Change The Conversation For Greater Infosec ROI - Part 1

January 05, 2022 00:52:02
Change The Conversation For Greater Infosec ROI - Part 1
I See What You Mean
Change The Conversation For Greater Infosec ROI - Part 1

Jan 05 2022 | 00:52:02

/

Show Notes

Smart money says in the debate between information security as a cost center or a business enabler, it's an enabler. Pull the infosec thread and a lot of organizational factors can line up. Not just infosec policies and practices but business strategy, department goals, organizational culture, and customer and supplier relationships.

But the "department of no" infosec conversations won't get you there, so how do you change the conversation?

My guest this week, Rick Dudek, knows the technical, people and business aspects of information security. Most importantly, he knows how to change the conversation to get people on the same page - even on new pages. Here are some of my favorite moments from our conversation:

2:20 - Rick's definition of getting on the same page

10:49 - The use of infosec metrics to support behavior change

16:13, 21:26 - Talking to internal customers about information security in business, not technical terms 

27:00 - The importance of delivering information in context to create behavior change

31:57 - Digital everything damages human interaction and communication, at a cost to the organization

36:40 - Venn Diagrams and recontextualizing information

43:26 - "I read the policy. But what does it mean?"

50:31 - Information security as part of the value equation of business currency 

View Full Transcript

Episode Transcript

Speaker 1 00:00:07 Welcome to, I see what you mean a podcast about how people get on the same page or don't, or perhaps shouldn't today. My guest is Rick Dudeck. Rick's a federal government consulting industry colleague trained in electrical engineering. Who's a senior information security engineer these days. Rick, welcome to the show. Speaker 2 00:00:25 Thanks for having me today. Lou pleasure to talk to you. Great to catch up again. Yeah, Speaker 1 00:00:30 Absolutely. Thank you. I'm looking forward to this. So, but to start Rick, give listeners a short bio about yourself. Speaker 2 00:00:37 Well, I'm originally from Virginia and, uh, I earned my electrical engineering degree from Virginia tech. Did most of three decades worth of work in the Washington DC and surrounding areas supported all facets of a federal regulatory department of defense national Intel, uh, contracts a couple of years ago, moved down to Georgia. So we're here in Atlanta, so Braves, and now I'm working as solely in private industry supporting an information security team. And it's kind of nice to be down here right now, kind of relearning street cred. As I put it back to the hands on a keyboard and mouse, managing defenses and, and all of our tools to get done. What an InfoSec team does, the Speaker 1 00:01:37 Real deal. I'm not just checking time sheets, Speaker 2 00:01:41 All of the anecdotes and experience and solutions I talk about today are my own professional experiences and my own professional opinions and not necessarily the opinions of my current employer or past employer. Speaker 1 00:01:59 Fair enough, Rick. Thanks. A number of guests. Do that. Makes perfect sense. Thank you for mentioning it. Cyber is so big today. So fundamental. So ubiquitous it's, it's an issue across organizations. What's it mean to be on the same page to you when it comes to cyber security or does that even mean something? Speaker 2 00:02:20 It does. And my definition of being on the same page, doesn't even, doesn't even vary when you talk about cybersecurity or you talk about decades old, it were even, you know, business pre-computers getting on the same page to me is understand where everyone understands a situation or an objective from the perspective of others who are contributing to the effort, the words coming into it, just with your perspective and your mission statement and, and what it is that you feel needs to happen here. You're willing to let project succeed and, and you're willing to give a little bit of, uh, uh, tangible ground when it comes to understanding where the other members of the team or initiative or are coming from, and actually trying to help them achieve those goals now. Speaker 1 00:03:22 Ah, that's good. That's good definition. Grech you might remember my masters studies in conflict resolution and you got some good things going on that, in that definition, that pertained to collaboration. So I like the use of the word perspectives in it. You said understanding issues from others perspective, right? From more than your own and, um, a willingness to help others accomplish their objectives. So I know in what you do got to help the business accomplish business objectives. Well, it would be interesting to know how other people in the organization, whether it's the business, the lines of business, whether it's HR or finance, et cetera, look at you guys as, as a department to help you accomplish your objectives. Have you, I think you told me you were in the prep call that you had made some strides in reaching that place where there's some mutuality across the, across the organization. Is that true? And tell me how that happened. Speaker 2 00:04:32 Absolutely. And I can't take any credit for it. Speaker 2 00:04:39 The manager is the one who, uh, really set the tone. So I landed here in Atlanta at, on a team that already had the right mode of operation to not only be successful, but to help a company be successful. Everybody understands that, you know, companies have to make money. There has to be revenue. Uh, otherwise they have to be funded some other crazy way. And you know, I, I don't even know how that works, but the, the key to what, uh, position I came, I actually came to Atlanta for this company for this, uh, position. The key to the success is as chewing all of the old school approaches to not just cyber security, but security in general, it's a tough, it's a tough gig. And, you know, you might, you might hear terminology such as the department of, no, you might hear, you might hear, you know, a development or an integration team grown when they find out, eh, uh, cyber security guy is going to be present that their planning or design meeting, and whether it's for preliminary review of what we're going to do, or a final critical design review, you know, it can be naturally very unnerving and it can be, uh, it can be a situation where it seems like there's no way out of the built in conflict that can and should occur between these two business units or business entities. Speaker 1 00:06:22 Okay. But you said when you got there, the organization was already on a track or going down a path of how would you describe it? It wasn't, it wasn't the worst case situation. It wasn't the department of, no, it wasn't people couldn't talk to each other and hated to see you guys, there was already some progress being made about the collaboration, Speaker 2 00:06:43 Right. And the best way to describe the, the norm and where we were when I got here and, and where the collective team has taken us in the meantime is through simple examples. I already mentioned department of know, uh, your, uh, my experience in the past, uh, with, with a lot of, uh, you know, larger organizations, they will typically have a group of just top notch, cyber professionals and, uh, you know, security thought people, and they're locked behind a cipher lock door. You rarely see him in the hallway or anything. And, and when you do encounter them, it is usually, uh, a panic moment, right? That you're, you're like, oh, what did we do or not do that we could have done. When I first got here, the, the defined directive was we're going to get out into the company. We only have a handful of people, but we are going to be in design meetings. We are going to be in large initiative meetings. We're going to, uh, be part of our vendor management program. We're going to be part of, uh, establishing business continuity program here. And, uh, we already had disaster recovery set up. That's almost low hanging fruit for a lot of it professionals nowadays. And we started to do that. We started to be out and about, Speaker 1 00:08:24 Well, so that directive that's an important directive. It sounds like it would have come from the head of it, or if cyber's in it, the head of it, or the head of cyber, and maybe the CEO, you know, like you don't get that kind of directive for, oh, I just used the word it's we could define it later. The collaboration you're describing you don't really get that from the bottom up that much. It probably came from the top down. People saying, let's, let's do this. Right. It was, that was that what happened? Speaker 2 00:08:53 You're a hundred percent correct. Very observant. That is exactly how it went down. When the InfoSec team manager here was, uh, you know, first, uh, I guess, put into the position or harassed if he wanted it. Yeah. Not sure how that works. It predates me, they did have a lot of meetings with, with the it director and even with the CIO. So those conversations took place and, you know, uh, another really good example of they knew how important it was to all be on the same page in order for this to work. Yeah. Got the buy-in from those higher levels. You can't you're right. You can't go around and just say, we're going to hire more people. We're going to run around the company. We're going to do all these things, and we're not accountable to, you know, what the C-suite or a leader as we need to do. This was very much a deliberate plan that everyone got on the same page for, and it's paying off in a way that I honestly could not believe how lucky I am to be right down here with this company right now. So, Speaker 1 00:10:11 So sometimes it takes a cyber security breach, a problem, some harm that's done to get those conversations going in an organization who had depression, who was, who had the presence of mine, who was for, who had the foresight to say, we're going to do this because it's the right way to do it. And we'll get out ahead of a problem. Speaker 2 00:10:31 Well, fortunately for us, uh, we hadn't, we had not had to experience a catastrophic cyber attack or an incident beyond, uh, you know, what, what we were able to Speaker 1 00:10:46 Handle. And Speaker 2 00:10:49 I, so, but I, I do know, uh, we deal in, uh, the card and payment space. We, we must comply with PCI DSS, which is the payment card industry standard, uh, for companies that store process transmit credit card data for transactions, uh, the stakes are high, should not pass an audit and maintain your attestation of compliance. You aren't doing the thing that gets your revenue rolling in. So, you know, we were lucky we had that, you know, that's undeniable. I think everybody up and down the company understands that we needed that, but at the same time, news of different breaches news and the threat of ransomware and, you know, what's ransomware and how can it impact it, impact us. And let's look at statistics and what's more, let's start providing seawall metrics and by seawall metrics, uh, we may talk about those a little later, but in general, a seawall metric is, uh, is data that you've collected that is direct evidence of positive impact of your own actions. Speaker 2 00:12:19 So for example, if I bought a piece of equipment, opened it up, plugged it in and configured it for my environment, whatever it does out of the box is not part of my seawall metrics. However, if I'm, uh, active in the Intel community and I'm collecting information and I'm as a team where, uh, inputting all of those, all of that Intel into, uh, active defense and that in turn blocks, bad guys, which is the official name of that for cybercriminals in our field, uh, I can take credit for that and we should, and it is a good way to communicate with upper level management and leadership as to how effective, you know, Chester Barnett always talks about a company needs to be effective and efficient. And it is very well understood by people who work in cyber security that not only do they have to help the organization be effective and efficient, but they also have to keep us from tripping over our own shoelace. Speaker 1 00:13:23 Yeah. So the, that the seawall evidence is really powerful, positive reinforcement for, uh, right. W w what would, how would you do positive reinforcement for what Rick, for the act of proactive execution of, of, of InfoSec practices, right? Speaker 2 00:13:46 Correct. It's it is direct evidence, uh, non, non manipulated evidence of the effectiveness of what, what it is we're doing to protect our automated assets. Speaker 1 00:14:01 Okay. So you had, uh, I love the idea of the industry standard. I think that's very cool. I'd worked on industry standards a long time ago. I think they're very important, probably in some cases, more important than regulation industry standard. Like you said, news of breaches, the company's own experience with the seawall evidence. So th th let's come down a couple of levels from the, the C-suite even maybe more senior VPs down into teams who are doing the work every day. You've got team meetings going on about pro products about customer needs, customer experience, et cetera. How did it translate? What happened over time after you got there? Or did you, how did you see the conversations evolved? So that people kind of started to get what they knew their leadership was saying, Speaker 2 00:14:50 Oh, wow. That what a great question. People are going to think that, uh, I prompted you to ask me that out of value in my answer, uh, first and foremost, uh, in the early days of, of an InfoSec team getting out and about, and, uh, you know, being proactive and, and working with other teams on initiatives and of course, software development and infrastructure modernization, right? In the early stages of that, it was nothing but a struggle. It was nothing short of a struggle, you know, part of being the department of, no, it makes people not want to listen to you, but not being the department of no means that you, you need to work really extra hard in order to, uh, communicate to people. Here's, here's what I'm trying to tell you. I need them to get to, I see what you mean, but, but more so I found that we would go to meetings and, uh, it depends on the team that you're talking to, but in a lot of cases, they don't even understand the risk or the threat. Speaker 2 00:16:13 And in other cases, there, they're already in fifth gear tearing around, you know, tearing around on the track and they've got stuff going on. They've got a schedule, uh, they've got their sprints in place. They're running with it, they've got their requirements and they need to interrupt that, but you can't do it in a way that slows them down. Uh, which of course historically would how you, you would see an interaction like this come out. So, you know, we, we made sure to, uh, be very present, uh, to, to listen to the other teams and then to, to be sure that we communicated, we are here to balance out the situation between first to market new features, uh, the ability to, uh, you know, for the enterprise to gain more revenue through new products and services. Yeah, we want that too, but we also don't want to be, uh, the victims of a cyber security incident, right? Speaker 2 00:17:21 We don't want a situation where we knowingly, or usually it's unknowingly create a new product that has vulnerabilities or can be exploited by bad guys. And those conversations, it took well over a year to, to get to the point where a lot of the development team leads and our co-workers HR and in finance, they now come to us with really interesting questions about can, can, cannot, I want to do this. And I want to, I want to connect or integrate with this vendor. How is that a bad thing? How is that going to impact us? Is there any risk involved? So, you know, I don't talk to people and our team doesn't talk to people. And even, you know, when I was up in DC, we were very good about not showing up at, you know, uh, in middle ground with another team or two teams or a bunch of teams, and just start blurting out our language, alerting out our acronyms, bloom, blurting out our words. It took a while to, to, you know, for both sides to educate each other on here's what we've got going on. And, you know, what, what is it that you, that we need to understand about what you need? Speaker 1 00:18:48 Several thoughts came to my mind. We were talking the test to a great deal of success to have had people in other parts of the organization, outside the InfoSec space, be thinking about the kinds of questions that the InfoSec guys would want, the issues you'd bring up and coming to you with questions. Wow, man, that's, that's, you're way down the road of, of a collaborative effort, because then they'd shifted their own personal perspective. And they have the thought process that says, we should check this with Rick. I know you're not doing a guy there, but I'm going to just personalize it to you. We should check this with Rick. Wow. That's uh, that's, that's really cool. Speaker 2 00:19:29 Not only that. And if you don't mind, I can, I can give you a couple of clues as to, to at least what I attribute as important factors to getting there. One of those first and foremost is security awareness training. Yeah. We're like all the other companies, we provide security awareness training. Uh, every new employee is going to in their first day of work or, you know, a briefing on secure Speaker 1 00:20:00 Fairness Speaker 2 00:20:01 And an annually. Everybody has to retake it, but it's a lot more than that. We have, uh, channels on our messenger, our business, our company's messenger service that are specific to providing security tips and hints to, to individuals, uh, that, that work within the company. Everybody can go there and see, you know, there's, there's a tip that, uh, is telling me about dangers with my mobile device. It doesn't always have to apply to business. And we also run around the clock and, you know, 24, 7, 365, uh, we we've run phishing campaigns. People are always, and you never know if the fishing campaign is real fishing from a real bad guy, or if it came from us and those tend to keep people on their toes. Now, one of the things that I really see as, uh, as a way to gauge the effectiveness of your security awareness training, uh, is not only when you find your coworkers reaching back to the InfoSec team to ask questions or to, you know, to get advisement on, we have to share this information, but good security awareness training. Speaker 2 00:21:26 You're arming your coworkers with their own common sense. And that may seem like a silly thing to say, but the truth of the matter is most individuals lack confidence in their ability to detect scams and their ability to understand, Hey, if I click on this link, what really happens? What goes on beyond the things I can see, there's something, is there something going to happen here? And common sense is got to be, I don't care what anyone else says on an academic level. Common sense is your, your number one tool. And the one thing that all members of a team and all in all of your coworkers share, you all have common sense and collectively you could use it together individually, your, your coworkers can, you can use common sense and they can have confidence in the common sense that, that their training tells them. I should recognize this as an indicator of compromise. I don't click, I don't open the attachment, Speaker 1 00:22:41 Rick. That's really cool. Okay. Let's, let's just back up to where you, where we started, the mandatory security we're in his training is important, but it can be a check the box thing. Exactly. And, and, but it's, it's, it's, it's, it's necessary. It's not necessary insufficient. You have to do it. You do it first day. You do it annually. Okay. It's not enough to make people. It's not enough to do what you said to inform or arm someone with a different, common sense. Okay. But it's a start, but it's not the ending place. Then you had the channels. Um, and the tips, if those are frequent enough, it kind of keeps clicking my fingers here. The Michael picked that up. It keeps things in front of people. It keeps the concept in front of people. And then if you're running phishing campaigns and people know you're running phishing campaign, you're right. Speaker 1 00:23:30 That makes people think they see something. And then they think, whoa, did that come from our own? It doesn't matter where it came from, but they're going to think, well, is that coming from us? Or is that coming from outside? I don't want to get caught either way. So it's a great way to raise awareness that, that I think prompts a little bit of different behavior in real time. Right? That's what you want. You need the, you need the behavior change in real time. So when an email comes in, they're not on the phone or doing two things and click on it, that when they see it, they have that pause, that pause reaction that it's actually like an avoidance motivation. It's like, pull back. Don't lean in. Don't, don't be attracted by it. Don't be curious about it. Hold back and go. What would Rick do? Speaker 1 00:24:20 What was in it for us, that guys do. So, I like how you put an arming coworkers with their own common sense. I think that's a super cool idea. Here's why people who understand InfoSec have a different level of kind of common sense that people who don't, people who understand physical security have a different kind or level of common sense that people who don't understand it, don't have people who understand anything with a risk involved in it. You keep electrician, plumbing, your health. If you understand the issue, you have a different kind, you have a more informed kind of common sense. And if you don't understand the issues and you're not, you're not wrong or bad because you don't understand the issues, it's not your job, your raised the level of common sense that wasn't common to that person prior to. So if you guys have been successful at raising common knowledge about InfoSec practices across the enterprise of people whose job it isn't to care about those InfoSec practices, that's an amazing degree of, of, of success. Did you have all achieved? Speaker 2 00:25:24 I thank you. I think so too. All the credit goes to this team and our manager and our, so, uh, you just, you can't read the news, hear the news, see the news without some mention of, of some very large scale, significant cyber attack. You know, we're fortunate it is on people's minds nowadays. And I feel like not only is it, is it good to help my coworkers? So we do no harm to the company and our assets and our forms of revenue, but also in their personal lives. I don't want a situation where my coworkers are having to deal with the struggle of identity theft and recovery from that are having all of their money stolen out of a bank account. We, we opened the door, not just for questions, dealing with corporate assets. I want to help them to, to really understand here's, here's how to protect yourself and your family and your interests. And if you have any more questions, come ask. Also another factor is we we've gotten an excellent culture here. Questions aren't frowned upon. I know most places will say you have you little quippy saying about, there are no Speaker 1 00:26:46 Stupid questions, Speaker 2 00:26:48 You know, just ask, but then you still get frowns. Cause now you've made the meeting go five minutes longer and nobody else cares about the answer, Speaker 1 00:26:59 But you're right Speaker 2 00:27:00 Where we are now. And in fact, many places that many of the teams that I've run and in decades past, it's always been a matter of, I need everyone to ask the questions when they need information, right? Because context is important, critical. And without, without context, you could have two people who believe they're on the same page. They think they're on the same page. The, the written grammatical perfect grammatically perfect statement of goal or objective or mission is a hundred percent understood, but they're lacking context. And all, all of the employees, all of the coworkers that I've had and team team members from previous years, we're not afraid to ask questions and, and what's more is, is good leadership, uh, recognizes, uh, how to make sure the rest of the coworkers appreciate those questions and it gets answers. And, and they're not, they're also not afraid of freeform conversations. Speaker 2 00:28:09 That's going away now. Nowadays, most, most business entities don't have time or means for there to be open forum type discussions. Everything is with an agenda. You've got your scrum meetings. You've got, you know, very rigid outline of what's going to be followed, but where's the time where, uh, a young software developer or a young integrator or a young finance person, or a young cyber security, uh, engineer gets, gets to ask questions and say, I understand how to use this tool. Why, why are we doing this? Right? Those things are important. And good leaders are, are always on top of demanding that everybody have the context they need because their performance is strongly linked to their level of confidence. Speaker 1 00:29:04 That's a great point. There. Performance is strongly linked to their confidence. Boy, that's true. Words were never spoken. Let me, you brought up a topic I wanted to ask you about, so let's stay on this. Sure. As companies have moved toward adopting best practices that are processed prac like scrum or any kind of iterative development process, as companies have adopted practices to make those conversations effective and efficient, you pointed out to me that had the unintended concept that has the unintended consequences of squeezing out the office agenda items for conversation, or just a free form conversation like you might have at the water cooler. So you were making, you made the point to me that I wanted to ask you about. There was perhaps an unforeseen cost in that, right? It seems like a desirable thing to do to put good process practices in place. Speaker 1 00:29:59 But if we, if we removed some of the wondering some of the ruminating, some of the, well, wait, Rick, I believed I understood what you said in this situation, but I don't know how it applies to that situation. Right? And if that, if there wasn't time for those conversations, people wouldn't learn that you would not raise their generally raised their common sense. And then you would not, you would not improve their level of confidence that would improve their level of performance with regard to cybersecurity. So say more about that and how you guys have combated that. Sure. Speaker 2 00:30:35 I appreciate you bringing it up because literally everywhere I've been for 30 years, we've been fighting the battle. That is, it literally is nowhere near over. And that is as we move to digital everything, digital, current cryptocurrency, uh, you know, digital tracking, uh, less paper, more, uh, content managed, uh, uh, information, databases of databases with everything. As we move more to the digital, we can't omit what we had before digital pre-digital. And by that, I mean, uh, there's uh, there are a lot of things humans have, and in our normal relationships, in our interactions with others that we probably took for granted, or maybe it wasn't taken for granted, maybe some of the people developing, you know, digital platforms and digital progress, uh, knew, Hey, you know, this is going to omit a lot of, uh, conversations where important content is shared so that people can really ensure that they're on the same page, but we did it anyway and we're moving ahead. Speaker 2 00:31:57 And really no one is looking back and we need to make up for that. We need to, we need to reintroduce the things that we've lost. Maybe not in the same manner. It may maybe, maybe we don't have, you know, water cooler conversations like in the fifties and sixties, you know, even, even before our time, but we, we need a way to replace. What's been lost and we also need to have, uh, definitely your C-suite definitely your, you know, your mid-level managers, your directors, those people definitely have to understand the importance of, uh, you know, content, the importance of conversations, the importance of, Hey, if I create a whole bunch of tickets to get work done, will everybody understand exactly what they meant? Sure. They're auditable, you know, it's all digital, you could just want to report and there's your audit, but can you trace backwards to S to see, you know, what were the original requirements for this new functionality? Speaker 2 00:33:09 Or, you know, what, what were the tickets, or what were we seeing before we realized this was a full blown incident that we had to respond to? You know, what were the clues? And, you know, you've got to be able to tell a picture and, uh, tell a story rather of, you know, what went on, what's going on. And a lot of times, even when we overload systems, you know, digital content, paragraphs, snapshots, screenshots, everything, even if we overload a digital repository with that information, it may do nothing but lead to more confusion. It may lead to more questions that at that point might not have answers as opposed to the early days. I don't bad mouth, the waterfall method I, I find. And, uh, also the spiral development, uh, methodology, both of those are really solid, but we're evolving at a time when people were still all in the same office, uh, all hands meetings still occurred. Speaker 2 00:34:20 Team meetings still occurred. Critical design reviews were done in person. And, uh, you know, you can see micro expressions on people's faces as you're reading something, you could see the end of the table, you know, react to what you had to say, try doing that on zoom. Right? A lot of times if people have cameras off, you've literally got no idea of any reaction from people. And I don't have solutions for all of these. Sure. I do know that there are, uh, you know, definitely needing to be, uh, open forum type discussions without agenda, without structure, where, uh, for example, a cyber team or a sprint team or your finance team can kind of get together and say, you know, I was watching TV the other day and I saw this ad for whatever. And I'm wondering, is that going to be a better option for us to move our financial platform here or for, you know, a third tool that we need for development, or, you know, a threat that now is, is being realized in the, in the FinTech industry, all of these simple comments that lead to good discussions that lead to sharing of information, we need to re-introduce those. Speaker 2 00:35:47 And we need to, we need to be clever how we do it. The more different ways people try, I think the better success they're going to find something that works for their organization. Speaker 1 00:35:58 You mentioned context a few times a night, and I want to, I want to comment on that actually would like to ask you how you came to appreciate that as much as you do. But I mean, let me pick up first on what you just said. I have a theory that we are start from our own page and we are all on our own page. And if Rick and Lou were going to get on the same page, we're going to create it from our, our own pages. Right? And to me, that means something having to do with what we see, what we, what we notice. We don't see everything in a situation, what we notice, what we make of it and why we make, why we see what we see, why we make of it, what we make of it and not something else. Right. Speaker 1 00:36:40 And what we think we might do about it and not something else as a means to an end and not a different end. Now, if I'm in the business unit and you're in InfoSec, in one situation, we could, we would probably expect us to have seen different things, size them up differently, decided what to do about them and maybe have different objectives. Not that they can't come together, but we're going to start from our own places. And then the context shift that I think occurs in a good conversation, which is part of your point is that we like an event diagram. We, we create a bigger space between us that same page as maybe a, maybe a more of a shared space in the Venn diagram where we have recontextualize was the word. I was thinking what you were talking. We, recontextualize what we see what we think about how we size it up, what we would do about it and why with each other's information, it creates a larger, and it's a different, it's a little bit of a perspective shift and good conversations, whether it's between you and one of your kids, you and your spouse, you and a neighbor, you, and one colleague you're talking to, or you and a team, good conversations, do that. Speaker 1 00:37:56 Good conversations get there. I know you're not saying that conversations that are part of a development or design process development process, review process, all the processes, businesses run her bad conversations. But I do think what you're saying is if you script them so tightly with agendas and you don't allow for some emergent property to come through in a conversation, because we're out of time on the agenda, we got to go, we're going to miss things and we could miss important things. And if we have make the time for it, we could catch important things and it could change what we do. Speaker 2 00:38:30 Uh, that is a hundred percent correct. And you're right. I believe the natural evolution is when, when you are first, let's say your first meeting with another business unit or several business units. And it's been announced that, you know, your team and four other teams are collaborating on X project. Right? Of course, it's natural. The teams come in there thinking, uh, what is it that they're going to have to do to make this successful? They're thinking, uh, you know, how can they exceed expectations, at least in what leadership wants in terms of the, you know, the outcome right here, I've got these resources at my disposal to make this happen. And, uh, the diminishing resource of time is, is one that I need to be very careful about and yeah, conversations take time. Uh, but so does failure. I would argue failure takes more consideration, Speaker 1 00:39:42 More time, more of other Speaker 2 00:39:43 Costs too. I I'm really glad you brought up Venn diagrams because I think everyone, uh, understands the importance of Venn diagrams. They understand how they work and without even closing your eyes, the visual is right there. So of course, you know, at, at onset, uh, you know, once initiated a project or, or a evolving program, we'll have a lot of people coming in with which seemingly have their own agendas. They definitely have their own opinions and they definitely have their own level of anxiety and different things that they're anxious about. And if you introduce an information security or cyber or ISO team into that, into that mix, now they've got extra anxiety because maybe they're thinking the best way to do this is going to be disapproved. Well, that's kind of scary for T and I, you know, with, with the future of, of what cybersecurity professionals can provide, uh, a team, uh, you know, a collaborative, uh, situation like that is not only making sure that we're successful in another area that might not even be written down. Speaker 2 00:41:07 I mean, how many times have you seen a requirements document? And it will say, yes, you're going to meet this standard and that standard, and you will comply with this and whatnot. And if you want to look at it, click on this link and you could go figure out what that's all about. Uh, but I very rarely see objectives written in terms of the objective. Here is a additional revenue of a million, the, uh, you know, our goals and, and the actual, uh, product or service that we're going to do is, is going to be in this area and it's going to work thusly. Uh, but I never see something at the end that says, oh, and it's going to be a high level of confidence, locked down, secured. Everybody takes things like that for granted, maybe not everybody, but it's very easy as humans to think, oh, uh, it's going to be secure when people get into their car to go to work in the morning, go to the grocery store. Speaker 2 00:42:11 I seriously doubt the first thought on their mind. Every single time they turn on the ignition as a man, I'm I can feel it. I'm going to get into an accident right. In the way. Well, you know, that's, that's a scary thought to have all the time. First of all. And it's, it's also, you know, it's, it's well known that the statistically you're not going to get into accidents every other time, your vehicle and stuff much the same with putting a team together, to collaborate on a corporate initiative or a project. They're not going to say, uh, and kudos if they do, Hey, we need to make sure that, uh, this thing is totally locked down, but they may say is this is going to comply with all corporate cybersecurity policies. And furthermore, the, the leadership of the company has gone. We'll have already ensured that, uh, the principles of cyber security, confidentiality, integrity, availability, and, and all of the policy that relates to certain areas of the company is present in their policy. Speaker 2 00:43:26 Instead of being this one-off document that sits alone by itself. And it in a Microsoft teams folder that, you know, okay, we've got coding standards, but then we've got secure coding standards. You should have coding standards integrated, you know, fully with all of your coding policy, with all of the security policy. And this, this helps people to acclimate to, to that idea right off. Okay. So not only can I only use these languages and this compiler or that's old school, right. Or, you know, losing TLS, uh, I can't have any clear text transmission between these two platforms. Those are things that should be part of their standard also. And that's a, that's a good way to get the word and the importance of, of, uh, cyber defenses communicated well to all of your coworkers. And they don't mind being held accountable for that because they can always ask, they can always come to you and say, Hey, I saw this in our thing, our policy, I'm going to try and adhere to it. Speaker 2 00:44:43 What does it mean? And, and that's our job that truly is our job. Get in there, tell them what you mean. If it's not understood, explain it in a way that is within the context of their world and their understanding of it, which I realize is a hard thing to do. The people who are people who are able to get, get in that mode, uh, are successful literally in everything that they do. I'm not saying that's me. I, you know, at times sure, but this is really something that the best cyber security professionals, the best CEOs they're capable of thinking in terms of other people's perspectives and communicating in a way that resonates with them. And the way that the message is clear in a way that the response you get is I understand what you mean. Speaker 1 00:45:36 It's a bit of a translation function a little bit. I think what you're saying is important because I've read, I can read something and it's in English. I understand the meaning of the English words. I understand from the sentence structure, paragraph structure. I understand what it's saying, but I might not always know everything. It means. Right. I might wonder if it means I might have a feeling. It is just that a feeling of it could be you, it could be a doctor you're talking to, it could be again, the plumber or the leg. It could be anybody's all right. I get what you're saying, but what does it, what does it really mean? Like net it out for me in a way that I will do something. Cause see, I think everything we do is a means to an end actions we take are a means to an end that we have as individuals or as parts, parts of an organization. Speaker 1 00:46:27 If you do that translation, if you contextualize something from me so that I understand it in my context, if you communicate something to me. So I understand that in my context, then I can go, oh, all right, Rick, I see what you mean. Okay. Then now I'm empowered to act with the information I can be informed by the information that I could have read in a policy, but not quickly clearly known what to do with, or couldn't have connected to in my, in myself to go. All right. I know what that means to me, that I can act on. And even, even back to your point about not seeing business objectives and goals in a requirements document, geez, Rick, how much more important, what that's such an important context. If it's left out, it that's that if that's a target, you could look at the near site of a rifle. You could look at the first sight on your rifle. If you're not looking at the target, what are you going to hit to know what the business objectives are, is to know how to line up all of the things you do that must be done, meeting the standards, meaning policy, best practices, whatever it is to accomplish that that's critical context Speaker 2 00:47:37 Could not agree more. And the, and the important thing about what you just brought up with all the other factors, not just in the outcome of a project or initiative, but the process along the way, this is where workers gained the most amount of respect for each other. And that's another important thing that we're not going to get. We're not going to get away with being in an environment via corporate or otherwise without truly understanding what it is to respect and at least understand where they're coming from, what they, what they know and, and what they value and what a provide as value. I don't have to agree with them. In fact, in the early days before there were InfoSec teams and cybersecurity teams, right? You, you probably had a couple of heroes at a company and they kind of knew what was going on. Speaker 2 00:48:35 And they knew that this HTTP requests looks fishy and inject code or something to that effect. But they, they really, uh, just like today, you can't go running in and be using your language and say, this is this because then they, uh, you know, the rest of the team may ask, well, so what right then now why do I care? And of course they won't ask it like that, or maybe they will. But if, if I can take my mind and if I can take my value and put it front and center into their domain and say, not only are you going to build this awesome, you know, revenue making money, hand over fist we've got now, but it's going to be secure. We're not going to be front page news. You know, the last day, uh, that the company existed, uh, was this horrific cyber attack or breach or, or anything I strive. And a lot of my coworkers strive to make sure that our coworkers understand the important things about what we're saying. If there are consequences, well, what are they Speaker 1 00:49:56 Well, so, you know, if you put that in terms, so if you're talking to people in sales who maybe feel like in their job, they're just as far away from InfoSec issues as they can get. But if you said to them, Hey, you know, if we release this product without making sure it's secure the way we want it secure, it could hurt your customer, right. It can hurt us, but what if it hurts your customer? What if they, what if there's a, what if there's an incident that on their side harm to them through our, then you've got a sales person going now, you got my attention. Speaker 2 00:50:31 Correct. Right. And that's, uh, you know, that, that's a perfect way to, for me to, to throw in also, uh, I try and socialize the idea of you're sick, uh, an organization's security posture being part of the new currency of business. And that's what you just said, your example of the sales guy, communicating to a potential customer or an existing customer about how important our cyber and security posture is to as a group is a perfect example because you know, they're prepared to deliver what, uh, ensures to, you know, provides assurances to their customers. Hey, look, we have our security situation under control. We're not doing crazy things. And we take it just as seriously as you do. We're a good partner and that's important. And I can't wait until, you know, 10 to 20 years down the road when it, when it truly is art of the, you know, the value equation for a business currency, Speaker 1 00:51:43 That concludes the first of two episodes. Rick and I recorded join us next week when we discuss the importance of mentorship in professional development, why InfoSec teams need whole people on them, not just technical experts and why getting on the same page with risk management means more than keeping our risk register.

Other Episodes

Episode

June 01, 2022 00:40:20
Episode Cover

Organizations Might Benefit By Zero Trust For IT Security, But They Need A Trusted Environment For IT Projects. Part 1 Of My Conversation With Richard Spires.

If you're not a technologist (I'm not), you might think success in a technology field hinges on technical knowledge. Technologists know exactly which technical...

Listen

Episode 0

February 10, 2022 00:58:20
Episode Cover

Communication And The Art Of Project Management. Or Is It The Other Way Around?

My friend Joe Launi has been in the project management business for 35 years. He's been a team member, project manager, and trainer. And...

Listen

Episode 0

November 24, 2021 00:58:36
Episode Cover

How A Grey Collar Gets Blue and White Collars On The Same Page

When I met Bill Stanton he was on point to make sure more than 100,000 LED fixtures were selected, ordered, manufactured, shipped and delivered...

Listen