Time
57 minutes
Difficulty
Advanced
CEU/CPE
1

Video Transcription

00:05
Hi, everyone. Very excited to have you here. Excited to introduce Dr Andy Amoroso for the
00:12
CISO security controls course, 12 effective competencies
00:17
and, uh, take it away.
00:19
Okay, Thanks, Leif. Hi, everyone. Thanks for joining. What a nice
00:24
set of lectures. I hope we'll go through here with you. Um, I want to start with a couple of stories and then we'll kind of get into the course. The first story is that on Sunday mornings I watch the Sunday morning political shows. I just enjoy them,
00:40
you know, sort of middle of the road guy, but I enjoy them, and I noticed that after Meet the Press,
00:46
Ah, Joel Osteen has the show
00:49
where it starts right up, and he always says,
00:51
Gosh, I'd like to start with a funny story and he tells a joke and he gets into his thing and and you know, after you watch the show, it's on and I was listen
01:00
for a joke. Sometimes it's pretty good. So
01:03
I'm over shopping with my wife, or I should say, my wife is shopping. We're in New York City, and I'm standing there filling my phone
01:10
at one of these stores. Century 21 or something.
01:12
I'm filled with fear and I look across. I see some other woman like roughly three dresses next to my wife and her husband's there. And I look over and I went
01:21
my gosh. That's Joel Osteen.
01:23
So I went over to them and I said, Hey, are you the guy on TV? And he started laughing and I said, You know what?
01:29
That thing where you say I'd like to start with a joke. I said, That's like genius, cause that really does keep people on. He started laughing and said, That is the way you start.
01:38
Um, and I would say something that really has nothing to do with cyber security. But when you start anything, whether it's a course, a seminar, whatever, always start with a story,
01:48
I really do believe
01:49
that that's the way you connect people in
01:53
to whatever you do. It just gives them an idea that you're, you know, you're going to be fun, and you're gonna keep it conversational on you.
02:00
You know, administrivia about courses is like the least interesting part of anything you ever do in your lecturing. People always start with that, and I think it's kind of a terrible way to start. Of course, let me give you a second story here.
02:14
When I was back at the Labs in the early days of my career, I wrote this firewall book
02:20
with Ron Sharp.
02:21
Um, who's still over there at the Labs?
02:23
Um,
02:24
reason we wrote the book is because
02:28
Bellovin and Cheswick, Steve Bellovin and Bill Cheswick, had written a firewall book and we were working at AT&T building a firewall product.
02:36
And we noticed that none of our customers could understand Bill and Steve's book. Like in those days, there were people who barely understood TCP/IP. So we wrote a book that we thought would help to explain their book, right? I remember,
02:50
you know, because we were. We called it Firewall Strategies, and we wrote it a little bit higher level. We dug into the
02:55
details of how firewalls work, but we also gave guidance on how you use it. I remember somebody looking at it and saying
03:04
so that's kind of like more a management book,
03:07
and I remember being furious like you couldn't say something back at that portion of my career. That was more pejorative or more nasty or more vile than to suggest that I was a manager. It was like, What?
03:23
Management book? Are you kidding me? I remember pushing back and saying, there are protocols, we got code in here. Give me a break. Does not imagine because I was arguing that, you know, please don't ever call me a manager. And God, don't ever call me an executive, like that would be just about the worst thing you could imagine, cause I always thought
03:43
in the beginning of my career that life was a bell curve
03:46
and your career was a bell curve, meaning at the beginning of your career you start up. You're kind of not so good at stuff. You get better, you get better, you rise up to the top of the bell curve, and at the top of the curve you're an individual contributor, you're doing amazing work. You're making amazing contributions, either as a developer,
04:02
an engineer, a tester or something that's an individual.
04:06
But then as you get promoted, you start moving down. That bell curve is sliding down, you're getting less effective, and the worst thing you could be is like the CEO, then you're back to being as useless
04:18
as maybe when you started day one. That's how I always thought of careers.
04:24
I'll have to be honest
04:26
that there's still that bias with me,
04:29
but I know that it's not right now. I know it's not a hockey stick.
04:33
Like, you know, in the old days, you think of operations folks down on the floor, and then you get promoted to supervisor, move up a little bit. Then get promoted to director. Move up a little bit, then you're vice president. Move up a little bit, then you're president, way up, perched above, looking down on the
04:47
factory floor like you just constant rise. I don't believe in that. I think it's something different. And for the people who are on this course, what I'm going to be sharing with you
04:58
are 12 basic principles
05:00
that I think will get you toward your definition of success in enterprise security. Now some of you would say, Look, I want to be a VP. I want to be a CISO, and I'm gonna try and help you get there. There's no question that you make more money.
05:15
You have a lot of power.
05:16
People laugh at your jokes when they're not funny. You get to fly around in cool places. It's
05:23
there's some real perks to it, but there's also some disadvantages, and we'll get to some of those. But this really is a course for practitioners who are interested in advancing their career. Each of these competencies are around personal kind of capabilities or beliefs. Or
05:39
I think capability is the right sort of, uh, concept, or competency. These are the kinds of terms we're gonna go through, 12
05:46
and each week we'll do one. We got a case study that's been sent out to you that I hope you're reading. We got I'll be bringing in some guests to share with you their personal nothing in each and each week I'll do a little lecture to take you through some of my thoughts on the on the topic on that particular competency.
06:05
Um, now, I thought it would be fun to do this
06:10
without any technical stuff,
06:12
so you're going to see each of the charts.
06:15
It's just some picture I took from somewhere
06:16
Well, and then a book suggestion,
06:19
like I thought that would be fun to do that. They had those dimensions that it's a course where I don't, we're not gonna go through security architectures. I'm not gonna bore you with PowerPoint lists. There is not a single PowerPoint bullet list in here. I remember when Richard Feynman, my favorite person of all time,
06:35
um, physicist up, You know, the late, great physicist,
06:40
um, was testifying, you know, are serving on a board that
06:46
had been investigating the Challenger accident back in, I guess it was 86, 87, January 87.
06:51
And they were asking him, Professor Feynman, what do you think of Washington, blah blah blah. And he goes, you know, the one that you can't figure out, any time soon he's got to say something, they make this piece of paper with these little stupid round dots and they put a round dot and then a couple of words. He goes, What are those goddamn dots in his left hand?
07:12
They realize he's talking about PowerPoint bullet lists
07:15
and whenever I see a bullet list, I think of Feynman crying and making fun of that, so you won't see any of that. This is gonna look a little different than things that you're used to seeing.
07:27
So I hope you stick with us. I have a feeling you'll have fun with this.
07:30
That's how I always approach these courses. I've been teaching for 30 something years.
07:35
You know, I began teaching back in, literally, 1989. I'm literally that many years ago. At Stevens I taught linear algebra.
07:43
Um, and I've not given up since. I've taught every semester the last 30 years, either grads or undergrads. I teach a lot of these types of courses, it's my great passion. And it's the first time through the material with Leif in the cyber team. I think very highly of that group. They said, Hey, let's do something. I said, Man, count me in, let's do it.
08:03
Be fun
08:05
And this is brand new. So as we go through it, if I say something you think is wrong, you gotta tell me, because we'll fix it. This is the first time through the material. You guys are the inaugural class, and some of it's gonna be nice and smooth. Some of it bumpy, whatever. But you let me know and
08:22
and also with the book suggestions. If you think they're better books, you let me know.
08:26
But these are all books that I've read.
08:28
It was another thing. I wanna make sure these your books that I had something. So So let's start first off, I just want to show you,
08:35
um
08:37
that here's a picture of my friend Alex Stamos, and you can see that book there by Steven Levy. I'm guessing most of you have that book; if you don't, I don't know where you've been. But, uh,
08:46
Alex is an example of the CISO who comes from essentially a technical or hacker tribe.
08:54
And it's important because I'm guessing a bunch of you on this call would say you come from that tribe. I sort of do because I was kind of a little annoying hacker when I was younger and I come from that, I come from a compliance back from that. If you were like that, then I think I sort of get you and I sort of understand
09:13
who you are in your tribe and what you're about.
09:16
But there's others like, here's my friend Tom Harrington, who was formerly the
09:20
chief security officer at Citigroup. There's a book by Candace on their life in the FBI. I think I read that. I'm obviously a very big
09:30
supporter of the bureau,
09:31
but Tom comes from a different kind of background than hacker Alex, but they were both chief security officers, both very effective. I'm going to guess some of you on this call come from maybe a law enforcement background, and it turns out I can count many different tribes. I don't like my friend. Gary McGraw
09:48
has written extensively on this idea that there are tribes. Let me list off a few that I know. Like some of you probably come from an IT or IT operations background, right? There are a lot of people on this call
10:01
who would say I was in IT, I moved into security. That's fine. And that's your legacy and that's your experience base. I'll bet some of you came from
10:09
like a compliance background.
10:11
Maybe you were an auditor. Maybe your necessity, maybe this or that. Everyone consultant,
10:16
I'm and then you got into a bank or a place where you got more of an operational, something like the sort of visionary CISOs where you're
10:24
dance, the the discipline and you like the only vendors and you like looking at our whole industry And and then on on on, on on there's There's some people who, like a said commit, come from hacker or he might be a business person.
10:39
Maybe you were working in a business unit came over. One thing I can tell you
10:43
is that it's rare to find somebody who goes from cyber security to something different.
10:48
We'll get into that in a minute,
10:48
but recognize that when you do cybersecurity,
10:52
there's a very, very good chance that your CEO considers that you personally
10:58
are incompetent for any other job in the company. Maybe like an adjacent IT thing.
11:03
But when was the last time you heard about a CISO moving to run the marketing team or run PR, run marketing in some country, or run operations somewhere, or take over the factories, or
11:13
moving to finance. It does not happen. It happens adjacently. Sometimes the security folks might get promoted to run infrastructure where security is part of that. I've seen that,
11:26
but I don't think we as a group are viewed as competent for anything other than cyber security. We need to fix that.
11:33
And some of the learning here in this course will be geared toward making you a more effective executive, to recognize these different tribes. So competency number one for our course, and like I said, we've got 12 of these,
11:46
is innovation.
11:48
And innovation, here's a definition that I wrote out. I'm going to read it to you. It says the effective CISO develops the habit of innovation. Not just sort of the occasional use of innovation, but habit,
12:00
which involves always seeking to do things in new ways, new methods. Think if you're obsessed with,
12:07
you know, do something new, let's navigate. This evolved to evolving threats. Seek new opportunities. A bunch of other words in there: new, new, new, different, different, different. That's innovation.
12:16
If you are that person who says, Well, this is the way we've done it. This is the way we always do it. Then you might be in the wrong line of business because if you if you want to be
12:26
an effective executive in cyber security and even if your definition of success is. I just like to be the head of our pen testing group.
12:35
If you're going to be a leader, then you will have this habit of innovation, or you'd better.
12:39
Now let's set the stage for this. And here's a book.
12:43
Madame Curie. Look at that picture. This was a Solvay Congress in 1927.
12:50
Um, and by the way, just finished Walter Isaacson's biography of Einstein. Man, if you haven't read that,
12:58
it is amazing. Einstein was a weird dude, man. He's not the greatest guy, frankly, but what a genius. A fun read.
13:05
But I came out with it, maybe not thinking as positively about Einstein as I had going in. Nevertheless,
13:13
there's Madame Curie, and there's all these great physicists. Look at the names. It's like all the constants that you used in high school, college physics, right?
13:22
But the point is, from about 1890 to about 1930
13:26
the people in this picture change the world.
13:31
I mean, change the world changed the nature of how we look at things change the nature of how we, you know, do engineering. I mean, every everything we do in computing now is made available because these people, But what happened in the thirties? Everybody freaked out because we realized, Wow, this innovation has good impact. Meaning,
13:50
you know, we can go do electricity and then an electrifying rural areas. We can build semiconductors eventually. You know, we got to that the forties with the Bell Labs group, and I'm another night, All these wonderful things. But
14:05
we also could build nuclear bombs, atomic
14:07
atomic bombs, what a frightening concept.
14:11
And, you know, you see Einstein there He was persuaded by Edward Teller
14:15
to get a letter to President Roosevelt demanding that he pay attention to this and put some effort into it. And thankfully, you know, Hitler was just idiotic enough to to push these great German scientists like Einstein out. Thank God they're working for the good guys. And it helped change history. So
14:35
from 1890 to 1930,
14:37
I think we would all agree, if you're gonna do physics, man, this was the time, being at that meeting right there. You play those games, we go, man, if you could be anywhere, talk to anyone, or transposed, what would it be? I would say I'd like to be at the Solvay in 1927, like sitting between
14:54
you know, Einstein and Lorentz, who
14:58
who was his hero. You see him sitting there next to Einstein with legs crossed. He was an older man, but Einstein had more respect for him than anybody else in that picture. And there's some really smart people. There's Heisenberg, not the
15:11
not the one played on the TV cooking up meth. But that's the real Heisenberg. So here's the point.
15:20
40 years of amazing innovation, followed by Whoa, you can do good, but while you can do bad now let's go look at this guy.
15:28
Let's go to 1968
15:30
1968 was the year
15:33
that the word software engineering was first cooked up. My dad was at the conference, it was a kind of NATO conference, and it was called software engineering. First time that had been used.
15:41
Count forward 40 years from 1968 and you get this guy
15:46
making the iPhone,
15:48
and I would argue
15:50
that those 40 years changed the world as much as those previous 40 from those physicists, right? This is pretty astounding change in our world from the late sixties to now in computing. Are you kidding me? And I would say, if you want to do computing, that is probably the best
16:10
time to do it. I'm sorry if you're just getting into it now, it's still awesome thing to do.
16:14
Just like physics is still awesome. But, man, those 40 years were amazing. Then what happened to live the first and second decade? After that,
16:22
we all realized, Oh my God, there's amazing things we could do with computing now, including artificial intelligence having its real, you know, second coming. You know, we're gonna actually do things with it. But also, there's some scary things that you can do,
16:37
and it's called hacking. It was called critical infrastructure attacks, and it's called weapons of mass computing destruction.
16:47
And I wrote a letter to President Trump. I'm pretty sure got their, you know, basically warning the same thing. So so recognize that the backdrop when I say innovation, what I mean is,
16:59
what you're doing
17:00
is
17:02
sensibly providing protection for things that are changing so fast
17:06
that it's hard to keep up.
17:07
If you think
17:08
that you can put a cybersecurity program in place without the ability to be nimble and open to change and always challenging yourself to do something different.
17:18
Then forget you're in the wrong business. Go do something else. No. Go sell coconuts for a living. If you can't do this, think different. You're in the wrong business. I have. I wouldn't spend a bunch of money. I don't spend money. My wife always thinks I'm just like crazy. I would never buy anything.
17:36
But I saw the original Apple poster
17:38
for that. Their ad that said Think different. It was basically was Buzz Armstrong on the on the surface of the Moon.
17:45
And it just says, Think different was original poster and, like 300 bucks.
17:49
And I said, Oh my God, I have to have that That's hanging behind my desk
17:53
And every time I walk to my desk, I see the word think different and it reminds me
17:57
that the business we're in, the discipline we've chosen, the people on this call have chosen,
18:03
demands that you think different and let me give you a cool example.
18:07
Back in 1992
18:11
there was a prize fight. It was Holyfield Riddick Bowe Now
18:15
some of you may find fighting to be pretty miserable. Two people pounding each other's heads in my wife. If she even sees me go near watching something like this on TV, she gets annoyed, barbaric, and she's probably right.
18:30
But I guess I grew up in a time when I sort of liked it. I would watch Muhammad Ali and
18:33
Joe Frazier and enjoyed it, but whatever. But at any rate,
18:37
people would pay big money back in the nineties. I think they still do. I don't know. I don't know the heavyweight champions right now, but
18:47
the doctor 90 choose big deal and this picture on the right. If you share generation with me, you remember looking at that.
18:53
That's where you didn't pay for the channels that were. You know, in some sense
19:00
they're scrambled, wasn't encryption and they were scrambled for a reason, because you kind of make out figures. Unlike the naked channels and stuff, they would do a bad job of scrambling.
19:10
So if you were about 16 and it wasn't scrambled, man, you wanted that channel because you see that it just sounds ridiculous. But that's just let's craziness of the time
19:18
so that's the scrambling that you would see if you hadn't paid for the Holyfield Bowe fight. Now, here's the bottom line:
19:26
in those days, set top boxes were not tamper proof.
19:30
So what you could do is you could take the top of the set top box off and look at the circuit board.
19:37
Not that I did this, but maybe I did.
19:40
And you take the top off me. Look, you know, you're looking all these chips and connections and stuff. You look for the CPU, and even if you're dumb, you figure out what CPU is like the coolest, best chip on there.
19:51
You look it up in. There wasn't really much of a World Wide Web there, but there was an Internet. You could look stuff up
19:57
and and I remember those days you'd go to these T TL websites or places or
20:03
1 800 numbers were with a catalogue.
20:06
And if you found the CPU on the circuit board for your set top box,
20:11
you could look up that chip from its manufacturer and you would find that they sell the same chip, that same number with a capital T after it, which meant
20:21
it was the test ship
20:23
and you buy it
20:25
that comes to you in the mail in a pin cushion. You pop it out of the pin cushion.
20:30
You take the chip off the circuit board. A lot of times they'd even have a dab of solder on the corners. If they did, you had to have a soldering iron, heat it up to pull it up, whatever. Minor, minor speed bump for a hacker. But you pull it up, you put the test chip in, and suddenly you get all the channels,
20:48
everything you get. You get to see the whole kit and caboodle
20:52
channels, which causes a problem. Now, suddenly
20:56
you've got people who were ripping you off, who were stealing the not paying
21:03
and they're getting the fight. They get all the channels. So there was a cable company
21:08
in Connecticut that I remember in those days we have had some interaction with them.
21:14
I didn't think this up, but I really we're finding out about it. Just I think we're getting contacted. This is like the coolest thing ever heard of. But here's what I only read it to you.
21:22
It says Continental Cablevision of Hartford, Connecticut broadcast a special offer of a free T shirt during last fall's Bowe fight. Let me show you a picture, then we'll come back to this. You see the thing down here, just to receive your free T shirt, please contact us at. Now you see there's the fight, which means that this is what you were supposed to see.
21:42
You hacked the set top box. So you see this You follow. But now what they did was
21:51
they created a special offer, a free T shirt,
21:55
and said, unlike most pay per view broadcasting,
21:57
this one did not show up through legitimate decoders. They decoded it,
22:02
so if you were legit, you'd see gobbledygook here. But whatever, it's not gonna bother. You can still see these guys beating each other's heads in. But you see gobbledygook there.
22:11
So this you didn't see that you backed the set top box. You're gonna see gobbledygook here because they created that. And then what they did was the ad and it showed up with an 800 number
22:23
and they said, Hey, you know, call us and we'll give you a free T shirt.
22:27
And 100 and 40 people called the number
22:30
just within minutes of it coming in
22:33
and they sent the T shirts and they also sent a follow up letter saying, You're ripping us off and you need past $2000.
22:42
Um, and here's an article in Chicago Tribune about that. How freaking cool is that, right? I mean, this is not a firewall.
22:52
This is not public key cryptography,
22:55
This is not two factor authentication.
22:57
This is really innovative cyber security operations. In my mind, this is some seriously cool stuff.
23:06
I think
23:07
we have to adopt a couple more shakers of this in what we do. I mean, the problem that we have. Ah, let's talk about this for a minute. I think this deserves a little bit of discussion here.
23:22
In our business, when you do cyber security,
23:25
you're taught that there's this set of controls, and I contribute to this in some degree as well,
23:30
where we say, you know what? Um, here are the controls that matter.
23:34
First is governance. So you need to be doing governance, risk and compliance. We need to have a whole program of
23:42
making sure that your compliance controls are in order and that your team has the documentation in place and lovable.
23:49
And then we tell you that there are these endpoint control. So you need to have
23:55
I need to have something on the end points that you know, the state of collection
24:00
and detection and response. Maybe does some other types of analytic functions and protective functions that that stop certain types of attacks? And you could argue
24:11
that the end point, you know, the set top box here, had it been tamper proof, by which I mean, like when you take the top off, if it could have broken, maybe you could have prevented this sort of thing. But setting that aside, we focus on these controls. A third type of control would be
24:30
maybe network at the network level.
24:32
We tell you, monitor network activity, you collect data and you process it. You, you know, send the alarms off to, um,
24:41
some SIEM or some processing engine to do the detection. And you know, these are the tools in our tool kit. These are the things that in our mind
24:53
make up cybersecurity. If we play word association with cyber security architecture, you get a firewall, the emcee Cloud, and like all these types of things that in some sense someone else has dictated as the categories of the tool kit that we have at our disposal. You've all heard the story that if you've got a hammer
25:12
and a screwdriver in your in your toolbox
25:15
and you're going to do some task, then everything is going to look like a nail or a screw.
25:21
Somehow
25:22
we will need to deprogram ourselves from that. I really believe that. And I contribute a little bit to this. At TAG Cyber, my company, I published 50 controls. I publish market reports on these things and comment on the effectiveness of all these different controls, vendor solutions and so on, kind of reinforcing that these are the tools of our trade.
25:42
One of things you're gonna hear from me
25:45
is that we need to be a little bit more obsessed with this idea
25:49
that you know what? Come on, man.
25:52
I don't need an intrusion detection system from a commercial vendor to detect intrusions. What's with the look what these guys did. Look how cool this is, Man.
26:00
I think this is about as cool a thing as
26:03
you're ever gonna find, this idea that you're using
26:07
of deception.
26:07
There's really no vendor here.
26:11
You invented this. You thought it up. You put a whole scheme in place. You caught
26:15
malicious actors. You demanded a fine, probably recovered quite a bit of money, freaked out a lot of people. You reinforced the tamper proof issue. There's just so many cool things that come to mind around this. But maybe the most important is that it allows us to look at ourselves in a different light. Let me give you an example.
26:36
when you go to
26:38
DEF CON. I don't want to say Black Hat. I want to say DEF CON.
26:42
When you go there,
26:44
you know what that conference is like, right? And I always feel very self conscious because I don't look like a DEF CON-er, and I've presented there a couple of times, and it's like,
26:52
you know, that nobody's really in charge and you're
26:56
and I'd wear khakis and a chambray shirt or something. I wouldn't look like a hacker. I look more like the accountant, look like the guy who works at the hotel, you know, where they're having the conference, and it just feels weird. But
27:08
what I love about that whole environment is a celebration of technology. It's people being themselves, having fun,
27:18
breaking into stuff, sharing, laughing, being a little snarky, just really doing what in many cases is what they would be doing if they couldn't make another penny the rest of their life. They'd still do it. It's a culture, a celebration of hacking, and I give it a lot of credit.
27:37
I don't always agree
27:38
with some of the things that get published. I'm not a big fan,
27:42
you know, for example, hacking live, you know, minivans, you know, on highways where there's real people driving. That's irresponsible. I mean, there's a lot of irresponsible stuff
27:52
that goes out in the offensive community. But that said,
27:56
it is a fun celebration where they don't talk about buying vendor tools to talk about doing stuff,
28:02
trying things, being creative, being innovative. That is, if you had to use a word to describe those places, these hacker conferences and hacker groups, and maybe go to BSides or others, it's all innovation. Now, transport yourself
28:18
to the Gartner summit.
28:21
Just close your eyes and walk in. What does it look like
28:25
that? Boring. We're all boring people. We're grown ups, we're in jacket and pants, we're male or female. We're not smiling. We'd rather not be there. We want to go home. You're going to go to a talk at one o'clock about compliance controls for,
28:41
now, the GDPR, and you know, you figure, well, it's boring, I'll do my email. You just don't want to be there, and it's all this. You get the point.
28:49
It's not fun. That's not innovation, that being locked into a bunch of different things. In fact, compliance does that to us.
28:56
It drives us to a mindset where
29:00
you don't want to change anything because you're going through the compliance process, like the last thing you want to do is redo the documentation, right? I mean, suppose you had very specific controls that you swore to some, ah, like a regulatory group, that any time you put something on the screen here, it had to be regulated.
29:19
Look, you wouldn't be able to do this
29:22
because there would be a control that would prevent you from being innovative. So the point is,
29:27
which is more fun, DEF CON or the Gartner thing? I think DEF CON is way more fun,
29:32
and
29:33
I think we got to somehow get out of that. We got to get to the point where it's just as much fun to play defense as it is to play offense. If you coach high school sports, if you coach
29:45
football, for example, and
29:48
you know, you got kids that all show up, the one kid wants to be a linebacker and another kid wants to be a running back. You don't say to the running back, you're gonna have fun, you're playing offense, and then you say to the defender, the guy who's playing linebacker, you're gonna be pretty bored back here, but yeah, go for it. It's ridiculous. Both are just as much fun,
30:07
and we need to figure out how to adjust that mindset. Let me go one step further.
30:14
I think
30:15
the defensive work that we do requires 10 times more innovation.
30:19
I've run a lot of capture the flag type things. We did one recently at NYU where I teach,
30:26
um, along with the city of New York, your school thing
30:30
and I remember we had a bunch of reporters in
30:33
and they all came. And you know, we're all standing in the room where the
30:36
the, you know, where the defense was all situated. It was mostly NYU students and a bunch of New York City
30:42
employees, and they're all sitting at the consoles of the platform we were using. You know, when you do those capture the flag to engage with commercial platform, they train everybody. And what to do is a bunch of files, and the offense has to make their way in and steal files or change things or whatever the engagement's about you. You're all familiar with that.
31:02
Remember, we're all in there, and there must have been
31:06
40 or 50 of the kids and New York City employees on a room.
31:11
No school. We're going around and they're being interviewed positive feeling. And they're showing us, Yeah, they're the offense in the other room is breaking in and they're kind of even. You know, we're stopping some stuff. They're getting into some stuff. It is what it is. So then all the reporters want to see the offensive team,
31:27
so we all wander down the hallway. But we get down, you know, where I was leading
31:32
tour saying some stuff. And then we look in the window and there's like, Bill sitting there
31:38
and that's the offense.
31:41
It's not 50 people. It's one guy. They were rotating. It's like one on 50 is considered a fair fight.
31:51
Nobody said anything. I was sitting there squirming, because a reporter's gonna go, what gives here, man? One on 15 minute break cycle that school year. There's the hacker, and there's the 50 people in the way, about the same. This is utterly ridiculous.
32:05
So who needs to be innovating more? Give me a break, man. It's easy to do offense. It's not easy to do defense. So look, when I said at the beginning,
32:14
you want to get ahead here, then, for God's sake, develop a habit of innovation. You've got to be trying stuff
32:22
now. There's a downside.
32:23
And here's the downside that Henry Petroski, by the way, writes cool books, this is my favorite of his, To Engineer Is Human.
32:31
And that's the Tacoma, I think that's the Tacoma Bridge, right? The one that gets resonance,
32:37
falls down. Um,
32:39
the downside of innovation is you could break stuff
32:43
and you can cause embarrassing situations and you can create problems and you can create issues and you can cause outages and you can cause embarrassment. You can cause misunderstanding. Welcome to innovation. Innovation is not safe.
32:57
If it's safe, then you're not feeling it right. Innovation means trying different things. And when you try different things, that means they're not tested, which means some are gonna break.
33:06
So look, I know that Tacoma Bridge maybe wasn't all about innovation, more about engineering failure. But I love the idea of this Petroski book, of CISOs taking the time to really understand that subtitle in that book.
33:22
And it's called The Role of Failure in successful design.
33:27
Here's the problem. Go back. If there were done, take out a pencil and paper and write down your 10 biggest failures in your career
33:36
and then trace back. You know what happened after that?
33:40
Did you become a better engineer? Tester, developer, manager?
33:45
Or did you become worse as a result of that failure? I bet you became better, and I'll bet whatever you were working on turned out to be better because of that failure.
33:55
So this is the tricky part. You might work for someone who may not agree with this
34:00
and here's stupid Ed on this, you know, cyber everything, telling me to go innovate. Well, he doesn't know the lady I work for, man. She's not gonna let me innovate. I work in a box, and forget it, it ain't gonna happen. I don't know what to tell you. I mean, you should at least understand your constraints if that's the world we live in.
34:19
Um, I wish you didn't. I think you should look for another job. If you can't, then you deal with it. Life is life. I mean things. They're not perfect.
34:27
But I'm not gonna lie to you
34:28
if you cannot innovate if you work in a box. If everything you do is dictated by some compliance manager
34:35
or by someone who's determined around you
34:37
what you're going to do and you need to live with those horse blinders on,
34:42
you're never gonna get any better, Period.
34:45
You should least understand that.
34:46
And if you can deal with it, then you deal with it. But this is a tricky one. And let me say a couple more things about failure before we get into
34:54
talking about our case studies. So I want to spend
34:59
leave us a good 15 to 20 minutes to get into the case study and sort of frame it for you.
35:05
But this piece is something like if there's one thing that you take back, maybe to your team
35:10
for discussions. A lot of you, you know, work in work groups, and you'll want to go back during your
35:16
weekly or monthly meetings with your team, and some of you ought to bring up some of the topics that we cover in this course.
35:22
I think this is a good one to bring up this debate between
35:27
as a group. Does it make sense
35:30
just to willingly acknowledge that if we try some things differently
35:34
that we're likely to break some glass? Is that acceptable?
35:37
And if it is, then what is the process for selecting
35:42
where we innovate, where we don't? That's something that's gonna be case by case. You need to look at the environment where you are.
35:49
I need to determine, you know, what sort of, the,
35:52
what's the local culture. Where I started in my career, I worked in a laboratory
35:58
where you had a long tradition of failure. Bell Labs had a long tradition of successes that came from things that looked like failures. Let me just jump to a different case. Many of you right now
36:10
are watching this, these charts
36:14
on a computer that has UNIX at its base. In fact, all of you do
36:19
because I know POSIX is part of Windows. So, and obviously UNIX is embedded in Mac OS, and it's embedded in your iPhone and your Android. So that UNIX operating system,
36:31
Where'd that come from?
36:32
Well, Dennis Ritchie and Ken Thompson and some others that I had the great privilege to meet and do a little bit of work with in the latter portion of my career.
36:42
They were working on a project that was called Multics
36:45
in the mid sixties. So think
36:49
Lyndon Johnson is president.
36:52
I dream of Jeannie is probably the show you watch on TV.
36:55
Uh, if you wanted the coolest car, you'd go buy a Mustang.
36:59
You know, there was no Internet. There weren't even touch tone telephones. That was rotary telephony.
37:05
So, um, there's this project
37:07
called Multics,
37:09
where it looked a little bit complicated. Daniel, Bob Rowe and other people were working on this thing
37:15
and the Bell Labs guys looked at it and said
37:19
you know, this is gonna fail. It's just too complicated. It is not right. Something's not right about this.
37:25
So they went back to work, and they took Multics and they simplified it to something they called
37:31
UNIX.
37:34
That was the genesis, and they simplified the concept to let's see if we could just improve the text processing for a secretary. It's really, if you could talk to these guys, I mean, the ones that are still around,
37:45
um, Brian Kernighan and others. He's over at Princeton. I had him as the speaker at my conference two years ago, so much fun having him come.
37:53
But if you talk to them very modest
37:57
kind of goals. But it all came from what arguably was a failed project in Multics. You don't talk much about Multics now.
38:05
You talk about UNIX because they took the failure
38:07
and they created a successful design.
38:10
So when did you when in your career have you had that? And welcome to cyber security, one of our great dilemmas. *** it! We're not allowed to do that.
38:20
You know, not to fail here. CISO, you fail, you're fired.
38:23
But as I said at the beginning, you're viewed as basically being incompetent for any other job in the company.
38:30
So you get to keep the job; the instant you fail, you're out.
38:32
How crazy is this ***?
38:36
So ridiculous,
38:37
Because it forces you If you want to keep the job,
38:42
do not take any risk.
38:44
And welcome to one of the reasons we all get hot.
38:46
You got a bunch of CISOs sitting in positions, looking over their shoulder, worried they're going to get fired if they try anything new and it doesn't work out. They can't hack it, doesn't work out, you know, you're out.
38:57
You can't try things that are new
39:00
because you're afraid of risk. You're afraid you're gonna fail. You're viewed as incompetent for any other job in the company. And you can see the dilemma here. Does that make sense? I hope this is all clicking for some of you. A lot of you probably have never felt what it feels to be in that executive role, and that's what it's like.
39:16
Part of the problem is that *** CISOs get paid too much money.
39:21
And once you get started paid that money,
39:23
then you don't want to stop.
39:25
You want to keep the money. It'd be better if we put a cap on what CISOs make
39:30
so that if they quit the CISO role, they could go into an incident response role or
39:35
cloud developer, whatever, and make the same amount. We'd probably have much better CISOs if you weren't paid the amount of money
39:40
that we pay to get the CISOs into the role, but that's another discussion.
39:45
So this issue of failure and successful design is absolutely essential for you to have an opinion about. Go back and talk to your team about it. Now
39:52
you have been mailed a case study. I want to talk to you about it and use the remaining time to talk about this.
40:00
Um,
40:00
I sat down and I created this
40:05
this scenario with a woman named Emily, who's a security executive.
40:09
I have her in front of a small group of CEOs giving a little talk under Chatham House rules, and I thought it would be fun to just have 12 little vignettes that just sort of lay out a situation
40:24
or a scenario
40:27
that allows us to have a discussion.
40:30
And in each of the sessions here I'll spend about five or 10 minutes on these, and then we'll have a guest. I didn't want to bring a guest in today because I wanted to just introduce you to the course, and I'll have a little bit more to say about the administration in a minute. I'll do that at the end,
40:45
but, um,
40:45
But we'll do a little bit of case study each week. And then on Tuesdays
40:51
at one o'clock and six o'clock P.M. Eastern
40:54
there will be, you've already received the calendar invites, discussion sessions to join around the case studies. This will allow you to, with, uh, we've got two wonderful TAs
41:06
that have been doing this with Cybrary for some time. They're listening in right now. You'll meet your TAs, and then they're gonna organize some discussions. I strongly encourage you to join.
41:15
You know, one or more or all of these sessions. I think you'll like them
41:20
and you'll have the opportunity to go through the discussion item. So let me
41:23
let me give you an idea of how these things work. I'll take you through sort of the story here. I'm gonna tell you the story without reading it. That's done. You could read it, but I'll tell you where it came from. What I was thinking here, I had the idea that
41:37
in many cases we'd like to try new types of controls. We really would like to.
41:44
And I remember when behavior analytics really was new.
41:47
Today, you'd call it a commercial
41:50
UBA or UEBA tool. There are wonderful companies that do this, you know, ObserveIT and others, really good companies. Securonix does something,
42:00
you know, there are many more. Jazz Networks has a nice tool. You have a lot of really good options. But in the early days you didn't.
42:08
We didn't really know how this works. This idea that let's drop something onto a computer
42:14
that kind of sort of observes what you're doing
42:17
and then provide some, uh,
42:21
you know, some telemetry back to a station where I can go in.
42:24
You know, there's almost voyeuristic kind of experience of seeing what the behavioral activity is on an end point.
42:31
Um, and I was a little icky about it. I wasn't quite sure whether it made sense. In my mind, I thought
42:37
for a
42:38
predictable
42:40
controlled environment. Like a call center.
42:44
It seems perfectly reasonable, because the expectation is you sit down, strap a headset on and you start taking customer calls from a PC
42:52
is that you're in an Arab. You're on a headset on your
42:55
asking for the last four digits of social. You're asking to confirm zip code. You're making an account change. You're asking if there's anything else I can help you with. They say no. You say thanks for coming to Acme 123 Bank, I'll see you later. You hang up, you go to the next customer.
43:12
That PC, the idea that you would be policing activity on that, seems perfectly reasonable.
43:17
And most workers would be okay with that. You know, they're not going to use the PC to go buy *** on Amazon.
43:23
But
43:24
you're a developer, you know, you're working on the finance team and you walk around with your laptop,
43:31
That I'm not sure. So I remember it was kind of unclear in the early days, but there was some pretty innovative groups that decided, man, we're gonna try this and see what happens
43:40
so I created the story where Emily, our hero,
43:45
is working with a member of her team. The analyst says, Hey, I'd like you to try this very innovative
43:52
new control. I'd like to deploy it, and what it does is it monitors our employees. And Emily goes, uh, what do you mean? You know, a behavioral toolkit.
44:00
I got it from researchers at NYU.
44:06
You just drop it onto PCs, and Emily thinks about that. And she goes, hmm,
44:09
um,
44:12
seems a little weird. I guess it's okay. It's innovative, certainly.
44:16
And she even reminds her, says, Look, you said We need to be innovative. This is innovative. Let's try it.
44:22
So she goes back. Emily goes back and talks to the senior leaders and says, Look, we're gonna try this, but I swear, promise
44:29
we're not gonna run it on the senior executive
44:31
PCs. And some of you are probably laughing. If you work in information security,
44:37
you know that it's harder to do
44:38
security for three desktops in your company, the CFO, the CEO and your CEO, than the entire rest of the company, right? What's more, a lot of times you make the bad decision to put no controls on those things. No monitoring. Leave them alone. The last thing I need is a problem with the CEO,
44:54
and it's a shame, because there's a lot of risk there. But nevertheless, Emily tells this person, Okay, that's great. Do it.
45:00
But I've told the senior leadership team
45:04
that we're not going to
45:06
be running this stuff on their PCs. And they all joked about it, like the joke was significant enough that everybody noticed it
45:13
when she brought it up.
45:14
So a week goes by and some team members come back, and I have them sort of looking like they'd seen a ghost. One of them says, um, our CFO
45:24
Looks like he's a total creep.
45:27
Inappropriate downloads. I put stuff like he's looking at cheerleader stuff, and I wanted it to be,
45:35
like, illegal? If it's illegal, you call the FBI.
45:37
But if it's just a little weird, you know, like huh
45:42
It's certainly against the company policy. So there's no question that this is a policy issue,
45:51
but what's sort of on the edges, not really illegal? If you quibble with the
45:55
example, put in your own example and try to think of something. I tried hard to think of an example where you look at it, it's creepy and weird, but it's not illegal. That was the idea, trying to come up with that.
46:07
But some of them come back and go, it's creepy and weird but not illegal. What do we do?
46:10
And Emily goes, uh, great,
46:14
because she's told the leadership team she's not running it on their computers.
46:19
But what happened was they did it by, see, they did it by accident. They said,
46:22
you know, they've been making my bubble bond, she says. Well, I told you, you don't do this. They go on, we made a mistake.
46:29
We went in and deployed everything. It was, someone made a mistake and deployed the tool everywhere, and I didn't realize this at first. That's what I wrote in there.
46:38
So Emily's like Mom,
46:40
Um, what should I do?
46:44
And that's where the three dots come in. She then paused for effect
46:47
and leaned toward the group. Here is exactly what I decided to do. Dot, dot, dot,
46:52
and now you. So welcome to Emily's dilemma.
46:57
So this is the kind of thing that we will do each week. We'll do a little case study like this, and if we were all together right now, I'd say, what do you think? Some of you would say, come on, it's a piece of cake.
47:08
You just go to the CEO and say our CFO's a creep, fire him,
47:14
but recognize that you've just been in there a week earlier and swore that you weren't deploying the thing to their computers,
47:21
so they might say, Yeah, you're right. But also, you don't seem to know how to deploy software.
47:27
You must be pretty incompetent here. You said you're not pushing it through our computers. You know how to restrict that.
47:32
Maybe Emily loses her job here, like this. Does she get fired? Is that a possibility? It could be.
47:37
Another one is that Emily says, look, it's not illegal.
47:43
It's a little weird.
47:45
Why don't we just, I don't need this problem. We've got other things to do.
47:50
I'll just uninstall it from their PCs, and what I'll do is I'll reinforce to the leadership team,
47:55
through some awareness training,
47:58
that hey, as a group, I just want to remind you all
48:01
that, you know, looking at weird, you know, websites of cheerleaders and stuff is completely off the charts inappropriate.
48:09
And,
48:10
you know, if you're doing that,
48:13
then cut it out. You know, without having any names, remember, you're making it clear, and you keep the stuff running on the PC, maybe, and you watch. And if the behavior stops, then you've stopped the behavior. Maybe that's what you do, or something else. You get the point,
48:29
like, welcome to the executive ranks. What do you do here? And I don't think there's a right or wrong answer, right? I mean, I think in both of the cases I just cited, one where you just go in and fess up, a lot of you would want to say that, but suppose you got three kids in college
48:45
and you got lots of bills and you need the job and you just move there. You just took this job. He loved the family there.
48:52
And you really want to take root there. You enjoy it. And you think, do I really want to compromise my whole career over this? The CFO was probably not gonna get fired anyway, so why don't I just do the training? So that's one. And like I said, the other one where you just look the other way. I don't know. You get the point.
49:12
You get the point. Now, number five here, you could say, could she lie
49:15
and explain that it was a proxy review that caught the CFO and not the UEBA trial? There's an example of something I hope
49:22
that you wouldn't do. I was trying to include a couple
49:27
of possibilities in the discussion items that I would consider to be personally,
49:31
um, pretty unacceptable. So, you know, maybe the word lie is the giveaway there, Um,
49:39
perhaps our TAs might, you know, dress those things up again, because maybe we don't call it a lie. You ran a proxy review. You saw it.
49:49
Well, they say, how did you find out about this? We saw it in the proxies. Yeah, you did, but you'd not be telling the truth, that you first saw it in the UEBA.
49:58
That may be, you get the idea, and then ultimately,
50:02
every one of these case studies
50:05
closes with more or less the same question. What would you do?
50:07
You know, if this is you, what would you do?
50:09
And I really do think it's important
50:14
for you to develop an inner voice here as a CISO. Now, that's an interesting point from a technology perspective, because
50:22
we all know that at some point, like it or not,
50:24
um, artificial intelligence could give us the right answer here, right? I mean, look, we we take all of our experiences. We take courses like this, we try to learn, we try and become better informed so that we can make better decisions.
50:39
Well, you know, Google has taught us that if you take all the possible information, you'll probably make the best decision of all. So I would say, if you fed every possible case study into a piece of AI in the future,
50:51
The answer here becomes very deterministic. You know, the probability is that
50:55
your best case would be to go talk to the CEO, tell the truth, take your take your lumps, and in the long run, you turn out better for that. You know, maybe that's the rational answer, and it's a deterministic thing. But until we have that, you personally still have to listen to your inner voice.
51:12
You can't Google the answer here. Our grandchildren, maybe they can, but you can't. You still have to use your judgment. You still have to
51:21
become someone who has the right sort of understanding and judgment around this, and notice the case study here on innovation tried to reinforce the point that
51:32
you're trying something new, and you might decide, well, the right answer here
51:37
is right back to the topic that we started with.
51:40
We're innovating. We're trying something new. You go to the CEO and say, you know something?
51:46
This is brand new stuff where it's cutting edge.
51:50
Maybe I wasn't clear enough when I first said we were gonna try and do this. But this is new, different, innovative stuff, and maybe it didn't work perfectly, but we're not gonna stop taking risks. And look, we found something, and I'm sorry, it's not my fault that the CFO is a creep.
52:08
So this is what we find. And as long as I'm in this job, I'm going to continue innovating. And I think you'd be crazy to move someone else. And you know, Bob above about
52:16
innovation in this case is the point, not around judgment, right? When you innovate, you break things, just like I showed you here.
52:24
The role of failure in successful design.
52:29
This is all about the role of failure in successful design. They're going to go in, rethink how they deploy,
52:36
tune it up a little bit,
52:37
get it just right, and boom, running UEBA is probably a very effective control in their environment,
52:44
but they had to fail a little bit in the beginning. You get the point. You see what I mean? So
52:49
so that really is the cadence that will be following,
52:53
you know, through our 12 lectures here. I hope you stay with us. I mean, I think you're going to enjoy it, and if you don't, then
53:00
let me know if you think there's something I could do to make it more enjoyable for you.
53:05
I know how valuable an hour of your time is.
53:07
And I also always try to finish, you know, within the hour, even a couple minutes early. Like, I've learned a long time ago
53:15
that you start going over and people started getting a little fidgety. Um, I like to make sure I give you a couple of minutes if I can before,
53:24
before the time is up. But I hope you stay with us. We'll go through the 12 pieces, and those of you who have interest in the actual charts here,
53:31
the Cybrary folks would be happy to make them available. I just don't want to show you them now because, you can see, it's fun to see the reveal. You know what I mean? Like after we do the lecture,
53:42
um, you know, the little webinar lectures here, you can get them through the instructor side. Very happy to give them to you. Um, I'd ask that you not post them on websites and pass them around, only because it'll ruin it for the people who take the course next time. I think they're fun to see. But if you find them useful, like this little story here, Holyfield-Bowe, the scrambled
54:01
picture, what they did and then how they enticed. That's a cool picture and a cool story to tell. Now, if you like that, you know, by all means use the charts. And by the way, I hope you read these books.
54:14
The Petroski book, by all means.
54:15
Definitely, if you haven't read the Steve Jobs book, that again, Isaacson's one of my favorite biographers,
54:22
Madame Curie, and these two books by Steven Levy, who I had the pleasure to meet some number of years ago. I talked to him a few times. And then there's a lot of good books on the FBI, so go back and take a look. You know, order those books on Amazon. They'll be enjoyable reading and
54:37
and unfortunately, you're going to get about 60 book recommendations through the 12 lectures. So I don't know if you can read 60 books, but I hope you read some of them. So So look, we're at just a few minutes before
54:50
I want to welcome you to the course.
54:52
I hope we see a lot of you at our next lecture, and my email address, which I put right up at the front here,
55:00
E Amoroso at TAG Cyber dot com. You're welcome to drop me a line if you want to. If you want to post or publish something directly, it's probably just as well that you work through the Cybrary team. You can get notes to me, but
55:10
let's keep a dialogue going and hopefully we'll have a really wonderful session together.
55:15
So with that, I think there may be, let me look and see if we have any sort of,
55:22
and click on the chat here.
55:24
Um, I don't think we have any chat comments, but what we'll do is we'll work out a cadence with all of you. Um,
55:32
moving forward. Yeah, there's a lot of chat. Let's see. Um,
55:36
mentioned you again, but that me, the interviews. Yeah, we're definitely gonna be talking interviews as we look through. We definitely have a surprise guest next week. Slide deck available. I think I addressed most of these.
55:47
Um,
55:49
yeah, we do have guest lectures. They're not guest lectures, but I'll have panelists that come in and I'll interview them about their career. So I think I have a lot of this going. Apologies, my bad. I didn't really have the, what is it, the chat going here. I see a lot of
56:04
interesting things that are coming in here. Let me make sure I've addressed everybody.
56:08
I think we got most of this. Looks like you guys were having a little discussion in chat. That's perfectly fine. That's good. I'll make sure to keep this up
56:17
during this. Um, I think I got everything.
56:22
Oh yeah, most of this we've got in here. So by all means, have the chat during the discussion next week, I'll keep it up. And if you really need my attention while I'm going through this, we'll come up with some cadence, put some little "hey, stop what you're talking about and address this now," and I'll try my best to do so. So again,
56:42
Tuesdays, 1 and 6. You've already got the invite. That'll be out.
56:45
Do anything for you to speak
56:46
to be part of the group, to have the discussion about the case study, and my email is available, open and available, if you need to send me something private.
56:55
leaf, I'm gonna turn it back to you. I don't know if you have any announcements for the group or anything you wanted to share before we close.
57:05
Uh, thanks so much, and I really enjoyed it, Especially the story about
57:08
the Riddick Bowe Holyfield fight. Uh, amazing innovation opportunity.
57:15
Uh, just a reminder that next week, same time we'll be going through the administration side. So really looking forward to that. Um, and
57:24
there will be a surprise guest, So looking forward to seeing everyone again.
57:29
Okay, we'll see you later. Thank you, everyone.

CISO Competency - Innovation

This is the first course in Ed Amoroso's Twelve Competencies of the Effective CISO, which focuses on the CISO competency in innovation. The habit of innovation is an essential competency for any CISO trying to navigate a variety of dynamic threats, risks, opportunities, and failures, so it is essential in an evolving business environment.

Instructed By

Ed Amoroso
CEO, CSO, CISO of TAG Cyber
Instructor