Okay, okay, I think it's about time. So let's get started. I know everyone is hungry and wants to go grab some beer, so I won't try and keep you too long. Hello everyone, and thank you for coming and listening to me. My name is Kim Hinder. I work at City Network, and I usually introduce it by saying "welcome, ladies and gentlemen", but I was told that that's wrong to say because not everyone identifies as a lady or gentleman. So hello, fellow humans and other life forms. It's totally inclusive. In school you were taught that you were supposed to have something personal to share in order for us to relate to each other. So my name is Kim Hinder, I'm security officer at City Network, and I hear four distinct voices in my head at any given moment. Now you have something to relate to. Don't worry, it's no danger to you. Only two of them are telling me I should eat you, so that's quite a minority. But with that said, you look perfectly delicious today.

Anyway, introductions out of the way. Let's talk a bit about security and what actually gives you the most bang for the buck. This assumes that you do have basic security. So you should have some type of perimeter protection. I mean, anyone here not using firewalling? Yeah, you should use firewalling. If you don't, you're in trouble. So I'm telling you this from the perspective that you are actually deploying some type of firewalling. You are deploying some type of network surveillance to know: do we have any open ports? If the ports are open, are they open for vulnerabilities? Have we connected everything? This is decently enough automated today, and it's totally open source and works just fine. iptables, nmap and OpenVAS work terrific for this situation. User authentication: yeah, use SSH. Try and use multi-factor. Don't just use passwords. Over 99.9% of all password breaches are cleared by using multi-factor authentication.
So multi-factor authentication clears away all the password shit you get from automated attacks. So enable firewalling, enable user authentication, enable multi-factor authentication, and you're pretty well set. These are the external threats that you might have. And if we have passed them, what are the biggest threats for data breaches then? So basically, where do data breaches come from? What is the event that has actually tracked shit into your system? This is statistically validated data from a survey of over 1,000 enterprises that had been identified to have some type of data breach. And as you can see, the biggest culprits are email, websites, foreign USB drives that I was just forced to insert into my computer here. So that's a nice thing. So don't do that. Don't do as I showed you to do. So anyway, the major part you can notice with these things is that it's only the bottom one where you're techy. That's still a procedure thing. So you can't get rid of the people here. But still, that's more realistic. So, software vulnerabilities. Yeah, simple enough: go CI/CD. I perfectly understand that it's not simple to implement CI/CD. Believe me, we know that one. But that's the simple solution for software vulnerabilities. And there are awesome, awesome talks at this summit about that. So go CI/CD. The rest of the things, that's up to people. You can have hyper, hyper tech all you want, but it's still up to people. And what do I mean by that? Yeah, for all the rest of the things, the survey showed that there was a dialogue prompt that some user had clicked past. Okay, check. You got the prompt: "Are you sure you want to do this?" And they say yes, because it's an automated thing. I want to get this done. This attachment wants to have this type of permission. Do we allow it? Yes, click. And then you're done. So it's some type of user error in this. So we are into the humans with all the rest of the stuff.
I like to compare this to: I bought a really, really premium, high-security safe for keeping confidential files in. Then the next morning, after the newly installed super secure safe that cost a lot of money, the confidential files were stored on top of that safe. So my investment in security, well, it broke the first time it encountered humans, because they forgot to lock the files into the safe. So that's, yeah. So the human factor is the factor that will end up in trouble. Well, how do you then handle the human factor? Yeah. Well, this is also statistically proven, that more than 99% of all critical data breaches are due to human error. So it's the human part that fails. That's the big part. And this is not something you can simply get away with by tech alone. Because it's not malicious intent. By far the most common thing is a common mistake. We all make mistakes. Anyone here who says "I've never made a mistake in my entire life"? We all make mistakes. That's being human. And it's sort of hard to get rid of us. I know there are a lot of techie fantasies of not having any humans at all. But I mean, yeah, I'm really not fond of that future. So how many here think we can script the humans? We can write a playbook that says "do not do wrong configurations, do not make any mistakes", and shoot it into the heads of humans. How many here think that would be an awesome future? Yeah, there are always a few who think that would be an awesome future, until I tell you some mad Korean guy will hack you. And then you will have the mad Korean's army walking around there. And that's not a good idea. That's a very bad idea. So believe me. So no, we can unfortunately not just go and write a playbook that fixes the human mind. This takes time. This takes education. I've tried to look up a bit of the definitions of education. Wikipedia says education is information about or training in a particular subject.
I dare say that I want to complement this a bit and say that education is information and training. We are pretty good at spreading information. We are in the information society. That's just data visualized and conceptualized in a manner. So the crazy Korean is here talking to you and you're all sitting here. So we are spreading information. But in order to actually get educated in a topic, in order to actually get some type of change in behavior, in order to know what you're doing, you need some type of training as well. Anyone here having a driver's license? Yeah? A few. Did you have to do just the theory and say, "okay, I've read that, now I'm ready to go drive"? No, I bet you had to do some type of training as well. There are specimens in the human race that can actually learn just from theory how to function well in practice. But most of us cannot. Most of us need training. And this is something that we tend to neglect. We're good at going to conferences. We're good at studying things. We are not as good at following up and having training with them. How many here have an IT policy you have to follow? A bunch of you. How many here have regular training on following that IT policy? A few of you. That's great. You see, a lot of times we end up just getting the information and not focusing enough on the training. So we are humans. We have human needs. When I try and tell people that professional sports and professional tech have a lot in common because they're human, people say, "no, that can't be". And I say, what do we do to optimize the performance of a professional team? We practice. We practice working as a team. We practice our skills. And we take into account our human needs. Yeah, sounds horrible for techie people, because we want to go back to the playbook into the mind now, but still, this takes time. And unfortunately, there's no shortcutting it. It takes time. But if you want to work as a well-functioning team, yeah, you need to practice that together.
What are the key findings we had in our case, when we tried to test this and see: can we deploy the similar things that work for professional athletics into our company? Because are the people working in IT any less professional than pro athletes? No, not really. You get a lot of pay to do work. Why shouldn't the company have a vested interest in you having optimal performance? Well, you need to build a culture. What is culture then? Let's get to the definition: a set of standards and beliefs that a group shares and values and holds each other accountable to. In order for any type of training to work, you need to follow a set of standards as well. And you need to be able to call each other out and say, "now you're deviating from this set of values that we hold each other accountable to." That's the whole idea of how this can actually work in the long run. You cannot have policing on top that's going down all the time. You will spend an enormous amount of resources just doing the policing. Groups and teams have to be self-teaching, self-reliant, self-correcting in this sense. This can totally go the other way around as well, if the group starts to get values that deviate too much from what you want them to have. But yeah, that's another part. But this is culture. And culture drives habits. Habits drive behavior. And it's the behavior that gives you the results you're actually looking for. So this is needed in security. You really need this in security. What we started with at City was a daily check. I want to know how the staff are feeling. So the staff in each team had to be open within the team: have I had a bad day? Have I had a good day? Am I perfectly suited to do really, really complex firewall administration today or not? Perhaps not, if they had a day that really sucked. And we tend to think you shouldn't bring your personal life into work. Anyone here who can totally disconnect everything from their home when they go to work and say, "off, now it's only work"?
No, I don't think so. What happens in your life affects you. And we have to take that into account. So I get a lot of reports as head of security from the infrastructure. How is that feeling? How are the firewalls doing? And we tend not to get that many reports on how the staff are doing. And this is, to me, a far more important report to get, because we have ups and downs as humans. We change on a daily basis. So I want to know that every manager has had a check-in with all their staff, and they have all reported: check, I'm fit for this and I'm fit for this, and I'm not fit for this today. And they know that that's a crazy important report for me to have, this daily check that the staff are doing all right. We have an example from an incident at one of our data centers. This was not us ourselves, but we were co-located. So in one of the neighboring racks, a staff member went in with a can of gasoline, handcuffed himself to the rack and the servers, and set himself on fire. I dare say that something has really, really been missed. All the days before leading up to this, you should have been able to catch this, if you're an attentive employee. So these incidents should actually be something you can see if you have a daily check-in with your staff. You should know: are they feeling good? Are they feeling bad? So one of the biggest myths, I will say, with this daily check-in is also taking away the myth of multitasking. How many here have heard it? "Do you see yourself as good at multitasking? Good at multitasking?" How many have been employed by someone that actually rewards good multitasking? Multitasking as a human is unfortunately totally impossible. We are not equipped to do any multitasking. That's a big myth. We have good focus and we have a good way of shifting focus quickly, but it's still shifting focus. We only have a very, very small thing that actually reaches your conscious mind. All of you here, close your eyes. The wall to your right contains paintings. What do they picture?
You've all seen them. You are all aware that you have seen paintings on that wall, because you have all passed into this room, but no one can really describe the pictures in the paintings. You can open your eyes now. And that's because they don't stream into our conscious mind. We don't consciously register everything that goes into our mind. So we are bad multitaskers, and this is something you can easily try to get away from and avoid, because what is the biggest, biggest problem in security by far? Yeah, multitasking is really dangerous from a security point of view, because imagine if you have six priorities that have the same importance in your head. You have six tasks you need to do, and you're doing one and you get distracted, and believe me, we will be distracted. That's unfortunate with us as humans. Even if you are in a totally isolated, totally silent room, our own mind will distract us. So we will be distracted. The thing is what happens when you go back to doing the task from which you were distracted. If you have six equally important things, there's a big chance you end up starting a new task instead. And that's when you end up leaving your keys in your front door. That's when you end up storing the confidential files on top of the safe. That's when you do something half done. That's when you do not go back and finish what you've started, because in your mind, you have done the task. In your mind, you recognize that I've done this. Also, half-finished tasks are crazy, crazy important things. So I will give you some advice about some training. Let's see: take a post-it and write down the single most important task you have at hand right now. Place that post-it somewhere where you remember it. And then when you're distracted, and you will be distracted, a lot, you will be distracted, you can always easily and quickly go back to that post-it and see: this is the task I have to finish.
Once you've finished it, put it on a trophy platter somewhere, store it as a trophy, and then write down the next most important task for me right now, to remember that I need to finish it. You will see that you will be a lot more efficient than by not doing this. So this is my training and exercise. So just go home, start to practice this and see where you get. Do you get anything from this? Because like I said, anyone who believes this is a safer guy than not being distracted... Distractions are a danger to security, but we will be distracted. That's just the fact of it. So most of the human breaches that we could see in our organization were what we call Upsies, really these things that didn't lead to a breach but could have led to something catastrophic, just by people tending to forget something. Why do we leave keys in the front door? Yeah, today it's usually something to do with the phone. That's the biggest distraction we have today, where something is blipping in the phone or on your wrist today, as we have clocks and watches that are blipping, but that's a huge distraction. And when you do that, that's when you forget this stuff and go back. So the exercise: go back, test this and see what you can do with it. So what more did we discover? We discovered that the Upsies we had in our company were actually based and clustered in the work hours before lunch, not after lunch. So we had this practice that we actually provide the breakfast sandwiches. It was mandatory for our staff to have breakfast sandwiches, just to get the blood sugar correct. We saw a drop in Upsies, and believe me, this is now a case study. So we have moved away from scientifically validated stuff; this is what we experienced. But I saw a drop in Upsies when I could make sure that my staff had a proper blood sugar level. That's interesting, because it doesn't cost that much to provide breakfast sandwiches.
You might think so, but it's not the hotel's breakfast buffet you need to provide. You need to provide bread and some type of thing to have on the sandwich that's nutritionally proper. So no white bread. If you just do that, they will sustain themselves until lunch. And in the meanwhile, there's a trick to it. If you provide something to eat for people, they tend to sit down for a moment. And during that moment, it's an opportune time to set what is my single most important priority, write my post-it, and communicate and do a check-in with the team. This helped with our Upsies a lot more, and cost a lot less, than the very expensive SIEM I actually purchased, and the running log analysis against it. I had to purchase that from a compliance perspective. But that has helped me far less than actually having focus on not multitasking too much, focusing on having a good check-in, and focusing on building a culture where we actually work safe. That's it for me. So I will not keep you that much longer. Any questions?

Yeah, absolutely. So he has a boss and the boss wants numbers. And I say absolutely, we have numbers. Like I said, you should be prepared that this is not scientifically validated, because we have nowhere near enough of a case study. But we could see over 90% reduction just on working with the humans as a routine practice. And I have yet not had any Upsie stopped by our SIEM, and our SIEM cost around 300 times more than our breakfast practice. So yeah. So before you start to invest in the SIEM, this hyper, hyper intelligent machine learning stuff, the license for that is crazy in comparison to the actual things it has prevented, compared to making a normal breakfast meeting sandwich where we actually value our interconnectivity as humans. Any more questions? I say the post-it technique. Start your day by taking a post-it and writing down the single most important priority for you today.
The single most important task you should do right now. Write it down on a post-it and put it somewhere. Like I said, you will be distracted during the day. It will take attention away from that. But you always know what to quickly return to; your mind will be programmed to quickly return to it. And the more you practice this, the better you will be at not being too disrupted when you're distracted and going back, and most importantly, you will completely finish the task that you're doing, and you will see that you will be more efficient. You will clear more tasks during one day than by not doing this. So this is a good training exercise. I recommend you do it personally. Any more questions? Yeah, the question was, how does this work with meeting days? Because you will be disrupted by meetings all the time. And that's perfectly true. And that's perfectly honest. But like I said, this is a good thing to go back to, to remember: have I finished this or not? So if you're having a task that you know will be interrupted with meetings, that's a good thing to practice, because you know: is this finished or not? And that's really important to know. Have I actually finished it, so as not to start a new task when there's one unfinished? That's never good. You should never have several uncompleted tasks at the same time. There is a huge, huge chance you will miss one of them. And then there will easily be a security failure somewhere along the line. So yes, we need to account for us having a lot of meetings. That's just the reality of things. It's a matter of how quickly we can get back to what we should have on top of our mind. Then, yeah. Any more questions? Thank you very much.