
Goodbye "Department of 'No'", Hello "Team of 'Let's Go!'"

BSides Buffalo · 2024 · 23:02 · 98 views · Published 2024-06
Style: Talk

About this talk
This talk is a result of having received strong positive feedback from prior colleagues, staff and customers regarding my approach to solving their respective InfoSec concerns. Each time a project ended, an approval was granted, or a review was completed, more often than not the closing statements from colleagues were that the experience was “better than expected”, and there was praise for being realistic and pragmatic. All this sounds like I’m just boosting my ego, but it got me thinking: why is this approach considered anything special? Why isn’t this considered the norm? Overall, having a customer-centric approach that’s based in reality, with dialogue between all interested parties, will improve the security maturity at most organizations.

During this talk, I’ll set the framework by describing current perceptions from both sides of the problem: InfoSec taking a hard stance, the business ignoring/avoiding InfoSec. I’ll then use real-life examples from my prior roles, from Incident Response and knowing how the business runs, to risk management in entertainment and empathizing with minimal runway time for game development and release. In closing, I will outline the small changes we can make, in a sort of butterfly effect, that will raise the bar of security, hopefully leading to less stressful security incidents and clear on-call weekends!

About the speaker

Hatim Othman, Risk Management Leader at Cisco Meraki. With a background in desktop support, incident response, and SecOps across the healthcare, gaming, legal and technology industries, Hatim brings his expertise and breadth of experience to offer different solutions and perspectives to the businesses he works at. He may not be an old dog being taught new tricks, but he definitely tries to integrate both new and old tricks into his work, with incredible results.
Transcript [en]

All right, good afternoon folks. Sorry, I know I'm the last one, you're all probably super tired, it's been a long day. Sorry, it's just that I'm the last one, so let's try to make it through this. My name is Hatim Othman. Today what we're going to go through is going from the Department of No to a Team of Let's Go. Essentially, what this is: if you've been working in the security field, or if you've engaged with the security teams in your corporations, you more than likely have heard the term "the Department of No", or that security kind of gets in the way, they slow me down, they build walls. Hopefully what we can get through today is trying to shift away from that and get some takeaways to make some cultural changes that we think could be easy. I'm going to go through some examples of what I've done, what I've heard in the past, and some of the changes that I've made at the corporations I've worked at, and share something there.

So first and foremost, who am I? My name is Hatim Othman again. I have what I would say is a different background, but it sounds like it's pretty normal for people that have ended up in security in the last dozen or so years. My degrees were in biology and healthcare informatics, so I had no idea what I wanted to do coming out of college. I went into college to become a vet; I came out of it not a vet. I got my first job in desktop support, so working on broken printers and installing things, pretty much a standard help desk type of role, which, as I'll get into a little bit more as well, helped me have insight into how the business works, which I think is critical to a great security practitioner. And then I moved into getting my master's in enterprise risk management at NYU, paid for by NYU by working for NYU, so I strongly recommend working for big companies that have those types of benefits. Then I pivoted into my senior analyst role in cyber threat, so I got a background in incident response, and did that for a few years. I pivoted to California, where I figured it was time to try the Silicon Valley idea, the whole allure of what we think Silicon Valley is, realized that I missed New York too much, and came back. Actually, before I came back I worked at PlayStation, or rather I worked at Fenwick & West, a law firm, for a little while, and then PlayStation for about three and a half or so years. I worked as a staff analyst, so a little bit more on the GRC side, a little bit more on the operational side in the sense of approvals, denials, that kind of thing. And now today I am the manager of GRC at Cisco Meraki. That's kind of what I'm going to go through today: a little bit of what I'm hoping to instill in some of my staff within Meraki, but that I've already experienced within PlayStation and NYU.

So, touching back on why the problem exists and what the problem is that I'm discussing: again, the problem we run into is that security has a perception of impeding progress, of slowing down the business operations, and we fail to partner with internal stakeholders or business partners. So some of the feedback I've had, or had heard, over the years was: we don't understand the business, we don't know what the business does, security is always slowing us down, we're doing our own thing, and we're not aligned with them. So something that I'm calling out here, kind of firsthand, listed: the first one is that security goals and business goals are not aligned. Security sometimes comes down with an iron fist and just says you need to do this thing, we need to roll out this EDR, we need to block this traffic, we need to install this thing because we said so, and the business is kind of like, wait, for what? Why? What is the point here? And ultimately, one of the things one of my first CISOs taught me, and I credit this to him pretty often, is that it's easy to do security, but it's hard to do security right. What that means is that you can turn everything off and block all traffic at any end, and your business will immediately collapse. So the business can survive without security; security cannot exist without the business. That's really critical for us to understand.

The next item is conflicting priorities. Everything coming out of security may not always be priority number one for the business. So compliance objectives, things like that, may not be the top priority for the business; it's typically going to be developing a new title, or a gadget or gizmo, whatever, and it may not be aligned with that. The next item was a lack of planning, or urgent asks. That typically tends to be a part where security is not involved in discussions with the business to begin with, so something comes to security already on fire, and we find ourselves in that position all the time, whether it's incident response or operations, approvals, etc. We need to become a little better of a thought partner there. Then there are cultural issues that we run into there, between security, engineering and the business. I'm sure you've all heard the phrase "this is just the way it's always been done, this is the way we've always done it, this is what we're used to", and that's pervasive in any industry, in any organization. Then there are sour experiences leading to those walls being built. Somebody has worked with security at some point and they got burned, and now they figure, I'm not going to deal with security until security reaches out to me, or until I end up on a radar, or until something happens. So you want to build those bridges back. Strained relationships, same idea: you've done something, somebody's done something, or you've had an incident with somebody where maybe the soft skills need a little bit of work.

Then there's the gap in knowledge, technology and processes. That's bidirectional. Some of our business partners may not understand what security functions are or what the tooling does. We're trying to put some agent on their systems and they're just like, dude, what is this? What are you trying to do? This application is killing all my bandwidth, I can't develop on this, you blocked an agent and I'm not able to run this. So there's having that understanding of security, and then also on their end: we may go to them, and I've done this in the past, I'm guilty, I'll put my hands up for this, I've gone to the engineers and said just do it this way and you'll be fine, and they came back with, that's not how that technology works, that's not how the development works, so me doing that means that I can't do my job. So that misunderstanding that crosses lines leads to an issue there. Then there's a lack of senior leadership support, pretty self-explanatory. The business itself needs to be aligned with you in security. Senior leaders: if you're getting the senior leader of engineering to support you, then the engineers that are working below that leader are likely going to be aligned with you, but if there's a disconnect there, it's unlikely that someone's going to listen to you rather than their own boss. And then there's the adversarial approach. The same thing happens here: if there's finger pointing, or if you start throwing up graphs at your leadership's meetings or their town halls and you say, look, they've already done this thing, look at all the red graphs and these timelines, they're going to be like, dude, you made us look bad in front of our boss, you fought with me at home, I'm not listening to you anymore. And then these last two items, lack of recognition and lack of incentive. So if somebody does do well with you, please make sure that you call them out, you show them that they've done something well, that they've done something for you, that they're a great partner for you. And the same thing with lack of incentive: why should we work with you? What is the point of working with security? What do we benefit from here? That's where it's important to build those relationships.

So I'm going to dig a little bit deeper into the next two items: two roles where I worked, and this was a critical outcome. I worked at NYU Langone, and that statement under there is "this is impacting patient care". Every organization has something where, if an indicator or a user states this one phrase, it immediately starts triggering alarm bells. So here it was "this is impacting patient care". Somebody submits a ticket or escalates something and they say this is impacting patient care, and boom, all hands on deck, figure out what the problem is. I mentioned earlier that my background initially, when I first started my career outside of college, was desktop support, and although that's not directly within the cyber realm, what it did do was help improve the customer experience. So now I got to interact with the individuals that were actually the stakeholders at the organization, so I knew who was trying to figure out ways around things, who was putting Post-its on their laptops to put their passwords down, who was unplugging things because they couldn't get around it, who was just trying to hide an old computer under their desk until it was time to recycle it. So all these things I had that insight into, and it also helped build a relationship with them, to say, hey, I know what you're doing, I can help you get through that, help you discard this before your six-month review for your systems comes about.

And then there's also the separation in the way the business operates: researchers versus healthcare. So I worked for NYU Langone Health, but it wasn't just strictly a hospital, right? There's research being done there, there's cancer research, there's sort of neurological research being done. So there are different constraints that both of these teams have. On the healthcare side, they're saving lives. They have a very short timeline when it comes to responding to types of incidents, or to responding to an outage of any sort, whether that means my keyboard's broken, my whatever is broken. All these things need to be done on a very short timeline, and there's little appetite for anything to be out there. So in that case, that's a scenario where we know "this is impacting health, this is impacting patient care" really comes into play. And then there's research: tight budgets. That's a scenario where you go in and say, hey, you're using old equipment, you need to upgrade all your systems, and they may not have the funding to do so. So you need to become a little bit more creative in understanding how I can help this person, how I can maybe air-gap some of these systems, or how I can maybe provide them with something that one of my partners might have had, that this other organization is disposing of. And then that last point that I have there is improved incident response. So with those first two items I had built a little bit of a relationship with the desktop support side. On the third part there's improved incident response: which users were incident prone, which were the users that were likely going to be impacted by something because of their behavior, the way that they work, their types of interactions with other users. And then finally there's that prior coworker relationship. The soft skills that I developed over time with my colleagues, with my partners, really helped in the incident response phase, because I can then call and say, hey Jimmy, Dr. Smith on floor five, when I used to work with you, he's having an issue, is that something you can help grease the wheels on and help me get through? So those soft skills, those relationships, really help, particularly when it comes to getting things done a little bit faster, not even just on the security side, but typically in anything, right? It's a lot about who you know and how well those relationships have been developed.

And the next item I have here is Sony PlayStation. Working at PlayStation was honestly a great time, I would say probably one of my top experiences. You'll also find me in the credits for a bunch of titles, which is a pretty cool thing. So one of the famous phrases there, it may not be "this is impacting patient care", but "this will delay our title release". We have to release X-Men, we have to release Ghost of Tsushima, we have to release God of War, all by this date, and each of these items is critical because they have a dollar amount tied to them, right? There are several millions of dollars that are tied to developers, engineers, branding, marketing, etc., where coming in and just saying, no, you have to do it this other way, immediately has a tangible dollar amount that's measurable, to say you are literally wasting this much time over this week in order to roll out this problem.

So a couple of things that we call out here too, right, is enterprise versus studios. How are these parent companies being run, and how is that culture shift so critical? There's the parent company, Sony, which has a lot more of, I would say, a mature or strictly governed protocol. Sony has this governance plan, this way to handle it, these protocols that you need to go through to get something approved, implemented, rolled out, blessed, etc. And then there are the studios. The studios operate completely differently, slightly more autonomously, where they are the ones that have historically been the money makers, right? They actually generate several millions of dollars a year by creating titles, and they are kind of the relationship of the creatives, and creatives live and work a little bit differently compared to your typical corporate enterprise. So working with them to understand, all right, well, who are your key players here, what types of systems do they need to use, that kind of thing. And that was the most critical thing that I needed to work with them on over time: they're not using standard equipment, they're not using standard software, they're engaging a lot with, and this is the last slide of my talk here, I'm jumping around a little bit, very small, very niche firms in order to achieve their goals.

So sharing sensitive, highly sensitive data, in this case it would be the title that they've been working on for the last five years. They need to share the schematics for the character art, or what they call rigs, with these artists, and these artists are internationally known and very popular, but there's a very small cohort of maybe ten artists that are really well known for making, like, in-game chairs. So if you're talking about a little niche thing like that, where you need to share this amount of data with them that has such a critical difference, you kind of need to also be willing to communicate that risk to the business and say, you can share this with them within these guidelines, but you need to do it in a way where we can monitor it, securely transfer it, provide it in a certain way that's going to be acceptable to the business. And then there's a lot of acceptance that needs to be done with that.

Then, going back up to the planning item, some of the differences we ran into there: the corporate side obviously ran on somewhat more structured sprints, right? Every two weeks we could do this, we can project how much time is spent on development, in six weeks we'll work on this, in two months we'll work on this thing. And on the development side, for the titles and the games, you put yourself in a position of, no, I can only run this now or a year from now. So you need to be flexible in the conversations you have with these partners, to understand what is our appetite, what is our workflow, and how can we start rolling it out. Operational differences, same thing. Scalability of standards: money comes into play again here. We may not have the ability to spend the amount of money that we're making because they have very tight budgets when it comes to development, so you need to be a little bit more creative in that same sense. And then there's the exception side too, right? Exceptions: again, organizations run into this pretty often and pretty frequently. What you run into in this case is a scenario where you are unable to meet the requirement that's set forth by the business, and you need to figure out a way to say, okay, this is accepted for this amount of time, with this many mitigating controls or compensating controls, and have this in place, follow up again in six months, three months, whatever, and tell me the difference. So those exceptions really are critical to building that relationship with the team, because they'll understand: hey, I know I'm doing something wrong, I accept the risk associated with this because this is more important based on money or timing or resources, whatever, and I'll follow up with you again in this many months. Hopefully you get a good relationship with these partners where that exception is just an exception and not the standard or rule.

So I know that we're slightly coming up on time, but here are my key takeaways, what I want to build in terms of these relationships. Dale Carnegie has stated in the past, or has written in his book, what is it, How to Win Friends and Influence People: talk to someone about themselves and they'll listen for hours. That's a really important statement, because if you start engaging with these business partners and you build that relationship with them, where they're really proud to talk about this is how I build games, this is the research that I'm working on, this is the new healthcare thing that I'm doing as a doctor, surgeons, etc., and you start showing an interest in that, you really build that relationship. So the first one is to get to know how the business operates. It's imperative that you as a security practitioner understand what you are protecting and how they are operating, in a way, because that also gives you insight into the way that they operate, and what they're doing introduces different levels of risk and introduces different levels of potential threats to your organization. So if you learn how the business operates, you can then become a little bit more nuanced in your offerings and the way that you support the business.

The next item is to explain the why behind security asks and what's in it for them. It's really easy to just say, you need to do this, you need to roll out the EDR, because if you don't then I'm going to write a ticket, you're going to get escalated, I'm going to go yell at your manager, and your manager is going to come down and tell you to do it anyway. No one wants to hear that. But instead, if you say we're rolling this out because we need to protect your data, because we've seen this happening in our environment, because we've seen this breach and we need to be able to recover from it, or otherwise it's an outage on your part, and so on. That's actually something that we did really well when I was at PlayStation. We had a partnership program, a liaison program essentially, where every one of our analysts was tied to a specific studio. So we became that one person that was tied to, for example, Sucker Punch, Insomniac, Naughty Dog, etc., and the individuals at those studios would then come to me and say, hey Hatim, we're about to do this thing, what do we need to worry about, how do we need to engage with this, or what should we do in the meantime? And having that understanding of, okay, we need to do this because we don't want you to share schematics with Disney, for example, and accidentally have a breach of your title that you've been working on for three years, to be out before it's released in three more years.

The next item is: are there processes that security can be built into? The first one is passive monitoring versus gated approvals. We need to be honest with ourselves too: security may not have the scalability to actually be directly involved in the approvals, reviews, etc. for all of our partners. So what we want to do is actually get to a place where we can say, all right, where do we need to be in there for logging, monitoring and investigations in the event that there's an incident, or where do we need to actually be in a place where we say, okay, before this gets rolled out into production, somebody in security needs eyes on it. Maybe there's an architecture review board, maybe there's a change management protocol that security needs to have a seat at the table for, things like that. And if not, develop them with your stakeholders. Nothing gives an organization a better sense of accomplishment than someone being involved in the process for something that was successful. So if your partners were involved in the development of a process with you, and that process ends up helping them become a little bit more efficient, they're going to feel some level of ownership there and be a lot more of a champion, which touches on the next item too, which is to improve those relationships. Improving the relationships could be anything, right? Whether that means building a soft relationship with some of your partners, finding a common interest in what they're interested in, or having what we would define as friendlies, or security allies and champions. These people that are embedded within the organization are really going to help you, even with your own initiatives, because you're going to come in and say, hey, I need you guys to be involved in this discussion when it comes to rolling out a tool, we need your help in getting this approval or denial or whatever, and we need you to help with incident response. And you'll say, hey, I actually know James in this team, and he and I meet all the time, we're involved in these conversations. You become a common presence and they're not building ways around you.

And then finally, the last item is to be realistic. There are going to be scenarios, and don't take it personally, where security has a very strong opinion. You go and you tell your partners, hey, don't do this thing, and the business comes back and says, we're going to do this thing because we made the business decision, it leads to this many dollars, sorry, but we're going to roll the dice, take the risk. At the end of the day that's going to be a business decision, and really all we can do is paint the picture and hope that they admire the artwork. So at this point I think that is my last slide. I will stop here. Any questions?

Yeah, you mentioned how, when you're working with certain third-party companies, you have to do exceptions in your governance process to select what you develop, right? Would you say, in the simplest terms, for you guys it's just, like, the Coca-Cola principle, where one person has the syrup and doesn't know the rest?

Yeah, yeah, well, essentially it depends, to some degree. So for example, every vendor that we shared with, I'll take PlayStation for example, every vendor that we shared any data with, stored, hosted, transmitted, whatever, they underwent a third-party vendor assessment. So everybody had at least a baseline, and then, depending on data classification, you would have a lot more stringent controls, etc. put in place. So there was always going to be least privilege access, there was always going to be business justification, and there was always going to be some level of risk acceptance, because you need to be able to share. For example, if you're going to be building toys for when your new video game that's not been announced yet needs to be released, you need to share this with your partners in order to develop those toys. So yeah, that's kind of what we do: limit it to who actually needs to be hands-on with your content and limit the amount of data that needs to be involved in that sharing. So, as I was talking about before, you have a very limited selection of artists that you can share, like, the chair schematics with. That's all they get: chair schematics. They don't know what title it's for, they don't know what due date it's for, they just know I need to make a chair that meets these schematics. So as much as you can reduce the risk and reduce the exposure, you reduce that blast radius in the event of an outage or a breach. So, anything else? Cool, well, thanks so much everybody.
