Challenge Accepted is a new podcast from Arctic Wolf that has informative and insightful discussions around the real-world challenges organizations face on their security journey.
Hosted by Arctic Wolf’s VP of Strategy Ian McShane and Chief Information Security Officer (CISO) Adam Marrè, the duo will draw upon their years of security operations experience to share their thoughts and opinions on issues facing today’s security leaders.
In the inaugural episode of Challenge Accepted, our two hosts dig into the findings of the most recent Data Breach Investigations Report from Verizon, discuss key takeaways that security and IT teams should implement, and encourage businesses in need of security advice to talk to a source many may not consider….the F.B.I.
Take a listen to our debut episode:
Subscribe: Spotify / Apple Podcasts / Google
Ian McShane 0:04
Hello everybody and welcome to this, the first or the pilot episode of the Challenge Accepted podcast, here’s where I’m going to be having conversations with people in and around cybersecurity. Or if you’re old like me, maybe you call it InfoSec and general security operations things.
My name is Ian McShane. Hello, I’m the VP of strategy at Arctic Wolf. But wait, hold on there. I’m not here to give you a stealth sales pitch that you’ve come to know and love or hate and loathe maybe from other vendor related podcasts. Really, I guess, I want to be a polymath. I just like talking to smart people and learning as much as I can from interesting people with interesting points of view, on topics mostly related to security. And it also gives me a chance to jump on the jokey cool guy bandwagon and say things like, ‘smash that button and refresh those feeds’, and other fellow kids type sayings.
In today’s episode, we’re gonna talk about Verizon’s data breach investigations report or DBIR, for short, and it feels like every security vendor and their dog has some kind of annual report. Right, there’s M-Trends from Mandiant, which is great. There are tons of companies, AT&T, Accenture, IBM X for Cisco CrowdStrike. And, of course, sponsored content that companies like Samsung and Ponemon put out, but very few of them provide useful levels of context. So perhaps even fewer give actionable guidance along with their insights. And that’s really one of the reasons that the DBIR is probably the one I look forward to most every year. And one honestly that every security researcher or security vendors should aspire to contribute to, it’s not a ‘hey, look at how great our company is.’
It’s not how you should have bought our next gen cyber war AI preventing XDR tool to avoid these threats kind of sales pitch. It’s a detailed look at the risks our industry is tasked with addressing and it’s written in a really approachable way. That avoids the usual tropes you associate with security vendor marketing.
Now, today’s episode, I’m joined by, well, I was gonna say the word ‘guests’ here, but honestly, this person brings way more intelligent things to conversations than I do. So I’m gonna go ahead and promote him to the lofty heights of today’s co-host, who is Arctic Wolf’s, Vice President and CISO, Adam Marrè, and I honestly love how varied people’s career paths can be. And Adam brings things like video game development, intelligence work with the military, Special Agent in the FBI, and of course, hands on experience in leadership roles in security operations and cybersecurity.
Honestly, his resume reads like a bucket list of things I’d love to do. So it makes me pretty envious and, on top of that, Adam’s rapidly become the best CISO I’ve ever worked with. Right. And I don’t mean that as a slight against former colleagues, but his energy and commitment to securing our organization here is so infectious, and I’m genuinely stoked that not only he’s part of the Arctic Wolf team, but he’s on this episode with me today. So Adam, thanks for joining me, man.
Adam Marrè 2:46
Well, that’s quite the introduction, I’ll try to try to live up to that Ian.
Ian McShane 2:52
No pressure, no pressure. So let’s jump straight into the DBIR. I already mentioned, I love reading it, I feel there’s always something for me to learn or even just confirm what I’ve seen, or what Arctic Wolf’s customers have seen. For example, you always say like, go to any conference, holy cow. And you hear talk about like zero days, you’ll hear people talking about social engineering, but there’s so few vendors that talk about denial of service, right. And this is one of the things that was the biggest incident generator in the DBIR. So it’s always interesting to see how vendor marketing lines up with the real world. So clearly it’s not always aligned one to one, but it’s a practitioner, Adam and a leader of practitioners, I guess, how do you use the DBIR?
How to Use the DBIR
Adam Marrè 3:36
That’s a great question. And again, it’s, I’m super excited to be here. This is great. This is fun. We’re starting this podcast, and hope to be able to maybe join you for future conversations with interesting people. So really happy to be here. Great. Yeah, so that’s a great question. I think, unfortunately, I do think a lot of people grab the DBIR. And they jump straight to the graphs and try to find those headlines, and then either whip up a quick sales pitch or article or whatever it is, there’s so much great rigor, and information in this report, and especially this 15th anniversary, one, they really kind of went all out. And it really is written in a way. I mean, there’s references to DeLoreans and all kinds of things to make it fun and a topic that could be rendered dry, or can be really pretty ominous. It gives a flavor that makes it fun to take down.
Ian McShane 4:34
It’s just approachable. Yeah, everything you mentioned here is one of the reasons why I enjoy reading it because it’s not just dry stats, it’s not like sales pitch-esque like thing of, here’s this number. And here’s this weirdly unique phrase that doesn’t really mean anything outside of this company. Right? It’s something I think that everyone can jump into and learn something from regardless of whether you read it cover to cover or just focus on the bits that are interesting to you.
Adam Marrè 4:56
Yeah, absolutely. And one of the reasons I do recommend really digging into it is not just jumping to the pretty graphs, I mean, they do look really good because you really need to understand the rigor and the baseline from having worked in the intelligence community. This is something I really appreciate, they really take the time to define their terms, define what an incident is, what a data breach is, and they’re trying to use standards that we can all use across the industry.
So like you said, when they’re talking about denial of service being the biggest thing that we’re seeing out there, they’re saying that’s an incident, maybe not necessarily in the data breach, but it’s an all incidents all I think it was almost 24,000 incidents they’re talking about in the report, but they make that very clear. And what that does is it make it feel like the report is not cherry picked, it’s not designed to push a certain agenda, it really is a catalogue of what is happening out there, at least as far as they can see across the 24,000 incidents, and all the different agencies and organizations that helped them put the information together.
You can even see who those agencies are there at the end, one of the appendices, so just a really great report for you to come to and really feel like you’re getting a sense of what’s going on, you can take stock of what’s happening in the industry today.
Ian McShane 6:17
Yeah, it’s almost like a checklist to confirm that you’re focusing on the right things. Like I know, it’s always a look back. Right. That’s one of the things that I think gets lost in the mix is that it’s a look back. It’s not a prediction. It’s not what’s happening today is the stuff that we saw last year, but there are lessons to be learned. And maybe if you weren’t impacted by some of the incidents that they call out, number one, you probably were, you should probably go and look at them.
But number two, if you are lucky enough to escape it, it gives you the ability to go back and think right, ‘How did I manage to prevent that from happening in the first place? What do we need to continue doing? And how can we build on what we’ve got?’
Adam Marrè 6:53
Yeah, this is a really common question I get from people is how do you stay up to date? And it’s funny, I use this report as a way for me to check are my real time feeds really feeding me the information that ends up being true?
In other words, is my current picture, I can go back and say, ‘was my current picture throughout the year pretty similar to what’s going on? And some years it is other years?’ Maybe I was focused on an edge case area or something like that. But this report is covering the Solar Winds era. And so I think it really did dovetail with that but it helps me understand on my Twitter feeds, or the articles I’m reading, are those accurate? So it is a look back, but I think it can help you diagnose if what you look at throughout the years, the right focus for you and for what you’re trying to do.
Ian McShane 7:39
Yeah. Interesting phrase to use is like focusing on an edge case, because there’s no one size fits all in security feels like I use that phrase every day. So what might be an edge case to you might be someone’s bread and butter, like very much their main focus, nothing. So again, it’s using these kinds of reports in within the context of your risk posture, your security posture, right? Because, again, not everyone’s facing the same challenges.
Adam Marrè 8:06
100% Totally agree. Yeah.
Ian McShane 8:09
I mean, if you’ve ever attended any kind of vendor presentation, you’ll have seen like, he said, the charts look great. And they get reused, and the headlines get reused, and people write white papers around phrases and words. So all kinds of stuff gets pulled from reports like these, and there are a bunch of it. Right?
There’s also, I mentioned some of them earlier, but we get some from Sans. And I always hear stats about you know, Ponemon and IBM’s. Research, there seems to be the second most quoted one behind the Verizon one. But what reports do you genuinely pay attention to?
Like, is it all noise apart from the DBIR? Or is there some other diamonds hidden in the call stack of vendor reports?
Adam Marrè 8:47
Yeah, it’s definitely not all noise, I think it’s really just important to understand what angle the report is coming at, like M-Trends is going to be different than what you’re going to get from a CrowdStrike and Ponemon. And usually really focused on dollars and cents, you know, the economics of it, these are all important. And you just need to understand, I think the better ones really kind of tell you, ‘hey, this is what we’re doing. This is what we’re trying to do.’
And we’re not trying to be the Verizon DBIR which is sort of this bigger catalog. And so there’s a lot of these I use and will kind of depend on what I’m what I’m after, of what I’ll look to and even some, even some smaller, more niche players, you can look at their reports.
Another place I love to go though, is CISA. And the FBI and the Secret Service, I mean, they produce some great things and even though some people accuse them that their stuff comes maybe out a little bit later than everyone else’s, I know the rigor to which, you know, that is put into those reports. And I really appreciate that. And I also like to engage with those partners. And also I do have friends there so I can also ask them for some off the record or in their personal experience remarks too. So, those are some places I actively engage.
Ian McShane 10:00
Yeah, I think some of the work that CISA are doing right now, you know, I think Chris and Chris Krebs and Jen Easterly are doing a great job of leading that kind of almost leap to transparency, I say leap, because it’s going from the government almost say nothing to here’s a list of all of the known exploits that are, the being sorry, the known vulnerabilities that are being exploited, like their catalyst is great, and I’m starting to see other I was gonna call them nation state, but that feels like a loaded phrase these days. But other government entities around the world are starting to be more transparent as well, I think it’s a really, really great step forward.
Adam Marrè 10:34
Yeah, we’re really bringing organizations together.
I mean, in the United States, we have the MS-ISAC, which are the various ISACs, which are really useful when they’ve increased in use, I think dramatically in the later years. And it really is due to what you know, CISA is doing. And the other agencies, frankly, I mean, in my local area, and I know, where our headquarters is, Article headquarters is great outreach from the FBI and secret service that we can belong to.
I know those kinds of things are happening in other nations as well. I mean, there’s reports in a lot of places, I think the bottom line, the original question, there is just understanding what that report is trying to do. And it can be very useful. But if you use it, if you use all of them as sort of like trying to be the ground truth, it might not be that useful, or even misleading sometimes, but I don’t think yeah, I don’t necessarily think that’s people’s intention.
I think he’s coming from knowledge, knowledge sharing. So critical in cybersecurity, like you mentioned, the ISAC and stuff, is that something that you highly recommend everyone gets involved with is it feels like a no brainer. But is it something that you wholeheartedly would be like if your industry has an ISAC get involved?
Adam Marrè 11:46
100%, I mean, it’s only by us becoming more involved. And, I mean, this is where some of the transparency within the government came from, as people were demanding that, hey, we want this engagement can only help us out because we know this is a team sport.
Whether it’s on a SOC, as a team, or the entire industry as a team, it’s a team sport, we’ve got to help each other. And as we’re getting better at this, we’re getting better at our reactions, like seeing what happened with a log4j is amazing.
When you look back 10,15, 20 years, what would happen in the old days, you know, so? So yeah, I think it is a bit yeah. So yes, to your question, and not just them reach out, you know, during the United States, reach out to your local FBI office, your analogous organization and other nations, reach out to them, build those relationships, because once you build those relationships, information can flow both directions, in some cases, and it can be very helpful, especially when, you’re in that hair on fire moment, you’re in the heat of it. You already know somebody so I also you know, yes, join the organizations and form personal relationships. Big recommendation from me.
Ian McShane 12:54
That’s really interesting. I’ve never been an outsider to the US. I guess, I’ve never really thought as the FBI as being someone, you could just call up and say, ‘hey’, and talk about cybersecurity stuff. But it’s as simple as looking in the phonebook and saying, where’s the local office?
Adam Marrè 13:08
Absolutely. So one of the things I used to do as an agent is I spent a lot of as a cyber agent, I spent a lot of my time giving presentations at companies, and I would just cold call them or try to get introduced. And the whole reason I was doing this, I would give threat, threat landscape slash security awareness briefing. And, tell them some fun stories to keep it engaging.
The whole reason I’m doing this was so they could see my face. And they know, ‘oh, I’m not going to call the FBI, I’m going to call Adam when things are bad’, because they trust me, but they have to call in the FBI can be scary, right? Yeah. And yes, outreach from an organization to the FBI is always welcome.
Because they know forming those relationships is how things actually get done. So yeah, I was giving out cards, like as quickly as I could, you can get the card of a local FBI agent, cyber agent in this case, and just be able to reach out to them and say, ‘Hey, I got this and that’ and they’ll certainly take your call and help you triage that situation is this something they’d be interested in taking is, rise to level their investigative guidelines, things like that, or direct you in the right path to go to get some help with with whatever it is you’re dealing with.
Ian McShane 14:18
That’s super interesting. And is as straightforward as just calling them saying, ‘hey, I I need some help. I don’t really understand what I should be doing for cybersecurity.’ Like, let’s take the example of an organization that’s just come back from RSA and it’s just confused with all the buzzwords or terminology like, can they use the FBI as a sounding board for truth?
Adam Marrè 14:37
So it’s a little harder than that, because the FBI is not in a position to really be giving out guidance and direction on their particular set, but it could be something like, ‘hey, I think we’ve been defrauded, or we’re having a ton of fraud attempts on us. I just kind of want to bounce this off someone.’
You can get someone on the phone for that kind of thing, especially for talking high dollar, but there are in the United States, other organizations that can help you do assessments. The Department of Homeland Security has a whole division that helps with this and CISA, and others, where you can get someone to come out and help you look at your organization.
But I also know if you form these personal relationships, you can certainly bounce it off an individual and say, ‘hey, you know, what are you seeing,’ whereas they cannot speak for the Bureau? Sure, we can all be human beings say, ‘well, from what I’m saying, you know, this kind of thing.’ So, it’s definitely worth your time. I think given the size of your organization, what you’re dealing with, it’s definitely worth your time to at least build those relationships for all the different things you can get from it.
Ian McShane 15:40
That’s excellent advice. I would never have thought of that as a viable path forward. How crazy maybe that says more about my home country than it does about the US, I don’t know.
Adam Marrè 15:53
I was gonna say, worked with a lot of great people, from Great Britain and from Canada. And I know they have very similar situations with reaching out to them. So I would be surprised if it’s not the same. But again, it just, it can’t hurt, especially when you’re not in battle mode to reach out and form those relationships.
Ian McShane 16:10
Yeah, absolutely. Yeah, I know. I jest but you know, I know the NCSC had been doing some really great work, not following in the footsteps. Maybe of CISA, I don’t want to say it’s a follow thing. But they’ve been certainly at the forefront of translating what we do from a cybersecurity perspective under the hood and making a lot more transparency, a lot more guidance, frankly, which I think is great for organizations of all sizes.
So think about the DBIR. Maybe think about the agile industry, like the biggest challenges at the moment, or it’s got to be like ransomware I think that’s the number one like top of mind for everyone.
It’s no surprise that a big issue that’s pointed out in the DBIR and every other research paper or presentation that you go to. So with it being top of mind for everyone, with it being in the headlines every day, there was something mentioned today about an adversary group claiming to have managed to ransom off Walmart, which Walmart are denying, and all of these interesting stories that keep coming up.
Is there a way, as someone that owns this security strategy for a large company, Adam like, what’s the best way that you can prevent that organization from falling victim to it?
Implementing Cybersecurity Basics
Adam Marrè 17:23
Yeah, that’s a really interesting question. And I do think there’s a whole topic on ransomware, and how it’s become commoditized commodified. And there’s even specialization out there on how this is being conducted. That’s very fascinating to me.
You know, I was still working in the FBI when this was starting to happen. It’s amazing. And we’re seeing kind of the fruition of that now of just how widespread it is. But I think what’s also really interesting when you look at the report is, I think it’s important not to focus too heavily on one type of attack. Like, just focus on, we got to protect ourselves from ransomware. I mean, that should be a goal.
But I think it’s more important to when you approach security is really to look at the security picture, that can protect you against a lot of things, not just one type of attack. And I think that becomes true as you look at the whole report, because where do most of these ransomware attacks come from? I mean, we’re talking about exploiting vulnerabilities in desktop sharing software, right, like RDP, and things like that. And then many of them are involving credential theft, right? And to protect those two things, you’re gonna do a lot of stuff that goes outside of the scope of talking about ransomware. Right?
So I know a lot of people say this, but the thing is, it’s still true for us, as an industry, you’ve just got to go back to basics. Are you doing the basic things to protect your credentials? Are you doing the basic things to protect things? Like desktop sharing software? Are you doing those things? Do you have a backup strategy? Have you tested the backup strategy? If you’re not doing those things, and that’s going to protect you against a lot of a lot of different types of attacks.
So, to me, that is where I drive the conversation, when I get asked this question is, let’s go back to basics. And you know, what, it’s the same thing for random humans, right? Because that’s another thing that we’ve seen with ransomware. And the commodification of these attack tools is random human beings are also being ransomed. Right?
This is happening to people, not just organizations, but the answer is the same. Go back to basics, cyber hygiene, are you using a password manager of some kind? And the answer is probably no. That’s what I say when we get to a specific and I would love to talk about the specific vector here, but that’s my answer is you got to go back to basics. Are you doing the basics and I guarantee you, there’s something in there that you could do better, more fully The more completely if you really look at it,
Ian McShane 20:03
Yeah, you articulate it much better than I do. Like, every time I get asked about ransomware, I always say ransomware is the outcome, right? It’s not, it’s not the thing you’re trying to prevent upfront, right? You’re trying to prevent the symptoms of ransomware. You say basics, I like to say foundational, as you get back to the foundational elements of security.
One of the things that baffles me is, especially when you think about the consumer side of things, and identity theft is an example. Are you serious? It tends to be end users that suffer, right? It’s the consumers that suffer when there’s a data breach, because it’s their PII. It’s their social security number. It’s their stuff that goes. And every time the company in question pays for whatever the fraud prevention thing is of the day, when the reality is most of the issue is going to be around credential stuffing, right? The reuse that those stolen credentials.
So instead of saying, ‘Hey, here’s the fraud prevention’, why don’t they say, ‘we’re gonna pay for you to have a lifetime subscription to this password manager or that password manager. And here’s some guidance on how to migrate your existing account to that with a new password. And here’s why you never have to remember passwords ever again.’
Adam Marrè 21:15
Yeah, that’s exactly right. It’s interesting to me. And this goes back to human nature. But the CEO saying, ‘How do I protect myself against ransomware? They don’t want to hear the answer. Well, that password manager, you don’t want to use, you got to start using it right. And we got to get everybody using, they want some whiz bang, super cool thing that we’re going to introduce. And it’s going to solve all the problems. And that’s just not the way that it works.
We’ve got to do the basics, we got to, like you said, the fundamentals. There’s a really interesting part of the report that I think people could kind of bounce off of, or go around where it’s talking about vulnerabilities, and patching vulnerabilities. And if you read if you read through it, it actually says, ‘Yeah, we’re seeing a lot more people patching regularly,’ which is the good news. But there’s this long tail of people who are doing it at very varying degrees of success. And that’s where all the attacks are happening in that long tail of people not doing the right thing. And that’s another thing we’re looking at here with ransomware. And more we’re talking about the basics is people are like, W’ell, how is password management going to help us?’ Like, that’s not some whiz bang thing?
It’s like, well, yeah, but you want to be a group of the 80% that are doing the right thing most of the time and get out of the tail. That’s trying to get out of the tail and get to a place where you’re much more safe. And yeah, it doesn’t solve all the problems. It’s not all of the security all the time. But that’s why we talked about defense in depth. That’s why we talked about doing many of the right things pretty well doing, you know, 80% of the things 80%. Well, 80% of the time, that’s what we’re trying to do. We’re trying to get you in that area, get you out of the the Kill Box, wherever you want to call it, the zone where they’re attacking
Ian McShane 22:59
Zone of terror. Yeah. Like, do you think there’s an element of perfection being the enemy of good enough insecurity? Like everyone’s like, well, it’s gonna be too hard to do all of their songs or throw my toys out the pram and do none of it?
Adam Marrè 23:11
Oh, absolutely. I had this conversation all the time with people. A good example. And this is a little going far afield, more physical security around but wearing access badges, with the picture on and stuff like that? And people talking about this? I’m like, ‘is it doing something?’ Yes, it’s doing something, we need to do a collection of things that lead to a more secure total picture, and not over focus on each and every solution doing 100% of the good, right? And we can’t get everybody to do this right? Well, can we get 80% of the people to do it?
Can we get 90% that is limiting our footprint to a much smaller area. And let’s focus on the basics and make sure we’re doing the fundamentals to that level. And again, get out of that fatal funnel, get out of that long tail so that we’re good, right? We’re not perfect, but we’re good. But what we don’t want to do is be as bad or mediocre. That’s what we don’t want.
Ian McShane 24:08
Yeah, it’s so the phrase, faster than the than the other guy. Like when when a bear is chasing you, you want to be faster than your friends, right, essentially.
Adam Marrè 24:18
Yeah, and I’m glad we’re working on the better solutions, like password, those things and stuff that can improve us. That’s awesome. And while we’re on our journey there, let’s make sure we’re in the group where we’re safe. And be waving our buddies into the good area that hey, everybody joined up here. Because that will force the attackers to pivot and off the pivot to much more sophisticated methods if stealing emails and credentials isn’t going to work anymore, which is where they go now because it works so well. And it’s so cheap.
Ian McShane 24:46
Yeah, so I mean, the flip side to password managers is it frustrates me to say it’s like multi-factor authentication because it feels like everyone knows that MFA or two factor authentication is something that’s solves a lot of the credential stuffing: the password theft, the reuse of accounts in compromises, like it addresses that.
I’m gonna ask you a question. And I’m going to come back and tell you a story of why I think our industry is full of s**t sometimes, right? But why do you think it’s so hard for organizations to adopt MFA? Why is it so hard for vendors to enforce MFA in things like Office or Google workspaces?
Adam Marrè 25:24
Yeah, I’ll be honest with you, I have no idea why this isn’t just totally normal and standard for everyone right now. I don’t get it. But there’s this idea where people don’t want to introduce too much friction into someone’s workflow. And that’s where these perfect be the enemy, the good things come up, because they go, ‘Oh, well, someone can get my code and they put it into, why should I even do this?’ And it makes it more difficult.
And I don’t understand, I don’t get it, I have to really dig deep to get that empathy to really talk with the person listen, because it just doesn’t seem that difficult for me to set up these things that have huge security implications. And I think that’s the picture. We’ve got to tell people. You know, why it’s worth it, and why it needs to happen. But yeah, I just think people don’t want to do it. They don’t want to be bothered.
Ian McShane 26:17
Yeah. So the reason I wanted to ask that is because he had a realization maybe a month ago, that. I’ve got two kids, right? One of them is 12. One of them is nine, they both love this video game called Fornite? They play all the time, we play a lot. And inside this video game, you can earn things like skins or items that stay in game, you can also buy them, and you can also gift them around.
But what’s interesting, what Epic Games have done is brilliant, really, from a security perspective, to be able to participate in a lot of that sharing, and giving things around, you have to sign up for multi-factor authentication.
So my nine year old and my 12 year old opted in to this because they wanted to do it. So they know what multi-factor authentication is. They know how to use a multi-factor token. They know not to share their username and password. They know not to reuse stuff because they don’t want to lose all the best things that worked hard for in the game so that they are already in a security-first mindset. But can you imagine? Because Because Epic Games are forced that, they’ve said ‘It’s on.’ It’s a it’s a condition.
But can you imagine the fury of middle aged white accountants around the world if Microsoft turned around and said, ‘you know, what, if you want to send emails outside of your enterprise, then you have to use multi-factor authentication.’
Adam Marrè 27:39
Yeah, I love that you brought this up, because it brings up a topic that’s near and dear to my heart, which is security awareness. Right. Huge, huge topic. For me, I love it. A huge part of this is education. Right? And we’ve got to get the people who aren’t the quote unquote, digital natives, to get to a point where they understand fundamentally what’s what we’re trying to accomplish.
We’re not trying to make anyone’s life more annoying. We’re not. We’re not trying to make it more difficult. We’re not getting in the way. This is literally facilitating paying down money now, so we don’t have to pay more expensive money later when there’s a breach. I mean, the report says 82% of the incidents involve a human being, right?
Ian McShane 28:25
I’m shocked it’s not higher, to be honest with you.
Adam Marrè 28:27
I mean, to be honest, it probably is. But you know, that’s the one where they can really stand behind it. So either a mistake or social engineering right at present. And I think it goes to the same thing. It’s a great thing that Epic did, because they’re using that sort of that nudge that, you know, I’m not a behavioral psychologist, but that nudge that atomic habits type of a way of encouraging people to do the right thing in ways that are that go right into blends into what they’re already doing. Right? It’s not this tack on that’s coming from outside, it’s born inside, and it’s integral to what they’re doing.
Ian McShane 29:06
Another analogy. I mean, it’s like the carrot to do the right thing. Whereas I think, security, certainly cybersecurity and maybe all kinds of security really is seen as the stick to beat people that make a mistake with, right?
Adam Marrè 29:19
Yeah, when I do security awareness trainings, which I’ve done in the past, I always try to switch the fear, uncertainty and doubt and I’ll just address it directly and say, ‘Listen, I don’t want anybody to be afraid, uncertain. And to doubt,’ I want you to be totally certain of what’s going to happen. Here are the attacks, I want you to be certain that this is coming, right? I have no doubt that this is what’s happening. But guess what, if you’re prepared, you don’t need to fear right? So let’s prepare you and then we can get rid of the FUD. Right? So we don’t deal with that. And now you know what to do. And you know, the things that can protect you against all this potentially scary stuff that’s out there.
One of the great things I’m gonna say. And by the way, if you set this up right, it can actually make your life easier, and try to paint that educational picture. For people, because once they get that vision, oh, it’s so great to see people jump on and say, ‘Oh, I can be secure.’ And this can be better. This is great. I think it’s those that are resisting, but still don’t want to be educated.
And that’s why it’s on us as security practitioners, to lead with empathy, to come in and really understand people, and then say, ‘let me meet where you’re at mentally, or whatever it is in your personal security journey, and help get you to the place where you want to do these things, understand their importance, and can be a partner. And then a lot of these people become champions, the most resistant will become champions, once they understand and really get it there on board.
Ian McShane 30:39
You hit the nail on the head, right? It’s just who is communicating in the right way, it’s communicating with them as humans and not idiot users, like as many, you know, I’m sure many practitioners have uttered those words once or twice in their careers. I think it’s also important, and we touched on this with the password manager to point out that the security practices they have at work and make them secure in their own lives as well, it’s not something that you have to do just for work, this is going to make you better off in your home life, not just more secure.
But it’s so much easier for me to use my password manager on my phone, it uses my thumbprint or my face ID to log in. And it automatically pastes the thing in there. It’s actually quicker than if I was to type something, even if I knew what it was, is quicker than going and copy and pasting it from a text file. It’s just easier.
Adam Marrè 31:26
Absolutely. I loved what you said that we need to address the whole human. Right? I think security awareness should be taught in elementary Primary School, wherever from, from the very beginning. So people are realize that in our new digital world, this is table stakes, they have to do these things.
It’s like wearing your seatbelt, locking your doors. Same thing, we’ve got to teach people. And until we get to a point where we’re training people at that level, and I’m glad Epic Games is doing what they’re doing for it. I love that. But until we get to that state, we need to bring everybody in. And one of the ways we can do that is through industry, right?
No matter what industry, you can start addressing the whole human and telling them ‘Oh, yeah, by the way, the things you’re doing here, you should do them at home,’ and even have maybe parts of your security awareness training focused on that. I know, we’ve done that at Arctic Wolf with our managed awareness product, where we do these nudge type videos that come out each month or each week and remind people and quizzes and things like that. Some of them are like, ‘Hey, go tell your friends and family, go share this with others, that while you’re on vacation, kind of security too.’
Because we also know bad guys don’t care if you’re at work. Or if you’re at home, if you’re on vacation, or you’re working. And sometimes they don’t even care if it’s your work account or your home account, we’re gonna attack all of them. Because we know they’re interrelated, we know that you’re logging into your personal accounts on your work devices, and vice versa. So we’re going to attack it all because that’s how we’re gonna get you is we’re gonna take the whole thing, they don’t see a different thing.
Ian McShane 32:55
Yeah. So it’s in your experience, like you’ve told us talked about, like addressing the human, I think that’s an amazing way of putting it.
One of the things that comes up so frequently when I talk with not just not just victims of cyber crime, or incidents like that, but friends as well is they don’t feel comfortable telling their employer, ‘hey, I think I did something wrong. I think I logged into the wrong place’ like this, almost permanent worry of like, ‘if I screw this up, I did a training last year. And if I screw this up, they’re just gonna fire me’ How do you avoid that? Because I think it feels like to me, as a security organization, you want to have more incidents, right?
Everyone talks about less incidents, less alerts less of this. But if I’m thinking about an organization that, for want of a better phrase, culture of security first, like, you’d want more incidents, because people are reporting things they see they seen something, they say something. So how do you get over that hump of if I say something, I’m incriminating myself?
Building a Blameless Security Awareness Culture
Adam Marrè 33:54
Frankly, fantastic question. Fantastic. And frankly, we’ve got to catch up to a lot of other domains in the modern workplace, certainly in tech.
Now, this is something they tackled in tech, years ago, and they’re doing it really well, in engineering departments, right? They get these blameless cultures where it’s like, ‘Hey, if you did the bad thing, if you push the bad button, you killed the whole datacenter, ‘whatever it was, just jump on. Let’s fix it. And it’s blameless.
And you might be the one writing the RCA for the whole team, stand in front of the CTO, but no one is there blaming everyone, they’re just saying, ‘what can we learn from this? What did you do?’ You know, and as long as we are all learning lessons, and certainly the person that did the dumb thing, or whatever, or didn’t understand the consequences of their actions.
As long as we’re not repeating these mistakes, it’s blameless culture. Right. And this has come into management, the modern management workplace. We’re talking about meeting people, where they talked about creating a culture of candor on your teams where people can speak openly and freely about this about people’s behavior about their own behavior. So all that we’re trying to do is all getting better, right?
Coming from a sense of assuming good intent, and no longer having a culture full of blame and fear, but a culture that’s open, transparent, where we can all grow together. And we need to do the same thing and security. And you get to a point where someone’s like, ‘oh, my gosh, I clicked on the wrong thing.’
The last thing we want someone to do is to try to hide it right? Like, close all my windows, turn off my computer walk away, pretend it never happened. No, we want the first thing that we do is to call up their friendly neighborhood security person, that’s not going to blame the person and is gonna say, ‘Thank you for telling me.’
Now, it would have been great if you didn’t click on it. But I’m not even talking about that. Because I’m just going to thank you for telling me. Let’s fix it. And then we can rewind to go back and say, ‘How can we all learn from this, including you, but me too, you know, maybe this is a vector I haven’t seen before.’ But really get to a place where people don’t do that. And that starts with culture, right? We’re building a culture.
And so leaders, whether security leader, certainly but also CEOs, everyone, we can’t get to a place where we’re flying off the handle if someone does the wrong thing, because we need to get to a place where like, ‘Alright, how do we grow from this? Because we know what’s going to happen? How do we grow from this? How can we support you and make sure you don’t do it again?’ Because certainly, in all these cases, when we have people who are doing the dumb things all the time, we’re making tons and tons of mistakes and not learning from it.
That’s a totally different situation where we need to maybe have some corrective action, but I’m talking about for most people, let’s create that culture where people can freely come forward and say, ‘here’s what I’ve seen. Here’s what’s happening. Let’s fix it together.’
Ian McShane 36:30
I love it. I love it. The friendly neighborhood security expert is a great phrase, that should be a job title for the help desk guys. Get rid of the help desk and call it friendly neighborhood security. Well, we’re coming to the end of the time today, Adam, and thanks. Thanks so much for hanging out with me today. This is an excellent discussion. I learned something as I always do when I talk to you.
Adam Marrè 36:47
Yeah, this was fantastic. Really appreciate it. Love it. And yeah, I hope everybody gets a chance to look at the report and gain their own lessons learned from it.
Ian McShane 36:56
Yeah, before you go, instead of doing the classic thing of asking you to share something you’ve enjoyed lately, I’m actually going to tell you what to plug. Because I saw you post on LinkedIn, maybe a few weeks ago about a leadership book. And what you wrote really struck a chord with me, I read the blurb about the book and went off and bought it and enjoyed reading it. Do you remember what that one is? And perhaps you can explain why you recommended it. And if you don’t, I can tell you what it is.
Adam Marrè 37:18
Yeah, of course I do, it’s kind of a big deal for me. It’s a book called When They Win You Win. That’s right. Yeah. And it’s by a gentleman by the name of Russ Laraway, who’s got a great career in in tech and was in the United States Marine Corps and was really just an incredible leader and a bit of a mentor to me.
He and I both worked at Qualtrics when he was chief people officer there and I was head of security operations. And he taught me a lot. And the reason I put a blurb, like I said in my book, I do not endorse things, certainly not leadership books, I have a long history with leadership books that we won’t go into here. But this is one that is that is really based in reality, but certainly results, right. And also an alternative working title for this was, Happy People Happy Results.
That’s another one Ross was considering because it really is kind of a people first approach. But it goes to what actually creates impact. And it tracks that back to if you have high employee engagement. And this is a ton of research that’s been done on high employee engagement, you have high employee engagement, you have higher impact. So how what drives employee engagement, and it comes back to the manager, right?
And so part of the goal, one of the goals of this book is to restore the dignity of the manager, right? And put them back in their place as being really fundamental to driving employee engagement, because nothing does it more than the manager the environment they create. So then it goes back. How do we measure that? How do we make it better, and that’s what the book is all about.
I love things that I can measure, I love things where I can work on and tweak and push and understand what I’m trying to do. And I can measure at the end of results so if I’m doing this, then I should have impacted employee engagement at the other end. And he kind of paints that whole picture. And it’s across tons of research that he did well, while he was at Qualtrics. From before. And so anyway, that’s why that’s why I’m plugged that book. And it’s what I would have said, if you asked me what I would have read recently
Ian McShane 39:23
Oh, that’s great. Yeah, I mean, I loved it as I was going through just even what you wrote, and then the back page blurb and first few chapters really describes a lot of the behaviors that some of my favorite managers in my career demonstrated and seeing all that come together. There was a few aha moments for me for sure. And you know, really enjoyed it. So super glad that you posted that.
Adam Marrè 39:46
Yeah, thanks for bringing it up. Because it’s really powerful. And it has to do with security because it’ll help you be a better security leader.
Ian McShane 39:53
Exactly. It’s building that culture, that level of trust with people and you know, openness and openness and candor, like you said.
Good times. Cool. So this podcast is called Challenge Accepted. And so your homework or challenge, if you like is to download and read the DBIR. And we’ll include a link to that in the show notes. And I promise you, you’ll learn something. It’s a great read. So really invest the time as a security professional. So thanks for listening. Thanks again Adam. And thanks to the producer of this and until next time, my name is Ian McShane. Thanks so much.