No! Non! Nein! Niet! Or in multiple languages, what a lot of people call the Cybersecurity department. If you're tired of hearing podcasts, conference talks, or CISOs prattle (disclaimer: this was written IN London - apologies from the writer who seems to be having a bad case of language osmosis) on about how Cybersecurity must align with the business and how Cybersecurity needs to move away from being the department of no...that's gonna work out great! Because we have Nada of that in this episode. This episode is about how you should use the word NO - but not in the way you might be thinking.
Listen in as we talk about how using NO is just as important as using YES. What Cybersecurity does (you know, the yes part) and what Cybersecurity doesn't do (the NO part) are equally important. And, of course, we have the usual suspects of pop-culture references and pain-in-the-rear acronyms.
Disclaimer [00:00:05] The views expressed by Paul during this podcast are his alone and do not necessarily reflect the views, opinions or positions of his employer. The views expressed by Jason Wait, do really? This is what you want me to read? Okay. The views expressed by Jason are his alone and frequently do not necessarily reflect reality. His opinions are often annoying, scattershot in their application, and can resemble more of a Virginia wall short story than a cohesive argument. He is currently undergoing therapy and rewatching Westworld Season three to resolve his storytelling issues.
Jason [00:00:31] Hello and welcome to season two of Offsides. This is the annoyingly award lacking number one cybersecurity podcast, according to Muscle Car Poetry magazine, and the most money-losing not for profit venture. This side of starting in airline.
Paul [00:00:46] And F sides focuses on the human side of cybersecurity. Every episode I'm going to do it and a different announcer voice Jason.
Jason [00:00:56] In a voice that raises the hair on my back. Casey Kasem You are not.
Paul [00:01:01] So I'm working on it.
Jason [00:01:03] Like, like Paul Like Paul said, we we talk about things. We don't talk. We try not to talk about the tech. It comes into it. We try to get things, everybody. It's really about, you know, moving the elephant in cybersecurity, moving the elephant in this analogy to change. How do we affect change? How do we affect people? How do we affect their feelings? Really represents the emotions that we try to get into that in cybersecurity. And sometimes we talk about work life, really the universe and everything.
Paul [00:01:28] This is a very full feature podcast.
Jason [00:01:30] This is this is you know, here's something a lot of people may not know. Those of you that have been in security or corporations, you actually may know this, but you may not know it. But security gets a bad rap, right, Paul?
Paul [00:01:41] Oh, you mean like musically?
Jason [00:01:44] No, but I love that you're finally going to the music.
Paul [00:01:46] Reference and.
Jason [00:01:47] You're getting down there. But. But true.
Paul [00:01:49] Yes, you're right. Jay-Z. Security, unfortunately, in some organizations does have a bad reputation. I would agree.
Jason [00:01:55] Yeah. It's it's often called and this is an old term for for the last couple of decades it's. It's called the department of no.
Paul [00:02:02] Are kind of like the Dilbert comics reference where they had that one character who basically did everything they could to prevent people from doing their job. Right. Using it.
Jason [00:02:10] Yeah. What was the acronym was something that information set or prevent?
Paul [00:02:15] I think it was preventative information services. So it was verified.
Jason [00:02:19] So security can be that is like, Hey, can I install this thing? No. Hey, can I go? No. You know, it's this whole culture of No, but hey, guess what we're going to talk about today, Paul.
Paul [00:02:29] I don't know what.
Jason [00:02:31] We're going to talk about. No. And why it is such a powerful tool and it needs to be in your toolbox and every so should have it at the ready.
Paul [00:02:40] I totally agree. And that's. No, not okay, A.W..
Jason [00:02:44] Yes, I know. Paul. Paul, When we were writing this episode, Paul's like, Let me get to you. I really wanted that joke. Can I please get Joe? And I'm like, G.I. Joe. It's great. It's not even a joke. Like it's, you know, knowing it's half the battle but not knowing why.
Paul [00:02:59] And Jay said, well, it was a funny and he often does that actually, that I'm not funny. So that.
Jason [00:03:04] Well in hindsight now that we just talked about it, you bringing it up in a weird way would have been.
Paul [00:03:07] Great. Oh, it would have been great.
Jason [00:03:09] But so what are we talking about? No, here, Paul. What kind of talking about?
Paul [00:03:14] So it's not No. As in No, you, you can't do something and we're not going to talk about it because, you know, I'm going in to think about a problem in one way. This is about managing expectations, which is incredibly important in an organization, especially the higher up you go. So managing expectations with your internal and external customers and then prioritizing your work. And because you are able to say no to the extraneous things or the things that don't directly lead to you, providing services now know could also mean, hey, you know, I can't take this without some conversation. Meaning, you know, we can't do that unless we stop doing this, right. So if you you know, if someone asks you to do something extra, well, you may have to stop doing one of your core services. And people need to understand that.
Jason [00:04:01] Yeah. And I think this comes up for almost any any business line or department in an organization is the ability to say, no, I'm, I'm at capacity. I'm, I have my priorities work. What do you want me to drop off? But a lot of times, you know, we're either it's intimidation or it's just you want to be a good company person to be like, Yeah, let's do it. Yeah, we can do everything. You'll get burnt out. You'll burn out your team if you're taking on too much. And security especially needs to prioritize based on, you know, what kind of risk is this really representing? Do I care if Johnny Appleseed downloaded MP for file to his laptop? Probably not in the big picture of my security stuff. So do I want to go apply resources because somebody said, hey, we need to go check that out? I'm going to say, No, we don't.
Paul [00:04:47] Oh, that's a great that's a great example, actually, Jason, that, you know, often, you know, I don't know why security people like doing this. They'll say, oh, well, you know, we can't let people go visit social media sites. It's like, well, there's not really a security reason for that in most places. Right. It's there's not really security reasons. So, no, I don't I am not going to define those rules. Please talk to H.R.. Here's the person in human resources you can work.
Jason [00:05:12] With and not knock off. There's not risk. It's so much low risk that in the big picture of US and security, we know what the big risks are. And it's not somebody visiting Facebook Productivity Summit, whatever else you want to argue outside of is our information secure? Hey, that's our job. No, it's not that big of a.
Paul [00:05:29] Risk, but that's the power of say no being able to say, yeah, no, that's not really. Yeah. You know, it's not really primarily security risk. Let's get the right people involved. I'm happy to help, you know, and to provide information. As much as you know.
Jason [00:05:43] I want to hit on this as much as it said, we said no. What it really focused on is what do we do? We are not human resource police, We are not productivity police. We are not setting policies for how people interact with the outside world, whether at our company. So knowing what you do is critically important. You know, we talked about this like we never know when we release our episode, so it could be in a future episode or we talked about in a past episode, but we talked about this concept of laying out what you do in information security. And this maps directly to that because, hey, you know, unfortunately that's not something we do. And security. Paul you know, this become can become a dumping ground for stuff other teams don't want.
Paul [00:06:22] Yeah and I've seen that where I've come into organizations and security basically did a lot of the stuff that didn't really make sense that wasn't the biggest risk for instance, right? Like, hey, you need to tell us what sites, what social media sites we can't look at. So again, secure and that's a great example of one is like it's not really a security thing, but notice them. I know. By the way, was a soft no. Hey, no, we don't do that. We're happy to help. Here's the right person to work with. Right. It's not just the traditional securities, the office of no and saying no and just kind of sitting there with the blank. It's not.
Jason [00:06:56] That you're.
Paul [00:06:57] Not. Yeah, it's like it's not a Z, like. No. And now the conversation's over. You're still being helpful and collaborative, but you're you're also making sure that it's clear that that's not a core role for you. But yeah, dumping ground. I've seen it a lot. Like, you know, sometimes security teams will get dumped. Fraud stuff, right? Like, hey, it seems security like let's have them do a review of the fraud stuff. Like, well, we're really not. Yeah, know, my team could do it. You could ask anybody in I.T. or some other part of the organization, do it. Security doesn't have any special expertise. Is that really where you want to spend our time when we have all these other services?
Jason [00:07:33] Yeah, And when it when security budgets are under fire, when we're constantly, you know, outgunned, outmatched and understaffed, you really if you're working in security, you really want to prioritize what you're working on. And any leader or any manager or any department that's going to ask you these things, when you can tell that story of prioritization, they're going to understand it. You say, Look, I have all these priorities right now. I'm worried about external hackers on our Web entity, or I'm worried about ransomware because we're we don't have these things in place, which is one of the biggest risks if you're not turning on the news that's out there. Do I want to worry about somebody visiting Facebook? No, I don't. So I think, you know, you know, bear with me here. But no, I don't think we should do that.
Paul [00:08:12] Yeah, totally agree. And again, the key thing so that you're still seen as a collaborative person are not the office of No, is to make sure that there's a way to get to know right. Like you always hear people Oh, let's get to yes let's figure out a way to get to Yeah.
Jason [00:08:26] You need to write a book on getting together.
Paul [00:08:28] Oh, that's a good idea. I want that. Can we commit?
Jason [00:08:32] Because we talked about it here. This is our copyright, our trait. What? Yes. Yeah, we copy.
Paul [00:08:36] Copyright copy here or whatever. Copyright. Actually, that would be an interesting book, but unfortunately, I think people wouldn't buy it. So get to know like in No, don't buy this book now, which I guess so.
Jason [00:08:47] Oh GI Joe again.
Paul [00:08:49] Guinea getting good So getting to know there's a there's a right way to get to know. Yeah right. The first step is understanding what you do right when in a previous or future podcast again Jason was right we sometimes we're at least I'm a little out of order.
Jason [00:09:03] We talk about like our lives by the way.
Paul [00:09:06] Yes, we talk a little bit about that. But getting getting to know is very important and making sure that you understand what you do as an organization. What would you say you do here? The famous office space quote. So you know what? You have to understand what you do. And it doesn't have to be some very long, you know, operational level agreement, service level. It doesn't have to be a super long document. Just say, okay, here's the six things we do. We provide incident response services, we provide this information, security, whatever, right, so forth. And so once you understand what you do, then you can have meaningful conversations. People say, well, you know, my team does this while that's not in our our services that we do, if you want us to do it, something else has to get we have to get, you know, or we have to hire a consultant because we don't have the skill sets in this. I mean, you can actually have there's a lot of power in in understanding what you do. And it sounds really simple. And so like everyone's like, well, it's super intuitive. It's actually not. You need to sit down and write down what you do and then you get to know.
Jason [00:10:05] And it's not just our team, but what you know, who should be doing this work is what is the follow up question. Hey, for example, and I've had this at a previous organization that I took over cybersecurity program. My team was tasked with this very, how do I say, algorithmic continuous thing called a user access review. If you work for a company, you had to do this where, hey, an audit auditors love the auditors, the Bobs, they come in with glasses, nerve. You know, I don't know if they come into glasses anymore with their their notepads and notebook. I need you to show me everybody who has access to this h.r. This accounting system. Give me the list every quarter. You have to pull up this list, and you have to show why that person needs access. It's called a user access review. And I came into this organization, and my team was doing user access reviews, and now I have a team of very highly paid engineering and director level resources that are doing a basically checking a list of people and then sending emails out to figure out who needs access. Probably not the best team and not the most efficient use of corporate funding to have somebody who's trained in cybersecurity to be doing an audit of who has access to a system. Plus they don't contextually understand the system. So really something like that, You know, the first conversation I had was, well, hey, you know, I definitely feel we shouldn't be doing this. This isn't really what security does, but really who should be doing it are the people that own that system, that know who should or should have access to it, like the accounting system, the accountants, the ones working on it, the manager, the accounting department would know better than we would. And so that's the ability to say, no, we shouldn't be doing this and talking to them, to the groups to say, you know, who really should be doing this are the system owners. Once we explain that, they're like. Oh, yeah, I get it. Like we're the ones that really control access and should know who does or doesn't have access.
Paul [00:11:48] I'm going to make you very I'm going to get a reaction out of you here in a second, because I would tell you. That's not to say that. No, it's just a fender bender. Oh, yeah. Oh.
Jason [00:11:59] Tune in to our vendors episode. That is a great one. You should listen. Yes, I go on some great rants.
Paul [00:12:06] Yes, it was actually very classic, Jason. But, you know, races are actually on in here. And let me let me explain what a race is. It's a chart that outlines what the responsibilities for different activities are between different groups. Right. So a racy is the first letter. It's an acronym of the different things. So R is responsible, meaning you're this group or person is responsible for the activities. The second one is accountable, meaning that person is accountable and held accountable for making sure the activities completed properly. C is consulted, meaning you are before the before something can move forward. You have to be part of the process or part of the discussion, and informed means you just kind of are made aware of what goes on. So what's your thoughts on races? J I think.
Jason [00:12:56] It's missing a letter. I think it's missing W For worthless.
Paul [00:12:58] That I think.
Jason [00:13:00] I think they are a great one time exercise, like a trust fall. I think what I think what happens and it's not that the idea of what it's doing is absolutely critical and important who is doing what across certain. I get it. But these things get in my experience, they get created once in this very energetic, very great meeting with a lot of back and forth and conversation and debate. You go, All right, here we have it. And then it gets filed away in a locked filing cabinet in the basement. And nobody ever looks at the thing for like three years.
Paul [00:13:27] But you see that I and I disagree. I think you're you may be using them wrong. You may be using them. Yeah. We had talked about this in the past. You may be using a flathead screwdriver to butter toast. Right. That doesn't mean that the tool raci, the flathead screwdriver isn't good. It just means you're using the wrong tool for the wrong activity. But explain why before you react. Because you're about to react. I can feel it coming.
Jason [00:13:51] It's working right over you. Of course I know.
Paul [00:13:54] But you know, Tracy. Tracy is a meant to be looked at every day, right? I think we can both agree to that. I don't think it should ever be filed away. Right. You should look at it, period.
Jason [00:14:03] Writing that down, right?
Paul [00:14:04] Yes. You say that's a that's a one. So that's a that's a pro tip, Jason. Know the first, you know, putting it look trying to use it every day doesn't make sense, but it does establish clearly who is responsible for something. And then, you know, as new people are brought in, you look at it or every year I like to look at say, hey, as the processes evolve, they're matured over the OR over this period of time, are we still all in agreement that this still is the right thing to do and it helps to solve misunderstandings? So, for instance, if you're manager or the manager of another area comes and says, Hey, I need you to do this right, you could pop over the case. Say, Well, actually we're just informed. Right? And the good thing about this, by the way, is that it gives you the power to say no RACI chart because you can say, hey, no, you don't have to wait to get my approval. I'm an informed right, meaning you don't need my approval and it's okay to move the process forward and being able to say no, that you don't have to be consulted and go through my my approval. That actually is a very good thing for some customers because it's like, oh, okay, I don't need to do that step And you've already thought it through. Great. I have confidence that, you know, this is the right way to do it. I haven't convinced you, have I?
Jason [00:15:13] I have hope that there's a better way in lieu of there being nothing else out there that I've seen. Like heat maps. Heat maps are. If you're still using heat map, which, you know.
Paul [00:15:23] Oh, here we go.
Jason [00:15:24] If you're still using heat maps, guess who's using heat maps? This guy. But it's just because you've been doing it for so long doesn't mean there's not a better way. No, I don't have a solution for this, but I just. Some races get filed. Never looked at yet to dust them off. Oh, yeah. Let me challenge.
Paul [00:15:40] You when you do a racy look at it. Whenever a new person comes in, or at least every twice a year and say, Hey, does this still make sense? Are we all still in agreement? Because you'll be surprised how people's memories change and they'll be like, wait a minute. I'm like, I guarantee you don't remember everything.
Jason [00:15:56] I do not disagree with you on this, Paul.
Paul [00:15:58] Oh, that was almost in agreement. I do not disagree. Is a very passive way. A pretty. No, that's a very passive what you're saying. I agree.
Jason [00:16:05] Now, you're right, you know, and that feeds back into what Paul and I will preach is a one. There's one takeaway. There's probably 17 you should get from this podcast. But or I'll say it's my take away and Paul will shake his head. Security is about people process and then technology. So he just mentioned was the process of that. RACI and I went immediately to tech. Oh, it's got to be a solution for this. Let me find a technical solution, but have a good process. Make sure that you're repeatedly checking it twice a year. You go in and look at it. You set that process.
Paul [00:16:35] Yeah. I mean, because again, technology only makes a bad process bad faster. Right. And, you know, I was actually in a conversation with someone not too long ago and I was talking about, hey, we need here's a problem we want to solve. And the person was in I.T. and the first thing they went to was, okay, we got to find a piece of technology. It's like, well, you know, we don't even know what we're trying to solve yet. Let's let's figure out the process and then find a technology that supports what we want to do. Because here I've had this I've done this myself early in my career is I had something a complicated thing that need to get done. I was like, well, let me just buy my way out of this. Let me just buy technology that's worked at 500 other Fortune 500 companies and I'll just use whatever process they have in place. It never works. That's almost why, you know, the AI people always say, well, SAP implementations are so difficult. Well, if you buy an S a P, if you buy s A, people expecting it to work out of the box, right? You're not going to get it.
Jason [00:17:30] Here's a good analogy for SAP. I just thought of SAP as like you see this amazing wardrobe dresser and you buy it like this thing is amazing, but it comes in an IKEA box.
Paul [00:17:41] Oh, well, it's also it's you need to hire ten.
Jason [00:17:44] Contractors to come in to install it. You can't read the instructions and you need to go and pay somebody 100 grand to put it together for you.
Paul [00:17:50] And it takes special hangers and you can't use any other hangers or the electronics, right? It's like it's so very specific and, you know, trying to buy your way out of process design. If you're a security person and you you want to buy your way out of process design, you're going to suffer.
Jason [00:18:04] Because if you can't do it manually, oh man, you're not going to be able to do it automatically or automatically or any taxes are going to save you if you don't know what you're doing in the first place.
Paul [00:18:12] But it's very hard to prioritize.
Jason [00:18:15] Here we go. We just our I swear we did this are.
Paul [00:18:17] Week Yeah this is another Yahoo that you're right now we have squirrels squirrel squirrels. Yeah.
Jason [00:18:24] Okay. So it's about managing. Yep. The power of a great leader is the ability to say no. I should get that on a T-shirt. But that is an amazing power to have. And getting to know is probably the key way to think of that.
Paul [00:18:37] In a collaborative manner. Right? Because again, of back the old school security. No, was No, it's in our policy. You got it. Let's not have it. That's not what that is.
Jason [00:18:46] This conversation, takeaways. It's not about that. It's not saying no to say no. It's not saying no to be mean. It's not saying no. Our policy say that's a get to yes. You know what? Let's figure out how we'll solve this. This no means doing the right work and making sure your team is doing the right work and prioritizing that work and that the right people are doing the right work at your organization. And then it also brings up another question. Should you even be doing the work that happen is like, you know, I think we gave the example of the social meeting and maybe not social media, but the MP for download. No, you know, they really need to pay attention to that. Let me explain to you why.
Paul [00:19:16] Yeah. And then you can have those reasonable conversations with people versus well, it's it's I don't know if it's something we do or don't do, but nope, that's that's all right. This has been a good conversation.
Jason [00:19:27] Yeah, this is a lot more exciting than I thought it was going to be. I thought it was all just negative. Nancy Negative. Ed No, no, no.
Paul [00:19:35] But it's actually yes, yes, yes. Everyone's got no yes, right. That's the greatest part. Jason, is this the greatest podcast you've ever been a part of? Supposedly? What's the answer, Yes or no? Let's get let's get to it.
Jason [00:19:47] Let's get to know the.
Paul [00:19:48] Okay, yes. So now this been a great podcast. So Jason, I think you want to tell our listeners about a special thing that we're doing at our last podcast this time and answering questions.
Jason [00:20:00] No, if you check out RACI Paul for this podcast, it's actually shows that I am not responsible for that. I am just informed.
Paul [00:20:06] But you're no, you're accountable. So with that, I'm going to pass the baton to you. Because I will say no.
Jason [00:20:12] I think what we're realizing is you is who should be doing it is not Paul.
Paul [00:20:17] That Grace should.
Jason [00:20:18] Be doing this work is Jason.
Paul [00:20:19] Tucci.
Jason [00:20:21] Season two We had a lot of people in season one saying that they wanted to ask us questions about a certain or wanted to ask a guest host that we had on a question. So we are playing funnel and filtering those questions. So if there's a guest you've seen on season two that you wanted to ask a question or any question you want to ask Paul or I or any topics of conversation, you go, Hey, I'd love to see you to talk about this. Send your questions in. You can go to our home page at f sides dot com that f. S idea dot com and you'll see the email address to send them to the email address itself is f side's questions. All one word at I 70 tech dot com that's t h dot com or again go to our homepage. Please send us questions. Right now I think we have to. I think my gardener's wondering why I leave my window open when he's watching my lawn. That was a question. He's like, Hey, I can hear your podcast. What are you.
Paul [00:21:06] Doing?
Jason [00:21:07] So we really need some more quality from you listeners. So please send send them to send them if you got them. He's the elephant in the room.