
This webcast was originally published on September 25, 2024.
In this video, Josh Mason discusses the principles of influence and how they can be applied to cybersecurity. He delves into using techniques from Dale Carnegie and Robert Cialdini to build better relationships within a company, particularly focusing on how to gain support from upper management for cybersecurity initiatives. From understanding reciprocity to utilizing social proof, Josh provides actionable insights to help cybersecurity professionals be more effective in their roles.
- The importance of building genuine relationships and showing sincere appreciation in professional settings.
- The concept of reciprocity and how small gestures can significantly influence others to reciprocate positively.
- Utilizing social proof and proper messaging to influence and motivate others towards desired actions, such as cybersecurity compliance.
Transcript
Josh Mason
So welcome to my talk. This webinar, one of the things that I’ve learned over the years, it was a weakness that I’ve had for a long, long time.
The ability to interact with people and actually like get things done, have an influence in people’s lives, was difficult for me.
And I grew up very Type A personality. I was a pilot, I was in the Air Force, very, I know what’s right, I know the best things.
And then like just trying to convince and debate people to get things done of like, oh no, it should be done this way. And I got a lot of feedback on, you’re hard to work with. I got feedback on, you’re not going to get things done well that way.
At one point, I finally realized I needed to look out, reach out to mentors and get some help with it. And everyone, everyone said, read Dale Carnegie’s how to make friends and influence people.
And so that is now one of my favorite books. There’s several people out there who I might have sent you an ebook or an audiobook version because it’s one that I send to people all the time, because I think it’ll change lives.
And I listen to the book probably two or three times a year on audio, on my audible. And so like when I listen to it now, I think about how I can utilize some of those things in my life.
And I’ll go into more detail in a few slides. But I just want to start off with what we try to do in cybersecurity is often looked at as being additional to the company, being a cost center, being a thing that gets in the way of business.
And so much of what you’re trying to do in a company, in a relationship, in sales, comes down to messaging and how we approach the situation, how we approach the people, and how we approach kind of the relationship.
And so I’m, I’ve taken some of those principles and put them into the context of cybersecurity.
So let’s dig into that. So I want to start with what’s everyone’s favorite cybersecurity, IT, or con man movie or TV show?
I know they’re like, I like Hackers. Mr. Robot. So a lot of people like Sneakers.
Sneakers never felt real to me. Whereas Hackers, for some reason, does. IT Crowd is a good one.
Sorry, I am looking at chat. Live Free or Die Hard. That was a good one.
A lot of Mr. Robot and Matrix fans and we have the state. Very nice. The Black Hat movie.
So in so many of these movies there is that exact challenge of trying to get a message across to individuals, to the business, to targets, in many of them you’ve got, we’ll say bad guys, who are trying to steal things or break things or get information.
And they’re going to utilize social engineering tools. Well, social engineering is just that.
It’s a tool. It’s neither good nor bad. A hammer. Hammers are neither good nor bad. It’s just a hammer. You could use a hammer to build a house or treehouse or a birdhouse.
Or you could use it to put a hole in the wall or in a person. And it’s really in how you use it. Right.
And even if you’re trying to do good things, you might smash a finger. So with a tool you can do good things and you can do bad things. It really comes down to the intent and what you’re trying to do behind it that will affect the results, how you utilize the tool.
So I want to break down a few scenarios that we can use for context as we go through, a few different situations as we bring up some of these principles.
First, I want to introduce the idea of a new professional, someone who may be out of college, new to cybersecurity. Maybe they transferred in from another career field, and they’re trying to influence getting MFA across the network, across the enterprise.
And some people who might be in chat have stories of trying to implement MFA everywhere. And the feeling that it gets in the way of business, that it makes things more complicated.
There’s worries about needing to add software that costs more money. There’s a lot of things that might get in the way of that. We will keep that as one example.
One scenario that we can attack, we can work through. What about a manager, a manager who’s trying to get a phishing filter put onto emails?
They know that our number one vulnerability is through our emails. And that if we put in some tools that were able to block malicious IP addresses, malicious URLs and domains, or even stop people from being able to click into external links or download external documents, that would secure the business.
But again, running into a lot of backlash from other managers, from folks outside of IT and cybersecurity.
So again, another scenario to keep in mind that then how can we attack that problem utilizing some of these social engineering and influence techniques?
Sorry, shouldn’t be looking at chat, but Roswell did point out, I do have the flag right there for that reason. Exactly.
And then finally, let’s look at the executive. So, CISO, a director of cybersecurity, one of the top people in the organization, focused on cybersecurity.
They want to make a new software investment, perhaps an EDR or an XDR solution, maybe putting in a new firewall or adding a new service provider for a new security control that they want to implement on their roadmap.
But they, it’s a big investment, big capital investment. It’s not just that it gets in the way of, gets in the way of some people’s work, but they have to really budget for it.
So how can this executive sell to the CFO the value? Because we all know that it is a value to invest in cybersecurity, but too many companies look at it as a cost center.
So is there a way that we can change our messaging, that we can change how we interact and influence the company in order to meet our goals and make it the company’s goals at the same time?
Perhaps you’ve got the, you’re an incident response lead, and I’m trying to give a lot of different examples. That way, it helps you to frame whatever’s closest to you, because I know we’ve got all sorts of people in this webinar, all sorts of people are going to watch this.
So I want to give you several frames of reference that’ll help solidify this in your life or help relate it to you. So, incident response lead, a security breach has occurred, and the leader, the incident response lead, needs to manage both internal communications and external communications, keep people from panicking and talk to the media.
Who are, when people start asking questions? How does this leader influence others to stay calm and trust the incident response strategy and process, rather than trying to jump in and take control and manage things from the outside?
How can they show what right looks like as the incident response professional whose job it is to be great at that?
And then finally, cross-department collaboration. So much of what we do in cybersecurity is going to be based on other companies, or not other companies, other parts of the company.
So many organizations have a siloed structure. Sales does sales stuff, marketing does marketing stuff, dev does dev stuff, and cybersecurity does cybersecurity stuff.
Well, do we have emails going out that are going to get blocked by phishing? Do we have cybersecurity in our DevOps cycle? Do we have a DevSecOps cycle where they’re integrated?
What about our repositories and the whole CI/CD pipeline? Not just is our software going out secure, but is our infrastructure for managing that, is that secure?
Because that might be separate from the infrastructure for the rest of the company. How are people gaining access to GitHub or GitLab? Are there SSH keys?
Who’s managing those? All sorts of things that are going to be cross-departmental. So how can we best deal with those, with those challenges?
How can we foster collaboration and build a culture of shared responsibility for cybersecurity?
So I’ve presented a lot of examples there. Did I miss anything or did any of those hit with you? Like, that is exactly what happened to me last week, or this is something that I’ve run into, or is there something that I missed that
you’re like, I’ve seen this a lot and I think it relates? If you’ve got them, throw them into the chat. Again, this is way more interesting if we do this together.
Thanks, Linux girl. I see this a lot and I relate.
Apparently I did well because a lot of people are relating to this sales engineer. It’s all about persuasion. Yes. I happen to be the head of sales engineering.
This is my bread and butter. Thanks, Ryan.
Hmm. Explain the cost of not doing anything. Yep. A lot of people see this with MFA and password policies, and everyone wants to know about money.
That’s. You’re getting to it. You’re getting to exactly what I’m leading into. Love it. Love it. So these principles are not my own.
They’re also not really these guys either. These are principles that have been identified and highlighted in Dale Carnegie’s and Cialdini’s books.
But they’re universal about humanity, universal about society. And I’m gonna put a little bit in there, at least Western society.
Both of these guys are white men in the US in the past 100 years, so, grain of salt.
But Dale Carnegie, he started up teaching a lot of this, how to make win friends and influence people. Back in the 19 eight, like 1918 I think, is when his class started.
So we’re talking about principles that are over 100 years old. When he put together a team to research how to influence people, researched how to make friends, how do we improve those relationships?
And the reason we’re talking about it now is because it is still so vital now. A similar and yet still wholly separate way to address it was what Robert Cialdini did.
He’s a psychiatrist, psychologist, one of those, PhD, who researched how people influence others, more modern research, both in con men and social engineering, how salespeople are able to influence customers.
And in his book, it’s a mix of things that you could do if you wanted to influence people positively, and things that you might see where people are trying to control you and influence you, and things to look out for.
Again, it’s that hammer. You can use it for good, to make good points and to help people.
Or you could use it to control people and convince them of things that they might not otherwise be interested in. We have the whole social engineering village at DEF CON and the CTF around that, where folks are utilizing a lot of these same techniques to gather information, to get details about a company.
And if you haven’t heard about it, definitely check it out. It is really cool. Alethe won a year or two ago, and she’s got an episode on Darknet Diaries and I think Phillip Wylie’s show.
Anyways, a lot of those same principles are things that we can use to develop and grow our relationships and improve how we can work with colleagues, with CFOs, with customers to be more effective.
So that’s what I want to get into. One of the baselines for ethical influence.
I’m a philosopher, I’ve got a minor in philosophy, so I like to claim being a philosopher. Immanuel Kant said rational human beings should be treated as an end in themselves and not as a means to something else.
That means we don’t want to utilize people to get to something that’s wrong. We’re human beings who have value in ourselves.
If we try to take advantage of people to reach a thing, one, it’s just generally unethical, and two, people are going to notice, and those who catch on to it are going to then have a negative feeling about you.
And really, that is an abstraction from the golden rule. Treat other people as you would want to be treated. If you get back into Buddhism and Zoroastrianism and some of the Vedas, it’s do not treat people how you do not want to be treated.
So if you wouldn’t want it to happen to you, don’t do it to others. Right? Let that frame then how we’re going to use these tools of influence.
If you wouldn’t want to manipulate someone negatively, or if you wouldn’t want to be manipulated, then we shouldn’t do that.
Number one most effective tool is to become genuinely interested in others. If you want to influence other people, make them enjoy your presence.
This is, I don’t know if that’s like a breakthrough for anyone, or if that seems obvious, but it was something that I had to learn.
And it is so powerful, if you can sit down and talk with someone and have that conversation of what they’re interested in, what they’re trying to get to.
Let’s go to MFA. You want to influence getting MFA across the enterprise. If you can connect to the leaders, connect to people who, they’re at that company for a reason, right?
What is their genuine reason for being there? What are they trying to get to? Objectively, what are we trying to do? And if you find out they’ve got a love for customers, they have a love for the product, they have this thing that they really enjoy doing, and that’s why they’re here,
you can use that. Or if there is a business goal or a business objective of making our customers trust us or handling their information and being good stewards of our customers’ and our clients’
data, that then becomes your ingest. Now, you’re not trying to sell MFA. Now you’re trying to help with ideas that will reach those objectives.
And it’s, again, we don’t want to utilize people as a means to an end. Instead, we want to help them.
So your approach then becomes, you’re interested in this. How can I help you reach your goals and your objectives?
The crazy thing is, you do that for them, and you reach your goals and objectives because that’s where you got your goals and objectives from, right?
You’re at that company doing that thing, doing cybersecurity, for the purpose of what this company is interested in, right? So you’re trying to find that common ground, and if you can approach it from the friendly side, what are they like?
Why are they there? What are they trying to achieve, though? The really crazy thing is, it doesn’t even need to be business related. If you make friends with people in the company who are outside of cybersecurity.
They’re into mountain biking, they’re into fishing, they do, I just saw someone mentioned Lucifer show.
If they’re into improv, it’s like, well, if you attend an improv show with this person and get genuinely interested in who they are and what they’re about, I don’t want to say, then you can use them and have a nepotism means to an end sort of thing.
But, frankly, you’re going to gain a friend and probably an ally, someone who trusts you because you’ve invested in them.
That’s one of the things I want to hone in on. If you’re genuinely interested in others, others are going to be genuinely interested in hearing about you, what you’re interested in.
And I’ll get to reciprocity in a minute, but that is kind of a bit about it. Giving honest, sincere appreciation is another one of Dale Carnegie’s principles that works really, really well for what we do.
If we show that we appreciate the work that other organizations put in. You’re the CISO and you’re trying to get the CFO to approve this budget for the next year.
You go in and it’s your friend who you talk about, the soccer practice that they were at all weekend or the soccer tournament they were at all weekend, and your favorite shows that you both enjoy.
You start off your meeting with that, what we talked about for genuine interest in other people. And then you start with honest, sincere appreciation, like your CFO has put in a lot of hard work.
They are a big part of making sure the company is profitable and that we are not budgeting money here and that we’re meeting objectives there and that we can get funding.
They do a lot. And if you can show that you appreciate the effort that they’re putting in, that is wildly going to be more helpful for you, getting your budget, your budget item across the line than explaining how valuable it is to stopping attackers.
Because you care about attackers. They care about bottom line and profitability for the business. And now, if you show interest in them, if you show appreciation for the work that they’re doing, they’re way more likely to be interested in hearing about your insights and your thoughts about this.
And that leads into a couple other principles of influence that I’m going to cover in a second that are less about actions we can take and why they work.
So Cialdini spends a lot of time focusing on reciprocity. There is something within human beings where if someone does something for you, subconsciously you’re going to want to do something for them.
And it is so wild how well it works. It is. It doesn’t have to be grand gestures. It doesn’t have to be big things.
Both Dale Carnegie and Cialdini talk about the power of a smile and a, hey, how are you doing? The ability to start off friendly.
And actually the comparison to a puppy. I’ve got, we got puppies by my feet right now. I was going to share them with you, actually.
Everyone likes puppies, right? When I wake up in the morning and get the puppies out of their kennel, they jump on me and want to lick my face.
And they are so excited to see me and it is impossible to be like upset about that.
It’s an amazing feeling. If you see a friend and they smile and they greet you and they’re excited to see you, it is really hard to not reciprocate on that, to not also feel excited to see them.
So in that same way, if we show up, willing to help, willing to help marketing, willing to help the CIO, willing to help the CFO to meet whatever their objectives are, the crazy thing is, it might not even be a lot from you.
It might be doing some research, it might be changing one of the like little rules that doesn’t affect security, but is set in a way that’s not helpful for them.
All we have to do is find out what it is that we can do to help. And one, it’s good to help other people. So like let’s have that be the thing.
Cool thing is, if you help them, they are so much more likely to help you. Some of the research that Cialdini did was like small acts, small acts of helping people, like giving directions or holding a door and then turning around later and being like, oh, I don’t have my wallet, could you buy my coffee for me?
And you’re like, well, would that really have a big influence? And the wild thing is that it does. A small thing like holding a door, which a lot of people might say it’s just good manners,
I’d be one of them, still instills this, triggers a sense of reciprocity, of oh, you helped me, now I’m going to help you.
Because it’s subconscious. It’s not an act of thought, it’s just something that occurs in our humanity. Knowing that if you go out of your way to try to help, just because of the case of reciprocity, so often other people are going to help you.
If you need a reason to be helpful, which I doubt you do, but if you need a reason, knowing that it’s going to have benefits in the end is valuable, think about how this can affect what you’re doing in some of your objectives.
Getting budget passed, changing software, getting MFA implemented, and even our messaging, our messaging during an incident response.
How can we be genuinely interested in other people while we’re handling an incident response. Well, what do stakeholders care about?
What do our clients care about? Reaching out and being genuine with them and trying to give what you can.
We’re in crisis. We’ve got ransomware, a data breach. We’re trying to figure out how we seal things up, get the bad guys out.
But is there messaging that we can put out of, we care about what’s happened to you, and we are working towards making this better. And we know that it is our responsibility as the stewards of your information to do the best that we can here.
What we would also like to do is a small gesture of this, that, or the other. Crazy that works. Those who tune into the news on Mondays or Gerald Auger’s Daily Cyber Threat Brief often hear there’s a data breach.
So you’re going to get an email saying, here is free identity theft protection software. That is still effective because of the case of reciprocity, even though it’s a tiny thing that might not actually help you.
It’s like the company holding open a door. And because they’ve held open a door, now, you’re like, well, a lot of people, you’re like, well, they’re trying, they give you the benefit of doubt.
Their reciprocity is giving you the benefit of the doubt. Isn’t that wild? And that’s why they do it. Not because, I mean, hopefully they do it because it’s a good step to take, it’s a good thing to do, but also it actually works really well in de-escalating a lot of your external stakeholders, like fire and anger.
Social proof. The funny thing is, we utilize social proof all the time.
This whole talk is social proof. It is utilizing principles that someone else has shared to explain to you why it should be valuable to you.
So the principle of social proof is, well, it’s worked here, here, here, and here. Let me share that with you. And when people see, oh, this has worked for these other people, subconsciously they start believing, even if they don’t have what they might call evidence, something that’s convinced them internally, you’ve still triggered a subconscious thing within them.
Some of the things that Cialdini talks about, though, with this, with social proof, is how you do your messaging.
National forests or parks put up these signs of, only 5% of people, of visitors, do this thing. Maybe it was taking rocks from a national park or taking wood from a redwood forest.
It was only 5% of people do this. One of the examples in Cialdini’s books is, he includes examples that people write into him.
Someone went to a national park with their girlfriend, who is a big nature lover, and they saw that sign, and they went, ooh, we need to get one.
We need to take one of these pretty rocks, because otherwise we won’t be able to get one later because other people are taking them. It’s like, wait, no, this sign’s supposed to keep us from breaking the rule of taking rocks.
And yet the sign influenced someone to take rocks because there’s 5% of the people who show up who are going to do it. So wildly, if you change the messaging to, like, 95% of the people who come here respect the rules and leave nature the way they found it, it sounds a little passive-aggressive, and I wouldn’t recommend, like, passive-aggressive things.
But in changing that messaging, it changes a lot of, a lot of how people act. So think about your MFA rollout.
Think about cybersecurity awareness training. Think about how often people click on emails if you have a way of influencing this within the company.
Maybe in a town hall or maybe in emails about the social awareness, like, social cyber awareness training. If rather than saying, oh, there are 30 people who haven’t completed this, you said there are 250 people who have completed this training on time.
Thank you so much. We appreciate that you’ve been on top of this and that you care about the objectives of this company. Other people are going to be like, oh, man, I am.
I’m in the minority, and I need to fix that. That is utilizing social proof for good things. We want them to complete their cyber awareness training.
That’s how we can do it. 95% of the company has enrolled in MFA. The deadline is Friday. We love it.
If people could get that done as soon as possible, like, whoa, 95% of the people have done it. So, like, that means I’m in the way minority, as opposed to 5% of our team hasn’t even started their cyber awareness training.
Like, oh, well, okay, so I’m not alone, so I’ll get to it. I’m not claiming that that’s how it works.
That’s kind of what Cialdini studied, and it has wild repercussions, knowing that framing, how you do your messaging, internal, external, can have big repercussions and the effectiveness of what you’re trying to do.
Authority. Authority is an interesting one. People will listen to an authority figure. However, trying to prove that you’re an authority figure can be difficult.
And again, it’s hit or miss, because it’s not what you think it is. A lot of the studies that Cialdini did included police officers.
How often do people, just because someone’s wearing a uniform, just because someone has a badge, do they listen to and do what the other person is saying?
And there’s a large amount of that. What’s even more effective is the person who shows authority without needing to, like, prove authority.
Like, frankly, you’re all here because you see me, I assume, as an authority on all this.
Now, it wasn’t because I boasted about degrees and experience working in this and studies I’ve done in that.
I know that I’ve built out a certain amount of authority on, just in this space, but not by claiming like, oh, I know all of this stuff, you should listen to me.
And I hope I never sound like that. I hope that’s never the case. Instead, and what I recommend is that building up trust as an authority, utilize some of those other tools, utilizing social proof and genuinely connecting with people and helping other people.
By utilizing those in your professional life, you gain a sense of authority. You’re looked at as this person knows things.
It’s one of those wild things. The person who shows up and is like, well, I’ve got this degree and I’ve done all this stuff. We turn away from.
We go, wow, this person is so full of themselves. And even if they’re giving good advice, your chances of wanting to listen go down. But the person who comes in humbly and listens and connects, and you go, well, why are you here?
They go, oh, yeah. So I’m here to give this presentation. I’m a consultant, and I help companies with this problem. They go, oh, well, you’re so friendly.
And they go, well, so what I’m hearing is that you’ve got this going on and that going on. Have you all thought about this? They go, oh, that’s a great idea.
By starting with some of those other principles and then sharing some authority, having some authority, we can make those influences down the line.
The how can I help you with the problems that you have if you show up? Where did Bill Cosby come in?
Was I making a face? If you show up in an organization trying to help, working to help, and you wait until you have an opportunity of, oh, I’ve got an insight here that could be valuable, and then you share.
At that point, after you’ve built out some trust and, really connected with people, then wildly, they won’t care about your authority.
They’ll just be interested in hearing, they won’t care about your credentialed authority. They’ll be more interested in hearing your ideas. And through that, you gain, again that sense of authority.
It’s wild. I’m always kind of blown away by a lot of these principles and because they work.
Are there any of these that fit you all in the audience? Is there anything in there where you’re like, I want to start doing that, or, I’ve done this and it’s worked?
You’ve got an example. I am always curious in those. Also, I’ve got examples myself. Even this week, I just started a new job and I’ve shown up into a few meetings and it hasn’t been for, like, the thing that I’m the authority on yet.
And yet by sitting back and listening, I’ve been around, I know a few things. By trying to connect with other people and seeing what they’re doing, it’s been helpful to jump and be like, have you thought about this one?
Or, I’ve seen this before. Is that helpful? I’ve gotten good feedback.
Chat is not going the way I thought it was going to be. Being calm and confident while not proving yourself goes a long way for me. Nice. Thanks. So, good haircut, fish.
Make it work. Fake it if you have to. There’s a sense of that, like, sorry, puppies.
The idea of lying to folks and being a con man in this, again, not a great idea.
It’s that treating people as a means to an ends rather than an ends of themselves. Don’t try these techniques in order to manipulate people.
It’s really unlikely to have, like, people are gonna see it. People eventually see it. We all know folks who have done that.
We can all think of, like, times where we’ve been manipulated. And I don’t wanna sound like I’m like, preaching that, no, there are ways that we can just make ourselves more effective in the good that we’re trying to do.
And hopefully, that’s what you all got from this. So let’s jump into those takeaways.
So become genuinely interested in people. And one I left out, but I think just works in all phases because it’s a little separate than what we’re trying to.
What I was hoping to cover here with, like, business examples, but starting with a smile. I never want to be the white dude telling people to smile.
It’s not like that. I’ll say, Dale Carnegie identified the power of a smile and the power of just being happy to see people.
It has wild effects on dopamine and several of our different hormones related to relationships.
And it changes your mood as a smiler, and it changes usually the mood of the people who see your smile. And you don’t have to use that just in business.
That’s pretty good for life. Some of these other ones, starting with trying to help people and being genuinely interested in other people. Don’t use that smile.
That’s creepy Hobgoblin from Spider-Man smile. Yeah, let Willem Dafoe have that one.
But generally, again, being genuinely interested in other people goes a long way. It builds a lot of that reciprocity down the line.
Again, if you show that you’re interested in people, they will want to interact with you. There’s a lot more examples in both of these books, obviously.
So that’s kind of the whole purpose of the books. I kind of wanted to give you, like, some examples to get you thinking about this. And so that’s why I tried to boil it down into this talk.
Wow, sorry. Discord chat is full of creepy smiles. I’m just going to not look for a second. Connecting with other people, finding out what they’re interested in, working some of that reciprocity, working some of that social proof. We, another good one.
If you’re trying to influence putting tools into place, finding resources from NIST. Nice. CISA.
On how many people put these things into place and how effective they are. I think about like, seatbelts. Seatbelts and speeding. I used to be a safety officer in the Air Force, and that included, like, having to know things and like, preaching things about ground safety, which included driving and something like 90% of accidents occur because, fatal accidents, 90% of accidents that are fatal go people because they’re driving too fast for the situation.
And then the percentages of people who don’t wear seatbelts, it’s also super high. Now, stating those numbers in that way isn’t really going to influence anyone to slow down or the people who don’t wear their seatbelts to wear their seatbelts.
Instead, by changing how we message that, we’re going to have a higher impact. It’s 90% of the people on the road wear seatbelts.
Like, if you are, 90% of the people who don’t get in crashes are not driving too fast for the situation. You start putting things into those terms and you’re like, well, I’m an outlier.
And social proof, as social animals, will make more people be like, well, I don’t want that. Even not consciously, because we’re rebels, we’re hackers.
However, subconsciously, we’re still human beings, and it has a lot of impact. So your MFA, your putting tools in place, having good password management, clean desk policies, a lot of the practices that we want people to put in place, you’ve got one or two outliers.
Rather than focusing on, hey, we’ve got two people who aren’t doing this now. You’ve just added social proof to them that they’re not the only one. And that backs up their, like, well, it really doesn’t matter.
Whereas 99.9% of the company does this thing, it’s like, well, okay, maybe I should get in line.
There you go. There is some of the key takeaways that I want people to walk away with. If you enjoyed this, please let me know if there’s things that you would like to see or have me talk about again in the future.
Like I said, doing this talk again in a couple months. Feel free to send those my way. I’m on Discord. I’m on LinkedIn.
Feel free to DM me. And, yeah, I think I left some time in here for questions. If anyone wanted to do questions or post-show banter, address if there’s going to be a recording. Sorry.
Kathy Chambers
Yeah, there will be. Hi, everybody. Josh, thank you so much. Yeah, I really appreciated your talk and learned a lot from listening. I think these are one of these talks that even if you’ve heard something similar, it’s always good to hear it again, because there’s so many good reminders, because I think sometimes we lose our way.
We kind of get caught up in all the stress of things. So thank you. This was really great. Yes, there will be a recording for that. Those who ask, it will be on YouTube, and if you are tuning in on Zoom, you will get an automatic recording sent your way.
So, Josh, thank you. There were some questions.
Josh Mason
Yeah, while you were going, I just pulled that up. It looks like Shoshana Akshol asked, what do we do about the fact that it seems the higher up one goes into management, especially the C-suite, the more likely they are technology inept and fall for phishing or other social engineering scams.
I don’t know that they’re more inept. It does feel that way, because C-suite and higher executives get targeted more.
If they’re targeted more, it’s more likely to land and have repercussions. But I don’t think it’s a reflection of ineptitude. I think it’s just humanity.
That, again, is something that. The way that we message it to ourselves and within our community, rather than looking at it as they’re inept.
They don’t know technology, and they don’t know the harms. I’ll say I feel fairly technologically, what’s the opposite of inept?
Skilled. And yet, I’ve had my Steam account hacked because of a DM on Discord that led to free Nitro. And it was like two in the morning, and I was like, I don’t know, let’s try this from someone in my Discord community.
And I clicked on it and put in my creds, and then I realized I just got logged out of all my Steam stuff. I was like, wow, I just got phished. I teach this stuff.
I talked about this stuff, and it happened to me, and at a company years ago, after the Air Force, where at least twice a year I did cyber awareness training as a user and told people to do it as a manager.
An email came in at work and it had an attachment, and rather than, like, Outlook marking it as external to the company, which usually has those labels, it didn’t have that.
So I was like, that’s weird. Is this someone that I don’t know about in the company? And clicked on it. And then it had, when I opened it, it said, you’ve been phished, you’re.
Kathy Chambers
Not supposed to click.
Josh Mason
Here’s the training you need to do. And I was like, yep. So, so even I have done those things. That’s why what we try to do is make it so people can’t.
Right. If we do good, like that training, I remember it, and hopefully by clicking on the one from the team that was doing our internal security awareness, I now remember, right, I’m going to check for these things.
I need to be more vigilant at work, right? And a little bit of the messaging that comes out from there of, you saw this, we did it again, and you passed.
Nice work there. Genuine appreciation, right? And positive feedback that goes a long way. And being like, okay, cool.
I feel good now about what I’m doing, and I want to keep that going, even if you don’t consciously think that still has that effect.
Kathy Chambers
Josh, there were a few questions that came across in Discord during your talk. So I just want to kind of touch on a couple of those. Code asked about upper management and trying to work with them and deal with them if they seem very dismissive.
So what are your suggestions or ideas or thoughts surrounding how we can talk to people in the C-suite a little bit better?
Josh Mason
Yeah. So people who are at that level, their concerns are big level business concerns. Right. So if rather than coming in with, hey, we’ve got this initiative, we’ve got this problem, we have this thing, and I’m trying to get your attention, and it’s hard because often when you get into these meetings, it’s for that reason they know coming in that that’s what you’re trying to do.
If you can change your messaging and how you run those meetings to be more of, let’s start with what we already know from them.
In the alcohol, in the company handbook, on the website, there are the company’s objectives, goals, code of conduct, all these things that the executives care about.
Right. The reason they have the company. Let’s start with those. Like, you’ve been doing this initiative. You care about these things. These are your quarterly goals that you shared with us.
We have some thoughts from the cybersecurity side of, this could help reach those goals. They go, oh, you want to help with what we’re doing?
Does that, does that make sense?
Kathy Chambers
I think that’s great. And CJ popped into the Discord too, and said, speak their language. And I think that sometimes we have to make those adjustments and do that. So I think that’s great. Another question that came through which I thought was awesome.
I’m sorry if I forgot who asked, but they said, how do you deal with situations like that over text? Text is tricky because everybody interprets it differently.
Right. I’ve got in trouble for texting stuff that I thought was funny. And it’s like, wait, that they didn’t take it as a joke.
Josh Mason
Right? Yeah, no, I would say, don’t do that.
Kathy Chambers
I would say, get on the phone, is what I would say. But what do you recommend?
Josh Mason
Get on the phone, get in person. One of the things that someone’s recommended to me, I’m neuro spicy, so I know my brain works differently than other people’s brains.
And so something where I’m like, this is funny. If I send this to them, they’ll laugh and then they go, oh, what was that? It’s like, that doesn’t work.
I’m almost 40 now, so, like, I’ve learned a few things, but it hasn’t always been a smooth road. We have AI. If you’ve got, like, a thing and you’re like, what are they trying to say here?
If you don’t, you’re neuro spicy, too. And maybe you don’t pick up on the same cues that other people do, or your brain just works a little differently.
Throw it into AI and be like, hey, I’m interpreting this as that. Does that make any sense? Or ask a friend. Ask a friend of like, hey, does this make any sense?
And then I’m thinking of responding with this. Does that make sense? If you have to respond in text, if you’re unsure of how it’s going, if it feels a little attacky, if it feels a little bit like, whoa, this person’s angry.
What I recommend, what I found always works, is like, hey, any chance we can jump on a call and then share your intention, like, your feelings, like, I’ll share things that have been shared with me either in premarital counseling or postmarital counseling or books.
I sense, or I have a feeling that this is what you were trying to say. What I’m hearing is this.
Is that what you’re trying to say? If you start with that, like, I me statements feel or heard or interpreting, rather than being like, hey, you’re saying this.
No, I’m not saying that. Like, it just changes the whole direction. So if you can take it, yeah, face to face, jump in a video conference or be like, hey, I’m interpreting this.
And that’s. Again, that’s a hard thing to do in text. Like, hey, I’m interpreting this might sound passive aggressive. Right?
Kathy Chambers
That’s great advice. Great advice. I think we have time for one more question, and I know you’ll have a long answer to this, because we’ve talked about this on other podcasts and stuff before, overcoming shyness.
And I’ll even go as far as overcoming social anxiety. It’s a very common theme in the cybersecurity community as I’m getting more and more people, you would think that the people that you see on podcasts and webinars even giving talks on stage would be super social.
That’s not the case. They’ve all had to overcome. I shouldn’t say they’re all. A majority of them have had to overcome a lot of that social anxiety. So, Josh, what is your take on that?
Like, what kind of advice could you give? Because we’re telling people, hey, put yourself out there, introduce yourself, smile. And that’s hard for a lot of people.
Josh Mason
It is. It’s incredibly hard. This is funny. Wade Wells, Jerry and I were sitting around at Black Hat having drinks, talking about this exact thing and how much we hate speaking in front of people, which is out there.
Kathy Chambers
You’re great at it, right? So people just don’t know.
Josh Mason
It’s hard for, like, I’ve got a fan on me underneath my desk because I’m, like, sweaty from being nervous. It’s like, kind of grossing me out.
But, like, and the other guys have shared, like, very similar feelings. Like, as much as we do this, you can’t get away from how your brain works.
All you can do is decide how you’re going to act. And if it’s like a big block that you can’t solve on your own, if it is, like, social anxiety, that’s clinical.
I know I’ve gotten good help. Sure, from. From folks on stuff. So, like, if you need to do that, go get help.
If it’s. You’re just like, you’re scared and a little worried. Wow, farms. I’m sorry, what a great screenshot.
Yeah, if it’s just that you feel scared, you got to take that first step.
Kathy Chambers
I think that’s where active listening comes in as well. So if you’re going to a Wild West Hackin’ Fest, which is coming up, and you have a hard time talking to people, you’ll find little pockets, just little circles of people.
Just kind of walk up to the circle, insert yourself, say hello, and then just listen. Like, if you’re not ready to take that step of this is who I am, and this is what I’m trying to do, at least take the first step of just active listening, and just be there and just have your presence and just let people see your face.
I think that might be a good first step.
Josh Mason
And I’ll offer this at Wild West Hackin’ Fest. If I’m standing around or sitting somewhere and you want to say hi, please come say hi. If I’m in a circle with people, because I don’t know, there’s a good chance that’ll happen because there’s a lot of good friends there.
And you see me, and you’re like, well, I don’t want to come interrupt, interrupted. Please, please come interrupt. Like, step in, be like, hey, Josh, you told me interrupt. I did. Better do it.
Be like, hey, I saw you on the Anti-Cast or I’ve seen you in Discord or on LinkedIn. Like, cool. There’s a good chance I won’t know you unless, like, you’re, like, I’m haircut fish.
Oh, okay. Of course.
Kathy Chambers
Yeah. Please introduce yourself by your handle. We were talking about that if you guys missed the pre-show banter, like, we just know a lot of you by your memes or your handles. So please introduce yourself.
Josh Mason
Yeah.
Kathy Chambers
Fully. All right, Josh, we won’t take up too much more of everyone’s time. I want to thank everybody for being here. Josh, you are more than welcome to come back anytime.
Thank you so much for everything. For those of you who are interested in AMA, you can click on the breakout rooms at the bottom of the screen there and come join us for AMA.
Josh, I welcome you as well to join for a little bit, if you can, if you have time.
Josh Mason
I might have to bounce.
Kathy Chambers
If you have to bounce.
Josh Mason
Just told me I’ve got a meeting. I forgot about that.
Kathy Chambers
Get back to work. Get back to work. Anyway, so thank you, Josh, and thank you for being kind, and thank you for being such a great part of our community. We appreciate everything that you do. So I will see everybody else back here next week with Jennifer Shannon.
So have a great day, everybody. Bye, Josh.