where, where's the procedure, where's the governance structure that justifies that action? And people who have only the best intentions end up finding themselves stuck between two really hard places.

Exactly right, absolutely. The time to build those procedures and those governance structures is what this is about. It's kind of like the equivalent of, you know, hack my ex's Facebook. You don't want to be that; just because you can doesn't necessarily mean you should, and that it's legal and moral, right? So there's technology and there's people and there's process, and the process is really where I think the moral and legal issues come up the most, because everybody can build all the tech they want, basically corporate spyware. Microsoft Purview, for example, is enterprise spyware for deploying around your network; we see a lot of things you probably don't want to see, and we want you to see them. So even turning on those features usually requires some nexus of, okay, they've reached a threshold of evidence that implies either malice or being exploited by a third party, and we need to gather some evidence to figure out what's actually going on here.

Please use those tools responsibly and appropriately, and with the approval of your information security team. That's what he also meant to say.

Yes, absolutely, absolutely. All right, so I'll throw a little bit more insight in here,
because these incidents, despite the amount of technical security controls we have and policies and whatever, when it comes to insider threat they're among the more difficult issues or incidents to investigate. On average it takes 91 days for a company to identify insider threat activity going on within its own walls, its own firewalls. That's crazy if you think about it: what if you had someone like Sandworm inside your network for three months, what could they possibly do? You have an insider threat working for three months against you in some form or fashion; that's pretty troubling, and it's why typically these events lead to such high cost for companies, $6.5 million on average per incident when they occur. So I'm going to ask Willis, who has had a lot of experience forensically investigating these types of things, going back to working at the FBI and Fort and, you know, Chainalysis and various other places. You've seen a lot of these types of things, right, despite a lot of technical security controls. So how often, in your experience, are insider threat issues that you investigate actually tied to a malicious act, and what are some of the commonalities that you see in the type of persona, personality or individual that typically is engaged in this type of activity?

Yeah, so I would say somewhere around 75% of the investigations I do tend to lean towards someone who's actually doing something malicious. They're doing something on purpose, they have a reason behind it, they have some sort of grudge. The other 25% are someone who did something wrong: they leaked information, they didn't know that they were actually leaking information, and that's where some of these other tools that are a little bit more intrusive help them make those decisions. But when you're looking at someone who has malicious intent, they know what they're doing. They are very disgruntled, very angry with the company for any number of reasons, but primarily it comes down to issues that started out small. Maybe at some point they got passed over for a promotion because for some reason the company wasn't doing as well, but to them that was personal; it wasn't that the company just wasn't doing well and couldn't afford that promotion. These are things that come up in HR, these are things that come up to managers and other employees, and so those types of issues tend to snowball. From being passed over for a promotion it becomes, okay, well, I'm not going to show up for team meetings; we talked a bit earlier about, I'm not going to turn on my camera anymore even though I've always been doing this. These sort of mild passive-aggressive issues come up. And so what usually breaks down, where these snowball into a larger insider threat, where they actually make the choice to do something malicious, is just communication: between the employee and their manager and everyone involved. So, talking about silos, you've got silos between HR and security, you've got silos between security and maybe physical security, and a lot of times those communication channels take the most time in an investigation, going back and bringing down some of the silos to get all the information in order to figure out, yeah, this one was malicious and we should have seen this but didn't because nobody was talking to each other. But those sort of activities are things that come up
commonly: very common behavior. They vocalized an issue at some point and felt like their opinion didn't matter, whereas if someone had talked about it and addressed it and made them feel valued, it would never have snowballed into an issue.

Yeah, so talking about something: I would urge you to research this term called the critical path or the critical pathway. Carnegie Mellon does a lot of good work on insider threat, and they talk about this in their publications, and really this gets a lot into Dr. Faer's wheelhouse, because the critical pathway they're talking about is where an individual has those types of, there's just something going on in their environment, either in their personal life, a financial situation, could be a mental health issue, could be a relationship issue, that just kind of leaves them predisposed to be frustrated by things that go on, and they internalize that, like he said, taking it personally. As they move down that pathway there are usually indicators; Willis even gave us some examples of not showing up to meetings or not having their camera on. Those are things that, as colleagues, not even as managers or supervisors, just as colleagues, we can recognize in our coworker and say, hey, are you doing okay? Research has shown that that question, asked at the right time of the person who needs that type of outreach, can actually stop someone from moving down the pathway. It's just sort of like being a good colleague or a good human and caring enough to say, you know, something doesn't seem right, are you doing all right, is there anything I can do to help you? Because companies typically have a lot of resources, but it's really hard for that person sometimes to see the forest through the trees and realize that maybe they need to reach out for some employee assistance, and usually those are there for them. So those sorts of indicators are observable, but in the critical pathway you get to a point of a triggering event, and that triggering event is usually what sets off that explosion, and that's where you actually see the activity. Then we know statistically that most employees will exfiltrate the most information out of a company within the last two weeks of their employment. So typically they make up their mind to do this, and it's in that last two weeks where they actually do something that is significant.

So I'll actually touch on something that Gal said, which is, you know, companies that implement insider threat working groups are the companies that recognize those silos have to be broken down, and you have to do it before the incidents occur, because chances are they've actually already occurred, you just didn't even know it until you set up a formalized program structured to deal with that. Insider threat working groups bring in experts from HR and legal, as he mentioned, security, infosec, physical security; there are a number of different participants. Bringing those groups together is how you get ahead of these challenges, and you also talk about not just how to handle an incident but how to prevent incidents: what does employee training look like, what does culture development look like, what does engagement look like, how do we coach our leadership on what's a good culture? So I'm going to throw this over to Dr. Faer: what does a good culture look like in order to optimize a company's ability to get the most out of its employees
without leading to these situations?

So first off, what I always encourage is: what is the pathway? Now, not every manager is a people person, right, or feels comfortable saying, hey, are you doing okay? And we don't want to create a culture of distrust with our peers, like, okay, Josh was acting a little shady yesterday, I think maybe you want to talk to him. We don't want to get into being suspicious of each other. But you do want to think, okay, if somebody was unhappy, if somebody did have to vent, express themselves, where would they go to do it? Is it the water cooler? Ooh, that's a slippery slope. Is HR available? And I know HR is complicated, and a lot of times they're there for the company and to protect the company, and not everybody has that person that's actually there who goes around and uses their instinct to look at the culture. But that role, whoever that person is, whether that's what they were hired for or not: if somebody was unhappy, where would they go? Do you have the kind of relationship with your staff that you're the person, you have that open door policy? And if you think you have that open door policy, confirm it. You should know: if you manage somebody, you should know, or at least have some kind of gauge on, their patterns of behavior. We spend so much time analyzing security, trying to figure out what's going on in the data; people are data too, and people are predictable, they can be profiled. If somebody who's previously been outgoing is suddenly very quiet, or they come to you many times complaining about something and it's ignored... people just want to be seen. I think people inherently understand that the problems can't always be solved, right? So my talk was about what you can control and can't control. How much budget you have to work with is maybe hard to control, but if you can explain, have that transparency of, okay, team, this is what we're working with. It's psychological safety, level of engagement, and what is the path to get to those, so that somebody does not feel unheard or unvalued, or where they're just left with really the only recourse being, as I said earlier, to retaliate. So I always encourage managers who think the only thing that matters is technical skills and I can work around personalities: can you? Should you is actually the better question. Maybe you can, but should you? Because people feed off each other, and you want to create that culture of trust, and if you aren't
giving trust, are you communicating a lack of trust and a lack of empowerment? So the more awareness that you have of yourself, your strengths, your weaknesses, the team around you and your resources, the better. If you're, okay, I have an open door policy, but someone comes to me and they're really mad and I don't know what to do, that's not my emotional wheelhouse: don't try to stretch beyond what you're comfortable with. You don't have to be the counselor if somebody has a family problem that they're dealing with, but don't just leave them feeling like they're not heard or they don't matter. Say somebody comes to you and says, I'm going through a divorce, blank stare, I need more money to take care of my kids, etc., etc. Okay, what do I do? Would you know what to do? And if the answer is, you know, as a manager I wouldn't know what to do, find the answer, find resources, even if you have just the resources of, okay, here's your hotline to call; not quite that, but how can you make people feel valued?

Yeah, so I'm going to take what you just articulated and ask Josh, because you've had to implement security policies and programs before, and you sort of talked about technical guardrails, that you have to be open and communicative about it so everybody understands. But I think organizations sometimes get into a space of implementing security more with fear and the repercussions of bad actions, and, you know, the challenge is employees don't have the freedom to fail, essentially, right? And it creates pressure, not just toward, you know, maliciousness, but also just, I can't make a mistake. So how do you think organizations need to approach this fear versus trust boundary?

Yeah, so ideally you build a culture where people aren't afraid of failing and they're not afraid of the controls. There might be things that... fears are a real emotion, there are going to be things to be fearful of in life and certainly in your professional life.
Spiders. Spiders. Thanks.
No, trust is a much more powerful motivator, I think. If you're motivating people on the basis of fear, you're never going to have as much of an effect; no matter how effective your controls are, they're not going to be as effective as a strong culture. The truth is you need both, right? I mean, at the end of the day, it would be naive to think you could have a security program based entirely on trust and transparency, but I think some of the things you do to enhance those are that you are honestly transparent with people about what you can tell them about what you're doing, why you're doing it, why we have these controls, what they're intended for. They're not intended because we distrust our employees and are looking for the worst 10%, the 10% who are the lowest performers or whatever you call that, to keep moving them out of the company. They're there to protect you and your work, the intellectual property, your personal information. Also, where possible, you align that with a sense of showing a little bit behind the curtain: show them how you use that, right? Not so much compromising any actual investigation or any actual people's stories, but demystify it, right, because not everyone's going to draw the right inferences initially. When you do that, when you have this trust, I think you can actually do much more of what could potentially be invasive things, technically, and instead of having the consequence of people distrusting you, it's actually going to deepen their sense of trust, because you're doing more and you're taking them behind the show, trusting them to think about how it works and making them a part of it. They see themselves in it, and when they see themselves in it they trust it more.

I think it's actually even more important now, in this sort of post-COVID work environment that we're in. We talk a lot about the ways people get affirmation or get value from their work. You used to run into people all the time in the hall and someone would say, hey, I love that thing you did, or I saw that, that was really cool, or that was a great talk you gave, or they might ask you a question and say, you know, what are you working on, and you might tell them, and they say that's great, that's really exciting. Now we kind of get all of that information, that value, from: did I get a raise or not, did I get promoted or not, did my project pass project review, stage, phase, whatever's going on. And all those other little affirmational things, those get lost, those are gone, those don't really happen unless you make them happen. And some things that were obvious to us in terms of corporate values, just the way we engage with each other, the respect we show each other, we look someone in the eye, or your boss may just walk into your office and say, hey, what's going on today, how's it working? Or someone in a team meeting might just say, hey, you look a little down today, what's up, how can I help? Those things used to happen just naturally, and now they don't happen naturally; you have to kind of force them. You have to say, these are my values, these are the values on our team; you have to say them out loud. Maybe, right, balance: you have to constantly affirm, right? Yeah, you have to look for a way, almost in a way that sounds silly, so, okay, I like that thing you did, right? It seems kind of awkward, but it's necessary to make up for some of the things that are otherwise missing. And if you don't, then you end up, I think, in a situation where the amount of opportunities you have for affirmation, for trust building, those are really reduced, and it's very easy for people to draw the conclusion that my work's not valued, I'm not valued, and if I'm not valued, to be a bit of a narcissist, maybe I shouldn't work this hard. So there are changes happening that we are not really aware of.

But yeah, I just want to reinforce that, for your peers, for your managers
well last time if you believe it by way but um you know you told your manager hey thanks you know I appreciate you or here I appreciate what you did a recognition I think sometimes we think it but we don't necessarily say it or your point there's a a hand HR slack channel of recognition you put do some software and it shows up in front of everybody and it's always like the same two people that are posting in it and it doesn't feel as natural as it did as you're walking down the hallway and and saying like hey by the way you're than I really appreciate it and I'm a huge fan of remote work I actually think it makes
people more productive and independent but we do have to to make sure that people aren't on an island where they don't feel
valid speak up a little bit more U but in other words you know if you think it if you if you feel it tell the person mean you maybe feel shy may feel awkward okay this is completely out a left field but more often than not you're actually creating that healthy culture because there by Nature there's going to be a toxicity factor to it and you're helping combat that with positivity if my sunshines in Rainbow for you but uh I think all use that well it's in personal skills right and and utilizing those effectively and also just genuinely showing care and concern I've this has been hammer in to my sort of Journey is in leadership over and over is not to
underestimate value of a handwritten note for someone which is really crazy to think it's so simple uh and it just shows one you took the time to do if you were intentional you um and and you were specific about something I say hey great job appreciate you have a nice day but hey thank you for that thing you did uh being very specific and intentional uh I found has actually gone a long way to to demonstrate appreciation to folks so we we are spending a lot of time talking about kind of that culture which is exactly what we wanted to do here I think we also to do justice to this entire topic have to recognize that a
lot of challenges from an insider threat perspective are also not malicious. They're unwitting, or they're mistakes. And so, what's the optimized sort of way, from a training and awareness perspective, to help us think through ways to prevent those types of things?

So everybody should know that if you have a position inside of a firm or an agency, a nonprofit, a school, whatever it is, you have access to things that people outside that organization don't have, and they want what you have, and they want what you have directly or they want what you have indirectly. So if you have the ability to move a lot of bits, maybe you're an admin on some technical platform, back end, certainly a domain controller person who's in charge of those things, admin. That's the end goal of a lot of hacks, and interestingly, a lot of the things that look like insider threat, once they start living off the land and get out of the malware environment, are just abusing credentials that belong to a powerful insider. Similarly, if you're moving a lot of money, if you are someone who works for accounts payable and you get an email saying, hey, my payment information changed to this new bank account, here's the invoice that you owe me from this month. So understand what it is that you have access to, directly and indirectly, because of your passwords or whatever is sitting on your computer, and your brain, understanding processes. They can put together, via some analysis, a very powerful way to get at the end game, which is what they want: they want data, they want money, they want to lock up your systems, which then forces us to give them more money, etc. So we need to understand, what is my position here, and why would someone be interested in me or the role that I represent, to be able to get to some impact on the company?

And you heard earlier today, we talked about deepfakes, understanding how people come at you: phishing, texts, email, approaches in person. They're a little bit out of fashion because everybody's on the tubes all the time, but that still happens, right? You're an expert at eliciting information in person. There are people who really know how to do that. Are you being spotted and assessed? If someone is asking for information, you'll never see that person again. They're going to call someone who will come and get your stuff, because you've been put on a target list. So understand the whole chain of events, the life cycle of targeting you as a part of a larger chain of events, and be able to understand that, and be able to know, if you're a CISO of an organization or you're in charge of a lot of people who move a lot of money or move a lot of bits, make sure that they know how they're going to get targeted, who's going to come at them, and who to report to, what elements of information they should include in a report like that, so that someone on the back end is doing the analysis of, oh, you've been spotted and assessed, someone's going to come after you, probably in this way, because of X, Y, the information you have access to.

I think people really need to understand, you mentioned earlier, people are in a position of trust even if they don't necessarily know it. I'm not some big shot at this company, but they have access to information, or access that would unlock a lot of other information downstream. So moving bits, moving money, being able to make statements on behalf of a public company, being the person in charge of releasing SEC-facing information, reports, before that happens, before it's time to release that report, that's very secret, market-moving information. People are after that information. It's like people want the images of new cars before they get publicized. It's the flip side of building trust. Being, I trust you, good, someone trusts me, now you are in a position of trust, right? In that position of trust, just like a CFO, just like a general counsel, anybody else in the organization, now that comes with responsibilities too. Those responsibilities come with procedures, good goals, governance obligations, to ensure that position of trust and the other people who are part of it. And don't delay reporting, even if you think you're going to get in trouble. I've been in a lot of organizations where getting compromised is accepted, because we're all being targeted for whatever reason, usually money or data, or both together. But not reporting that you are overtly compromised in some way, or have been approached and asked for cooperation, that could be looked at as very suspicious, and on the borderline of malicious intent. So you need to report that stuff very quickly to the right people, so they can put the puzzle pieces together and figure out what phase we are in,
who's coming after us. One of the companies that I worked for in the past, we had a lot of intellectual property and scientists, and people were traveling overseas quite a bit. We had to put together a training to help them understand what a potential approach would look like that could compromise them. So we titled the training "No, You're Not That Attractive."

So I'll add one more thing. Yeah, I think we actually mentioned this while we were talking earlier, but the other thing is also labeling your data, so that when it comes time to realize what's moving out of your environment, you've already labeled it and you know what's the most important thing, and you know what you don't really need to look at or worry about, before it's the time when you're in a crunch and you do have reporting requirements and you start missing things, or you start wasting your time looking at data that, you know, it's public data, nobody cares about, because a lot of times your investigator doesn't know exactly what's important to you. And so if it's labeled, it makes it very easy to start putting things together as to what happened, what failed, as well as possibly who's responsible.

To reinforce that, you have a tool, you know, you use the Microsoft E5 suite or you have something else you're using for classifying. The last thing you have to do before you close it, you have to remind yourself, oh, this is confidential, I had to press confidential so I can save it, I'll classify it so I can actually close it. So the last thing you remember was, this was a confidential document, this is a confidential position. I've participated in a lot of internal investigations where the company was really upset when something was taken, and one of the first things the FBI will ask you when you report the incident is what information security controls you have around the information. If you as a company didn't invest enough to protect the information, then why would anybody have a reasonable expectation that that information was super important or confidential? So it really does have to start with you defining what's important first, before you can even expect to get help in the event that something does go out the door.

We've covered a lot of really good insights and information. I appreciate everybody up here so much. We want to have some opportunity and time for anyone to ask questions, because you've got some high horsepower up here and a lot of great experience, so I'd love for you to take the opportunity if you have questions. Sir?

What's your
definition of whistleblower? Is that still on this side, or...?

That's a great question, and we all may have some thoughts on this, but I can tell you I've investigated a lot of intellectual property or just confidential, sensitive information incidents where that was passed to reporters, where that was passed and it was publicized, and we had to investigate who that individual was, to identify them, because we didn't necessarily know. And when you catch them, identify them, it's, well, I'm a whistleblower, because I'm bringing to light something that was some sort of a cover-up or an unsavory business practice or what have you. I always had a real hard time assessing or believing that that person fit the definition of a whistleblower, because when we did the investigation we tended to uncover those same psychological types of elements going on, where there was narcissism, there was lack of self-awareness, there was, time and time again, being told that they were getting out of their lane, or they were raising concerns they felt weren't being responded to, you know, didn't meet the level of response that they believed they should get, and so they ended up taking matters into their own hands. If you're going to leak information to a reporter and try to hide yourself, you're not a whistleblower. So I look at it more traditionally, but at least my definition would be someone who reports something to the legal entity, the proper legal entity, who has the authority over those issues. So if it's the SEC or the FBI, those are the individuals who meet that threshold, in my opinion, because they're willing to say, I am publicly, or, you know, at least directly, non-anonymously, taking this to the right authority because I believe that something wrong has occurred. And those people should be protected, right? That's what gives people whistleblower protection. You're not afforded that when you leak information to a reporter and you try to cover your tracks. That, to me, is criminal. So I'm not a lawyer, don't take any of this as legal advice.

Neither am I. It's a good question, but I think, I mean, foundationally, the person doing the whistleblowing has to have a bona fide expectation that the thing they're blowing the whistle about is in violation as well, and if they do, then, you know, there should be protections that are afforded. There are totally different paths for someone who thinks maybe they own the intellectual property for this thing, maybe they built it, it doesn't belong with the company. You can sue the company for that, right? But you can't just take it, especially if there's not a clear expectation or judgment about the ownership. So it's a great question to ask a real lawyer, not just somebody sitting on a stage like this, but I think, you know, you do foundationally have to have a bona fide expectation about the thing that you're blowing the whistle about.

Thanks. So now that we are working more and more from home, what's your advice or suggestion on keeping your work stuff and personal stuff separate, you know, like, oh, I'm working from my work laptop,
maybe?

I think we have to acknowledge the flexibility that comes with that, right? People are at home, they're going to do some home stuff, right? But clearly defining what's okay on a work device is really important. You do that through policies and educational training. But if somebody's working from home, I kind of expect that they may not respond on Slack immediately, because maybe, you know, they got up to go pick up their child from school or something, right? I just think you have to set your own expectations as an organization or manager, hopefully organization-dependent and role-dependent too. I mean, you might be fine with somebody checking the status of an Amazon delivery. You might be fine with them doing it from their work computer. You probably aren't fine with them doing it from the work computer if they're using a browser that's logged in with their admin credential, right? At that point you're exposing that credential to a range of other websites and things. You've got to be pretty clear about how you want to manage those expectations based on that.

Last one. What do people really do about educating? So I mean, we've all, I'm sure, taken the training with the bad actors, and I literally mean bad actors this time. You play it on YouTube or whatever at 2.0 speed to get through it. That's great. That tells you, you know, don't leave my laptop open, right? We still do that all the time. But, you know, I mean, I've been in security for a long time but I'm not technical, and I still have to kind of marvel, like, okay, so wait a minute, so if I'm logged into, say, the Google browser and I have my account and my work account, can they look at, like, I don't know. And I become very aware of, okay, I had this conversation about getting a work laptop: what if I take all my stuff and I put it on my work laptop, or what if I take all my work stuff and put it on my home laptop, is that the same thing? Like, you know. And I think what's really great is when, as security professionals, there's that kindness, I'd say that's what it feels like to me, to be able to really kind of explain it: here's why. And so that becomes twofold, because it helps the organization have the psychological safety to ask the questions that they feel dumb asking. Technical gatekeeping is real, and when you have asked somebody to reset your password 30 times because you can't remember it, and then you want to ask something really technical, people are scared to do it. But it's the why that helps. And so I think when we do security training, we kind of dumb it down, and I know we have to, but at that advanced level we're not even giving people the education to understand what it means, like why they would do that, and what it looks like, what it's supposed to look like. We don't set those expectations and communicate them. And so, to the point you were saying earlier, one of my mottos in life is, don't attribute to malice what you can attribute to stupidity. It's just one of those things, like people stumble into it because they don't know any better, and it's damaging.

I don't know if there are any parents in the room that can sort of relate to when, you know, your child wants to sit in the front seat of the car, and you're like, no, no, you're sitting in the back. Why? Because I told you to, I'm the parent, that's why. Well, that really doesn't work. That gets them frustrated and it sort of creates some tension. But if I take five seconds to explain, because the government says that if you're sitting in the front... and if your child says cool, that's a whole other issue to address. But the point is, sometimes if I just took five seconds to explain the why, I wouldn't have to deal with the frustration of the insubordination of my child in that moment. I'm not trying to compare employees to children. What I'm saying is, sometimes we want something done and we ask for it to be done, or we tell somebody to get it done, and if we forget task, purpose, deadline, we're setting ourselves and the other person up for failure, because they're not going to meet expectations, because you haven't first couched the expectations properly. So just remember those three things when you ask for something. It's really important to actually ensuring the entire process goes much smoother.

Sir?

We're just starting the security program, starting the security program at our company. What would be the best way to
kind of roll that out to the end users and all?

Okay, the question is, revamping a security program, what's the best way to roll that out, communicate, get a kind of, I guess, a level set from the end user to the execs, kind of like the whole company?

Well, depending on the size of the organization, there are lots of different ways that people learn, so you need to think, okay, how do people learn: visually, auditorily, experientially? So in an ideal world, if I can wave my magic wand, right, it's small educational groups, for example, walking them through it, and I know that that's really hard, you just need to have the resources to do it. But what you need is essentially a captive audience, connection, explanation. This is why those videos, to me, just don't do it, because when you're not engaged in them you're just kind of cycling through on fast forward and then you answer the little quiz at the end, and that's it. Is anybody really learning something that they're going to remember two hours after? Whereas when you put them through these scenarios, and you've got a couple of students here that we've talked a lot about this with, right, like people don't always remember what you tell them, but they remember how you made them feel, and if you can connect to that somehow in the way that you roll it out, begin explaining it to them, here's the scenario, and let's walk through how to do it, so that they can have compassion and empathy for what you're trying to do. They're going to remember it, and bonus points, hopefully they're not going to resent you asking them to do it. So why? You know, I mean, how many people, oh, I have to change my password every six months, right? You're hearing this from everyone, from my mother to my peers to everybody, and it's like, it doesn't even matter, right? But if they can understand why, okay. So, the why, and then also figure out how to connect it.

So I don't know what industry or vertical you're in or company you work for, but whatever the executive team, whatever language they speak, whatever the things they care most about, anchor the program to that. So at my company we had this notion of building a cyber risk buy-down. We took these sort of fuzzy things that no one knows about, fear, uncertainty and doubt, and we turned them into: you've got X number of millions of dollars of cyber risk, what do you want to do about it? If it's in the millions, tens of millions, hundreds of millions, you should probably want to do something about it. If they speak that language, speak that language to them, and then every project, everything you're doing, every governance initiative or the control you want to buy, it's the best use of a marginal dollar. You're speaking up, right? I can buy down 10 million dollars' worth of risk for a million dollar investment. I'm going to put multi-factor authentication across the company and we're going to put EDR on everything. All of a sudden, who else has got an idea that's going to reach better than 10 to one on a marginal dollar? Who's got a product that's going to do better than that? Maybe they do. If they do, they should spend it on that, right? But if they don't, then you've got to think: anchor security programs. This is the best use of a marginal dollar to buy down this risk, until it's not the best use, and then you've got a program to sort of achieve equilibrium, and it's about the right sizing. So it depends what language they speak. The example I was giving, we spoke to a fund, so we spoke the language of marginal investment. So we try to figure out how to anchor it.

Know your audience, know their pain points, so to speak, but know how to guide them, right? You wouldn't just leave someone in the woods and say, okay, turn left at the next stick, right? Like, you know, you go find them and walk them through it, and when you meet somebody where they're at and then you connect the neurons they have to something new, that is a much easier bridge than it is to just say, here's the new information that they have to learn, integrate and connect to their pre-existing thought system. You're going to go a lot further.

We've got a couple questions still, and I appreciate it so much, but we've been given the hook. And that's, yeah, we've got two minutes? Oh, two minutes. Well, no, I mean, like, there's two minutes to switch out, like