Too Much of a Good Thing

The one thing the current lockdown has taught me is that you really can eat too much chocolate… who knew?

Left to my own devices and without the distraction of a routine, regular work and people observing my unhealthy eating habits, my faulty brain tells me that more chocolate can only be a good thing and that I should continue to eat it until physical discomfort forces me to stop (in spite of my brain’s protestations.). It is an obsessive and compulsive behaviour that I recognise in myself, and do my best to contain, but it is a constant struggle arguing with myself that chocolate is not the most important thing in my life.

The same could be said to be true of many security professionals and their desire to roll out security practises to their organisations, implementing new procedures, standards, policies and ways of working that are designed to make the organisation very secure. They do this despite the protestations of the organisation itself telling them they have had enough, the new ways of working are too restrictive, difficult to follow and ultimately leave them with a security stomach ache.

This weeks Lost CISO episode talks about when too much security, like chocolate, is a bad thing.

This compulsion to think that security is the most important part of a business’ life is one that leads to users having security headaches all day and the business itself feeling slovenly, bloated and sluggish. (OK, that’s enough of the analogies.)

It is ultimately self-defeating, as users will do their best to work around draconian working practices, and the perception of a security organisation will be one of business prevention than vital service. I, and many others, have spoken about not being the department of “no”, but it goes well beyond just saying “yes”.

Agreeing to everything without thought of the consequences is potentially even more dangerous than saying no, especially in the short term. The vital distinction that needs to be made is that of a two way conversation between security and the end users and business. Finding out what is trying to be achieved is far more valuable than just focusing on what is being asked. Requests can be addressed in many different ways, not just by punching a whole in the firewall or switching off 2FA on the VPN, for instance.

In fact, this very conversation helps create even stronger relationships as it highlights two things:

  1. How seriously you take their request.
  2. How much you care about the organisation you both work for.

A great example of this in the above video is that of companies relaxing their security stance during the remote working ramp up of the lockdown. If the response was simply “no”, or even a straight “yes” with no consequences there would have been issues sooner or later. Working with the business, relaxing the standards for the initial growth and then methodically scaling and tightening the security once the initial growth is over is absolutely the right way to go.

So next time you feel yourself reaching for the chocolate wanting to say “no”, think beyond the the immediate consequences and how you can use security for the long term betterment of your organisation rather than your simple security stats.

And one bar of chocolate/security is always enough for everyone, right?

Do you need two re-align your security team to your business and don’t know where to start? (TL)2 Security has a proven track record helping security leaders and teams creat strtaegies and business plans that make real, competitive, differences to organisations. Contact (TL)2 to find out more.


Strategic Defense

Most people who know me will understand when I say I am not technical in my field. Indeed, I have often spoken about how a CISO should not be technical; that doesn’t mean a CISO should not understand technology, but rather that is not the focus of the daily job. So what should a CISO focus on? I often talk about “Powerpoint and politics” and have even heard that expanded to …” and people” which makes sense really. Interestingly though, I used to say it as a joke, and then it came true. Huh.

This weeks video from The Lost CISO series talks about how to build a strategy. Or rather, it talks about how to build the platform upon which to build your strategy. One of the biggest mistakes I see organisations and CISO’s make is thinking that a security strategy comes from the roadmap of projects they will be rolling out over the next 1-3-5 years. Sure, they may feed into a strategy, but they play a small part of it.

Building a strategy requires knowing where you want to go, and what you are supporting. Essentially, it is a vision of the future, so no surprises for guessing that you start with a Vision statement. If, like me from 10 years ago, thought a Vision Statement was a way for expensive pony-tailed consultants to charge thousands a day to simply tell you to “strive to support our customers in a meaningful manner”, you may baulk at this starting point. Fully understandable, but also cynical, and let’s not allow past bad experiences taint our new approach.

The reason I say this is not because I have a ponytail, expensive or otherwise, but rather because a vision is effectively a rallying point around which your security team can focus on. If they do not know what they are working towards, you and your team will be in a perpetual state of fire fighting and reactive work. It doesn’t matter how many projects you have in place, or roadmaps printed nicely on A0 on the design teams plotter; if you don’t know what you are working towards how do you know if you are succeeding?

Make sure you know what the company vision is as well, otherwise you might create one that is pulling in the opposite direction, which helps no-one. Thom’s Top Tip: If you can create a security vision without the word “security” in it, you will definitely be on the right track (although this is by no means mandatory). Your vision, therefore, may look a little like this:

Delivering competitive advantage through trust and transparency.

It’s pretty high-level, doesn’t mention security, and gives people on the team some key pointers on how to consciously modify their behaviour towards a common goal.

But a Vision by itself isn’t enough, you also need some business outcomes to be achieved in order to achieve this Vision. Think of 3-5 or so outcomes that you want to achieve in order to fulfil your Vision, then add a metric (how you know it is being achieved) and an outcome (what benefit does it bring?). You then have one element of your 3-5 business outcomes that allow you to plan work, focus resources and (you will be glad to hear) add to your roadmap. So, for example, here is a business outcome, metric and value in support of the above Vision:

Business Outcome: Frictionless and scalable business processes.

Metric: Higher quality and faster outcomes.

Value: Standardisation resulting in increased efficiencies including easier decision making and better use of time, effort and money.

Add some more like this, and you have a robust vision upon which to build your strategy. Now you can think about how you are going to be doing that because you now have a better idea of what you need to do to achieve the company goals, what resources you need (including skills), and more importantly how you want to shape the future of your security team, and more importantly, your organisation. The whole point of a strategy is to ensure that your future is not an inevitability you have no control over, but rather you can invent it to be what you want and need it to be.

Looking to take your security team to the next level of productivity and business engagement? (TL)2 Security can help you define, establish and operationalise your strategy and vision ensuring you go beyond just keeping the lights on, and actually providing competitive advantage to your business. Contact us to find out more.


The Runners and Riders of Lockdown

After over six weeks of some kind of lockdown here in the UK, and similar amounts of time elsewhere in the world, it has become very obvious to me that many companies out there are simply ill-equipped to deal with the change in lifestyle the lockdown demands.

By ill-equipped, I don’t just mean from a technology perspective, although we see some of that as companies reduce security requirements to get users online from home. What I mean is that culturally they are not equipped to deal not only with a workforce that needs to work remotely but also a market that is doing the same. Put simply; companies are struggling to re-gear their sales and marketing departments to this brave new world we find ourselves.

I say this because as an industry we are used to a plethora of in-person events happening where vendors can either have stalls displaying their latest products, or stages where carefully polished presentations and panels are put on for us to watch, learn and hopefully decide to buy their product from. Webinars and online events were there but were the distant, impoverished, uglier cousin of something live, in-person and your face. Indeed, just a few weeks before the lockdown I was at RSA Conference in San Francisco, where the very epitome of what I describe was played out for the world to see.*

Then suddenly, it all stopped. Conferences and shows were cancelled, events postponed indefinitely, and in many cases, the security product landscape just stopped. I understand why, in many cases, cash flow needed to be conserved in these unprecedented times. However, it very quickly became apparent that this was the new normal, and that the companies that didn’t embrace it would quickly become irrelevant. after all, if you can’t adapt to a few weeks of disruption, what kind of company are you, delivering products to an industry that needs to plan for disruption?

I watched “Have I Got News For you” in those first few weeks on the BBC, a topical panel show comprised of 5 people, and they did it by having the guests record from their homes.

Have I Got News For You, March 2020

It was different, the dynamic was… a little off… but the show went ahead, the jokes landed, and each subsequent show got better. In other words, the BBC just got on with it, embraced the change, and made it work.

The same needs to happen to many of the security vendors, as unfortunately, it is a case of remaining relevant throughout the lockdown, in the front of people’s minds, and showing that they can overcome adversity by delivering knowledge and information. Those that don’t do it, retract into their proverbial shells and wait for “normality” to return will suffer.

Also, let us assume that normality does return, whatever form that might take. Those that have embraced these alternative Zoom/Skype/Teams/Hangouts/whatever approaches may find they are just as valuable as in-person events and can operate both, side by side, now unconstrained by the lockdown and able to use film and audio in even more creative ways. Which company would you choose to work with in the future, the one who sat tight, and did little market outreach during the lockdown, or the company that continued to communicate with their clients and potential clients through different mediums, sometimes getting it wrong but continually innovating and improving. Which company has the better culture?

It isn’t even a matter of cost. The LinkedIn Live, Zoom, Webinar etc. technologies already existed and were invested in, just woefully underutilised.

The same argument also applies to work from home, as many organisations now realise that productivity isn’t hours sat at the office desk, but rather results.  Which organisation/manager would you want to work for? The one that never changes or the culturally adaptive one that is based on results and trust?

These are challenging times, but these are the times that are going to show many companies in their true light, and you can use this time to differentiate between them.

 

*I do love a good conference, and the benefits they bring to my peers and me are fabulous, in case you think I am biased against them.


The Art of the Presentation (Part 2 of 3)

You’ve created your presentation, now you need to practise. Or as the great Yogi Berra put it:

In theory there is no difference between theory and practise. In practise, there is.

Almost certainly in the early days of your presenting you will need to practise a considerable amount. There are two main reasons for this; firstly you will be presenting your own unique content for the first time in an open forum like a conference, which means you will need to be absolutely sure of what it is you are going to say to ensure you don’t come across as someone who is less knowledgeable than you are. Secondly, you will almost always be nervous. How quickly you overcome your nerves will vary greatly from person to person and a variety of other factors. For me it took just over two years before my nerves stopped kicking in to the point where they were visible.

The key to coming across confidently is to know what you are going to say right from your first sentence, all the way through to your last sentence. You also need to ensure that you don’t learn every single word of the talk parrot fashion. Unless you have a gift for remembering dialogue (in which case you will sound like you are simply reading your verbiage), you will have to employ a few tricks to get around this…

The Opening

Firstly, practise your very first sentence, and make it snappy and to the point, and impactful at the same time if you can. Don’t drone on about how happy you are to be here, what your name is,  thank you all for coming, I hope you like my talk, how you can’t believe you are stood in front of such a talented crowd at this amazing conference etc.. I recall practising in front of a good friend, and before I had got halfway through my introductory sentence he bellowed:

BORRRRRIIIIING! YAWN 

 

His point was that people weren’t there to hear your platitudes, they are here to get their money’s worth and listen to what you have got to say, so just get on with it. Additionally, if people want to know more about you personally they will either read your bio in the conference agenda, or look you up after the talk. Do not spend five minutes establishing your credentials as not only can it come across as egotistical (except in very rare circumstances) but erodes your impact as a confident and knowledgeable speaker.

Slide on the slides

The second trick is to use your slides as a prompt for a train of thought rather than using them as an aid to specific sentences you want to remember. In the first blog on this topic I mentioned using imagery as much as possible; avoiding the use of bullet points or long sentences as much as possible means you won’t be tempted to rely on the text for what you are going to say. Try to sound conversational, and while practising do consider filming yourself or at the very least an audio recording. Running through it a few times will help embed a few key phrases in your head you can move between, and also give your imagination a chance expand further on your thoughts. Having a few Tweetable length phrases ready to roll off your tongue is a useful way of making an impact with few words, as well as encouraging people to potentially tweet your quotes during the talk (an increase your audience). Don’t forget your “story” or the beginning, middle, end structure either.

Variety

This point is also an opportunity to practise varying the tone and pitch of your voice, the use of your hands and even how you want to move around. Practise slowing down your talking , and possible even lowering your volume (more easily achieved if you are going to be using a microphone), when you want to emphasis something of critical importance. You can also speed up and become more animated on sections that you find exciting, fun or revealing. A little bit of humour thrown in as well helps, but be careful here, especially with an international audience. Test it on colleagues and peers first.

The Close

So you have made it through the deck and you are on your last slide; before you know it you have finished your presentation. how do you finish? “And, um, that’s it really…” is not the way to go. See the first point and memorise a closing statement, something straightforward, and again, snappy. “With that, I will close and thank you all for your time and attention. I will now take questions” is a good place to start. Don’t be afraid to make changes to the deck and the story as you go through either; they will evolve as you become more proficient, and the deck should not limit your message; the message dictates the deck.

How often should you run through your deck? In my early days I would practise at least five times, recording it a few times, and often in front of a critical friend or two. This is a very real time commitment, so be aware and plan it into the creation of your presentation to meet your deadline. As you get more comfortable, you will be rehearsing the presentation as you create the deck, and after a few reviews will know what you are going to say (roughly) with each slide and each transition.

Patience

Above all, be patient with the process; like anything it takes thousands of hours to be proficient at something depending upon your natural ability, the circumstances and the topic in hand. If you are not having fun, ascertain what part of the process are you not enjoying? Very often, I talk to people who hate the entire process, including the presenting, until immediately after when they get such a rush they want to do it again. if that is the case, the painful parts do get easier. Also, make sure you find someone who will honestly critique your presentation either in person or after watching a recording. Take their viewpoint very seriously, and if they are a serious speaker then all the better.

So, if you are wondering how you can get to Carnegie Hall, as the violinist turned comedian Jack Benny once answered:

Practise Practise Practise!

Next time, The Art of the Presentation (part 3 of 3) – The Delivery.

 

Note: Look out for a new YouTube series from me coming soon, The Lost CISO!


The Art of the Presentation (Part 1 of 3)

In a post a few years ago I talked about The Art of the Conference, and what conference organisers can do to improve their conferences and make lives easier for their presenters. I was reminded of this post again recently as this is the sixth year that I am mentoring a rookie speaker at BSides London, and in my initial conversation with them I discussed a three stage approach to creating, practising and delivering the talk (the latter of which touches on the content of my previous post).

This post focusses on the first part of this process, the actual creation of the talk.

The Idea

This is actually the hardest part of the entire process (aside perhaps from actually standing in front of 200 people of course). In my experience many people try to not only come up with a wholly unique idea, but then try and explore it in too much detail. Given your talk will probably be competing against many other talks, the easiest way to make yours stand out is with it’s simplicity. Take the core of a topic, and honestly ask yourself what your view on it is; do you agree with it, if not why not, what could be better, what is your experience of it and how have you addressed it? By keeping it simple your audience will have more chance of remembering what you said. This process could take anywhere from minutes to weeks and weeks dependent upon your experience, knowledge and confidence. Don’t assume however that just because you have an opinion that everyone else is fully knowledgeable of it either; if nothing else you are bringing your own unique viewpoint.

The Creative

This is a point at which your approach may differ, but I have always found this the best way of actually inspiring myself and getting my story straight. I fill a sheet of paper with boxes (below) and then start to sketch out, not always legibly) the approach I am going to take on the deck I produce. I do this because it ensures I don’t write any actual prose on the topic; personally when I do this I find it very difficult to then pull myself away from the prose when presenting. It is a mental block of sorts of course, but this approach allows me to sketch out the story of my talk without having to get attached to a certain way of saying things

I try and avoid too many words as they are a distraction to the audience, and focus on high resolution images that help embellish my point or provoke an appropriate reaction from the audience. There are some very good books on creating slides for presentation that I have referenced, Presentation Zen and Slide:ology; I strongly recommend these to anyone who wants to up their game on the visual presentation side of things.

This approach also allows you to build a story; making sure your presentation has a beginning, middle and end help draw your audience in. What talk would you rather watch…

My talk is about a simple technology we used to allow someone to Tweet over a phone call.

or

John Doe is a man who was imprisoned on the flimsiest of evidence and with ludicrously high bail. He had restricted access to legal counsel and even family were not allowed to visit him. His entire campaign for justice was focussed around his significant Twitter followers, and given his elevated fame in his industry was where most of his support would come from. Here is the story of how we used a Raspberry Pi, two cans, a length of string and Python to allow him to live Tweet from his weekly phone call, directly and un-redacted, and ultimately beat the corrupt government that had arrested him.

Your approach needs to be simple, but that doesn’t mean it needs to be dull.

The Timings

Timing a presentation is very difficult, but after some experience I have found I can not only tell roughly what the length of a presentation created like this, but can also vary it in length, sometimes upon to 100%. The other rule of thumb is to dive the number of minutes you have by the number of slides. One slide for roughly every minute is a good place to start, but keep an eye out for when that number increases. Trying to cover more than one slide every 15 seconds is going to be very challenging.

The Takeaways

I often say that people will remember less than 30% of what you said less that 30 minutes after you have finished speaking. Not only is this where the simplicity of your deck is important, but also making sure you leave the audience with clear activities or advice on what to do next is vitally important. If you don’t do this, you will leave the audience somewhat nonplussed even if your content is great. As one close friend of mine said to me after I had asked for feedback:

It was a good talk, but I got to the end and thought “meh, so what?”

Your talk can be interesting, but if it doesn’t have a point, you will always be in the “meh” zone.

Next time (or maybe the time after), The Art of the Presentation (Part 2 of 3) – Practising.