
Hi everybody, welcome. Let's get... no? Okay, can you hear me? Good. Barely? No, it's okay. No, thank you. Hi everybody, welcome. I'm sorry that was too loud. I hope you had a good lunch break. We'll get started with our next talk. It is "Helping Your Organization Build Their Security Brand," so please welcome our speakers, Leif Dreizler and Coleen Coolidge. Over to you guys.

Thank you. Hey everyone, this is "Your Ad Here: Helping Your Organization Build Their Security Brand." I'm Leif. I've spent the last decade working in security, and BSides Las Vegas was actually the first conference that I attended, in 2013, so it's cool to be back as a speaker. I'm currently an engineering manager at Semgrep. We're an AppSec vendor focused on static analysis and software composition analysis, and we have a booth here at BSides on the opposite end of the hall, so check that out if you want some swag. I'm also the co-host of the hit podcast 404 Security Not Found. We get about a hundred listeners a month, and we do news and discussion episodes. Sometimes we have special guests, but it's pretty fun. I've also been a CFP reviewer for AppSec California and LocoMocoSec, which is probably some of the more relevant experience for this talk. Before Semgrep I joined Segment in 2017 as an AppSec engineer and later went on to lead a team focused on building security features as well as internal security tools, which is where I met Coleen.

And a little bit about me. I currently advise startups on security strategy and try to help the first security hire promote their agenda and push back on the pushback that they get. I've been practicing security for about two decades now, working in most of the security domains. I've also been a CISO at both private companies that are small and larger public companies, and if I'm honest I really, really love pre-IPO way more; it's just a better experience for me. But anywhere I lead security I highly encourage folks to do blogs, podcasts and talks whenever possible, and I lead by example by doing my share of the conference talks, keynotes and podcasts. And I've been inspired to do even more because of people like Leif, so thank you, Leif.

We've broken up this talk for you into four sections. First, Leif is going to start with the benefits of all teams being more engaged with the security community. Next, I'll cover how to foster a culture of rewards to keep the benefits flowing. Then Leif will show you how to optimize the benefits by amplifying all this good work by your team. And last, we'll both cover the different ways that you can show up in the community, so blogs, podcasts and talks, and how to prep for them.

In a quick PSA, we've included a link to the slides here, so I'll give you a second to take a photo. That way you don't have to take notes; you can just absorb. And as we're going through this and you're absorbing, if you've been putting off your next piece of community engagement, consider this your friendly nudge from some friends. Make notes during our presentation, whether you have an idea for a blog or you think you could get on a podcast or do a talk. What could you start working on today? That's exactly how anyone gets started on this stuff.

I'll wind up this little intro with a disclaimer. While some of the most successful infosec folks that we've ever worked with or know do periodically share their work (they make time for it), we know a few people who have had absolutely stellar, record-shattering careers but never do this. Maybe they've never written an article, maybe they've never set foot on stage. They could be highly effective managers or ICs who just maybe haven't had any time, or maybe they work for an organization that actively discourages or penalizes sharing information. Maybe they work for the government, or they could work for Apple. Not the government, but if you've had friends or family who worked at Apple, you can see that they are definitely not encouraged to share the inside workings of company security with the rest of the world, for obvious reasons. And that's okay; it's not for everyone.

I'm going to start us off today by talking about the benefits of having your teams more engaged with the security community. Having a public persona really, really helps with recruiting, which helps you build your security dream team. Working with great people makes your job a lot easier; it also makes it a lot more enjoyable. I see a lot of people that we have worked with in the crowd, which is great. But it also takes a lot of effort, because usually these are people that other people also want to work with, and so you're competing for the best people. I think there's a lot of overlap between recruiting and sales, and you can think of your blogs and presentations as your marketing department, because it makes better candidates come inbound and it also helps recruiters reach out to people and have them actually respond to their cold emails. It's a lot easier if they've actually heard that your team is good and working on cool stuff than just, you know, the million other emails they're getting. And I think that having blogs and conference presentations go live around the same time that you're trying to post roles is also helpful, because the timing just helps drive traffic to your jobs page and makes people more aware. I think a lot of recruiting is also timing, so having someone be aware of your company and having a recruiter reach out is a pretty good combo.

With that in mind, we have a lot of open roles at Semgrep, but I wanted to highlight just one, which is a security engineering manager for a vulnerability research team. It's my personal mission to find a great candidate for the hiring manager this week. I am convinced that they exist in Vegas, and you should definitely work for Semgrep; there's a lot of cool people there. So, FYI.

The infosec community is super small, and orgs that publish their work come up more frequently in conversations when people are thinking about where to work next. I'm sure the Netflix team gets a lot more inbound interest than the NBC Peacock team when they open up a role, and you might be thinking, well, Netflix probably pays twice as much, and that's probably true. But we didn't pay anywhere near what Netflix paid at Segment, and we were able to build a pretty awesome team that people from Netflix admired, and I attribute a lot of that to our involvement in the community. Community involvement shows that your team is working on cool stuff, is given time to write and blog about it as well as travel to speak at conferences, and that they have at least a decent learning and development budget to be able to go and do these things. These are things that a lot of security people, probably a lot of you in this room, want from their employer, and so showing that you have that is a good way to attract people to join you.

So here's another benefit: it transforms all of us from being, like, maybe painfully awkward (that's how I was) and unwilling communicators to being effective and powerful communicators at our own jobs. All companies say "security is very important to us," but you on the inside know things like: how often do folks at your company actually fall in line? Instead, do they actually admit, sorry, omit security work from their quarterly planning? Do they ignore your tickets? Do they get exceptions and otherwise get out of doing the security work? While this is likely due to multiple reasons, what you can control is the effectiveness of your messaging. Security folks tend to be correct, right? We research things; we make sure that this piece of information is all ready to go. But we can also come across as disgruntled sometimes, or we might bury the lede, or we avoid giving frequent, loud and clear messaging to eng teams or execs, and all of those groups definitely need to be frequently nudged. That hampers us from communicating danger and the need for quick action when something needs to get done. So in this section I'll talk about how to shift your culture a bit so that teams improve their communication, which will lead to getting more done and team members getting rewarded.

Some of you might be thinking, sure, I can do this, it's not a problem, but what is my manager doing to start recognizing and rewarding this behavior? This is extra work. Or maybe you're that manager who isn't supporting this effort on your team. Shame, shame. As a CISO I've always emphasized that sharing work internally and externally is a key growth indicator in the job ladders in our org, because it's core to getting stuff done. It was a hard requirement at Segment, and while it was extra work for all of us, it definitely provided us with dividends, and we also created infrastructure to support it, because you have to.

All right, I'll start with leaders. Leaders, how can you expect your teams to hustle if you're not hustling first, internally and externally? Inside your company, never miss a chance to broadcast your team's good work and successes. When's the last time you wrote a series of security Slacks to your company, or got up and spoke in front of engineering or at all-hands? How often do you do this, or do you just sort of pawn it off on your teams and hope they do it? Unfortunately, being a leader means you've got to go first. You get the baton, go do it, hand it off, and eventually the baton comes back to you and you have to do it again. But that's the way it goes. And outside the company, if it's been over a year since you've either blogged or spoken, your team needs to see you blogging and/or speaking in order to emulate it; otherwise they're going to emulate you not doing anything, and that's bad. So then once you're doing that and they're doing that, then you're like, shoot, we need to advertise a little bit. So once you're doing this, do you have a culture to support it and sustain it? Do you just do it once and then nobody ever gets up and does it again? Are you in the audience cheering on everybody when they're doing it? Are you immediately amplifying people's work in Slack, the company intranet, or on LinkedIn or whatever social media? Are you encouraging others to cheerlead? It is an effort. I don't know if anyone's ever been a cheerleader before, but I think those folks are underpaid; it is a lot of work.

Yeah, and paperwork sucks, and you have a lot of it when you're a leader, eh? But you can use it to change elements that positively influence your employees' behavior. So if your job ladder is something like this fake job ladder, there are areas where you can state the different types of comms deliverables that you want to see from each level of employee, along with the frequency and the desired impact of that stuff. You can think of this as your success criteria for the communication and leadership vertical that you have on your team, because once you start filling this out, you can port over the entire row that your employee belongs to into a career development plan, a CDP. In the CDP you can collect a personalized checklist of work for this person based on that success criteria, and you can use the CDP during your one-on-ones. See, paperwork helps. And then you could shade the different areas red, yellow or green depending on whether the person is trending away from this goal or toward the goal.

But what do you do about people who hide from their responsibilities, and they're like, no, no, no, the rest of you can go and speak and blog and I'm just going to go hide under here and do my job? Well, if you're a leader you have to hold them accountable. That's the crap thing about being a leader. I recommend keeping this column red until the employee starts delivering. It will hold them back from going to the next level, I'm sorry, because what you don't want is a situation where you have like two or three people on your team who are carrying the heavy load of the comms and leadership stuff, because it's demoralizing. They're working really hard, and maybe they're progressing at the same rate as the person who's not doing it, and once they get demoralized, what can they do? It's your best employee; they can leave you, and you don't want that to happen.

So for folks who do deliver, describe this work, in detail and with its impact, in their annual review and promo packets. You'll see that great comms and leadership naturally leads to getting stuff done and high impact on the company, and remember to go and get praise from other people who've been impacted as well. And not everything is promo or money related; your folks also want to earn some gold stars from you. In your conversations with your employees, describe the comms, leadership and impact growth that you're seeing in them, from before they started doing this to where they are today and how they're growing. Regularly recognize them in Slack, on LinkedIn, at your all-hands, all of that, and then teach them how to self-promote; that'll help them with their career growth. And then when talking about your roadmap, link these very effective employees to the overall successes of your program. Maybe because of them you shaved one to two years off of your total roadmap. That is huge; that is a big differentiator for them, and that means that your employee who's doing this work is foundational to your org being able to roll out security capabilities. They're your stars, which means you have to be their hype person.

All right, now to ICs. For ICs, many of us, the struggle is real. Maybe you have an underdeveloped comms and leadership competency. I guess you would if you observe the following symptoms in yourself and your experiences: maybe product and engineering don't include your security activities in their planning, maybe they don't do any of your tickets, maybe they push back, maybe they make fun of your training if you're a person who does training, or they don't do training without you berating them. All this frustrates security people; we've all been there. So if you're frustrated and you're like, I need to go talk to them, I'm going to give them a piece of my mind, so you go to talk to them, and maybe because of the lack of communication and leadership experience you have, maybe you end up burying the lede, focusing on jargon or minutiae, giving them a super long-winded explanation that only makes sense to security people, or you give them ten times the amount of information that they actually need, and yet you're still not getting the message clearly across to them. If this hurts a little bit, maybe this also happens when you talk to senior leadership. I have been there. If this is you, there is hope. You're probably already a very good engineer and just a bit frustrated, and just know that the gap between where you are and where you need to be is not huge; it just requires some consistent work from you in this area.

One thing you can do is really just jointly work with your managers and build yourself that detailed career development plan. Don't wait for your manager; you can help do some of this. That plan can grow the non-technical aspects of being a great engineer. This plan works alongside all of your existing projects anyway, which span multiple quarters, which means you have multiple opportunities to work your Slack and email magic, to get up in front of engineering and speak, and externally to speak at a meetup and/or write on the company blog. One thing to remember: we're all bought into security because we're security people, but everyone else doesn't consistently do security stuff just because it's the right thing to do. Unfortunately, we all have to be sold. So work on your selling skills: writing good plans that folks buy into and like, having people read them and comment on them, bringing up the hype, verbalizing your plans frequently and crisply, and just continuing to keep that hype level high.

All right, so doing all this work, what does it get you? I'll get to that in a minute. But the true benefit, at least from your manager's point of view: they'll look at you and they'll see that, hey, this person's adding power to their messaging this year by regularly speaking and writing. And maybe you're like, shoot, this has been forcing me to continually refine my message and gain confidence, and confident messaging is what pushes people to do security work. Really confident messaging gets people to do almost anything. So as people are starting to get security work done for you, you document what that work is and why it matters on Slack, so it's another way that you can keep the hype up, like, thank you to the platform team for doing X, Y and Z. This leads to higher job satisfaction because stuff is finally getting done in your org. For us at Segment, it created a virtuous cycle within product and engineering, because folks actually listened when our employees spoke and did the requested work instead of just avoiding it. Over time, product and eng happily did even more security work. It was something that we couldn't believe but then quickly took advantage of, and then we spent less time on the basics that we hated, things like chasing down old BS that nobody ever wants to fix, and we actually got to shift left in that organization. So think about embedding with the eng team to get projects done, getting to set up real preventative measures to avoid tons of new vulnerabilities from being generated in the first place, and a few of us got to teach eng how to do their own threat models, which is essentially like passing our security curse onto our friends in engineering.

All right, tracking all of this. So finally you're doing all this great work, but then how do you put it all together into a package? Well, my suggestion for the first couple of years that you do this is just keep it really simple; make it easy on yourself. At Segment, in the early days, with a security org that grew from like two to three people to 35, I just created a Confluence page that had a simple table, and we just kept adding our blogs and talks to it. It just kept growing, and after a year the table was huge; it was like a scrolling, huge table, because the crew there was just self-motivated and didn't need any micromanaging to present. It was sweet; as the CISO I don't have to work as hard. This Confluence page was then visible to all of Segment, everyone could see it, and then we'd hype somebody's latest efforts in the eng and security Slack channels with links. We just wouldn't let any of that effort go. Today at Twilio it's a little bit different. With a security org of about 130 people and a different culture, we started using a small company called Discernible to help overcome the team's inertia on doing this type of work. So imagine how happy we were to have Discernible do all the heavy lifting for us to get folks moving. All that nudging that you would need to do as a leader or as a peer, Discernible will help with that. Basically, using their drop-in workflow we could help our teammates through that entire engagement pipeline, from thinking about what to talk about, to getting your CFP together, rehearsing, and then finally giving the speech, and then also metrics. Highly recommend this; it'll take some of the burden off of your shoulders.

Okay, imagine now that you've done all this hard work, you've set up the framework for it, everybody's speaking, you're tracking it, and this team's collateral is now being produced and counted. What do we do then? There's more. Leif will talk about how you can package up this work as an advertisement for how awesome your team is.

So this is some stats from a blog that I posted earlier this year, and as you can see about two-thirds of the people that went to the blog came from social, and so I recommend posting on social first and the