WEBVTT

1
00:00:00.080 --> 00:00:02.960
<v Speaker 1>Welcome back to the deep dive. Today. We're opening the

2
00:00:03.000 --> 00:00:07.559
<v Speaker 1>playbook for successful information security leadership, right, but we're deliberately

3
00:00:07.639 --> 00:00:10.560
<v Speaker 1>keeping the technical stack, you know, in the closet for

4
00:00:10.599 --> 00:00:10.960
<v Speaker 1>this one.

5
00:00:11.119 --> 00:00:12.679
<v Speaker 2>Huh yeah, good place for it.

6
00:00:12.759 --> 00:00:16.000
<v Speaker 1>Sometimes our deep dive is into the art of infosec,

7
00:00:16.359 --> 00:00:20.280
<v Speaker 1>that subtle, non technical side of building a really robust

8
00:00:20.320 --> 00:00:22.879
<v Speaker 1>and importantly sustainable security program.

9
00:00:23.079 --> 00:00:27.679
<v Speaker 2>That's absolutely our focus. Our mission really is to synthesize

10
00:00:27.679 --> 00:00:32.039
<v Speaker 2>the insights from the source material and extract what looks

11
00:00:32.079 --> 00:00:36.280
<v Speaker 2>like the true formula for creating a respected security function. And

12
00:00:36.320 --> 00:00:39.000
<v Speaker 2>whether you're starting with a blank sheet of paper or

13
00:00:39.359 --> 00:00:42.159
<v Speaker 2>inheriting a bit of a chaotic mess, the argument here

14
00:00:42.200 --> 00:00:44.799
<v Speaker 2>is pretty compelling, which is that long term
L59
00:00:44.799 --> 00:00:49.799
<v Speaker 2>success hinges far more on people skills, cultural influence, and

16
00:00:50.039 --> 00:00:53.320
<v Speaker 2>you know, management finesse than on any particular piece of

17
00:00:53.320 --> 00:00:54.320
<v Speaker 2>security software.

18
00:00:54.439 --> 00:00:58.479
<v Speaker 1>And the context for needing this shift it's actually quite shocking,

19
00:00:58.520 --> 00:01:01.679
<v Speaker 1>isn't it. The author shares his experience moving from a

20
00:01:01.719 --> 00:01:03.119
<v Speaker 1>military environment.

21
00:01:02.799 --> 00:01:04.760
<v Speaker 2>Right, where security is just baked

22
00:01:04.480 --> 00:01:08.760
<v Speaker 1>in. Exactly. It's understood and followed. Moving from that to

23
00:01:08.920 --> 00:01:14.159
<v Speaker 1>the corporate infosec world back in January two thousand. He

24
00:01:14.359 --> 00:01:16.760
<v Speaker 1>calls that transition an absolute shock.

25
00:01:17.680 --> 00:01:19.239
<v Speaker 2>Yeah. I remember reading that part.

26
00:01:19.239 --> 00:01:21.760
<v Speaker 1>Stating he had more sleepless nights in his first year

27
00:01:21.799 --> 00:01:25.159
<v Speaker 1>of corporate life than navigating the Persian Gulf during armed conflict.

28
00:01:25.359 --> 00:01:29.319
<v Speaker 2>Wow. That really tells you something, doesn't it.

29
00:01:29.319 --> 00:01:31.359
<v Speaker 1>It tells you everything about the apathy he must have

30
00:01:31.439 --> 00:01:32.959
<v Speaker 1>faced immediately.

31
00:01:32.560 --> 00:01:35.760
<v Speaker 2>Exactly, and that initial shock it sort of defines the

32
00:01:35.840 --> 00:01:37.239
<v Speaker 2>environment for so many.

33
00:01:37.079 --> 00:01:39.319
<v Speaker 1>That feeling of pushing a boulder uphill.

34
00:01:39.519 --> 00:01:43.040
<v Speaker 2>Yeah, most security leaders feel like that because the fundamental

35
00:01:43.079 --> 00:01:46.319
<v Speaker 2>forces of the organization often seem to be working against them.

36
00:01:46.439 --> 00:01:51.680
<v Speaker 2>That feeling of being perpetually outmatched. That's the difficult reality

37
00:01:51.680 --> 00:01:54.319
<v Speaker 2>you pretty much have to accept, Okay, because it frames

38
00:01:54.359 --> 00:01:56.879
<v Speaker 2>every strategic decision you're going to make going forward.

39
00:01:56.959 --> 00:02:00.200
<v Speaker 1>Okay, let's unpack this difficult reality. Then what are the uh,

40
00:02:00.280 --> 00:02:04.920
<v Speaker 1>the undeniable fundamental facts describing the environment for most infosec professionals.

41
00:02:05.120 --> 00:02:08.599
<v Speaker 2>Well, the source material lays out three pretty brutal truths.

42
00:02:09.280 --> 00:02:12.120
<v Speaker 2>And again this is for the majority. Right, we're excluding

43
00:02:12.159 --> 00:02:15.439
<v Speaker 2>the rare unicorns in say, highly regulated sectors like banking

44
00:02:16.000 --> 00:02:18.479
<v Speaker 2>or maybe those with really strong executive sponsorship.

45
00:02:18.520 --> 00:02:19.919
<v Speaker 1>Got it, So for most places.

46
00:02:19.960 --> 00:02:23.039
<v Speaker 2>For most places, first, nobody in the company outside of

47
00:02:23.039 --> 00:02:26.199
<v Speaker 2>your own team usually cares that much about infosec. Ouch.

48
00:02:26.560 --> 00:02:26.960
<v Speaker 1>Okay.

49
00:02:27.360 --> 00:02:30.639
<v Speaker 2>Second, nobody in the company really understands your job. I

50
00:02:30.680 --> 00:02:34.080
<v Speaker 2>mean the scope is just massive, right, covering eight separate domains,

51
00:02:34.080 --> 00:02:39.080
<v Speaker 2>demanding you interact with engineering, HR, legal, product teams all

52
00:02:39.159 --> 00:02:42.800
<v Speaker 2>at the same time. And Third, our entire industry, let's

53
00:02:42.840 --> 00:02:45.520
<v Speaker 2>be honest, is often guided by fear and scare tactics.

54
00:02:45.240 --> 00:02:47.080
<v Speaker 1>Which doesn't always work.

55
00:02:46.919 --> 00:02:48.240
<v Speaker 2>Which often backfires. Yeah.

56
00:02:48.319 --> 00:02:50.479
<v Speaker 1>I think that first point the apathy one. We need

57
00:02:50.520 --> 00:02:52.719
<v Speaker 1>to stop there for a second. The sources mentioned this

58
00:02:52.919 --> 00:02:56.879
<v Speaker 1>like shocking cultural disconnect. If we all agree the number one
L235
00:02:57.000 --> 00:02:59.240
<v Speaker 1>security control is asset enumeration.

60
00:03:00.039 --> 00:03:00.800
<v Speaker 2>Knowing what you have.

61
00:03:00.960 --> 00:03:03.879
<v Speaker 1>Yeah, knowing what you have? Why is neglecting that proof

62
00:03:03.879 --> 00:03:04.479
<v Speaker 1>of apathy?

63
00:03:04.879 --> 00:03:07.759
<v Speaker 2>Well, it's proof because asset enumeration is just a fancy

64
00:03:07.759 --> 00:03:10.439
<v Speaker 2>way of asking what digital stuff do we own and

65
00:03:10.439 --> 00:03:13.360
<v Speaker 2>where is it? Right? Simple question seems simple, But if

66
00:03:13.400 --> 00:03:15.240
<v Speaker 2>you don't know what digital assets you have, you just

67
00:03:16.199 --> 00:03:18.840
<v Speaker 2>you can't protect them. It's like building a fortress without

68
00:03:18.919 --> 00:03:20.719
<v Speaker 2>knowing how many doors and windows it has.

69
00:03:20.919 --> 00:03:21.159
<v Speaker 1>Right.

70
00:03:21.280 --> 00:03:23.919
<v Speaker 2>The fact that so many organizations seem to completely ignore

71
00:03:24.000 --> 00:03:27.719
<v Speaker 2>this foundational step, it just shows that security often isn't

72
00:03:27.719 --> 00:03:30.560
<v Speaker 2>the priority it's treated more like an afterthought.

73
00:03:30.639 --> 00:03:33.719
<v Speaker 1>Wait, but if this lack of care is so pervasive,

74
00:03:34.560 --> 00:03:38.000
<v Speaker 1>you mentioned policy violations being ignored while HR policies get

75
00:03:38.000 --> 00:03:42.520
<v Speaker 1>strictly enforced. Isn't that a failure higher up like executive leadership?

76
00:03:42.560 --> 00:03:46.520
<v Speaker 1>How can one CISO possibly overcome that kind of ingrained

77
00:03:46.560 --> 00:03:49.919
<v Speaker 1>disregard without you know, massive regulatory backup.

78
00:03:50.199 --> 00:03:53.560
<v Speaker 2>You've hit the absolute central dilemma. And the conclusion from

79
00:03:53.560 --> 00:03:58.080
<v Speaker 2>this this painful reality check is pretty stark, which is

80
00:03:58.159 --> 00:04:02.120
<v Speaker 2>the work of building a sustainable infosec program rests essentially

81
00:04:02.560 --> 00:04:05.319
<v Speaker 2>solely on the security leader's shoulders. Wow, you have to

82
00:04:05.360 --> 00:04:08.039
<v Speaker 2>accept that you are effectively on your own. You can't

83
00:04:08.080 --> 00:04:14.000
<v Speaker 2>just rely on executive mandates or fear tactics to compel change.

84
00:04:14.280 --> 00:04:19.600
<v Speaker 2>That acceptance it sounds negative, but it's actually the necessary

85
00:04:19.600 --> 00:04:21.839
<v Speaker 2>first step toward building the program strategically.

86
00:04:21.920 --> 00:04:24.800
<v Speaker 1>That makes a lot of sense. Actually. Okay, So once

87
00:04:24.839 --> 00:04:28.319
<v Speaker 1>you accept that environment, the source material pivots pretty quickly

88
00:04:28.360 --> 00:04:30.399
<v Speaker 1>to the art of the job. It presents a seven

89
00:04:30.399 --> 00:04:33.240
<v Speaker 1>step formula. Let's dive into the first two because they

90
00:04:33.279 --> 00:04:35.160
<v Speaker 1>seem purely cultural.

91
00:04:34.920 --> 00:04:38.319
<v Speaker 2>They really are. Step one is the absolute foundation of

92
00:04:38.319 --> 00:04:44.079
<v Speaker 2>this whole approach. Relationships come first, always. Success is basically

93
00:04:44.120 --> 00:04:48.720
<v Speaker 2>impossible without building truly excellent working relationships across the entire company.

94
00:04:49.240 --> 00:04:51.959
<v Speaker 2>And to do this, the infosec team has to dedicate

95
00:04:52.360 --> 00:04:55.199
<v Speaker 2>get this up to twenty five percent of its entire

96
00:04:55.279 --> 00:04:58.879
<v Speaker 2>operational time just to activities that build and maintain these bridges.

97
00:04:58.959 --> 00:05:00.959
<v Speaker 1>Twenty five percent. That's yeah, that's huge. What does that

98
00:05:01.000 --> 00:05:03.240
<v Speaker 1>actually look like? Is that just like smiling at people

99
00:05:03.240 --> 00:05:03.759
<v Speaker 1>in the hallway.

100
00:05:03.839 --> 00:05:06.839
<v Speaker 2>Yeah? No, far from it. It means actively looking for

101
00:05:06.879 --> 00:05:09.319
<v Speaker 2>ways to help other teams solve their problems, even if

102
00:05:09.360 --> 00:05:11.439
<v Speaker 2>they aren't strictly security problems initially.

103
00:05:11.600 --> 00:05:14.079
<v Speaker 1>Ah, okay, building goodwill. Exactly.

104
00:05:14.720 --> 00:05:18.120
<v Speaker 2>It means running informal sessions, maybe not about rules, but

105
00:05:18.199 --> 00:05:22.920
<v Speaker 2>about understanding, say, a peer department's new product launch constraints.

106
00:05:22.959 --> 00:05:25.639
<v Speaker 2>It means, you know, taking system owners out for vendor

107
00:05:25.680 --> 00:05:30.120
<v Speaker 2>sponsored lunches, just removing that transactional friction. Right. The contrast

108
00:05:30.199 --> 00:05:34.680
<v Speaker 2>here is that classic, often contentious approach where the security

109
00:05:34.720 --> 00:05:38.600
<v Speaker 2>team acts like a radiologist. A radiologist? Yeah, just holding

110
00:05:38.639 --> 00:05:40.439
<v Speaker 2>up the X ray showing all the flaws, you know,

111
00:05:40.480 --> 00:05:45.240
<v Speaker 2>exposing shortcomings. System owners then start referring to your vulnerability

112
00:05:45.240 --> 00:05:46.560
<v Speaker 2>scanning as friendly fire.

113
00:05:46.879 --> 00:05:48.120
<v Speaker 1>Ouch, yeah, I've heard that.

114
00:05:48.279 --> 00:05:51.399
<v Speaker 2>And that just breeds organizational antibodies, right, people actively trying

115
00:05:51.399 --> 00:05:54.560
<v Speaker 2>to block the security team. Yeah, and that that's the

116
00:05:54.600 --> 00:05:55.879
<v Speaker 2>kiss of death for any CISO.

117
00:05:56.079 --> 00:05:58.279
<v Speaker 1>So we shift from being the company police to being

118
00:05:58.360 --> 00:06:03.079
<v Speaker 1>like trusted consultants. Precisely. Okay, that transition leads us right

119
00:06:03.120 --> 00:06:08.199
<v Speaker 1>into step two. Alignment. Now, this seems really counterintuitive compared

120
00:06:08.199 --> 00:06:12.199
<v Speaker 1>to the traditional security purist approach that says you must

121
00:06:12.240 --> 00:06:14.600
<v Speaker 1>strive for maximum protection no matter the cost.

122
00:06:14.959 --> 00:06:17.759
<v Speaker 2>It is counterintuitive, but critical.

123
00:06:18.000 --> 00:06:18.399
<v Speaker 1>Yeah.

124
00:06:18.560 --> 00:06:22.079
<v Speaker 2>Alignment means recognizing that your job is to be the

125
00:06:22.120 --> 00:06:25.120
<v Speaker 2>security person the company wants you to be, not the

126
00:06:25.120 --> 00:06:28.639
<v Speaker 2>purist you think they should have. It means operating within

127
00:06:28.680 --> 00:06:34.240
<v Speaker 2>the company's existing and often unstated risk tolerance. You absolutely

128
00:06:34.279 --> 00:06:36.160
<v Speaker 2>have to read the culture and figure out where the

129
00:06:36.199 --> 00:06:39.560
<v Speaker 2>company's risk needle is actually pointed when it comes to

130
00:06:39.600 --> 00:06:40.439
<v Speaker 2>information loss.

131
00:06:40.680 --> 00:06:42.759
<v Speaker 1>Okay, how do you read that needle. It's not like

132
00:06:42.759 --> 00:06:43.560
<v Speaker 1>they publish it.

133
00:06:43.720 --> 00:06:47.480
<v Speaker 2>Right, no, definitely not. The best indicator usually is how

134
00:06:47.480 --> 00:06:50.720
<v Speaker 2>the organization reacts or doesn't react to a major incident

135
00:06:50.800 --> 00:06:51.879
<v Speaker 2>or a breach. Ah.

136
00:06:51.920 --> 00:06:53.519
<v Speaker 1>Actions speak louder than words.

137
00:06:53.639 --> 00:06:57.759
<v Speaker 2>Totally. The author shares this career defining moment. He experienced

138
00:06:57.759 --> 00:07:00.839
<v Speaker 2>a breach that got in his words, hardly any attention

139
00:07:01.000 --> 00:07:05.920
<v Speaker 2>really. A breach? Yeah, leadership didn't demand some big executive summary,

140
00:07:05.959 --> 00:07:09.600
<v Speaker 2>No new resources flowed, nobody got reprimanded, and he realized

141
00:07:09.639 --> 00:07:12.439
<v Speaker 2>quite clearly the company didn't really care about data breaches.

142
00:07:12.560 --> 00:07:13.480
<v Speaker 1>That must have been jarring.

143
00:07:13.800 --> 00:07:18.639
<v Speaker 2>Jarring, but also clarifying this revelation was key. It allowed

144
00:07:18.720 --> 00:07:22.759
<v Speaker 2>him to stop stressing over those purist ideals, align with

145
00:07:22.800 --> 00:07:26.079
<v Speaker 2>the actual appetite for risk, and then focus on building

146
00:07:26.120 --> 00:07:29.240
<v Speaker 2>the program the company would genuinely support and fund. Wow.

147
00:07:29.399 --> 00:07:32.800
<v Speaker 2>Failure to align with that reality, that's often why CISOs

148
00:07:32.800 --> 00:07:36.120
<v Speaker 2>find themselves constantly in conflict and probably why the average

149
00:07:36.160 --> 00:07:38.600
<v Speaker 2>tenure's just a little over two years. They're fighting the

150
00:07:38.639 --> 00:07:40.160
<v Speaker 2>culture instead of working within it.

151
00:07:40.439 --> 00:07:43.879
<v Speaker 1>That is, that's the ultimate strategic point, isn't it? Okay,

152
00:07:44.040 --> 00:07:47.759
<v Speaker 1>Moving past acceptance and alignment, let's talk practical tools. How

153
00:07:47.759 --> 00:07:50.199
<v Speaker 1>do you build the program when you know your central

154
00:07:50.240 --> 00:07:53.079
<v Speaker 1>team will always be basically resource constrained?

155
00:07:53.439 --> 00:07:57.079
<v Speaker 2>Right, you use governance and shared ownership. This starts with

156
00:07:57.480 --> 00:08:00.680
<v Speaker 2>what the source calls the four cornerstones as part of step three,

157
00:08:00.800 --> 00:08:02.959
<v Speaker 2>and then it moves into the necessity of the neighborhood watch,

158
00:08:02.959 --> 00:08:03.720
<v Speaker 2>which is step five.

159
00:08:03.800 --> 00:08:05.399
<v Speaker 1>Okay, cornerstones First, what are they?

160
00:08:05.480 --> 00:08:09.439
<v Speaker 2>They're foundational governance documents. First, you absolutely need an

161
00:08:09.480 --> 00:08:12.839
<v Speaker 2>information security charter. Think of this as your political document.

162
00:08:13.120 --> 00:08:17.720
<v Speaker 2>It grants authority, but crucially it codifies shared infosec responsibility

163
00:08:17.759 --> 00:08:19.319
<v Speaker 2>across departments.

164
00:08:19.000 --> 00:08:21.120
<v Speaker 1>So it's not just security's problem. Exactly.

165
00:08:21.199 --> 00:08:24.319
<v Speaker 2>Then you need the information security policy, but it has

166
00:08:24.360 --> 00:08:28.959
<v Speaker 2>to align with reality. Often that means keeping it brief, clear, focused,

167
00:08:29.199 --> 00:08:32.159
<v Speaker 2>not just some industry standard sprawl that nobody reads.

168
00:08:32.279 --> 00:08:33.679
<v Speaker 1>Practical okay.

169
00:08:34.080 --> 00:08:39.279
<v Speaker 2>And finally, the Security Incident Response Plan, SIRP. Got to

170
00:08:39.320 --> 00:08:39.679
<v Speaker 2>have that.

171
00:08:39.720 --> 00:08:42.960
<v Speaker 1>Okay, makes sense. And to make those documents actually work

172
00:08:43.000 --> 00:08:46.279
<v Speaker 1>and ensure those relationships you built earlier actually influence decisions,

173
00:08:46.399 --> 00:08:48.360
<v Speaker 1>you need the governance councils right.

174
00:08:48.279 --> 00:08:52.200
<v Speaker 2>Exactly right. You need structure. The source recommends three distinct

175
00:08:52.200 --> 00:08:55.679
<v Speaker 2>councils to manage decision making and ensure alignment up and

176
00:08:55.720 --> 00:08:56.519
<v Speaker 2>down the hierarchy.

177
00:08:56.600 --> 00:08:57.320
<v Speaker 1>Okay, what are they.

178
00:08:57.759 --> 00:09:00.279
<v Speaker 2>First, at the technical level, you have the Extended
L715
00:09:00.279 --> 00:09:04.080
<v Speaker 2>Security Council, XSC. This brings together the technical leads, you know,

180
00:09:04.120 --> 00:09:06.720
<v Speaker 2>the people who actually do the work to discuss complex

181
00:09:06.799 --> 00:09:09.440
<v Speaker 2>technical stuff, the tasty topics as the author calls them.

182
00:09:09.879 --> 00:09:11.600
<v Speaker 2>This council informs the strategy.

183
00:09:11.799 --> 00:09:13.480
<v Speaker 1>So the geeks get to talk geek.

184
00:09:13.440 --> 00:09:17.240
<v Speaker 2>Pretty much yea, and their input is vital. Then that strategy,

185
00:09:17.360 --> 00:09:21.519
<v Speaker 2>those ideas move up to the Security Business Council SBC.

186
00:09:21.879 --> 00:09:26.600
<v Speaker 2>This group includes key business representatives. They review the XSC's input.

187
00:09:27.000 --> 00:09:29.720
<v Speaker 2>They help run the infosec strategy. They weigh in on

188
00:09:29.799 --> 00:09:33.440
<v Speaker 2>things like new purchases or policy changes. This is where

189
00:09:33.480 --> 00:09:36.480
<v Speaker 2>the real buy in and alignment happen at the business level.

190
00:09:36.720 --> 00:09:39.000
<v Speaker 2>Can you give an example? Sure. Let's say you want

191
00:09:39.000 --> 00:09:42.399
<v Speaker 2>to increase the frequency or maybe the consequences of phishing campaigns.

192
00:09:43.000 --> 00:09:45.639
<v Speaker 2>Instead of just decreeing it, you let the SBC debate it.

193
00:09:45.919 --> 00:09:49.639
<v Speaker 2>They discuss the impact the frequency. Since they effectively own

194
00:09:49.679 --> 00:09:50.679
<v Speaker 2>the decision.

195
00:09:50.279 --> 00:09:52.799
<v Speaker 1>They own the outcomes and the pushback. Exactly.

196
00:09:53.000 --> 00:09:55.840
<v Speaker 2>It takes the heat off the central infosec team. And

197
00:09:55.840 --> 00:09:58.799
<v Speaker 2>then finally, for budget approval and final sign off, you

198
00:09:58.879 --> 00:10:01.919
<v Speaker 2>have the Executive Security Council, ESC, which is your

199
00:10:01.919 --> 00:10:05.279
<v Speaker 2>senior leadership group. The whole structure is designed to share

200
00:10:05.279 --> 00:10:06.000
<v Speaker 2>the burden.

201
00:10:05.840 --> 00:10:07.480
<v Speaker 1>Share the burden of decision making.

202
00:10:07.600 --> 00:10:10.639
<v Speaker 2>That's the whole point. The central infosec team simply cannot

203
00:10:10.679 --> 00:10:14.120
<v Speaker 2>own all the operational risk. The company has to, and

204
00:10:14.200 --> 00:10:17.360
<v Speaker 2>that thinking leads us directly to step five, give your

205
00:10:17.440 --> 00:10:17.879
<v Speaker 2>job away.

206
00:10:18.039 --> 00:10:19.200
<v Speaker 1>Give your job away.

207
00:10:18.960 --> 00:10:21.759
<v Speaker 2>Sounds crazy, right, but it's the neighborhood watch concept.

208
00:10:21.960 --> 00:10:25.559
<v Speaker 1>Okay, explain this one. This sounds revolutionary, maybe a bit

209
00:10:25.600 --> 00:10:29.360
<v Speaker 1>scary for a security team. Why is giving away your

210
00:10:29.440 --> 00:10:30.639
<v Speaker 1>job necessary?

211
00:10:31.480 --> 00:10:35.279
<v Speaker 2>It's necessary because infosec is just too broad, too massive

212
00:10:35.600 --> 00:10:39.519
<v Speaker 2>for one single department to control everything. You can't possibly

213
00:10:39.879 --> 00:10:43.519
<v Speaker 2>secure all the assets centrally. Just not enough people, never

214
00:10:43.600 --> 00:10:47.759
<v Speaker 2>enough people. So the only real hope for actually securing

215
00:10:47.799 --> 00:10:52.279
<v Speaker 2>the environment is to transition security responsibilities, things like managing

216
00:10:52.360 --> 00:10:57.679
<v Speaker 2>endpoint security or administering firewalls. Transition those tasks to the

217
00:10:57.720 --> 00:11:00.519
<v Speaker 2>system owners and the engineering teams that already manage those

218
00:11:00.519 --> 00:11:01.399
<v Speaker 2>assets day to day.

219
00:11:01.519 --> 00:11:03.519
<v Speaker 1>Ah. So the people who own the system own its
L879
00:11:03.519 --> 00:11:04.240
<v Speaker 1>security too.

221
00:11:04.480 --> 00:11:07.120
<v Speaker 2>That's the goal. The central infosec team has to shift

222
00:11:07.159 --> 00:11:11.759
<v Speaker 2>its role almost entirely, become governance, consulting policy guidance. Effectively,

223
00:11:11.879 --> 00:11:15.399
<v Speaker 2>you deputize others across the organization to protect their own homes.

224
00:11:15.480 --> 00:11:16.960
<v Speaker 2>You run the neighborhood watch program.

225
00:11:17.039 --> 00:11:19.120
<v Speaker 1>Okay, but if we're relying on the neighborhood watch to

226
00:11:19.159 --> 00:11:22.360
<v Speaker 1>protect the homes, those neighbors need to know what they're doing, right.

227
00:11:22.399 --> 00:11:23.240
<v Speaker 1>They need to be competent.

228
00:11:23.360 --> 00:11:24.679
<v Speaker 2>Absolutely critical point.

229
00:11:24.559 --> 00:11:29.399
<v Speaker 1>Which brings us to step four communications education and awareness.

230
00:11:30.600 --> 00:11:33.000
<v Speaker 1>How do we ensure that this kind of cultural training

231
00:11:33.080 --> 00:11:37.320
<v Speaker 1>actually sticks and produces measurable results, not just check the

232
00:11:37.399 --> 00:11:38.240
<v Speaker 1>box stuff.

233
00:11:38.399 --> 00:11:42.039
<v Speaker 2>Yeah, awareness cannot be an afterthought or just boring compliance videos.

234
00:11:42.080 --> 00:11:46.399
<v Speaker 2>It's a critical cornerstone and honestly, it probably requires a

235
00:11:46.480 --> 00:11:49.720
<v Speaker 2>dedicated creative staff member. If you want to do it well.

236
00:11:50.120 --> 00:11:51.600
<v Speaker 1>What does doing it well look like?

237
00:11:52.080 --> 00:11:55.639
<v Speaker 2>Variety? You need different channels, lunch and learns, engaging newsletters,

238
00:11:55.639 --> 00:11:59.200
<v Speaker 2>maybe with humor, raffles, campus events, anything to make it

239
00:11:59.240 --> 00:12:02.399
<v Speaker 2>not feel like a chore. But the real ROI, interestingly,

240
00:12:02.639 --> 00:12:05.600
<v Speaker 2>often comes from targeted technical education for your peers in

241
00:12:05.639 --> 00:12:06.639
<v Speaker 2>IT and engineering.

242
00:12:06.879 --> 00:12:09.440
<v Speaker 1>Ah okay, the source material gives a great example of this,

243
00:12:09.559 --> 00:12:12.279
<v Speaker 1>doesn't it. Where the security team was just stonewalled for

244
00:12:12.320 --> 00:12:16.679
<v Speaker 1>like a year trying to get intrusion detection systems, IDS, installed.

245
00:12:16.440 --> 00:12:20.000
<v Speaker 2>That's the perfect example. The bureaucratic channels, the formal requests,

246
00:12:20.840 --> 00:12:22.759
<v Speaker 2>they failed for over a year, nothing happened.

247
00:12:22.799 --> 00:12:25.399
<v Speaker 1>So what did the security leader do escalate?

248
00:12:25.639 --> 00:12:29.440
<v Speaker 2>Nope, instead of escalating and creating more friction, he built

249
00:12:29.440 --> 00:12:33.279
<v Speaker 2>the relationship and offered value. He arranged for an external

250
00:12:33.360 --> 00:12:38.840
<v Speaker 2>vendor to provide specialized network security training, good training specifically

251
00:12:38.879 --> 00:12:40.399
<v Speaker 2>for the network services.

252
00:12:39.960 --> 00:12:42.679
<v Speaker 1>team. Ah, giving them something useful. Exactly.

253
00:12:43.039 --> 00:12:46.200
<v Speaker 2>The engineers attended, they were empowered by the knowledge they

254
00:12:46.240 --> 00:12:49.919
<v Speaker 2>learned why it mattered from experts, and within two weeks

255
00:12:50.039 --> 00:12:52.879
<v Speaker 2>two weeks of the course finishing, they rushed to install

256
00:12:52.960 --> 00:12:56.759
<v Speaker 2>the IDS systems themselves at all the key Internet points

257
00:12:56.759 --> 00:12:57.360
<v Speaker 2>of presence.

258
00:12:57.480 --> 00:12:59.080
<v Speaker 1>Wow, just from the training.

259
00:12:59.120 --> 00:13:02.120
<v Speaker 2>The requirements were delivered through a valuable training session by

260
00:13:02.159 --> 00:13:05.360
<v Speaker 2>respected industry folks, not by the central security team just

261
00:13:05.519 --> 00:13:08.440
<v Speaker 2>demanding compliance. Huge difference.

262
00:13:08.759 --> 00:13:12.000
<v Speaker 1>That really shows that relationship building and smart awareness provide

263
00:13:12.039 --> 00:13:15.120
<v Speaker 1>security gains, maybe far beyond what tech alone could achieve,

264
00:13:15.200 --> 00:13:16.600
<v Speaker 1>and probably way cheaper.

265
00:13:16.320 --> 00:13:18.000
<v Speaker 2>Too, often at a fraction of the cost.

266
00:13:18.080 --> 00:13:20.519
<v Speaker 1>Yes, okay, let's move quickly to step six team building.

267
00:13:20.559 --> 00:13:22.519
<v Speaker 1>If your team members are going to be these evangelists,

268
00:13:22.600 --> 00:13:26.080
<v Speaker 1>these deputies, what's the non negotiable hiring criterion?

269
00:13:26.159 --> 00:13:30.519
<v Speaker 2>Technical candidates absolutely must have great interpersonal skills, full stop.

270
00:13:30.799 --> 00:13:34.639
<v Speaker 2>More important than certs? In this model, yes, more valuable

271
00:13:34.639 --> 00:13:38.519
<v Speaker 2>than any specific certification. Remember, you're sending these people out

272
00:13:38.519 --> 00:13:42.480
<v Speaker 2>as ambassadors to build that neighborhood watch. If they lack

273
00:13:42.559 --> 00:13:47.200
<v Speaker 2>the grace the empathy, the political agility to handle sticky situations.

274
00:13:47.440 --> 00:13:49.320
<v Speaker 1>They'll create those antibodies you mentioned.

275
00:13:49.039 --> 00:13:53.000
<v Speaker 2>Exactly, they'll generate resistance against the team, and all your

276
00:13:53.159 --> 00:13:57.360
<v Speaker 2>carefully constructed governance efforts could fail. You hire for diplomacy
L1107
00:13:57.360 --> 00:14:01.759
<v Speaker 2>and communication skills first, then technical aptitude. Makes sense, okay.

278
00:14:01.799 --> 00:14:06.240
<v Speaker 1>Finally, step seven measure what matters if the ultimate goal

279
00:14:06.399 --> 00:14:10.279
<v Speaker 1>is this self defending organization. What are the key metrics?

280
00:14:10.600 --> 00:14:13.240
<v Speaker 1>How do you show that cultural change is actually happening.

281
00:14:13.519 --> 00:14:16.159
<v Speaker 2>You need to focus on metrics that are simple, resonate

282
00:14:16.200 --> 00:14:18.799
<v Speaker 2>with leadership, and actually prove the culture is shifting. The

283
00:14:18.840 --> 00:14:21.960
<v Speaker 2>author really focuses on two main ones. Metric one:

284
00:14:22.279 --> 00:14:25.080
<v Speaker 2>Can staff recognize a policy violation when they see one

285
00:14:25.360 --> 00:14:27.720
<v Speaker 2>and do they report it? That shows awareness of the rules?

286
00:14:27.759 --> 00:14:28.080
<v Speaker 1>Okay?

287
00:14:28.120 --> 00:14:30.519
<v Speaker 2>And the second, metric two, which he calls the mother

288
00:14:30.559 --> 00:14:33.799
<v Speaker 2>of all metrics. Can staff identify a phishing email and

289
00:14:33.879 --> 00:14:34.360
<v Speaker 2>report it?

290
00:14:34.519 --> 00:14:35.519
<v Speaker 1>Ah the phish test.

291
00:14:36.559 --> 00:14:39.879
<v Speaker 2>It measures the level of healthy skepticism and vigilance in

292
00:14:39.960 --> 00:14:45.159
<v Speaker 2>the general employee base. It's a direct indicator of awareness, effectiveness.

293
00:14:44.639 --> 00:14:48.320
<v Speaker 1>And the results from these kinds of intensive cultural campaigns

294
00:14:49.320 --> 00:14:51.039
<v Speaker 1>they prove the power of this focus.

295
00:14:51.240 --> 00:14:54.320
<v Speaker 2>They really do. The source cites an initial social engineering

296
00:14:54.360 --> 00:14:58.960
<v Speaker 2>assessment where the failure rate was forty six percent. Almost

297
00:14:58.960 --> 00:15:02.639
<v Speaker 2>half the employees gave up critical credentials over the phone

298
00:15:02.720 --> 00:15:04.720
<v Speaker 2>to someone just posing as IT support.

299
00:15:04.919 --> 00:15:05.960
<v Speaker 1>Forty six percent.

300
00:15:06.039 --> 00:15:09.200
<v Speaker 2>That's bad, that's really bad. But after a three year

301
00:15:09.399 --> 00:15:13.159
<v Speaker 2>intensive, creative awareness campaign blitz using all those techniques we

302
00:15:13.200 --> 00:15:16.879
<v Speaker 2>talked about, that failure rate dropped dramatically down to four percent.

303
00:15:17.000 --> 00:15:19.519
<v Speaker 1>Wow, from forty six to four that's incredible.

304
00:15:19.600 --> 00:15:22.480
<v Speaker 2>It's incredible, and that result is the ultimate proof, isn't it? Leadership,

305
00:15:22.519 --> 00:15:26.879
<v Speaker 2>cultural change, smart awareness, they provide a staggering security ROI

306
00:15:27.120 --> 00:15:29.399
<v Speaker 2>compared to just throwing money at more expensive boxes.

307
00:15:29.519 --> 00:15:31.720
<v Speaker 1>So, to wrap it all up, the core idea here

308
00:15:31.840 --> 00:15:36.159
<v Speaker 1>is successful infosec isn't achieved by technological mandate from on high.

309
00:15:36.440 --> 00:15:38.480
<v Speaker 1>It's achieved by leading a cultural change.

310
00:15:38.679 --> 00:15:40.559
<v Speaker 2>Yeah, becoming the company's trusted

311
00:15:40.240 --> 00:15:44.759
<v Speaker 1>advisor. And building this wide network of advocates, the neighborhood watch.

312
00:15:45.039 --> 00:15:48.840
<v Speaker 2>Precisely, if you, as a security leader, want to ensure

313
00:15:48.879 --> 00:15:53.399
<v Speaker 2>your survival and hopefully thrive beyond that depressingly short average

314
00:15:53.399 --> 00:15:58.200
<v Speaker 2>CISO tenure, you need to ruthlessly prioritize maybe three things.

315
00:15:58.519 --> 00:15:59.039
<v Speaker 1>What are they?

316
00:15:59.200 --> 00:16:03.080
<v Speaker 2>First? Culture? Those relationships. They literally determine the quality of

317
00:16:03.120 --> 00:16:04.720
<v Speaker 2>the security program you are allowed to build.
L1271
00:16:04.440 --> 00:16:06.399
<v Speaker 1>Allowed to build. Interesting phrasing.

319
00:16:06.600 --> 00:16:10.679
<v Speaker 2>Second, ensure alignment. Operate within the company's actual stated or

320
00:16:10.720 --> 00:16:14.720
<v Speaker 2>demonstrated risk tolerance, even if it feels uncomfortable sometimes compared

321
00:16:14.759 --> 00:16:19.600
<v Speaker 2>to best practices. And third, view your work as incremental progress.

322
00:16:19.840 --> 00:16:23.240
<v Speaker 2>Think of it as continuous laps around the track. Always

323
00:16:23.320 --> 00:16:27.840
<v Speaker 2>always prioritize kindness, humility, and adding value over picking fights,

324
00:16:27.879 --> 00:16:30.320
<v Speaker 2>even with difficult teams or underperforming neighbors.

325
00:16:30.639 --> 00:16:33.120
<v Speaker 1>The source material suggests, and I like this framing that

326
00:16:33.200 --> 00:16:37.120
<v Speaker 1>while infosec leadership needs those left brain muscles, analysis, engineering,
L1307
00:16:37.159 --> 00:16:39.440
<v Speaker 1>the art side absolutely demands right brain

328
00:16:39.320 --> 00:16:41.559
<v Speaker 2>thought: creativity, empathy, diplomacy.

329
00:16:41.639 --> 00:16:44.759
<v Speaker 1>Yeah, to really win over your colleagues. So here's a

330
00:16:44.799 --> 00:16:48.360
<v Speaker 1>final thought for you listening. If you find yourself perpetually,

331
00:16:48.720 --> 00:16:52.639
<v Speaker 1>you know, warring with other departments over security controls or requirements,

332
00:16:53.480 --> 00:16:57.759
<v Speaker 1>consider this. What is just one way you could leverage

333
00:16:57.799 --> 00:17:02.320
<v Speaker 1>a simple relationship building technique this week. Maybe volunteering your

334
00:17:02.360 --> 00:17:05.519
<v Speaker 1>team's tech skills to solve a totally non security problem

335
00:17:05.559 --> 00:17:09.359
<v Speaker 1>for an antagonistic department, or maybe running a short, informal

336
00:17:09.400 --> 00:17:12.160
<v Speaker 1>but highly valuable training session on something they care about

337
00:17:12.759 --> 00:17:15.480
<v Speaker 1>just one small step to turn a detractor into even

338
00:17:15.519 --> 00:17:17.160
<v Speaker 1>a hesitant security advocate.

339
00:17:17.240 --> 00:17:18.559
<v Speaker 2>That choice, that decision, that
L1359
00:17:18.599 --> 00:17:20.799
<v Speaker 1>choice, that conscious effort to build a bridge instead of

341
00:17:20.839 --> 00:17:22.880
<v Speaker 1>a wall. That's the true measure of the art of

342
00:17:22.880 --> 00:17:23.400
<v Speaker 1>infosec.
