Articles, News, & Discussion - Business Security Weekly #91

Coming up, Paul and I discussed the importance of telling stories, how we view our contributions to the team, getting the upper hand in a take-it-or-leave-it negotiation, and the importance of skills assessments. Plus and in the Conway rejoins Paul talked about intellectual property protection. Business Security Weekly starts now.

This is Security Weekly, for security professionals, by security professionals. Broadcasting live from G-Unit Studios in Rhode Island, it's the show where we explore the business of security to improve the security of business, your trusted source for actionable insights on leadership, communication, and innovation. Get ready for Business Security Weekly, brought to you by:

Do you have a website, an external presence, employees, an office? Any of these things can be compromised and attacked. How are you defending your assets? Have you penetration tested your public assets? Start 2018 by taking a proactive approach to securing your vulnerable areas. Black Hills Information Security has been helping companies find their weaknesses since 2008. Email consulting@blackhillsinfosec.com and see how they can help you sleep better at night.

Are you getting pressure to improve your data security? Would you like a faster, easier, better way to patch? Then you need to check out Automox. Automox is a cloud native platform that patches and manages every endpoint, even remote servers and devices, including Windows, Mac, Linux, and third-party software, from a single dashboard. Improve your cyber hygiene, reduce your attack surface, and save 90% of the effort you spend patching. Automox, your patching system of record.

Today's determined attackers easily bypass even the most advanced network defenses. Trying to ramp up staff to detect their backdoors can cost thousands of dollars and take months, even years. With Active Countermeasures AI-Hunter, we enable junior analysts to detect even the most advanced backdoors in a matter of hours. Sign up for a demo and purchase our product today by
visiting activecountermeasures.com /v SW. Active Countermeasures: make every analyst a hunter.

Hi everybody, and welcome to Business Security Weekly, episode number 91. We're gonna record this on Monday, July 9th, 2018. Well, we're recording part of it on Monday, July 9th, 2018. This is the show where we explore the business of security to improve the security of business. Our goal is to be your trusted source for actionable insights of leadership, communication, and innovation. I remain Michael Santarcangelo, your straight-talking guide to elevate performance and accelerate results, and joining me from G-Unit Studios in Rhode Island, your friend and mine, Paul Asadoorian.

Hey, what's going on, Michael? It's good to be here.

Every time I read G-Unit Studios, I didn't understand it for a long time, and now I've been in studio, I understand that it's appropriately named because you're in the G unit, but then I always go back to, like, old-school rap, right? It was a G-Unit, so 50 Cent. I love how you, uh, you work all this stuff out, ran, it's fantastic. That's a, you know, there's a great, speaking, that's kind of interesting: in preparation for a talk that I might give, I've been looking at hip-hop, and, you know, there's a cool story about the business side of it and Dr.
Dre and, oh yeah, pretty soon he's gonna be, if not already, like the top grossing hip-hop artist of all time, and that story's pretty, pretty amazing, dude, pretty amazing. Yeah, and looking at the business side of it, I think there's a lot there to take a look at. That'll be fun. Well, I hope you do the talk.

We continue and we roll on with our summer. So just as a quick reminder, if you're picking us up here, we are exploring ways that we can give you everything you want in the timeframe that you want. What we're seeing so far from some of our initial efforts on, and looking at the stats and looking at engagement and stuff, is that most of you are craving something in the neighborhood of 50 to 60 minutes. So we're trying it out, we're trying, we're tightening some stuff up, and we're gonna continue to work on that programming, and you can always give us feedback on the parts you like, things you want to see more of, and how to make this better for you. One of the things that people do enjoy is the article discussion, and so Paul and I are going to break down a couple articles here with insights. And so what happens, just to remember, when I pick these articles, I'm not looking at stuff that's necessarily the latest and greatest because it's just happened last week. I'm looking at things that give us insights into how we lead better, how we communicate better, how we make those decisions, and even when we look at things from a start-up perspective, we're still thinking about the way then that a lot of us in our teams is, we're growing, and the challenges are pretty similar, and a lot of what we do applies, and where possible, Paul and I try to break that down and share that out.

So this will come as no surprise: the Harvard Business Review, and I try to limit these, those of you who are on the free subscription, if you're registered you get six articles a month, otherwise you get three, so I try to limit this and we don't get too crazy here with everybody. Technical experts need to get better at telling stories.
Now, I'm not a big fan of the punch in the gut strategy, so this, and in fact, I think I've shared, I know I've shared this with Paul, a number of years ago when I really started focusing on helping people communicate, I got really excited that I was making a difference. I developed a framework, I had taught a couple classes, I showed some models, but I'd go to people, Paul, and I'd say, "I can help you get better at communication," or "I could help you communicate value," but whatever I'd say, if someone says it to you, how does that sound? Like, what do you, what are you hearing when, when they say that? Because I'll tell you what surprised me about it. It means, sounds good, right? But it also sounds like you suck at communicating. Yeah. And, and so the most common answer was like you just said: "Well, that sounds great, I know a lot of people that would benefit from that." And if I said, "Well, you know, how about you and your team?" "Oh no, I, I think we're pretty good, I, you know, I mean, thanks for asking." Here's what changed. I then spent about three years really looking at, well, how could I assess communication? And this was around the time frame whenever we said, "Well, you need to be an effective communicator," and I'm the guy going, "Cool, what's that mean?" And they say, "Right, well, what of what you need to do is over communicate," which, by the way, worst advice ever. Just bought and re-watched the Tommy Boy over the weekend, right? I mean, it's kind of like, you know, I could take crap on a box, put a guarantee on it, all you got is guaranteed box of crap. We talk about that a lot with automation. If all you're doing is over communicating, but the substance, the style, the manner in which you're communicating is just creating friction, all you've done is create a lot more friction, which means you're going to burn people out faster, disconnect faster, all these different types of problems. So here's the point why I included this, because I don't like doing stuff that I feel is kind of slappy in the face, yeah, you need to get better at
telling stories. That, the idea is this: if you're in a technical field, you're probably really good at that technical field. The time it takes in to be really practiced at the craft of communication is certainly possible, but it doesn't seem to be something that's there. And I think what's important about this is a distinction that I learned when I started showing people a model. In fact, I didn't even finish that point. The point was this: when I came up with a model, Paul, and it took me three years, and I broke it down to, here, look for these three things and this will tell you whether it's, it's effective or not. Oh, well, then people wanted to see the model, and it would say, "Whoa, thought it was effective, but I see now I'm not." And I always say, "Can I improve the model?" They said, "No, that worked, it helped me see it better." It's the same point here. You might be really good at security, or even a specific element of security, which then means you understand that jargon, you understand the nuance, you understand the context, and those things for you become reflexive. This is not worrying about the curse of knowledge. This is just saying, when you go to communicate, the way you would communicate to somebody in the same situation, or the way that you commonly communicate, because you're giving directions, you're asking for something, you're just interacting with people, doesn't necessarily translate to the craft of how to tell your story. And so their point was, if you need to get help. Now, that'd be fair, there's not a ton great training on this. There's some really good books out there, and this is of course what we try to help people do with this book, and I think it's something that you can learn.

And certainly, absolutely, Michael, you are, you were part of that lesson for me. Jason Blanchard, works for SANS, was part of that lesson for me, in, around that time when I was kind of working on my storytelling. I was like, wow, this is stuff that people can learn. I realized that, and I think today, for me, Michael, it's
almost like a self testimonial, or a form of a testimonial. When you tell a story, right, you're putting it in context for your audience. Whatever, you know, goal you have, if you're putting your communication in the form of a story, it's kind of like a testimonial, right? In that it can be, right, and that can be nice to achieve a specific goal, right?

And, well, now that's the key point right there. The way I would say it slightly differently is, we're trying to translate something into an experience, right? Stories are about experiences that someone else understands, and therefore we achieve whatever that particular goal is. So you'll often hear people say, "Well, as people, we're wired for story." Yeah, true, absolutely true, but that doesn't translate to "so therefore we know how to tell a good story." I learned this lesson through, and I've got, I'm sure I've told this before, but when you do improv or you do stand-up comedy, you do need a subsidy about you just do writing, what you realize is it's about editing, right? It's not so much the writing, it's the editing. It's getting down to the brevity, and it's getting down to just the essence of what people need, no more, no less. All right, it's like least privilege, but for communication. There's an art form to some of that. That's why some people are really good at this, but yeah, you can learn all of this type of stuff. I pull to see people are just better at, I mean, I think Johnny Blaze was telling me that Dave Chappelle got fifty million dollars for, for stand-ups. Yeah, that Netflix, three stand-ups. Three stand-ups, fifty million dollars. Dave's one of the best storytellers, and what I think is fascinating about that is, think about how data-driven Netflix is. Yeah. So they understand how that's either going to keep subscriptions, create subscriptions, or otherwise generate revenue for, like, they can tell you why that was worth it, and trust me, they're gonna measure the return on that. But that's know when I was doing the research and the stories, and it's funny you put
this in here, Michael, when I gave my talk at the social engineering conference, like I usually try in front him I talk with some type of story that relates to a point or goal or an outcome that I want people to take away from my presentation. Yeah, get their attention, put things in context, right? Ain't have one for this conference, so what I did was I talked about a story that I really liked, that I kind of drew inspiration from, and encouraged people to tell stories, you know, in the front and your presentations, or just use that in a general communication format. So I really, to me, one of the greatest stories that I've heard, and it's very popular on the Internet, is Bert Kreischer as The Machine. I mean, the way he tells that story, not only is it funny, but it's absolutely brilliant. I mean, it is masterful how he tells that story, and I really drew inspiration from that, and more of the art form that you talked about, Michael, right? Like, you know, from you I learned the, the making some of the mechanics, right: characters, conflict, resolution, right? Yeah, some structure. Yeah. And Jason too had like a different take on structure, so I kind of merged those two together. Well, Bert adds, like, flair and art form and style, like, wow. Wow, the usual lately triplet, mm-hmm: structure reveal substance, and then substance gets delivered with style. And he's like, you get visual images as he tells the story. So I really learned how I told, well, right, like how you tell the story should conjure a visual image in the person's mind, and that's really important for them to relate to it. He's got, he's at an advanced level, and I love this, he tells the sub story that then relates back to his main story to reinforce a point. Yeah, and callbacks. Yeah, he's, there's a lot of advanced stuff that he's doing there. That was fantastic, and it's great to study those, right. Now, I talked to somebody last week who had been in the very first communications class that I offered 15 years ago. He could still remember the examples that we used
and, and the stories that I showed of professionals who do this exceptionally well. That's always going to be the trick in this, is, so then who do we pattern after? In the answer a school look at people who are professional communicators, people that have really studied it, but then don't say, "Okay, I want to be like them." Go say, "What did they do, and what did I like about it?" Right? That's the gesture from the substance. And unfortunately I can't really turn it off anymore, Paul. Like, if you and I went to an event, I'm probably gonna spend at least 50% of my time breaking down their structure independent of their substance and then figuring out where it goes, right? That's the breakdown concept.

Here's the two things I picked off of this I think are worth reinforcing. First one is, be plain in your language. It's the Hemingway approach. Be plain in your language means people can understand it. I think there's a misnomer, and they call it out here too, because what we do is so technical, and we want to be technical, and we want to be precise, and we want to be correct, and I want to capture, yeah, it ends up getting really confusing really fast, and we use these really complex sentence structures. And although that might work, you know, if you're, you're writing a novel a hundred years ago, the, the functional reality is that people right now prefer simple. You can be formal or informal, you could be conference, it's, that, the voice is not what I'm talking about. It's the time to distill those concepts. And this is the paradox: when you distill it down, I don't mean dumb it down, but when you, when you take that time to translate it and to simplify that message, it actually enhances your ability, doesn't diminish it. I always like to point out, if you're the smartest person in the room, and you're acting like you're the smartest person in the room, and no one else recognizes that you're the smartest person in the room, are you actually the smartest person in the room? And, and the other thing on this is, one idea at a time.
We, we make this mistake a lot in technology: I want to give you all the things. I used to call it, I still call it, the perfect message fallacy: if I just push it all in front of you, you'll pick what you want out of it. No way. Think about the foundation, think about the journey, right, all the stuff we talked about with marketing and everything else. What does everybody need to know? What do they actually know? Okay, cool, start there, and then when you get that concept communicated, then you can come back, you can communicate the next, and then the next, and then the next, and, and it's, it's break stuff down to the smallest pieces. Sean D'Souza does a great job of this, and he does a great job teaching us how to do this. Absolutely. Well, he spent a lot of time in the first story. We sure did, so faster.

The other one, this, overestimate my contribution to the team. I think it's important. We're in an age where we're burned out, and we're in an age where everybody's busy, and, and as we talked about on BSW 90, that there's some attention residue, and there's, there's a penalty for task switching, and there's all sorts of stuff there that happens. So what I thought was kind of interesting was that our friend Tomas here wrote about overestimate his contribution, and he basically says, he boils it down to this: I know all the time I put into it, I know the trade-offs I made, I know the decisions I made, I know the sacrifices I made, and all I look at it with everybody else is, I don't know what any of that is. And, and as a result of that, it's easy to state, "Well, I did all the work," "Well, I'm the difference," "Well, I'm the whatever, when are they gonna do it?" And everybody else is looking at, it's kind of saying the exact same thing. And his point is, stop for a second, look at it from their perspective, ask them questions, understand their reality, and then think about how you better improve your communication as a team to, to appreciate the different things that people are going through. I'll tell you right now, this is a big deal
with a lot of the teams that I'm working with. Not so much that they're overstating their contributions; it's that we get so locked down in what we're doing that we're not always aware of what our colleagues are doing. That not only means that we've got gaps, it sometimes means we're not working efficiently because we're overlapping and duplicating efforts, and that's frustrating.

Yeah, no. Black Swan are Never Split the Difference folks. I love this, that they do some blog post, and this is what they actually sent out, they sent out recently, and it's something they wrote it before, and it lays out the details really well. So this is, this is worth, again, this, this book is worth reading or listening to. This is worth taking a look at as a good reminder, and what I really loved was this no-oriented opener. So the idea here is, and if we think about some of the ways that the book worked, it basically said, you know, stop with this false yes, this, this Fisher Getting to Yes. Yeah, that was neat in the 70s, but now we're so conditioned for yes, yes, yes, yes, yes, that we either don't trust it or they're false. Instead, you kind of want to get to a real no, not a fake no, but a real no, and you kind of want to let people have some comfort with saying no to figure out where you really need to focus. So he's saying, all right, so somebody says, "All right, so I know this is a deal, take it or leave it, you know, I'm not, not negotiating with you," whatever, like, what do you do? And I loved this, this first one, I think they call it the no-oriented opener, and you ask, "Is it disrespectful if I asked to clarify a few points?" And what's interesting about this is, it's, you pretty much want them to say, "No, that's not disrespectful." You actually want that no, because if they say, yeah, they'd be disrespect, the point here is, if they go, "Yeah," okay, then now you know you're dealing with, right? Okay, you're protecting. But, but most of us would probably say, "Well, can I ask a few questions?" Matt no go differently, say, is it disrespectful if
I asked to clarify? No. It's confusing because I'm not expecting, there, makes you realize how powerful that no response is, isn't it crazy?

For me, I looked at it, when you were describing this, Michael, from this lens, right: when your marketing and sales deck for your security company leads in with, "While all these companies are being breached, and this is a problem," and you're like, "Yeah, yeah." Like, the dismissive yes is kind of dismissive, right? Like, it doesn't really make an impact when you see that slide at a marketing sales deck. Today, as a security professional, you're like, "Yeah, okay, but, like, really, what's the value?" Right? Now, how you flip that into getting a no response out of, you know, I mean, there's a lot of different ways you could go with that potentially, but I think just realizing that that yes response is not as impactful, powerful, as you believed it to be is a good starting point.

The other thing I liked on this, he's got, they list out four points, but I just wanted to pick three. They talked about using labels, but, but the approach to the label, so in labeling is really important, right? It's, it's, it's labeling something here, but what he said is, it's also the tone of voice that matters, and in this case you want to be deferential. So, so the example is, "It sounds like there's no movement on any of these points." Right? Now, you can say, like, "So it sounds like there's no movement on any of these points." Right? Okay, that's just, that's confrontation. They could say, "So it sounds like it's not really movement on these points, not, not, there's not really any space we can go on this." That's it, and then, and then this is the key, right: go silent. Let them answer, let them figure it out. The other thing to do, I, I like this in it, I think the key here is, so he's closing it again with label and a tone. Tone is generosity. I, I see it where it's, it's so false, is sickly-sweet. I really recommend practicing true, genuine, generous, like, really learn to ask somebody, because then, you know, if it's not really working, you could
say, "Well, you've been very generous, it looks like there's nothing more here you can do, thanks for your time." And, and if they can, they'll say, "No, no, no, I can still," you know, and if not, I can't.

I love labeling it, because it's kind of like, if you're a technical person, and we talk about labeling, right, it's kind of like you're your QA test or whatever, right? Like, you have to be right when you label something. You want to label it to see if you really understand that, that person's perspective, right? And that's what I love about labeling, is it allows me to understand, because a lot of times, and if you ask people directly, they're gonna be coy about things, but if you've that label it, that's gonna elicit either a no or a yes, right? Like, either you labeled it right or you didn't, and maybe you intentionally labeled it wrong to, like, get that off the table, like, okay, that's not what they're after, right?

Yeah, you could do that, you could, you can mislabel something intentionally, they just kind of evoke or provoke a reaction. This is also where stories come back into play, Paul. Once you've labeled something, if you're trying to get to an understanding of, what I call navigating the mutual understanding, um, you can do what I call story swapping. So you could say, "Well, I'm kind of seeing it this way," tell a story, fast, tight, like minute long, and have them either say, if you have kids, kids do this naturally, and you'll listen, you'll say, "Well, it's kind of like that, but it's more like, do you remember the time we borrow," "Oh, so is it like that?" And eventually you go, "Okay, yep, we're on the same page." It's the same thing with adults, and, and that gives you that ability to do it.

The, this next article here, I really liked this, because, now, you have to read it because the title on it's misleading. It says "How and when to inform your team of major developments in your business." Really what it's driving is how transparent should you be. The reason I put this in is, and I love this as a trend, we're seeing a lot more security
teams: "Okay, I get it, we can't be no anymore, we need to be more transparent, we want to make decisions that are auditable, we want to show people our thought process, we want to invite them into it." And so what that does for a lot of people is they say, "Well, then I'll be transparent about everything." And what this article says is, yeah, hold on a second here, there's a spectrum of transparency, and you, you want to be committed to, in fact, I like this, I'm gonna read it, I'm gonna quote it for a bit, verbatim: "Leaders must remain committed to the truth while also respecting the fact that the truth isn't always what it seems. This nuanced understanding is vital when it comes to determining just how and when to communicate with your team." Yep. And basically the point is, you don't want to go so fast that it's not accurate. Like, the way I would look at it differently is, you don't want to get swept up in the emotion of a moment. You actually want to be that cooler head to say, let's go take a look at it, let's make sure we understand it. Yes, I will act decisively. Yes, I will communicate with you clearly, right, not over communicate, maybe, maybe not effectively, but I will, I will be transparent with you. Let's go make sure we can be transparent about the right stuff. And I like that, and that's why it says don't share information in real time: it almost always is incomplete, not always accurate, oftentimes lacks context. You want to be complete and have context before you share with people, and in it, it doesn't always go the way that people want it to. The other thing it says, though, which I really liked, was, you know, be careful with rumors. Like, if you hear the rumor starting up, you've got to stop it. Like, if a rumor gets out of hand, that's a bigger detriment than not. So there, there is a balancing act in, like, at what point do you step in on a rumor. I think, Paul, you and I've been doing this long enough that the answer is, you learn after the first couple times, because you step in too fast or too late, and
eventually it's Goldilocks, you can figure out just right. Last piece that they like, and I'm curious your take on it, is look for facts. So instead of talking about what you think or how you feel, just give me facts, give me evidence. Listed out: we observed this in this context. Now, you can interpret it, that's cool, I'm good with that, but start with the facts. Start, you know, just the facts, ma'am, right now, and lay it out. How do you deal with, how do you deal with some of the timing on this?

So I was just thinking of, when you said use facts, right, are a recent testimonial that we generated, which I just added into the sales deck, by the way, Michael. So, inside baseball, listeners don't hit, basically we collected some testimonials, I like you to review them specifically for that, right, because there's a really nice fact in, you know, what we're hearing from, to speak on Security Weekly for a moment, what we're hearing from our partners is, when they come on the show and they do an appearance, that there is a relatively short amount of time that goes by before someone is interested and moves to purchase. I'm like, wow, that's really powerful, and we got to talk about, like, how we do that. Like, I don't know, I just sit around and talk to people, right? And that's, you know, a strategy, isn't, it's more strategy behind just sitting around talking to people, but that casual environment, I think, is, it's useful. But having that fact is a good starting point, right, to start having those conversations about value and backing up your value proposition. And so I like, I like using facts, but yeah, right, in helping and help with the interpretation – I'm gonna come back to what I said before, right: structure, substance, and then style. Structure is what lets you be transparent even though you might have to wait and figure out the substance, or structure helps you get the substance you need to communicate. Back in the years that I've figured out how to do this, by introducing a simple structure like the Straight Talk framework and
making sure everybody's comfortable with that structure, now your substance can ride over it however you need it to, whenever you need it to, et cetera, et cetera, and that, that's Club tends to go really well.

So, last piece, and again, this is something I'm seeing everybody do, so I put this out. It's a fairly long, well, fairly, it's a longer article than we're gonna cover it, when it talks about building a skills inventory. The reason I think this is so important is, when we start looking at the, the perception of a skills shortage, or the perception of a shortage in security overall, a lot of people, I talk to them, when I say, "Well, what are you hiring for?" why need someone's security, and you read somebody's job descriptions, and it's stuff that doesn't exist, or it's combinations that are not really typical of career paths today, or just, it's outlandish.

I think the experts are the ones that there is true, maybe not so much a shortage, but there's only a certain number of experts. In Johnson III, I thought, had a great conversation about this, and John really put this in context, because he works with a lot of different organizations in enterprises and enterprise security teams. He's like, "Look, dude, in a lot of organizations," he's like, "you know, I can pinpoint the expert right away. Like, that's the person that came up when there wasn't a security team, right, had some other scalers, has been building it for 20 years, and they're an expert. But guess what, there's only so many of those experts in security today. So how do we enable the mid-level and the junior people to be effective so that the expert can still practice their trade but be effective?" You drew the line, and he said, "Look, a lot of organizations have this expert, and they drop that person in a lab, and then, like, yeah, go play with stuff." He's like, "Nope, the expert has to be aligned to the business objectives and also help enable the middle and junior folks to be effective at their jobs as well." I thought it was laughs, you know, the they on the head, right?
Yep, no, he's got it exactly right. Everybody who tells me that they've got a challenge hiring, I always ask, "What's your development program look like?" And they go, "Well, I don't have one." That's why you're having a problem hiring. Everybody who doesn't have a problem hiring, they can tell me what skills they were hiring for, how they knew that person would fit the team, and how they were going to advance their development as, as a contributor to the team. They, those people, Paul, consistently don't have a problem finding or hiring anybody. In fact, they get, almost as many people not telling me, "Is it really a shortage? Because I've applied for a bunch of jobs and no one's even calling me back." So here's what I think it comes down to then: so what's your team capable of, right? And this is a skills inventory. So it's not an aptitude, this is not an attitudes and beliefs, this is a, what is, what skills do they, what skills does your team currently have, and then therefore what skills do you need, like, where are you overlapped? So for example, if all you've done is hire people that have pentesting experience, that's awesome, but then does that give you your compliance or your governance experience? It might, depends on their backgrounds. But so you need to take a look at what your functions are as a team, and then you've got to match that up – it basically says, and it walks you through, right: go through, inventory the skill sets, then organize them so you can make sense out of them, analyze what you've got, and then make a plan. That's where I would start. So if you think that you've got a skill shortage, cool, but the more clear and detailed you can be on where that shortage for you is, the better your plan will be – to stop it up, to get the right people and for it, or to develop for it. But I, I'm completely in alignment with John. I don't think that what we have so much as the skills problems, we got an information-sharing problem, it's a misalignment. I think we have, up, we have a miscommunication problem. Yeah,
misalignment, miscommunication, on, uncertain expectations. You know, if I ask somebody today, "Generally describe for you what a CFO does," or "Generally describe for me what a CEO does," or us the chief marketing officer, or what is the head of sales do, we kind of know. So, cool, what's the CISO do? Yeah, we don't know yet. We're not, we're not that, well, doesn't know, I think maybe five, ten years ago that money, yeah. Yeah, the more common answer, I think, today, that's gotten a lot better. But what, it's funny that you bring this up, I'll just share what I started working on last week with one of the clients, is a model to say, so what does a business centric CISO need to look like? And, and we're specifically looking at how do we, how do we develop the capabilities in their business so that everybody can still be as technical as they want but can interact and collaborate with the business. But they've got a couple people that raised their hands and said, like, "I want to be a CEO someday, how do we get there?" Yep. We're looking at building that pathway out, because it's for precisely that. But what I'm looking at then is what everybody calls the soft skills, that usually make me cringe, but that's, I'm looking at how do we build a business centric function in security, which is a welcome change. So that's what we got.

All right, well, so we're gonna take a quick break, which is a good chance, check us out, securityweekly.com. You can sample our shows, check out the on-demand content, you can interact with those, let us know what's up, and when we come back, and the Conway is gonna join Paul, they're gonna discuss intellectual property protection.
