Watch this episode on YouTube.
Reasonably Accurate 馃馃 Transcript
Morning everybody. How are you doing today? Um Welcome to the show.
As you can tell from the background, it's a little bit different.
It's gonna be a little bit quicker today because I am here at Sect in Toronto um about to kick off with uh the second day keynote at 9 a.m.
So that's why I'm pushing this out early. That's why you can see. I'm actually right up on stage sneaking a couple of minutes to talk to you in today's uh show. I really want to talk about delivering tough messages. So I'm actually ironically, that's just me, love it. Uh For those of you on the podcast, I just popped up screen, which is super cool. I've been really excited to be here at this conference. One of the things that I find really tricky and this is sort of the key of the keynote is delivering hard messages.
Sometimes there's bad news, sometimes you have to deliver something that people don't want to hear. Now, that sounds really interesting in the context of where I am today and about to deliver a keynote to 1300 security professionals, but it's important. So Today, I'm talking about security culture. I'm talking with the constraints and perceived constraints and sort of the organizational design, the technology choices that have come out of those constraints and whether or not we should be questioning them.
Now, I don't think it's a bad topic. I've got a ton of data, a ton of research to support all these points, but it is a message that's going to run sort of counter to what people are used to. It takes them out of their comfort zone. And this is something that happens quite often, especially in security. Your day to day, you're going to be talking to the board, you're going to be talking to users, you're going to be talking to business units and tell him about probably bad stuff, right?
You're going to be coming and tell them that there's an insecure design or that customer data was exposed or any number of bad things and how you deliver that message is absolutely critical. Now, I'm no expert, but I will share some of my opinions on it and some of my views on it as I will vote to do this to a massive room full of people. The key is really sticking to the facts, sticking to the data and making a structured argument and taking the personalization out of it.
So not blaming people. I'm not saying, you know, this is your fault, this is why it's a problem, but explaining the choice not to encrypt data at rest has less this exposure. And previously, when we did the risk evaluation here is why we made this choice or here, you know, the risk evaluation wasn't done whatever the context around that information is and making sure that you take the personalization out of it. As soon as you make it personal people will get defensive and they're not going to listen to the information because it's a tough sell.
Anyway, you're telling them bad news, you're telling them something has been a mistake or something has hit the fan. So sticking to the data absolutely critical. It's something we're going to be doing today. Also keeping it light hearted. So, you know, I'm not going to be sitting here just yelling at people though. I'll probably get energetic about it. I'm going to try to keep it as humorous as possible. I'm going to make sure that the information is delivered in a compassionate and empathetic way, but also a light hearted way where appropriate.
Absolutely critical, where appropriate. And then other that last, the last point is really around that word I just said is empathy. People are honestly trying to do the best job possible. So this is a scenario I deal with all the time when people are talking about security vulnerabilities being created in code. And my answer is always the same very simple thing that I've never met a developer who woke up and said I'm going to go write crappy code today.
They're trying to do their best and humans make mistakes. So, being empathetic and understanding and demonstrating that empathy when you're delivering a tough message really goes a long way. Now, I could just be talking out like, you know what we'll see. It's going to be interesting. I'm broadcasting this about 45 minutes before the keynote fingers crossed that the keynote is accepted. Well, that it resonates that it gets the point across.
We'll see. I'll talk about it online later. Hopefully, people will be talking about the delivery and the message and the talk. If you follow the hashtag sc, you'll see in real time how it's going and of course, I'll follow up on tomorrow's show. So that's it. How do you deliver tough news? How do you tackle these challenging subjects in a group discussion? How do you make sure that you're empathetic? How do you make sure that you can stick to the data and depersonalize it?
Let me know, hit me up online at marknca in the vlog in the comments down below. And as always for podcast listeners and everybody else by email me@markn.ca. I hope you're set up for a fantastic day. I'm set up for an exciting day. Um I'll see you uh talk to you online, hopefully here at Sect in the show today and I will see you on the show tomorrow. Have a great One.