 Let's give our attention to Michael Zenko. Thank you very much. It's a daunting thing to speak after Billy and before you get to leave and go drink. So I understand the sandwich that I'm in. I actually, this is my fourth time coming to SC Village and I applied to speak here after having heard Billy Helen Thackeray and Jason Street speak a few years ago and I thought, you know, I've failed to get into so many cons. I sent papers too. I thought they might be the one that I actually get into. I'm grateful for this opportunity. I want to talk about red teaming which is going to be a little different than the red teaming you're used to because to me it is not a cyber thing. As you'll see in a second, I have no certifications. I'm an imposter in the hacker world. But red teaming to me is really a mindset. It's an approach and a series of techniques. So I'm going to talk through a couple of those and sort of demonstrate how you can apply some of these to your own life and to your own jobs. So first, who am I? I work at a 120 person consulting firm outside of D.C. where we do a lot of change management within organizations and leadership development. I spent a lot of time doing national security writing in my background at Harvard at the Council on Foreign Relations. I write a column at foreignpolicy.com. I do have a Ph.D. in political science in Wisconsin bartending license and as I mentioned, I have zero certs. These are some of the books I've written. One on the far left side for you came out of Yale University Press three months ago. It's basically a document how to avoid fear mongering that political leaders and corporate leaders try to instill upon you. But before we get started, I just want to invite you to take some time and to read this quote and to think about it. If you don't know who Thornstein Vaiblan was, he was an economist born in Norway out of the University of Chicago. And what he's talking about is a time when people were coming out of craft and agricultural traditions and coming to work in manufacturing. So if like me, you ever grew up working on farms, you literally have no idea what you do each day on a farm. It depends on the weather, on the crop rotation, whether livestock have gotten out, whether your machinery is broken, whether you have fertilizer or seed, you have to apply a lot of thinking and a lot of strategic planning into farming every day. What Vaiblan realized was that people were coming out of craft and agricultural positions. Basically two thirds of all Americans did this in a 50-year period. And the goal was to de-skill the American human. The goal was to make them do easy replicable, repeatable, and teachable skills over and over again to break them down into component parts. If you know Frederick Wilson, Taylor, and Henry Ford, they were sort of the perfectors of this. But the goal was to de-skill people to avoid critical thinking at the job site. And the way I like to describe this is you do this also at your jobs. So think about what you do each day, whether you work from home or you go to a job, right? Nobody decides then and there what to do at 9 a.m. each day. You have a series of expected dress. You have expected rituals. You have norms and cultures. You greet people in an expected way. And over time, all of these behaviors, these customs, this conventional wisdom, the culture, it shapes and limits the way you think. You go from being a free-thinking individual to the person you are at work, which is not a free-thinking individual. The best demonstration I had on this from me was a woman who was the deputy director of intelligence for the CIA for many years. And if you've ever been to the CIA headquarters in Langley, Virginia, you turn into this wooded lot and you go around a long driveway and you park by the old headquarters building. And she said to me, every day I turned right into the wooded lot, I changed. I became a CIA analyst and I stopped thinking. And I thought, well, that's serious. But that's the way we go through life all the time is that we simply become ossified in our jobs. So why red teaming? Well, there's two reasons. The first is what's between our ears and the second is what's between all of us. So the core reason you can't red team, and this is the theme of my research and all of my work, is you can't grade your own homework. If you asked me if I'm smart or charismatic or handsome, you shouldn't believe me, right? Because I have no reason to be honest with you and I have no ability to evaluate myself uncritically. But similarly, all organizations are systematically incapable of identifying their blind spots, challenging their assumptions, really seeing things from adversarial perspectives. But a lot of organizations think that they can grade their own homework, but they actually can't. And there's a couple reasons you can't. Again, the first one is what's between our ears. Cognitive biases are these mental shortcuts, these heuristics, these rules of thumb that have developed over time that allow us to get thought through the consequence of everything you did, what's called effortful cognition, you literally wouldn't walk outside of your door, right? So you allow these shortcuts to happen all the time. The problem is when you have to make consequential, novel, and strategic important decisions, that's when cognitive biases interrupt your ability to think. I just want to talk about two. And the first one is the man on the left you should all know, Christopher Latham-Scholes, we have Christopher Latham-Scholes invited, he invented the Kordi keypad. He was a typesetist in Milwaukee, Wisconsin. He was basically looking for a way to do newspaper printing faster. And he came up with Kordi as a system after about 30 different patents. The system that he came up with, it's a big debate within historical technology, science scholars whether Kordi was designed to make typing slow, but the truth is it is slow. Because it's left-hand dominant and the letters that commonly appear together in words are spread throughout the keypad. Scholes sold the Kordi keypad to the Remington rifle company in 1870 and over time it became widely adapted in all keypads that exist. Basically through early printing exercises, if you wanted to become a typist you sent away for subscriptions to become a typist and then over time every keypad developed Kordi. There is no reason for Kordi to be the keypad you use. You can use any keypad you want. It takes about three to four months to train yourself out of it and you will type 30 to 40 percent faster. And I promise you nobody will leave here and do it. And the reason is you have taken Kordi to be morally correct. It's the most efficient and effective way to do this, but I always invite people to think about within their own lives and their own jobs, what is your Kordi? What is the thing that you take for granted but is in fact a horribly inefficient way to do this because we have these over and over and over again and that's the first bias, status quo bias. The second one is blind spot bias and this is the metabias of all cognitive biases. This is the belief that I'm less biased than my peers. So this is demonstrated in this famous study by Irene Scoboletti. If you get a chance to look at it they looked at 7,700 Americans. Only one in 7,700 Americans who took a cognitive bias test said that I'm more biased than the people who thought they were less biased. I have really bad news for you. You're all roughly equally biased but we all like to believe we aren't. Similarly if you ask doctors how many of you as an individual doctor are influenced by pharmaceutical sales gifts that you get from sales people? 20% of doctors admit they are. They say how many of your peers are influenced? They go 80%. Because I am able to be shielded from the influences that I have. So blind spot bias is one found in all peers. The second is organizational pathologies. And the first one is group think. So if you know about the history of group think this was invented in 1972 by Irving Janis. And it's basically the illusion of unanimity. And the truth is we care tremendously about the impressions we make upon our coworkers because we spend a third of our lives at work. And so we do not tell people we work to maintain unit cohesion, morale, a good culture, you don't want to be an outlier. And subsequently we basically refrain from telling people what we think. And the truth is you can get the most diverse composition of people. Age, race, gender, historical experiences, background. And over time you put them together they start to think alike. This has been demonstrated after study, after study, after study. The second organizational pathology is hierarchy. And I love to read leadership profiles because they're pretty absurd. And every leadership profile I've ever read basically makes the same, every leader claims the same three things about themselves. One, my door is always open. Anyone can come in and tell me bad news and in fact I welcome it. The second thing is I have a relatively flat organization. And people who just came in or have been here for 50 years can equally come in and tell me the bad news because I want to hear that. They think they know what their coworkers and their employees think and they think they know what's going on in their organizations but we know they don't because as people reach higher and higher level positions they become highly overconfident and they become less willing to listen to bad news. And the truth is people actually don't voice up dissenting viewpoints to their leaders. In survey after survey the reason they don't do it isn't because they think they're very tallied against the idea or dissenting appealing is pointless you stop doing it. And what business scholars find is you start doing what's called voicing sideways which is basically gossiping with coworkers. And the point of all these pathologies as Pac-Man demonstrate to us is you can have the best strategies, the best plans, the best processes, the best people if you have the wrong culture it destroys them. And culture is harder to measure because it's in the walls of where you can get your information or rate and data or spread sheets. So most of us have difficulty capturing it or understanding it but it's the most single biggest inhibiting factor in organizational productivity. Now the interesting thing is we like to tell ourselves that we could sort of like blind spot bias overcome these sorts of inhibitions between ourselves, between our ears. If I wanted to I could think about it but the truth of the matter is in every organization I have studied Mavericks are systematically hunted down and killed. And the reason is they are a problem. They're a difficulty to the conventional wisdom, they challenge leadership, they challenge the core beliefs of the organization and the mission and the values and either Mavericks are hunted down and killed, they're shunted off to themselves. You probably know one Maverick or two, you may have been that person. It's really, really hard to be a Maverick. It's exhausting at your workplace, the surface acting you have to do, the way you have to inhibit yourself, it's really, really hard but we like to believe that we could be free and I always like to show these this is advertisers know this about ourselves so this is an advertising campaign for a lot of these people. Right. But we can't. Right. And red teaming is basically an acknowledgement that we are systematically incapable of grading our homework and organizations are as well. So it's a way to become semi-independent from institutions in order to better understand them and I just want to talk about two historical examples of it to get a sense of if you know the history of the devil's advocate this is the first example of an institutionalized red team in the United States. And the first example of this is a red team that was formed by the local people basically decided through acts of proficient face who would become canonized as a saint. What happened was Pope Gregory the 11th, I'm sorry the 9th and the 13th century he decided no, no, no this isn't going to work. I want to centralize this with the Vatican because the reason people were made saints locally was designed to do nothing but find disconfirming information about somebody who was nominated to become a saint. In 1982 the position was eliminated by Pope John Paul II and subsequently more people were canonized in the next 25 years than had been in the previous 1900 years. And the lesson is the independent adversarial check within the institution was eliminated and subsequently the incentive structure of the organization changed overnight and Pope John Paul II himself was canonized 12 years after his death which is the fastest time ever for basically any proficient member of the faith. Second if you know the history of red teaming it was basically started in the late 1950s. Red was the Soviet Red Army and at the Rand Corporation in Santa Monica California and in the early days of the Kennedy administration the Pentagon they started to model how would the Soviet U.S. strategic army come through the full gap so red became synonymous with adversary so every time you hear red teaming it basically traces back to late 1950s as the Soviet Red Army. If you want to spend a little time this wall of old white men is sort of the foundations of the basic underpinnings of red teaming. It's brainstorming, behavioral sciences, game theory and or theory. Take some time to read some of the works of scholars almost either patents have run out or people feel free to copy it. So there's a couple types of red teaming and I'm not going to spend any time on vulnerability probes because that's what you all do for a living. You break into things but the sort of red teaming that I'm most interested if you think in a 2 by 2 quadrant you can red team operational or ideational you can red team yourself or an adversary. Which is how does a bad guy break in. The hardest red teaming to do is your own ideas and your own thinking. And pentesting your thinking is essentially what the sort of red teaming that I'm going to talk about is. So the first type is simulations. This is basically if you have a playbook, if you have a runbook, if you have a product coming out, if you have a strategy coming out, the people who write a plan, a strategy are thinking about it. If you have a market they simply cannot see the downsides of it. They become boosters, enthusiasts and cheerleaders of it so you have to use simulations to try to envision all the ways it could fail to test the roles and responsibilities when it happens. I do this for large banks largely because one of the things we have found is when banks suffer data breaches the default position of the board is that they are involved everybody in the C-suite as well as the board. And so we force the board to come to uncomfortable decisions that the CISO can't make because they don't involve simply technical issues and network issues. And you do these sort of simulations again to clarify roles and responsibilities and to build trust. Because in all of my research the single biggest thing I've discovered is you don't build trust in crisis. If you don't test it ahead of time you think through the downsides of your strategies or your plans you're going to miss out. The third type of red team is alternative analysis and these are a series of the techniques. If you want to learn more about these just Google red team handbook volume 9. This is the U.S. Army's handbook. They have some examples of this. It's a common language the techniques I use are a little more tailored for the private but these are some of the exercises that we use as alternative analysis. And to give you one example of how this has worked recently within my field. I did a one day red teaming event just a couple of months ago for a 100 chief nursing officers at a huge healthcare company. These nurses had learned that their rounding strategy had failed. So if you know what rounding is it's when the doctors, the nurses, the pharmacists, the physical therapy they've learned to patient to patient to patient all together because they've learned when they have a common picture of patient care the improvements are markedly higher on two metrics that they care about which is days of patient in bed and patient satisfaction in post event surveys. So these nurses had found out that their rounding was not working and the reason it wasn't working was because the doctors didn't show up. Basically if you know anything about it, so the doctors systematically didn't show up and it was failing and it was failing so I led these nurses through a pre-mortem analysis strategy. I said I want you to imagine that we're back in this room a year from today and the rounding strategy has failed completely. It's been a total failure. Now I want you to write down all the causes and reasons that could fail and I said but you can't blame the doctors. And it was interesting because their pen you could hear them screech in midair because they were primed to blame because what they learned was that they actually had a tremendous number of problems that had nothing to do with the doctors which was that they weren't trained to a common standard. There was super high turnover. If you know anything about nursing turnover is really really high. A couple thousand dollars can move hundreds of nurses from one organization to another. The third thing they learned was they had never connected in real time with the patients families and so what they did as a result of this exercise was they trained to a common standard. They paid for the nurses to reduce attrition and then they set up a system where they would notify 24s in advance by text the patients family members to be in the room at the same time. And within three to four months they noticed tremendous difference in patient satisfaction and the reason was I'm a disinterested outside facilitator. I have no vested interests in the outcomes. I'm just good at facilitation and I changed the way that they thought about the problem and that's when red teaming changed. It's when you have an ah-ha insight that the participants reach collectively that suddenly changes the way that they see problems and every engagement I'm in that's what I'm ultimately fighting for. I just want to share a couple best practices of red teaming. In my book Red Team I have like six of these but and I have this warning by Greg Fontenot, old friend of mine who created Red Team University at Fort Leavenworth. We don't trust anyone who tells you best practices especially a consultant. But two of the most important ones is first senior leadership has to care. And as I pointed out earlier senior leaders often don't care and the reason they don't is because they think they know what's going on in their organization. But if the boss doesn't buy in resource a red team, authorize their access and then do something with their findings literally nothing else matters. So I'm often spending a lot of time with CEOs and COOs because I always describe the first act of red teaming it's really therapy which is what do you think you care about most because they don't actually know what they care about most. You have to leave them through a series of questions to get to the root cause of what they're trying to defend, protect or think differently about. You have to be really really sensitive to do this because they have big egos. The second and the last best practice I'll just share here is you have to be willing to do something with the findings because I always tell people to do red teaming and to ignore what the group tells you is worse than not doing it at all. Because you have signaled to the organization that this is a place where dissenting and challenging viewpoints aren't welcome. And if you don't do it if you don't do it once try doing it a second time people won't even participate. They won't even engage with it faithfully. Finally just a couple tips on how you can be a mini red teamer in your own life. As I said earlier you can't grade your own homework so be skeptical of what I'm telling you. But this is what I have found and I've been studying writing and doing red teaming for a dozen years and this is what I have found tends to work best at a sort of individual level. The first is recognize and mitigate against your biases. This is the list of cognitive biases on Wikipedia. It's a great great website. There's over a hundred documented cognitive and social biases and the thing they've learned in de-biasing or mitigation bias training is that it basically doesn't work when the prompt is evaporated. So you can be trained to de-biase but once you're deployed in the field and the prompt is not there for you it doesn't take effect. The same biases inhibit your decision making and your judgment. So what you really need to do is bookmark this page the next time you're making a consequential decision look at it. Be honest with yourself. Try to understand which biases is it anchoring is it confirmation bias is it endowment effect. What is the thing that's making me make the choice and the judgment that I'm making and they're all there and they're all free second and this relates to confirmation bias is you basically have to read outside of your interests. Most people the internet has limitless opportunities for you to read. The average person looks at 10 to 12 websites a day and over the course of a one month period there's almost no variation in what people look at. If you simply read about your own profession and your own interest that's maintenance that's not critical thinking. You have to actively listen and read outside of what you typically do and these are just eight things that I recommend I try to rotate my eight outside interest every year or so. All of these are free you can read a tremendous amount of things because it's when you get outside of your problem set when you read about things that you don't nearly experience every day when you read history when you read sociology when you read behavioral sciences scientific interest that's when you see your problem differently so you have to make an active effort to read listen to watch outside of what you normally see. Third and the final one last thing after this is you have to learn how to voice up effectively and as a senior leader as you get older is how do you receive voice. This is one of the things that I teach and I train at McChrystal group which is most senior leaders think their doors open it isn't why not well the reason is they exhibit a lot of behaviors that tell us I don't want you to come in so these are things like power cues. Power cues are nonverbal signals that tell people I'm not interested in talking to you. This can be being really well put together in your dress having a cold and distant office setting having an online social media profile where you're like free climbing up the side of El Capitan like that's terrifying. If that's the if that's the image you want to impose upon your coworkers they will not voice they will not come to you with bad news similarly there's ways to voice up that is more positive that is pro-social that is tied to the mission of the organization because if you don't tie it to the mission of the organization you have a plan to do something about it just sounds like bitching and this is the final slide which is and this is really the next step of my research into innovation and create individual creativity is how do you create adjacencies in your life and remember I said earlier you really think about your problems differently when you get outside of it so the first thing we have learned is if I tell you to sit at your desk and think outside of a box it's impossible you have to physically remove yourself from where you work every single day in order to think differently about your problem set similarly the create moments of transition if you know the University of Chicago philosophy professor and I love to say his name Mihai Ciazmi hi he wrote flow and creativity and he admitted that the highest performance creativity activities take place in moments of transition so it's not when you're working on it it's when you walk away from it it's when you go from a jog it's when you have as I notice here incidental concept crystallization it's when you talk to somebody outside of your sphere your business unit your team about the problem you're working on and then suddenly it comes to you and the final thing is incubation problem set you have to step away from it especially if you want to have a novel and creative and different approach to it you have to be willing to dive into it immerse yourself in the details and then forget because the further you dive in the further you immerse the more anchored you become right so these five sort of techniques that I have found tend to be and there's a lot of terrible social science when it comes to creativity studies that don't replicate or you ask really creative people science known as selecting on the dependent variable doesn't tell you how to live your own life but these are the five that I have found to be the most consistently useful in a lot of studies so with that I'll stop and take questions I finished on time I've learned the surest way to make nobody ask a question is you say if there's no questions we can all go home so you all literally get to drink but we have a question how do you offer criticism most people tell you about the quote shit sandwich which is give something uplifting and positive then give you the bad news then leave on something uplifting and positive a lot of research finds that we receive criticism better from peers than from senior leaders so if you're a senior leader and there's a problem with a co-worker or there's advice or there's insights you need to give them basically have somebody at their level tell them because they're much more receptive to it they don't feel the anxiety, they don't feel the threat and similarly it has to be they both direct and actionable if you give people fuzzy imprecise advice on what you can do differently you literally have no idea what to do with it it raises doubt and confusion about them it makes you think that the advice given is not helpful so find a peer to do it make it actionable yes sir that's a really good question which is how do you get buy in for people who are going to engage in a red team exercise I'm leaving on Sunday to do a three day red team engagement with a Fortune 10 company they're about to do one of the most capital intensive investments they've ever done I have spent there's 22 participants in it 10 people from the strategy itself and then 10 outside cold eyes people I have spent the last 6 weeks interviewing every single one of them I've flown and met with them I have sent I have created the emails that their senior leaders send to everybody to make sure that everyone knows why they're there it's not a waste of their time there's no it reduces the probability of gossip or uncertainty and you have to have that sort of pre-gaming care to I would say assuage the concerns that normal people should have when they experience red teaming because the leader of this group I'm about to red team he worries that people are coming to grade their homework his homework so he's really resistant to it and I've seen nothing but try to make him recognize this is not about what's wrong with your strategy this is about finding vulnerabilities and risks that you otherwise could not see in order to reduce the probability that they occur do you need multidisciplinary effects or personalities in cybersecurity information security yes people with high technical proficiency there's this phenomenon called the tyranny of expertise so to become an expert you have to learn a ton about your field you have to become deeply immersed in it you have to learn a lot of trade craft techniques you have to learn a lot of language you learn acronyms you learn vernacular you learn mores over time that makes you really really really good at one thing but it makes you harder to see discontinuities and wrinkles in your problem set so that's why you need diverse teams including people who have no backgrounds whatsoever in information security alright I think we're done and I'm grateful for everybody for grabbing me afterward I'm obsessed talking about red teaming tell me why I'm wrong thank you