Good morning and welcome to our first talk of the day. Buffy currently works at Canva as a security engineer. Born on a moonless night in an undisclosed location along the cyber ley lines, for the past five years they've been using the mystical powers handed down by generations to tame pythons and gophers, manifesting themselves into the security engineer they are today. They also have the best speaker bio of anyone.

Buffy's going to use pretty much all the time today, so if you have any questions, keep them in mind and ask in the hallway tracks after the talk.

Hi everyone, I'm Buffy. Today I'll be walking you through three different societies, exploring their success, failure and perseverance, and drawing parallels between these empires and modern security culture. I'll also be providing a set of tools to help you identify modern-day issues in your company's security culture. Which brings me to collapsology: a transdisciplinary study of risk that results in the collapse of empires and

Just as a heads up, today we will be talking about some of the toxic parts of workplace culture, so that might bring up some bad memories for some of you.

Our first stop today is the Neo-Assyrian Empire, which at the time was the largest empire in the world. It was located in the Near East and had control over modern-day Lebanon, Syria, parts of Turkey and Egypt. The empire was established in the 10th century BC and ultimately collapsed in the 7th. So let's take a look at one of the key influences that resulted in the fall of this empire, the lessons we can learn from their failure, and what we can do to prevent the same fate.

So after the death of the king of Assyria in 631 BC there was a lot of political instability and ongoing civil war between many of their occupied territories as they fought to gain independence from their middle managers, I mean rulers. The rulers of the time even wrote about their fear of internal danger, palace intrigue and rebellion. What made management's situation worse was that the Assyrians
gained most of their territory through a show of military dominance and were notorious for resettling conquered people to other areas within the empire, which resulted in pockets of resistance. So while most modern organizations don't collapse after the murder of their CEO, or grow by placing armed militia outside corporate headquarters, we can still see modern-day equivalents of palace intrigue and rebellion.

In the modern day these types of political threats occur when interests and agendas collide in a way that has an impact on the organization's ability to operate, and this is the same for security teams. One of the most common political threats I've observed is turf wars: when managers or employees engage in competition for bureaucratic control of resources or the advancement of individual or organizational goals. You've probably seen in the organizations you've worked in where silos or particular managers stand above the decisions of security, or decisions are completely undermined. In other cases security management might even cease to exist, or it may be relegated to a small security team with no authority to enforce security's decisions.

When I was a pen tester I would see turf wars play out on onboarding calls, where the team in charge of provisioning access would challenge or cause delays in getting started because they didn't like that another team had procured penetration testing. When I moved into governance I saw obvious signs of turf wars during risk assessments, when the security team would lament that security objectives were being sidelined for product delivery even when there were clear drivers. The result was always the same though: low risk acceptance with slow-moving security programs, a large and highly risky security backlog, with a prevalent shadow IT problem.

The other threat that appears when talking politics is vendor bias, and this can be anyone providing goods and services, so that also includes open source. This threat can take many forms, from consulting companies pushing
products that aren't adequately matched to the company, to organizations that swear by a particular vendor or hate a vendor to the point that it becomes a detriment. It also takes the form of organizations refusing to buy a product because there are similar open source variations, forgetting that you can pay in other ways. And while there is some accountability required by the businesses seeking out vendors, it can be very difficult to get unbiased information if you have a small or inexperienced security team, and this is the same in consulting.

The outcome of vendor bias, though, is rational security decisions being held hostage by forces that might not be fully articulated or understood by the business itself. You may end up having to devote resources and budget to workarounds to get technology to match security requirements, and security teams might actually deny themselves the best solution because they've decided that they dislike the provider on personal grounds. Internally, the organization will ultimately find itself behind the curve on skills and innovation by continuously supporting vendors out of either a sense of loyalty or animosity to the competitor rather than sound business analysis, which can be a difficult debt to pay.

Now there isn't much hope for the Neo-Assyrian Empire turning things around at this point, but for organizations now, you can reduce the likelihood of these political threats manifesting in similar ways. So the first tool we're going to look at today can help you identify that political back and forth. It's called the Competing Security Cultures Framework, and like its name suggests it can help you explain the conflicts and competing priorities that often create security risk and failure, especially those brought on by politics. But don't be fooled: it's not a cure-all, and the framework doesn't pretend to fully describe or explain every organization's culture. It's a tool for learning and exploration, so people working within the context of an organization's security culture can learn more about it, assign terms and concepts, and identify areas of risk that emerge when security priorities and values come into opposition with one another.

In summary, if the Assyrian Empire was a modern business, we can see how their management style would have incited turf wars as management looked to serve their own goals, and by looking at how they left newly occupied territories unmanaged we can see how this would have encouraged smaller teams to make biased vendor decisions, leaving their security team under-skilled and looking after impractical security tools, and most likely resigning in droves. I also think that they would have had a massive shadow IT problem as smaller teams work to maintain their efficiency. For you though, the Competing Security Cultures Framework can be used to help identify these political issues by providing you with the ability to describe and interpret the different ways that politics is impacting the security culture.

In the next section we're going to look at some of
the successes achieved by another empire, what a highly reliable culture can look like, and how we can identify similar qualities in our own organizations.

So by contrast to the Assyrians, the Romans succeeded for nearly 1700 years, and while they did eventually collapse when Constantinople was taken by the Ottoman Turks, Rome's republican institutions left an enduring legacy, influencing the Italian city-state republics of the medieval period as well as democratic republics. The Roman Empire evolved from ancient Rome and was founded in 27 BC. We're now in southern Europe, where the Roman Empire had continuous territories through Europe, North Africa and the Middle East. So let's take a look at what distinguished them from the Assyrians and what tool we can use to make sure our organization thrives like the Roman Empire once did.

So as I've mentioned, Rome is what I'd like to call a high reliability empire. They maintained complex political structures with a constitution, detailed laws and elected officials such as senators. However, unlike other empires of the time it wasn't as top-heavy, and instead they deferred to people who were closest to the issues, which helped them increase social mobility. The Roman army was also known for their sensitivity to operational activities, working to balance the political outcomes of the empire, a process of diplomacy backed by the threat of military action, and their military engagements in order to defeat the enemy when needed.

In the modern day though, organizations that embody similar qualities are called high reliability organizations, and while they have less reliance on military presence, they have continued to adapt to the dangerous and hostile environments that they operate in. The qualities possessed by these types of businesses can be grouped into five principles that explain the qualities seen in the Roman Empire but also distinguish normal businesses from these highly reliable ones.

Firstly, there's a preoccupation with failure. In most organizations failure is universally a bad thing that's to be avoided at all costs, but in these highly reliable organizations there is a drive to identify these failures at all costs and as early as possible, using small controlled failures as a tool that can be used to avoid larger disasters.

Like the Roman Empire, there was a reluctance to simplify, but that's not to be mistaken with "complex is good". Highly reliable organizations maintain a healthy respect for the complexity and unpredictability of their environment and seek complicated answers backed by observation and data.

And like their military, there is a sensitivity to operations. HROs put equal emphasis on the tactical requirements that make strategy work, and leaders don't just do the vision thing, leaving everyone else to hammer out the details. Instead they focus on gathering data and knowledge from a variety of sources to make the links between strategy and operations, which helps drive their success.

The next two qualities are a commitment to resilience and high
reliability organizations know that they'll experience failure at some point, and instead of worrying about that they put time and effort into imagining how these failures will occur and what they should do when it arrives. And lastly there's an ability to defer to experts, and so while hierarchies are important to highly reliable organizations, they aren't when they are a hindrance to people, so they focus on the skills and judgment of the people who are closest to the systems in question, gathering data and feedback as close to the source as possible.

And so that brings us to our second tool for today, the Security FORCE Behavioral Model, and this measures the qualities we just discussed and maps them back to a security program, allowing the business to transform a typical security program into a highly reliable version of itself. This transformation can help businesses reduce the number of large security failures and improve recovery time from them. But a high reliability security program isn't a label that the security team can put on itself; it's something that it does. It's similar to duck typing: if it looks like a duck, walks like a duck, quacks like a duck and has the DNA of a duck, it's most likely a duck. This model just defines what it means to be a highly reliable duck.

So there are two parts of the model, the first being a survey you can use to assess whether or not employees, not just the security team, believe the organization has a high reliability security program. The survey is made up of 25 statements divided into five sections, each representing a value that we just discussed. Respondents are asked to state their level of agreement with each statement from strongly agree to strongly disagree. And like the Competing Security Cultures Framework it is a generalist tool, so it's very flexible in its application and how results can be charted. And because high reliability security programs aren't typically seen in organizations where security is highly centralized and isolated, if you use this survey it's really important that you cast the net as wide as possible to make sure that you get a good mix of opinions, not just the ones that will give you good results.

The second tool is a set of measurements for each of these values. It's made so you can gather data regarding how well you actually embody the behaviors in practice. The metrics measure things like the number of security failure scenarios developed in the past year, the average time to organizational decision from idea inception to actual rollout, the number of security-related training opportunities provided to people, and so on. These metrics are designed to assess high reliability security program related traits and compare them over time, so as you chart them the metrics will basically tell a story of behavioral change and artifact creation, providing empirical evidence that the organization is actually changing
behavior rather than creating artificial artefacts to tick a box.

I decided that if the Roman Empire was a modern business it would be a story very similar to that of Code Spaces, who offered developers source code repositories and project management services using GitHub, Subversion. They had been operating with great success for about seven years and had no shortage of customers, but in 2014 they had their Amazon Elastic Compute Cloud control panel breached and ultimately destroyed by hackers. And so much like the Roman Empire, where they embodied high reliability and success in some ways, when they took away the ability to be adept at failure, or practicing that value of resilience, it's very easy to see a once-thriving empire topple overnight. Because high reliability security programs are less about how organizations succeed at security, and at the core it's actually about how they fail at it in very particular ways and under very specific circumstances. So the majority of security programs, even very mature ones, will often find capabilities are strained when it comes to failure because they rely on being robust. Unlike the Roman Empire though, you have the Security FORCE survey and metrics to drive change in habits and behaviors, adopting new ones that will make large failures less likely and to help your team respond better and faster.

So far we've explored how the Assyrian Empire fell because of politics, while the Roman Empire had limited success because they embodied only some of the qualities of a high reliability organization. We're now back in the modern day, and the empire we're actually going to look at is yours. We're going to look at what the future could hold if additional security threats go unchecked, and how we can identify them before it's too late. Now, make the safe assumption that you've had some sort of interaction with security in some way, whether that be with security engineers, governance and risk teams, or security consultants. You might even be the security person or make up a larger security team. So as we go through this section I want you to analyze how security decisions you've been a part of have been made, or how decisions you've seen being made have been handled, and see if you can see some of these threats lurking in the background.

Now the security culture collapsologists can't be sure how successful your organization will be, because the nature of collapsology tends to be retrospective, but we can heed their warnings to try and avoid similar fates. We can do this by understanding how employees at your organization view the security culture, and look to explore this territory, identify threats and treat them to ensure that your security empire stands the test of time.

One of the most common and threatening logistical threats I've observed is incompatible outcomes, and I say that it's the most threatening because it regards strategy: for example, how bring-your-own-device policies are introduced or managed, or how organizations migrate to the cloud or introduce new features into
their product 471 00:17:41,280 --> 00:17:45,679 when strategy is managed properly by 472 00:17:43,440 --> 00:17:47,440 involving people closest to the problem 473 00:17:45,679 --> 00:17:49,520 and when there's a mutual understanding 474 00:17:47,440 --> 00:17:51,840 and respect for opinions the threat of 475 00:17:49,520 --> 00:17:53,200 incompatible outcomes becomes largely 476 00:17:51,840 --> 00:17:55,360 mitigated 477 00:17:53,200 --> 00:17:57,120 but when product delivery isn't properly 478 00:17:55,360 --> 00:17:59,600 balanced with security and privacy 479 00:17:57,120 --> 00:18:01,840 controls especially when imbued with 480 00:17:59,600 --> 00:18:04,240 political emotional and psychological 481 00:18:01,840 --> 00:18:08,000 threats they can grow into serious 482 00:18:04,240 --> 00:18:10,240 security issues promoting shadow i.t 483 00:18:08,000 --> 00:18:12,480 people circumventing security controls 484 00:18:10,240 --> 00:18:15,120 and a lack of accountability with lots 485 00:18:12,480 --> 00:18:17,280 of finger-pointing and not even large 486 00:18:15,120 --> 00:18:19,840 technology companies are immune to this 487 00:18:17,280 --> 00:18:21,679 as we saw when apple introduced 488 00:18:19,840 --> 00:18:23,840 client-side media scanning which 489 00:18:21,679 --> 00:18:26,320 concerned a lot of security and privacy 490 00:18:23,840 --> 00:18:28,480 experts and slack tried rolling out its 491 00:18:26,320 --> 00:18:30,240 private message anyone feature 492 00:18:28,480 --> 00:18:33,200 that was quickly rolled back over 493 00:18:30,240 --> 00:18:35,280 privacy and harassment concerns 494 00:18:33,200 --> 00:18:37,440 in your organization this could also 495 00:18:35,280 --> 00:18:40,080 look like sales team promising clients 496 00:18:37,440 --> 00:18:41,919 new features without consultation or 497 00:18:40,080 --> 00:18:44,720 engineers rolling out features without 498 00:18:41,919 --> 00:18:48,559 security or privacy sign off and it's 499 00:18:44,720 
--> 00:18:50,480 a very common and ubiquitous problem 500 00:18:48,559 --> 00:18:52,559 it's also seen internally when 501 00:18:50,480 --> 00:18:54,640 governance teams enforce controls on 502 00:18:52,559 --> 00:18:56,640 employees without any regard for the 503 00:18:54,640 --> 00:18:58,720 impact on workflow which results in 504 00:18:56,640 --> 00:19:01,200 users relying on shadow i.t to get the 505 00:18:58,720 --> 00:19:03,200 job done 506 00:19:01,200 --> 00:19:04,960 this threat degrades businesses to a 507 00:19:03,200 --> 00:19:07,200 point of creating a sense of false 508 00:19:04,960 --> 00:19:09,440 choice where every concession to the 509 00:19:07,200 --> 00:19:11,679 business is seen as a loss for security 510 00:19:09,440 --> 00:19:14,160 and every security initiative is seen as 511 00:19:11,679 --> 00:19:16,080 a blow to business efficiency instead of 512 00:19:14,160 --> 00:19:19,440 being treated as joint outcomes that 513 00:19:16,080 --> 00:19:19,440 bring value to everyone 514 00:19:19,919 --> 00:19:23,679 but logistical threats aren't the only 515 00:19:21,840 --> 00:19:26,400 ones we need to worry about because we 516 00:19:23,679 --> 00:19:28,720 have emotional threats specifically fear 517 00:19:26,400 --> 00:19:30,720 uncertainty and doubt which i think is 518 00:19:28,720 --> 00:19:32,160 something everyone 519 00:19:30,720 --> 00:19:35,039 which i think is something that 520 00:19:32,160 --> 00:19:37,039 resonates with a lot of people right now 521 00:19:35,039 --> 00:19:39,360 when working as a consultant it was as 522 00:19:37,039 --> 00:19:41,760 common to have clients call about the 523 00:19:39,360 --> 00:19:44,960 latest security news cycle whether it be 524 00:19:41,760 --> 00:19:47,200 the solarwinds supply chain breach a principle 525 00:19:44,960 --> 00:19:49,200 of vulnerability or the exploitation of 526 00:19:47,200 --> 00:19:51,120 public remote desktop services to 527 00:19:49,200 --> 00:19:53,360 ransomware businesses 528
00:19:51,120 --> 00:19:55,760 the media's ability to spread fear 529 00:19:53,360 --> 00:19:57,760 uncertainty and doubt is ubiquitous and 530 00:19:55,760 --> 00:20:00,400 it can have a major impact on 531 00:19:57,760 --> 00:20:02,720 a business's ability to establish and 532 00:20:00,400 --> 00:20:05,280 deliver a long-term cyber security 533 00:20:02,720 --> 00:20:07,360 strategy especially when it's captured 534 00:20:05,280 --> 00:20:09,440 leadership's attention 535 00:20:07,360 --> 00:20:11,679 and it's not to say businesses shouldn't 536 00:20:09,440 --> 00:20:14,159 address certain risks as they become 537 00:20:11,679 --> 00:20:16,640 public but it's not an effective way to 538 00:20:14,159 --> 00:20:19,039 run a whole program and each risk should 539 00:20:16,640 --> 00:20:20,559 be weighed up and if needed the roadmap 540 00:20:19,039 --> 00:20:22,640 adapted 541 00:20:20,559 --> 00:20:25,039 so while it seems attractive to point to 542 00:20:22,640 --> 00:20:26,880 the rising cost of security breaches as 543 00:20:25,039 --> 00:20:29,520 evidence that we need to spend every 544 00:20:26,880 --> 00:20:32,240 moment and every dollar on improving 545 00:20:29,520 --> 00:20:34,080 security it's an incompatible outcome 546 00:20:32,240 --> 00:20:35,919 when running an effective business 547 00:20:34,080 --> 00:20:38,320 because features won't ship and it'll be 548 00:20:35,919 --> 00:20:40,159 easy for a competitor to start providing 549 00:20:38,320 --> 00:20:42,320 better services 550 00:20:40,159 --> 00:20:44,960 fear and uncertainty can become an 551 00:20:42,320 --> 00:20:46,080 excuse for security teams to say no as 552 00:20:44,960 --> 00:20:48,240 well 553 00:20:46,080 --> 00:20:50,799 it'll block every piece of innovation 554 00:20:48,240 --> 00:20:53,120 driving engineers to circumvent security 555 00:20:50,799 --> 00:20:55,280 to get new ideas off the ground 556 00:20:53,120 --> 00:20:57,200 so if these emotions are allowed to rule
557 00:20:55,280 --> 00:20:59,200 it can make unreasonable security 558 00:20:57,200 --> 00:21:01,440 decisions seem perfectly valid and 559 00:20:59,200 --> 00:21:06,159 justified which can make managing 560 00:21:01,440 --> 00:21:06,159 security on a daily basis a lot harder 561 00:21:06,880 --> 00:21:10,320 the last threat we're going to look at 562 00:21:08,320 --> 00:21:13,440 is a psychological one and it's a big 563 00:21:10,320 --> 00:21:15,360 one with lots of dimensions it's bias 564 00:21:13,440 --> 00:21:18,480 it can be introduced by generation 565 00:21:15,360 --> 00:21:21,039 education geography or culture and not 566 00:21:18,480 --> 00:21:22,640 just at an organization level but also 567 00:21:21,039 --> 00:21:24,720 at a national level 568 00:21:22,640 --> 00:21:26,559 and each takes a particular way to 569 00:21:24,720 --> 00:21:28,480 resolve 570 00:21:26,559 --> 00:21:29,840 the jurassic causes becomes more 571 00:21:28,480 --> 00:21:32,080 apparent when leaders aren't 572 00:21:29,840 --> 00:21:34,720 sufficiently managing differences in how 573 00:21:32,080 --> 00:21:37,039 people process information interact with 574 00:21:34,720 --> 00:21:38,400 technology learn and approach their own 575 00:21:37,039 --> 00:21:40,320 knowledge gaps 576 00:21:38,400 --> 00:21:42,080 a really common example is in 577 00:21:40,320 --> 00:21:45,679 communication style which can be 578 00:21:42,080 --> 00:21:47,360 exacerbated by culture gender role and 579 00:21:45,679 --> 00:21:50,240 education 580 00:21:47,360 --> 00:21:52,080 we also see these differences discussed 581 00:21:50,240 --> 00:21:54,240 in how we as an industry write job 582 00:21:52,080 --> 00:21:56,559 descriptions blog posts and engage 583 00:21:54,240 --> 00:21:58,640 people in discussion generally with a 584 00:21:56,559 --> 00:22:01,280 lot of domain specific words and with a 585 00:21:58,640 --> 00:22:04,480 heavy sense of contempt 586 00:22:01,280 --> 00:22:07,440 which
can limit who can be included 587 00:22:04,480 --> 00:22:08,640 but also who feels included and we can't 588 00:22:07,440 --> 00:22:10,960 forget the impact that the 589 00:22:08,640 --> 00:22:12,960 dunning-kruger effect has 590 00:22:10,960 --> 00:22:15,120 when someone starts to overstep their 591 00:22:12,960 --> 00:22:17,760 knowledge and offer up advice on areas 592 00:22:15,120 --> 00:22:19,919 they know little to nothing about 593 00:22:17,760 --> 00:22:21,840 the threats posed by bias can be 594 00:22:19,919 --> 00:22:23,919 difficult to resolve especially if 595 00:22:21,840 --> 00:22:26,000 people aren't willing to acknowledge it 596 00:22:23,919 --> 00:22:28,799 and management is complicit in 597 00:22:26,000 --> 00:22:28,799 encouraging it 598 00:22:29,760 --> 00:22:33,840 but we have one more tool up our sleeve 599 00:22:31,840 --> 00:22:36,559 to help us chart these threats the 600 00:22:33,840 --> 00:22:38,799 security culture diagnostic survey 601 00:22:36,559 --> 00:22:40,720 it provides a means of visualizing the 602 00:22:38,799 --> 00:22:43,919 tensions between information security 603 00:22:40,720 --> 00:22:46,960 stakeholders priorities and values that 604 00:22:43,919 --> 00:22:49,039 exist in every organization and map back 605 00:22:46,960 --> 00:22:51,679 onto the competing security cultures 606 00:22:49,039 --> 00:22:53,840 framework we discussed at the start 607 00:22:51,679 --> 00:22:55,760 keep in mind like a lot of cultural 608 00:22:53,840 --> 00:22:57,679 based things i can't tell you how to 609 00:22:55,760 --> 00:22:59,360 read the results and the survey isn't 610 00:22:57,679 --> 00:23:01,760 going to tell you what's going right or 611 00:22:59,360 --> 00:23:03,600 wrong because culture is a very relative 612 00:23:01,760 --> 00:23:05,360 and contextual thing 613 00:23:03,600 --> 00:23:08,400 but it will help you understand how 614 00:23:05,360 --> 00:23:10,480 cultures can co-function and collide the 615 00:23:08,400 --> 
00:23:12,480 survey is made up of 10 questions each 616 00:23:10,480 --> 00:23:14,640 with four responses that align to the 617 00:23:12,480 --> 00:23:16,720 four quadrants of the competing security 618 00:23:14,640 --> 00:23:19,280 cultures framework with questions 619 00:23:16,720 --> 00:23:22,000 corresponding to the key organizational 620 00:23:19,280 --> 00:23:24,080 activities that influence and are 621 00:23:22,000 --> 00:23:26,080 influenced by norms and behaviors 622 00:23:24,080 --> 00:23:27,600 central to an information security 623 00:23:26,080 --> 00:23:29,200 culture 624 00:23:27,600 --> 00:23:30,799 when you go through the questions you 625 00:23:29,200 --> 00:23:32,559 might also notice that a lot of these 626 00:23:30,799 --> 00:23:34,880 questions don't mention security and 627 00:23:32,559 --> 00:23:36,880 that's deliberate security culture is 628 00:23:34,880 --> 00:23:39,440 about how hidden assumptions under the 629 00:23:36,880 --> 00:23:42,240 surface influence how we do our job not 630 00:23:39,440 --> 00:23:44,240 how the security team looks at security 631 00:23:42,240 --> 00:23:46,320 and so the response choices allow the 632 00:23:44,240 --> 00:23:48,840 respondent to differentiate between the 633 00:23:46,320 --> 00:23:51,200 relative importance of stability and 634 00:23:48,840 --> 00:23:52,159 standardization external validation and 635 00:23:51,200 --> 00:23:54,559 review 636 00:23:52,159 --> 00:23:57,360 adaptability and freedom of choice 637 00:23:54,559 --> 00:23:59,200 and having a sense of shared community 638 00:23:57,360 --> 00:24:01,440 and responsibility 639 00:23:59,200 --> 00:24:03,440 when graphed and overlaid with the competing 640 00:24:01,440 --> 00:24:05,600 cultures framework you can see what the 641 00:24:03,440 --> 00:24:06,799 perception looks like when compared to 642 00:24:05,600 --> 00:24:08,240 reality 643 00:24:06,799 --> 00:24:10,720 and the thing that i love about this 644 00:24:08,240 --> 00:24:13,039 survey
is that it's so versatile and 645 00:24:10,720 --> 00:24:16,480 depending on how the results are charted 646 00:24:13,039 --> 00:24:18,720 you can tell a million different stories 647 00:24:16,480 --> 00:24:20,880 to the right you can see how the results 648 00:24:18,720 --> 00:24:22,880 of an organization-wide survey can be 649 00:24:20,880 --> 00:24:25,360 mapped onto a radar graph to show which 650 00:24:22,880 --> 00:24:26,799 factors people see as the most prevalent 651 00:24:25,360 --> 00:24:29,360 and where there might be room for 652 00:24:26,799 --> 00:24:29,360 improvement 653 00:24:31,360 --> 00:24:36,559 so in this section we looked into the 654 00:24:33,360 --> 00:24:38,799 future and saw how unmanaged logistical 655 00:24:36,559 --> 00:24:40,960 emotional and psychological threats can 656 00:24:38,799 --> 00:24:42,240 manifest and what outcomes they can 657 00:24:40,960 --> 00:24:44,400 result in 658 00:24:42,240 --> 00:24:47,120 logistical threats impacting how people 659 00:24:44,400 --> 00:24:49,279 interact and craft strategy 660 00:24:47,120 --> 00:24:51,200 emotional threats defining how we assess 661 00:24:49,279 --> 00:24:53,679 emerging security vulnerabilities and 662 00:24:51,200 --> 00:24:55,760 handle them on a day-to-day basis and 663 00:24:53,679 --> 00:24:57,440 psychological threats affecting every 664 00:24:55,760 --> 00:24:59,120 aspect of how we interact with the 665 00:24:57,440 --> 00:25:00,480 people around us and encourage 666 00:24:59,120 --> 00:25:02,559 groupthink 667 00:25:00,480 --> 00:25:04,480 but the security collapsologists have 668 00:25:02,559 --> 00:25:06,640 armed us with a tool that can help us 669 00:25:04,480 --> 00:25:09,120 identify these things in the form of the 670 00:25:06,640 --> 00:25:11,279 security cultures diagnostic survey 671 00:25:09,120 --> 00:25:13,440 which asks respondents to express how 672 00:25:11,279 --> 00:25:15,679 they see key security operations 673 00:25:13,440 --> 00:25:17,840 
balanced by the business 674 00:25:15,679 --> 00:25:21,440 this gives us a chance to map out and 675 00:25:17,840 --> 00:25:21,440 present a plan for the future 676 00:25:22,000 --> 00:25:26,320 so we've talked about a lot of different 677 00:25:24,320 --> 00:25:28,400 tools and what they can do to help us 678 00:25:26,320 --> 00:25:30,320 but how does it fit together 679 00:25:28,400 --> 00:25:32,080 the culture framework and survey give 680 00:25:30,320 --> 00:25:34,640 us a top-down view of the security 681 00:25:32,080 --> 00:25:36,720 culture allowing us to orient ourselves 682 00:25:34,640 --> 00:25:37,919 amongst the organization's values and 683 00:25:36,720 --> 00:25:40,320 assumptions 684 00:25:37,919 --> 00:25:43,360 it tells us areas of competition and 685 00:25:40,320 --> 00:25:44,720 cultural risk it also allows security 686 00:25:43,360 --> 00:25:47,279 leadership to look at where the 687 00:25:44,720 --> 00:25:49,360 organization currently is and decide if 688 00:25:47,279 --> 00:25:51,360 directional change is needed but it 689 00:25:49,360 --> 00:25:53,360 won't tell you how to make this change 690 00:25:51,360 --> 00:25:55,120 because there is no one way 691 00:25:53,360 --> 00:25:57,039 and using methods that work for one 692 00:25:55,120 --> 00:25:59,200 organization can have a devastating 693 00:25:57,039 --> 00:26:01,279 effect on yours 694 00:25:59,200 --> 00:26:03,600 in comparison the security force 695 00:26:01,279 --> 00:26:05,440 behavioral model is designed to provide 696 00:26:03,600 --> 00:26:07,360 a bottom-up perspective 697 00:26:05,440 --> 00:26:09,840 analyzing how security behaves in 698 00:26:07,360 --> 00:26:12,480 practice and influences how this 699 00:26:09,840 --> 00:26:14,880 translates to group-based values 700 00:26:12,480 --> 00:26:16,799 this behavioral analysis is important 701 00:26:14,880 --> 00:26:19,600 because an organization can't 702 00:26:16,799 --> 00:26:21,600 redefine its security culture by only 703
00:26:19,600 --> 00:26:24,320 changing behavior it also needs to 704 00:26:21,600 --> 00:26:26,320 understand the drivers behind them at 705 00:26:24,320 --> 00:26:28,559 the same time the organization has to 706 00:26:26,320 --> 00:26:31,039 have some idea of what behaviors to look 707 00:26:28,559 --> 00:26:32,640 at and improve if it's ever to know 708 00:26:31,039 --> 00:26:34,799 whether transformation is going to be 709 00:26:32,640 --> 00:26:36,799 successful or not 710 00:26:34,799 --> 00:26:38,720 and this consistent cycle between 711 00:26:36,799 --> 00:26:40,640 culture and behavior is at the heart of 712 00:26:38,720 --> 00:26:43,360 the relationship between the competing 713 00:26:40,640 --> 00:26:45,520 cultures security framework and survey 714 00:26:43,360 --> 00:26:48,400 and the security force behavioral model 715 00:26:45,520 --> 00:26:48,400 that we discussed 716 00:26:48,880 --> 00:26:53,039 influencing culture requires a lot of 717 00:26:50,960 --> 00:26:56,000 work to get right and as they say rome 718 00:26:53,039 --> 00:26:57,679 wasn't built in a day or by one person 719 00:26:56,000 --> 00:26:59,760 and so depending on the state of the 720 00:26:57,679 --> 00:27:01,840 existing culture there could be a lot of 721 00:26:59,760 --> 00:27:03,520 work and there might even be pushback 722 00:27:01,840 --> 00:27:06,480 from your co-workers who value the 723 00:27:03,520 --> 00:27:09,120 status quo or managers who benefit from 724 00:27:06,480 --> 00:27:11,440 existing power imbalances so if you're 725 00:27:09,120 --> 00:27:14,000 the primary advocate in an unhealthy 726 00:27:11,440 --> 00:27:16,240 culture it may not be possible for you 727 00:27:14,000 --> 00:27:17,440 to change much and that's not a failing 728 00:27:16,240 --> 00:27:19,600 on you 729 00:27:17,440 --> 00:27:21,520 before starting though it's important to 730 00:27:19,600 --> 00:27:23,760 make sure you have the capacity to 731 00:27:21,520 --> 00:27:26,320 manage those 
internal and external 732 00:27:23,760 --> 00:27:28,720 expectations and to make sure you set 733 00:27:26,320 --> 00:27:30,240 firm boundaries about what is and isn't 734 00:27:28,720 --> 00:27:32,240 possible 735 00:27:30,240 --> 00:27:34,960 once you're ready to take on the job of 736 00:27:32,240 --> 00:27:36,960 influencing cultural change i challenge 737 00:27:34,960 --> 00:27:39,279 you to go and talk to your engineers 738 00:27:36,960 --> 00:27:41,679 developers and designers about what 739 00:27:39,279 --> 00:27:43,760 problems they see with security don't 740 00:27:41,679 --> 00:27:46,000 argue with them don't justify these 741 00:27:43,760 --> 00:27:47,840 behaviors just listen 742 00:27:46,000 --> 00:27:50,080 focus on their needs and critically 743 00:27:47,840 --> 00:27:52,480 analyze how security is impacting them 744 00:27:50,080 --> 00:27:53,760 and start monitoring that informally at 745 00:27:52,480 --> 00:27:56,320 first 746 00:27:53,760 --> 00:27:58,320 in most cases i've seen security often 747 00:27:56,320 --> 00:28:00,640 loses out in decisions where the 748 00:27:58,320 --> 00:28:02,640 decision makers are far removed from the 749 00:28:00,640 --> 00:28:05,039 people who have responsibility for 750 00:28:02,640 --> 00:28:06,880 security and so part of this job is to 751 00:28:05,039 --> 00:28:09,039 bring those decision makers back into 752 00:28:06,880 --> 00:28:12,080 the fold and to help 753 00:28:09,039 --> 00:28:14,080 get buy-in into a project like this 754 00:28:12,080 --> 00:28:16,799 and once you have that you can start to 755 00:28:14,080 --> 00:28:18,640 measure and analyze the security culture 756 00:28:16,799 --> 00:28:21,200 to a level where you know enough about 757 00:28:18,640 --> 00:28:23,440 it and how it works to make changes that 758 00:28:21,200 --> 00:28:27,520 will stick and collect metrics that 759 00:28:23,440 --> 00:28:27,520 demonstrate these changes have stuck 760 00:28:28,960 --> 00:28:33,200 culture requires 
someone to look around 761 00:28:31,200 --> 00:28:34,880 and identify those behaviors and threats 762 00:28:33,200 --> 00:28:37,360 that have borne witness to the rise and 763 00:28:34,880 --> 00:28:39,360 fall of empires and it's things like 764 00:28:37,360 --> 00:28:41,279 this that undermine every decision that 765 00:28:39,360 --> 00:28:43,360 we make without knowing it 766 00:28:41,279 --> 00:28:46,320 it's the reason management protocols 767 00:28:43,360 --> 00:28:47,919 like rdp end up on the internet and even 768 00:28:46,320 --> 00:28:49,679 on the good days within the best 769 00:28:47,919 --> 00:28:52,080 companies these factors are still a 770 00:28:49,679 --> 00:28:53,760 massive force which is why culture is 771 00:28:52,080 --> 00:28:55,600 one of the biggest security threats 772 00:28:53,760 --> 00:28:57,440 that'll face the industry 773 00:28:55,600 --> 00:28:59,919 it will persist regardless of code 774 00:28:57,440 --> 00:29:02,000 analysis firewalls and third-party 775 00:28:59,919 --> 00:29:04,799 assessments 776 00:29:02,000 --> 00:29:06,880 i'm buffy this is collapsology and why 777 00:29:04,799 --> 00:29:09,840 security uh white 778 00:29:06,880 --> 00:29:12,960 ah no this is collapsology and why your 779 00:29:09,840 --> 00:29:17,039 biggest threat is an exposed rdp thank 780 00:29:12,960 --> 00:29:17,039 you and have an amazing conference 781 00:29:17,200 --> 00:29:20,960 thank you so much that was such a great 782 00:29:19,440 --> 00:29:22,240 talk it was 783 00:29:20,960 --> 00:29:25,440 really good to get to sit here on the 784 00:29:22,240 --> 00:29:27,679 sidelines and watch the whole thing 785 00:29:25,440 --> 00:29:31,120 um if you have any questions for buffy 786 00:29:27,679 --> 00:29:33,279 please jump into the hallway chat um 787 00:29:31,120 --> 00:29:37,440 buffy will come in and out and i just 788 00:29:33,279 --> 00:29:37,440 want to say yes ducks are very cute 789 00:29:37,520 --> 00:29:42,600 thank you everyone we'll see
you again 790 00:29:39,120 --> 00:29:42,600 in about 15.