All right, so thank you everyone for your patience. Rookie mistake on my end, but I'd like to thank Shane, on his day off, for helping me get set up. So I'm very excited to speak here at the Ethics Village, and as you can see by the slide, I am talking about ethical disclosure and the reduction of harm, and I will tell you what that means in a bit. But first, my name is Jen. I am the Chief Marketing Officer of a company called Flashpoint, and I know a lot of you don't necessarily work closely with a lot of marketing teams and might be wondering why there is a marketing person giving a talk here about this, but I'm going to explain that. So I'll... he told me to do this. There we go. See you too.

Yeah, so this is what many people think, especially in the tech community, about marketers. We're scary. There we go. Hold on. I'm hiding the toolbar. I'm doing something wrong. We're just going to deal with it like this. We're just not going to waste any more time. You know, we're scary, allegedly. We create a lot of chaos, et cetera. But the reality is that to build an industry, you need marketing, you need sales, you need all those things that, you know, folks here aren't necessarily interested in doing, but they might be employed by folks that need those very mechanisms to move their companies forward.

The reason I'm doing this talk right now: I've been in security marketing now for almost 20 years. I've seen a lot of stuff go well. I've seen a lot of stuff go really bad. I've made mistakes myself, and I am extremely passionate about making my people, so being marketing and business leaders, behave more responsibly. It's not about how you disclose, but about being more responsible in the way that they run business decisions when it comes to disclosure, so they're not jeopardizing the user, they're not jeopardizing the community, they're not discrediting research.
And I've worked with a lot of different organizations that I've been at on their coordinated disclosure policies. Wink to Katie. And so that's why I'm here today. I think there's a lot of opportunity for marketers and business leaders and the technical community to work together for a more ethical approach to business. So whether you work for a manufacturer, where you might be putting something out just to sell it to a consumer audience, or whether you work for a security vendor and you're here on the defender's side and you're responsible for reporting things out or keeping things protected, then... oh, I have a helper now. Thank you.

So, really simplified, and we could probably argue or fight all day about the nuances around these, but just some questions to think about as I head into this talk. What do manufacturers do? They try to make stuff that doesn't harm. Now, we all know, we're all here at DEF CON because we know that is not always the case, but I doubt anyone's ever creating something for a child that they want to be malicious, I hope at least. Maybe I'm just naive or ethical. What do security vendors do? Sell stuff intended to reduce harm. I know that's a big well of crazy because, yeah, but in general, in theory, that is what their goal is most of the time. What do researchers, engineers, practitioners do? That's usually a word that I just land on. Work to reduce harm. Now, the different ways that we do it, the different ways that they go about it, whether they're offensive researchers or whether we're reverse engineering, et cetera, we can get into the ethics of all of that, but we're not going to go there now. But what do marketers often do? Create risk. We create risk and sensationalize. We try to do what's best. Our job is to amplify the message, build a narrative and amplify the message for our company.
The problem is that too many marketers in our industry are not taking the time to understand what the companies are intending to do, and even the marketers that are maybe on risk or on comms teams for larger manufacturers, that are responsible for reporting when there's some kind of disclosure that's necessary, are thinking more about how much noise can we make with this, not how do we get this out in a way that doesn't hurt anyone, that reduces harm, and they need to get there. I'm very passionate about that. I mentioned that already. And there are some good folks out there, obviously, but this is going to tie into why we also need the research community to help us and how, on top of that, the research community needs to be empowered by us to advocate. If you work in an organization, for instance, that doesn't have someone on the business leadership team or the marketing team that gives a shit about ethics, how do you go to them, and how do you appeal to their senses and scare them into what's going to happen to the business if they keep violating coordinated disclosure? Yes?

So, Chris Hopp just asked if the marketing behavior is bleeding over from logo disclosure, essentially. Every time there's a new vuln or something disclosed, there's a logo or something. I'm actually going to talk about the patient zero of that in a couple minutes. So bear with me for a second. Oh, thank you again. Ha! That wasn't even a setup.

So everybody... So, I assume everybody knows what this is. No. Exactly. So, this was, as I was talking to my friend earlier, called patient zero for the worst logo disclosure, and what sent marketing teams on a tear thinking that this is a good idea. So we all know about Heartbleed. We all know that OpenSSL called it a heartbeat flaw. Codenomicon, now part of Synopsys, I believe. Their head marketing person was like, we're going to register that domain. We're going to hire someone to do a logo.
We're going to do that because we want to help educate and inform. That's called branding. And that was a quote from a CMO. She's full... yeah, unethical, right? We just want to help educate and inform, but it created so much chaos, because what would happen is this stupid heart showed up everywhere, and then people started making assumptions. So many response teams, and all kinds of different teams actually, were thrown into a tizzy. It got on the radar because it was all over every business channel, news site. CEOs, CFOs, et cetera, were calling their CISOs, calling their security teams, screaming and yelling about this thing and distracting them from actually doing something to protect their users. We can't have this anymore. And I know that there are some companies, I know that there are some teams, some research teams that I love and work very closely with, that still do branded disclosure. I don't, even as a marketer, I don't support that. I think it detracts from the seriousness of the situation, and I think it just creates a lot of noise that gets in the way of good people trying to do their jobs. Next slide, thank you.

So what I just said, I would like to put a lot of that stuff... I can't do this just myself. I need other business leaders, other marketing leaders. I need folks in the tech community to think about some of the business side of stuff. We all know that marketing sucks. I mean, I love it. But we know, I do a podcast with a few people, every con, and there's a joke about how often I use the hashtag fire your marketers, because it's just a bunch of fluff and noise a lot of the time, but it can be good. And this is not to talk to you guys about how to do good marketing, because you'd probably all run out of the room. That's not your path.
But what we need to do is work together to get rid of that old approach to disclosure when it comes to, not necessarily, again, disclosing the vulns and how to disclose them, but when they come on the radar of business and marketing leaders, what do we do with them? How do we make sure that there's a process, there's an approach that doesn't break more shit?

So this is something I'm very big on. I'm not going to paraphrase what's on here: if you work in the security industry, whether you are in marketing, you're in finance, any other back office, HR, and you don't care about the end game, the mission of securing people, get out. There are plenty of other things you can market, right? Flowbees, are those still around? So, I mean, get out. Security needs to be everyone's responsibility. Now, it's a little different when you get into those larger organizations, those manufacturing firms I was talking about, where not everybody at a huge, I don't know, video game company is going to care about security. But if you are on a team within that company and part of your job is to work with the security engineering team, et cetera, and they're like, this is just a job, I don't care about security, you should probably find something else to do. Because it's important that we understand what we're doing and the impact of what we're doing. And really, if I may say so, and I will because I'm holding this microphone, it's kind of a marketing 101 thing. If you don't understand your audience and the impact of what you're saying, you shouldn't be saying it. So maybe you should go work with Flowbee. So that's kind of where this starts.

So this is what I really want to focus on today. This is my... as a CMO, I'm extremely artistic, as you can tell. But this is my disclosure decision tree. And someday I will hire maybe the same graphic artist that I... hardly kidding, to make it prettier. But this is my thought process.
And this is how I operate when I'm working with the researchers and the security teams in my companies, and when I work with our researchers and with other companies on coordinated disclosure. So WireX would have been one example of that, where we had to work together on the coordination there. So we applied this methodology.

So there's a vuln. Was it shared with the company that is vulnerable or has a vulnerable product? No. Stop! Don't do it. Good example of this one, recent: CTS Labs versus AMD. You guys remember that? Where CTS just went ahead and disclosed everything and made a whole bunch of noise, and sure, there were actually vulnerabilities, but created a lot of nonsense that was unnecessary. And then also the way that the CEO kept saying, well, I'm not a marketing person, but I'm going to tell you why you're wrong, and I'm like, maybe you should hire a marketing person in this case. But just don't do it if you haven't disclosed to the organization that has a product that needs to be fixed. Obviously there are exceptions here. This is not black and white. Just stop, at least stop and think about it.

If it's a malware vulnerability, if it'll tip off a cyber criminal: so if you're one of those companies that likes to break news that you have a ransomware vaccine, and you want to share with the whole world that you figured out that there is a flaw in this ransomware, who do you think the first person is that's going to realize that, that's going to take this information and fix their stuff? The threat actor, the author, right? Don't run out with it. Don't do it like that. Work with the community that you're in. Work with your research teams, coordinate all that stuff. Don't just put it out there. I've seen that so much, and then I get really angry when I see the journalists writing about it too, because they should know better, but we'll save that for a therapy session at some point. So if it's shared with the company, yeah, consider it. Okay, you agree on a timeline, blah blah blah.
We all know how disclosure works. Is it coordinated? Are you in agreement on when? How? Who needs to be notified? What needs to be done first? What is the timeline? Are you in agreement on the timeline? Are you in agreement on how you communicate it? Who communicates it? Is it something that needs to be shared with customers? Always share with your customers first, right? Don't make a media circus before your clients are taken care of. So if it's not coordinated, stop.

Then you ask the question: is this actually going to help people if we put it out there broadly? Is this just creating something that we're hoping is going to drive traffic to a website, or is going to make us look like the biggest, baddest security company in the world? If it's not educational, if it's something that's just like, hey, we found this thing, I don't know what to do about it, you're screwed, bye: don't do it. Stop, right? If it is, if there's value, if there's something that people can learn, if you're going to do an emergency... I sound like a marketer, but that's who I am... an emergency webinar or something like that on what you need to know about this immediately, we spin those up a lot, then there's something that you can do there that actually helps people. Then go for it.

Message not scary or spun, otherwise known as FUD: fear, uncertainty, doubt. Just don't do it. I've said this a lot, I'll say it again: if you have to scare someone into buying your shit, it's not good. It's not a good product. You shouldn't have to scare anyone into using your technology or using your stuff, so there's no reason to go out there and scare users. A recent example of this, where it wasn't necessarily scary or spun, it was more stupid, was Bitfi. You guys familiar with that story? The unhackable crypto wallet. There were all kinds of issues with that. I won't get into the whole technology side of that because that is not my wheelhouse. I'll let you guys all research and debate that. But never call something
unhackable, because whether you offer a bounty or not, you're just inviting an army of people to rip you apart. You look ridiculous. And the other part of it is, sure, to us in this community, where we're aware and we know that that's a bad thing to do, we're going to question it and you guys are going to rip that stuff apart, that's one thing. But they're also marketing that to people that know nothing about security and won't question it. And I know you guys saw the whole thing about the hologram stickers. We have hologram stickers now, and if... there we go, thank you... we have hologram stickers now, and if you already have a device, we'll send you a sticker to put on your device to show that it's secure. What? So the whole message was wrong on that for so many reasons. That wasn't really a disclosure, that was just bad marketing, but it's been annoying me so much that I had to share it with you all.

This one, I can't step over because I'll get in trouble: are the researchers credited? There are so many companies that are like, oh, this is great, thank you for this discovery, it really looks better for the company if we put it out in the CEO's name or such and such company research team. Do not allow that. It's your work. You're the one putting your ass on the line, your opsec, your time, all of that. Stand up for that. And I'll go a little bit, checking time, just as we started late, a little bit more into how you might be able to do that. Researchers are credited? Yes. Researchers not credited?
No. I ran into a situation, not at my current company but a previous company, coordinating something with another company, and they were adamant about not putting the researchers' names on it, and we pulled back our support from the disclosure. They decided to do one on their own. It was a flop, they got ripped apart, the comms person got fired from that other company. It's a good lesson learned, and they deserved it, quite frankly.

So you're like, what is this chick babbling about? This is obviously... those of you that aren't, especially those of you that aren't on the business or marketing side, which is probably most of you, I appreciate you sitting through this and actually taking an interest in this. It's coming kind of out of left field. It's very rare for someone in my position to be like, you know what, my people need to do a better job and we need your help to do a better job, and all of that. So I just wanted to take a breather for a second before we get into what are some ideas. I've talked about what we shouldn't do, giving examples of what's gone wrong. I've talked about the flow chart, which is kind of dipping into what we should do, but now I want to talk about how we actually create this, like, disclosure utopia that I'm talking about. Thank you.

So this is just an idea I have. So a lot of major news organizations have standards desks. Basically the folks on the standards desks are ombudsmen or ombudswomen, and they are responsible for looking at articles, looking at content, news stories before they go out to ensure that everything's solid, it's fact checked, it's a story that needs to go out, it's a story that's not just going to go out and create chaos, right? It's not something that's going to put anyone in further danger, it's not something that's going to get them sued. There's all kinds of other things on there. But what if we had the concept of a standards desk for any team that was responsible for working with the researchers on disclosure? And again, this is really focusing, this piece is
really focusing on those vendors that are working with other companies, more than independent researchers and so on; that's a different topic. But what if we could do that? What if every company had some kind of standards initiative or standards desk when they were looking at how to take this stuff out, similar to the flow chart I just showed? This is very similar to what we do at our company, and one of the things I love about it is that everybody buys into it. It's very natural. We're a very security focused company; for a threat intelligence firm, that's obviously important.

So never use, you know, your analysts, your researchers, your engineers as a content repository. Don't just take their stuff. Oh wow, I just saw this... We see a lot of intelligence reports roll through. It would be very easy for us, though it wouldn't last long, I'm sure, for us to take those reports and just publish them as blogs. One, there's a lot of information in there that would need to be sanitized to protect tradecraft, to protect sources, to protect a customer, and so on. So we don't do that. But a lot of companies do that. They'll look and say, oh, so and so did a paper on this, I'm not going to talk to them about this because they work for our company and therefore it's ours and I can do what I want with it. That's not okay. So you need to collaborate, and that's another way to ingratiate yourself. And if you're on the research or engineer or on the practitioner side, like I said, you have every right to request and demand that that not happen.

In my team's case, we work really closely with our intelligence and research teams. So when we see those reports and we're like, ooh, shiny, I want to market this, first we do a read through for our own gut checks. Then we work directly with our head of intelligence, and I'm like, all right, is there anything in here, is there any reason why we shouldn't do this? The only thing he always asks me is, what's the point? What do you want to do with this then? So I'll tell him whatever my harebrained idea
is, and if it's safe and if we can sanitize and if it makes sense, then we'll go ahead and put that out. That's just one example.

Challenge everyone. I talked about this a little bit. Everybody in the org needs to care about security outcomes. Everybody needs to be responsible for security outcomes. We had this conversation the other day too, around enforcing everyone to care about or be responsible or accountable for security. If you work at a company where there are business units, there are going to be executives that are in charge of those business units. A lot of times they're officers of the company, which means they have a fiduciary responsibility to protect the company, and that means protecting the company. So they should be held equally accountable for educating their teams and also making the right decisions, like running any new tools that they buy, that especially might have dated it, through their security teams to make sure that they're, you know, okay to use. Double check with multiple folks to ensure that there's no FUD. Proper attribution to the analysts or the researcher. OPSEC never compromised, sources are protected and tradecraft is protected. That's the way it really should work, at least in my view of the world, and it works pretty well, I think. Thank you.

You know, like, still, why should I care about this? We can go to the next one. There's a lot of stuff that, you know, there's a lot of stuff that the more technical teams can do to help with this initiative. Most of the time it's, marketing sucks, why do they do this, did you see this thing that this marketing team did? Start explaining why. Create a culture shift. Talk to your, you know, colleagues, employers. So for instance, if you're looking at this and you're like, yeah, I work with these people, or maybe I don't work for a vendor right now but I know someone, or whoever, and I think they really need to see this or I think they need to understand this, talk to your manager or talk to that person or
talk to that colleague in the next week or so. Like, just have a conversation. Hey, I saw this talk at DEF CON, this crazy lady with chickens and demons and stuff was talking about how, wait a second, it's not all on us, and we're put in bad positions, and we need to educate them on how to better treat our research and any disclosures that we need to do. Start with that. Bring that up in a conversation. It's not a very common one, which is probably why I'm here giving this talk.

If they don't have a coordinated disclosure policy, build one. Take the initiative, if that's a position that you could be in or are in, or push someone to do it. "We are not a security company" is not a good answer. We hear that sometimes. Just because you're not a security company doesn't mean that you shouldn't have some kind of disclosure policy, as long as you're selling, if you're selling something that could potentially cause harm if anything bad happened to it. Require credit for your work. I've already been on that a bunch. Call out the marketers, but like I said earlier, focus on sharing how to do better. Like, hey, this is what happened because we made this decision. Not, you did it again, you suck. This is what happened because we did this. If they don't have an "oh no" response, again, that goes back to, should they be working in security? That's probably not for you to tell them or decide, I don't advocate that, but helping to educate is a big divide that everyone can benefit from if we got much smaller. And I think starting to actually communicate and recognize that we really are on the same teams, just different people have different experiences and understandings of what we're trying to do, and it's all of our jobs to help each other. So we can go to the next slide.

So, oh, my animation is not going to work now. That's okay. So we don't want to create risk and sensationalize anymore. And again, like I said, I keep saying business leaders as well. Sometimes CEOs are the ones that are having marketing teams do this, because they say, no,
we have to do this now. They need to be educated as well. Now, it might be easy for me to say as a CMO, I'm just telling my CEO no. Not everybody's in that position, and that's where some of the collaboration and education can help, because other folks that aren't maybe as senior in the organization or aren't as mouthy as I am in conversations, as openly... Next slide, thank you.

So I would love this to be our state, where we actually reduce harm through the ways we work with our research teams to disclose, by providing better education, by ensuring that we're not scaring the end users, we're not scaring anyone who's consuming the information, and that we're not just, you know, putting up logos and theme songs, as Chris said, just to try to get more attention. I'd love that to be the state. I realize that is very far off from where we are now, but I think we can get there, and then everybody's happy. It's not that simple, obviously. This is just kind of a primer, just a discussion for this village. But, you know, I think there are so many more opportunities that we have, whether you're a hacker, whether you are an analyst, whether you're an engineer or a marketer, business leader, sales person, et cetera, to actually understand in this industry what the other folks are doing and how we might be hurting each other at times, largely my side of the fence. And in order for that to change, we just need people to speak up and say, hey, stop messing with us, you're actually hurting people more. That's all I got, and I'm happy to take... how are we on time? I kind of rushed through since I was late. Any questions?
Thank you. So the question is, have I compared the super basic yet fantastical disclosure decision tree against other frameworks, like SEI, et cetera, for disclosure? I have looked at those, absolutely, and in building this out, I really thought about it more from their perspective. Disclosing, actually doing the disclosure of a breach or something, is more about how to maintain discipline and structure on the business side so they're not pushing the research team to do something that they shouldn't do. I don't know if that makes sense or not. So they align, but they're going to be much different steps and different thought processes in the world I live in, at least. So yeah. Any other questions?

So marketing... and so obviously the sales teams take the messaging and marketing, which oftentimes the engineers of the same company have to get in front of customers to talk about. Usually when you're getting a presentation, oh, let me skip through these first four slides, because they're the marketing side, right? But the challenge, I think, is part of the disclosure process is when marketing is just a conduit for the need to make your numbers from a sales perspective, especially the public side, at least this one, demand generation. So how do you solve that? It would be interesting if the sales person would be the same POB about their love or hatred of marketing, because I think that's the other, at least one of the other indexes. So would you see a significant gap between what the person who is in sales talking about uniforms, pretty much, do you think that they would have a marketing different perspective?

I'm not even sure how to recap that question, really. So if a sales person were to give this talk, how different would it look, given the gap between marketing and sales? There are different perspectives, because marketing is primarily a driver for sales to meet your number. So, you know, it's interesting that you ask that. Marketing and sales always have a love and hate relationship, and there's going to
be friction. It needs to be healthy friction. I tell my team all the time, they're going to blame us for everything, we're going to blame them for everything. That's how it works, and accept it, don't take it personally, just keep being better than they are. And I do have some of these conversations with our head of sales, who's great. Again, there's still the healthy friction. And we have, I think, if a sales person were to give this, they would say it really depends on who it is. If they live and die by the number and they're like, we've got to meet the number at any cost, because I've got to get my team paid and I've got to keep them motivated and the board is going to be breathing down my neck, so I need to do this, they'll be like, fuck this tree, right? I'm doing whatever I want. And that's where I come in: nothing goes out unless I say so. But not every organization is like that. But there are other sales folks, like ours, I'm pretty sure, I've never seen this, where I can say, hey, I know you guys... I know you really want to do this, we need to train people.

Going back to the comment, actually, earlier in the question, you said a lot of times marketing develops messaging, and if an engineer has the same deck they'll skip through the marketing messaging, go straight into the stuff. No one should ever make an engineer do marketing messaging, by the way. That's not their job. I don't know, that's a bad marketer. Fire your marketer. It's long-term gains, and if we miss this quarter because we decide to do something ethical, it's going to pay off longer in the business. And if we explain this to the board in a way where we're protecting their long-term investment, they're going to understand. So you just need to basically have people that are willing to speak up and not shy away from someone that's trying to scare you with, I need to make the number. Any other questions?
Yes sir. Can you repeat the situation in which that doesn't get reviewed by your... okay, so the question is, is there any instance, so if it's something created by an analyst, et cetera, that doesn't go through the decision tree? Mistakes have happened. They are quickly rectified, and then we put more process in place to ensure that doesn't happen again. Sorry, repeating the question: what mistakes happen, does stuff go out when it shouldn't? Most of my team in my current environment is pretty... anyone that has any responsibility or any ability to get anything out without my approval or my eyes on it, or one of the other senior members of the team's eyes on it, are very well trained, well versed, have spent a lot of time with the researchers, have spent a lot of time with security teams, et cetera. So there have been situations before, especially around the topics of physical security, where something's gone out and the quality of the content was really good, but I've been like, why the heck are these images in there? We shouldn't be perpetuating these images. Take those out. Things like that, where it's just a gut check thing, and then they learn as they go. But there's lots of other content, obviously, that goes out from companies that doesn't necessarily need to go through this. If you are working on an RFI, that's not going to come through marketing. The client's not going to want that; we don't want that either. It's just before it goes out to a broad base, or on the website, or through media, et cetera, et cetera, that's where you want to apply this and make sure that you're involving those decision makers.

Um, I think one more question, and yes sir. Sorry, can you repeat that? Can you hear us? ...this violation and communicate with marketing, so do you have the advice on how to report an issue? Sure. So the question is, how does a code monkey, quoting, communicate with marketing or whomever more effectively when they see something that shouldn't be done? Because it sounds like, from what you're saying, that they don't listen, or they, or
you say no and they run with it anyway, or massive misunderstanding. Got it, okay. So it's just bad communication; either it's sensationalized or it's belittled, and it's not as effective as it could be. So some advice there would be, and you may already be doing this, but just for, like, the broader room, anyone else might have this question: start by asking questions. Why do you want to do this this way? Why do you think it's important to put this out this way? They might not even have an answer. They might say, well, this is the way we've done it in the template. Sadly. Why don't you think about this another way? Sounds familiar, right? So that's one way to go about it.

The other thing is, especially if it's something, for instance, that's customer facing, if there's something you disclose to customers, say, look, it is your responsibility to make sure that we communicate clearly to our customers and make sure that they understand. Because this is where you appeal to their pain point: if they don't understand, we don't properly inform them, we don't help them the right way, we're going to churn these customers, and it's going to be because of bad marketing. So marketers, I just said it myself, churning customers, and it hurts, because you're responsible for not making that happen. So I think a lot of us in delivery, appealing to... a lot of times, I think what I've seen with code monkeys, as you said, coming to the marketing teams, is, I've said you can't do this because of this, and I saw this and this and that. They don't understand what any of that means. I don't understand what any of that means. I just understand this conceptually, which is what I'm here to do, quite frankly. But if you appeal to the things that are important to a marketer, making the numbers, good reputation, telling the right story for the company, not pissing people off, not getting in trouble for getting in the way of sales conversations. And if you're talking to someone and they're not listening and it really is an issue, escalate it. Go over their head.
All right, I think that's it. So what am I doing with this? I have a Packet Squirrel, nuts for networks, to give away. To whoever... actually, I'm going to give it to you, because that was a really good question. I'm going to give it to the code monkey question, right?