Rules are made and policies are established. But the “how” of implementing and meeting those regulations or policies will be very context specific. In this episode of the Great Security Debate, Dan, Erik, and Brian cover a number of key policies and requirements and some different ways to think about implementing them and how the specific situation, company, risk will affect the way you meet the rule. From driving a car to incident response and everything in between. We debate the need to look back at old rules and see if they all still make sense (a great programme called Kill Stupid Rules), and flexibility in control implementation to meet evolving business needs, to move quickly, and keeping the whole picture of the business, customer, and employees in mind.

Thanks for Listening!

Show Notes:

1. Passing on the right in Michigan: https://legislature.mi.gov/Laws/MCL?objectName=MCL-257-637
2. Overtake time in Triathlon: https://www.triathlete.com/training/race-tips/9-race-rules-didnt-know-breaking/
3. Reflex Security (Agentic Tabletop Exercises and Training): https://reflexsecurity.io
4. Kill Stupid Rules: https://www.wsb.com/blog/employee-retention-secret/
5. GM Dress Code Change (2020): https://gmauthority.com/blog/2020/06/how-general-motors-ceo-mary-barra-changed-the-companys-dress-code-for-the-better/
6. Silly State Rules: https://www.buzzfeed.com/rhiannacampbell/weird-old-american-laws-you-wont-believe
7. Sex in Full Self Driving Cars (Clean): https://www.cbc.ca/news/science/sex-distracted-driving-1.3562029
8. Movie Recommendation - The Usual Suspects: https://geni.us/wVrLOCB
9. John Bingham, COO, Speak by Design: https://www.speakbydesign.com/about-us
10. Movie Recommendation - Gremlins: https://geni.us/qE6NAC
11. Movie Recommendation -Die Hard: https://geni.us/eMASs
12. Movie Recommendation - Love Actually: https://geni.us/yj8Fqh

Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Welcome to the great Security debate.

This show has experts taking sides to help broaden understanding of a topic.

Therefore, it's safe to say that the views expressed are not necessarily those of the people we work with or for.

Heck, they may not even represent our own views as we take a position for the sake of the debate.

Our website is greatsecuritydebate.net and you can contact us via email at feedbackreatsecuritydebate.net or on Twitter.

Twitter at Security debate.

Now let's join the debate already in progress.

Do you guys remember the five man electrical band?

Of course.

Sign.

Signs everywhere.

A sign.

Yep.

Oh, locking up the scenery, Breaking my mind.

Don't do this, don't do that.

Can't you.

Can't you read this sign?

Now, granted, we're not doing curiosity.

Hey there, mister, can't you see you got to have a shirt and tie to get a seat?

No, you can't eat.

You ain't supposed to be here.

Sorry.

I do like that song.

Yeah.

All these rules.

Exactly.

When we were talking rules and the first thing that popped in my high my head was that song sign.

Because I used to use that as a.

It was.

This definitely was not my father.

So I'm not putting my dad on the spot here, but somebody explaining to me why they go faster in certain areas, I'm like, yeah, but it's 35 miles an hour.

They're like, so the sign says 35.

Doesn't mean that road was built for 35 miles an hour.

Right.

They're like, just an hour ago, I was coming back from Ohio.

And in Ohio, as you come up 23 toward Ann Arbor from Toledo, it's.

It's 60, 65 miles an hour, and everybody's going, you know, 70.

And then you get to the big sign that says Michigan and everybody accelerates and the speed limit goes from 65 to 70, but the people go from 71 to 84.

It's just.

So they're suggesting.

I mean, Chicago.

Same thing.

Speed limits, speed signs.

There are just suggestions.

The speed limit is the base speed.

You should be going.

I totally agree.

Is that like msrp?

This is the.

Suggested.

Wrote suggested speed for not getting run off the road by Daniel.

That's how I can tell I'm getting older, though.

Like my irritation on the road with people on not understanding the sequence of lanes the further you go left.

It's not just about being fast.

Well, it is.

It's about being.

It's not relative to the speed limit.

It's about being faster.

Than the lane next to you.

And the left is always the fastest because you're passing.

If you're not, get out.

But that's a very European mindset because that actually isn't how American roads work.

Because you can't overtake.

Let's use the, the mainland Europe, not the, not the, the right hand drive UK directionals here.

But in Europe, if you go left, it is only to pass.

And you can never overtake somebody from the right.

And like it's.

This is how it is.

Every European I know that comes.

Here goes.

It's crazy.

You're going left to go right.

People overtake me, they undertake me.

It's crazy.

And it really is.

Here in Michigan, it's not legal to pass on the right.

Is it really not legal or just a.

Or is it a.

Or is it legitimately just a suggestion?

I honestly don't know.

You know, that is a good question.

I'll have to research that.

I hear myself saying it as fact, but it might just be something I've always believed could be.

Yes, passing on the right on a Michigan highway is legal, but only under specific conditions.

The vehicle being passed must be turning left.

Or you're on a highway with multiple clear lanes in the same directions, like a freeway.

But the freeway is the situation that I'm talking about.

Like the passing on the right on a, on, on a, on a dual carriageway on a two lane or three lane each direction.

Passing on the right in Europe is absolutely forbidden.

But passing on the right on the left is the only way to do it.

But here I really do believe it is not illegal.

It is just not.

It is recommended that you go to the left to pass.

But the other part is if you're gonna pass like in, in triathlons, there's things like 15 second overtake rules when you're on your psych on your bicycle.

When you start to pass, finish the damn pass.

Don't just sit on the corner, keep going.

And Brian, how does section 257.637 overtaking and passing on right of another vehicle or bicycle.

Conditions violation as civil infraction.

And it goes through to explain it.

Well, it says it is legal.

It puts a little bit of pause there.

Right on what the conditions can be.

Yeah.

At the end of the day, like Eric, this goes back to where you just said it was illegal.

These are things that over time somebody instilled in you, whether it be a parent, whether it be one of your first driving instructors, whether it be somebody that drove you to School or you were on a highway trip and you were like, hey, just pass them on the right.

And they're like, no, it's illegal to do that.

Here's why.

Right?

And whether or not that was true, the logic is sound.

The logic is good, right?

So like the, the teaching of somebody to drive, you get better and better at it.

It's, it's like a really good cab, right?

It gets better with age, right?

And when kept cold, you know those conditions, that's why Michigan drivers fare better than somebody in Florida visiting Michigan.

We are like that Cabernet.

Oh, is a Cabernet.

Because all those same things apply to cabs, like change advisory boards too.

So, you know, so how are we gonna.

Brian, how we do we bring signs and rules back to infosec.

Are there really rules to infosec?

Meaning when I say are there rules?

There's regulations, right?

How you meet those regulations?

There's no rule that says thou must use pao, right?

Thou must.

You, you, thou must be in the cloud, right?

Thou must be on prem.

All the conditions are different for every organization.

Also legacy organizations that have been around for X amount of time.

The, it's like having an old car, right?

And the ability to say, like you said, you know, if you're trying to make the pass on the left, right?

And you got that dotted, not dotted, that, that dashed yellow, right?

So you're on a two lane traffic going in opposite directions.

You got the pass.

Now it's, it's, it's dotted on your side, legal to pass you, you care over a little bit to the left, coming downhill.

You can see at the top of the other hill there's a truck.

The car you're in's a Pinto.

Maybe not the best idea to try to get over in the left and hit the gas thinking you're going to overtake the guy in the right who also may speed up just because there's people that are kind of dicks, right?

We can use that word Meat has I, I, I don't know the best word to use there.

Not nice people.

But maybe you're in over.

Let's go with overcompensating over.

Or maybe you're in an old GT 5.0, right?

You look over to your left.

Yeah.

And you're buying.

There was a rule, you followed it.

You had a legacy vehicle, but it still worked, had a nice five liter engine.

You're able to get right by him and go right.

So you still follow the rule.

But I think, and I think that it's a, it's an interesting parallel to the way we have to think about things today is that if you put that rule as policy.

Just think about this in terms of the way we structure a security program inside an organization where the policy is the, is the rule and it says you can do this, you can't do this, you must always do this, you must never do this.

But the prescriptive nature of you must overtake again.

I'm going to come back to the two.

The, to the two lane dashed.

I'm passing around you because it's a school bus or sorry, no, let's not do a school bus.

It's a slow car on a, on a 65 mile an hour.

Let's go one lane each direction.

No, no, school buses have different rules.

And you, but you.

The rules are you must do it only when there's a yellow dash lane.

The rules are you must do it when safe.

So you know, you pull this back to, you know, the policy is you must always create a secure password.

The regulation, even the policy are you must always create a secure password.

You must have, you must protect data appropriately.

But the how, the, the how fast you overtake, how much time you take, how big you know, how much you, how close you cut the car and the car you just passed when you come back into the lane, those are all up to you as the developer, as the person who, sorry, as the organizer of the security program, as the driver of the car to figure out how to do that in the most safe mechanism for you.

If I'm in a Pinto, I have a very different answer.

If I'm passing somebody in a Pinto or if I'm in a Tesla or with high, you know, high acceleration.

It's some different answers, some different cautions.

And I think this is the same kind of thing, you know, this is there's no single answer for how to secure my organization.

Anyone boards will ask you, CEOs will ask you H I H, how do we get, how do we get secure?

Right?

And there's no single answer to that.

And as more and more these things are now in the public consciousness, as more and more things are showing up in, you know, news stories, etc, it's, you know, we have to be able to come up with answers to that and talk about it in context and which is why it's, you know, even more important that we have good explanations for the why of how we're doing things and how they fit into the overall regulations and the overall big must.

The must dos.

This this goes back to something we've said in the, in the, in the past, right.

That be defensible.

Right.

That when you're taking a position and how you're building the program, make sure you can tell the narrative that there is an explanation behind it on why you made those decisions.

Because this is where historically that I get ticked off at some of the frameworks out there that are way too prescriptive and then don't get updated quick enough to evolve with the times that actually force us into think about it.

You started talking about passwords, right?

That we know that if we were to think about it logically, that the further out we go with a password that it becomes harder and harder to crack.

Sure.

But what happens at the same time?

Well, now that we're forcing special characters, it has to have a capital A, lowercase, a number.

All of these things now introduce, at least within a Windows environment, that, hey, I can use facial recognition as my password to get in.

So I never actually typed my password.

So therefore, if I actually have to type it anywhere now I got to go through a convoluted set of steps to do a reset or whatever.

It's because these frameworks have never really evolved with it that we actually get to a point where in the name of security, we keep pushing further to the right without taking a look at the human response of that, that we actually created a higher propensity for somebody to.

I'm just going to write down my password in the notes on my phone or I'm actually physically going to go back to the sticky note and have it sitting behind my monitor, that we start pushing people in that direction because of our stupid rules in the name of security.

Well, we've put, we.

This goes back to something we talked about years ago in the show, and I'll see if I can find the exact reference.

But the idea that when you squeeze the hose, the Ukraine, you, You move, you move something down the way, it's going to create kinks further down.

So we're just moving the, you know, to your moving left in process is one thing, but it also is that you, you just shift where the risk is.

Or you may, if you don't think about the implications, downstream implications to implementing a particular control, it.

You may shift the risk in a way like you just described.

We now, we've solved this problem, but we now encourage people to write down passwords.

I think it's a great example of this.

Look what happened when ChatGPT came on the scenes, right?

That it became Huge.

What did majority of companies do within their.

You can't do that.

You can't use it.

So what happened?

Right?

Or why?

Why did we do it?

Well, we did it because, you know, of this fear that personal information, company sensitive, confidential information is going to go in there and then it's going to be lost.

They're.

They're using it to train and then, you know, enters kind of exponential number of conspiracy theories.

But in all actuality, what do we do?

People were going to use it anyways.

So now we force them to use it on an unsecured device.

They're doing it on a personal device where we have no visibility, no control in what's going on.

So we created an even bigger risk than the one that we thought we were preventing.

This is great.

So what.

You know what this reminds me of?

You ever pulled into the parking lot of like a strip mall that has like, we'll call it like the 5 below, then it's got like, Michaels, and then it's got the next door, and there's 20 stop signs within, like 100 yards of each other.

And not a single car.

Not a single car.

But they.

People have been hit, right?

Yeah.

Because the culture, the logic of we need to drive slow in the parking lot.

And when you see a pedestrian, the rule is the pedestrian has the right of way, but nobody follows it.

There's no stop sign.

So I'm going to race through this parking lot as fast as I can, right?

And then I've been in parking lots where they have the yield sign everywhere that just says, you know, yield, in case you.

And that's almost like if you had a password, where it's like, Eric, your company says, we suggest that you do this with the password.

The second someone hears the word suggest.

Like, yeah, right.

Like, yield has become like the.

Well, it's yield doesn't say stop, right?

I'm going 35.

Right.

And then they put in all these stop signs.

You know what?

That forced what you just said.

Now, if you go to the back of the strip mall, right, where there's no stop signs, it's like the big freight trucks and everything, which I am guilty of this, but it gives me great visibility into some of the younger and older folks out there that are flying at like 50 miles an hour because they're like, there is a single stop sign in sight.

There's not even a dotted yellow.

I can drive as fast as I want.

So I thought I saw you back there.

You'll be in charge.

It's.

I Mean, it's totally true.

And I think the other, the other really important element in this is back to context is king is you think I was having a conversation about incident response plans recently and like this performative.

You know the idea that we do things, so many things just for show or we do some things just to tick the box because of regulation, because of rule, because of a committee, because whatever, whatever the reason.

But these things are, you know, a set of steps.

And here's the, here's the, here's the thing.

You can have a plan and you should have a plan and it should guide you, but I promise you, you will never use it the same twice.

You'll, no two incidents are alike.

So you put the guidance, you make sure you, you, you, you shift them along on the, on the right path, you know, and make them not forget things like I've talked about last week, which by the way, if you're interested, the company was Reflex Security that we talked about last week that does, the AI agents are pretty cool and I, I really like what they're doing.

But the, but you know that, that whisper in your ear that says, you know, hey, make sure to follow these high level things.

But I, at the same time, I also don't want to constrain the, the, the creativity of my incident responders.

So, you know, the context of the day is going to be important in taking the important pieces out of a plan and using it in an appropriate way.

100%.

Yeah.

If I look at the way that, that I've built programs in the recent past, it was, hey, here's my monolithic document.

We're not actually going to use this thing, but it checks the box because cyber insurance wants it or some, somebody else.

What we actually use is onenote.

Why?

Because it's living.

And what do we have in there?

It's broken down into the phases of incident response.

And then it's just a reminder that when you're in the thick of it, hey guys, as you come up with different controls, different actions that we could take, just add them to the list.

Just so we have it in front of us, we can go, hey, oh shoot, I forgot about that.

That I can completely turn off the Internet and Take, you know, isolate a site or something along those lines.

It's just to remind you in the thick of it, because a lot of your muscle memory and everything, even though that's what we're trying to create with tabletop exercise and everything, it goes out the window, right?

Because every incident is unique.

Absolutely.

Plus you'll have AI Clippy and he'll be in there going, hi, it looks.

Like you're doing an incident.

Advanced persistent threats.

AI Clippy is an advanced persistent threat.

He'll start waving.

It looks like you're trying to create an incident.

How can I help?

I was going to say when you were talking about incident response.

So now going back to vehicles, right?

And there's an accident, somebody tried to overtake a vehicle, didn't make it really bad.

Fire department comes out, your incident response, maybe it's the sheriff along with the local police department.

Fire department comes on site.

They train in multiple scenarios, right?

And they've learned a lot, right?

They've been doing incident response, you know, based on that person's age.

If he's been there for 20 years, he's basically been doing it for 20 years.

If he's only been there for five years, he's been doing incident response for five years.

But you think about where some of their tooling came from, right?

Like the jaws of life and some of the bigger vehicles, etc, and you come upon a scene and you need to get somebody out and time matters, right?

When that ambulance shows up in the severity and the condition of the people inside the accident, hence the reason jaw is a life was born or invented and the ability to rip that vehicle open to get somebody out to, you know, patient zero.

And it's ever changing.

Right now we're going into this new world of when you look at vehicles, electric, electric vehicles with the large battery systems and the ability to fight those fires or get people out safely or, or what you're even allowed to do when you come upon one if you don't have whether it's the right gear, etc to spray down to, you know, respond to the incident, right?

And so it's ever changing in that world.

Same thing in cyber security, right?

Like you said, no, no one accident, no one incident is the same.

But you train.

And that goes more importantly also to what you were talking about in Tabletops.

Those people working together, right, on that truck when they show up, let alone these other people that show up, the police department and then these people that show up, they train together and work together, that everyone has a job.

So that when they get there and everyone has a task and they've done these things together repetitively, right?

Because when these things happen, being able to get traffic diverted, right?

And continue like we talk about work, right?

Business still needs to operate.

So divert traffic, get three lanes, close this down.

We'll route everybody off there.

We need two guys down there, fire sticks up, coming around, so that then the people working on the incident can really actually work on the incident and the crews that need to come in can get in there with an ambulance and etc.

That's why there's rules, right?

When you see flashing lights or you see an ambulance, you move over to the right, right?

And you park.

And you know, it's gotten even worse with the loud music and the sound inside a vehicle where people can't hear what's coming up behind them, which hinders the ability for someone to come in to do incident response when those things happen.

Anyhow, I was seeing all the parallels, thought I had to throw that in there.

I think there's another angle to it too.

You know, lots of rule or we have rules and you know, to your point, the stop sign is there because somebody did something at that point the pen says do not put pens in I.

Because somebody somewhere, you know, put a pen and an eye in a lawsuit and now there's a sign that says don't put a pen in your eye.

But, but there's also, you know, a need to look back at these rules and, and, and eliminate the things that no longer make sense or that are unnecessarily inhibitive or no longer are applicable.

You know, I had a, had a. I was at a bank and the person who ran retail banking started a program.

It was my favorite title program ever, Kill Stupid Rules.

It was KSR Kill Stupid Rules.

And it was one of the things that came up that a teller came up with was we need to check your driver's license at three different points and we have to enter that data in three different places.

But we can't do it all at once because it is not presented in that way.

And so it was extra time and things like that that I don't think we do enough of either.

In security, again, we think inward, we think about protection by default and we don't think about the impact on users, customers.

Right.

Colleagues, the organization, society, you know, some of those kind of things.

And it all makes perfect sense to us because we're protecting.

But going back and looking at stupid and killing, killing stupid rules and doing it quickly.

Don't mess around with it for two years, put it in, see what happens, Play a B testing, you know, mess with it, you know, and see how it impacts.

But at the end of the day, regularly look back and say, no, this is no longer.

This is no longer applicable.

Or these four things all do the same thing, and we're making everybody do all four.

Well, that's why I think we got to be careful about how we write said rules, right?

That if we think about the concept, the law of the horse, right?

That if I was to write a law that was specific to governing the horse and carriage, by the time it actually becomes a law, and now we start moving into the automobile and everything, we're back at square one where we've got to revamp everything because it cannot evolve with the time.

So we do the same thing in security, right, that we debate over and over again.

We make something that is so strict that by the time we actually get it out there, it's no longer applicable to what's moved.

You know, I, I think of the example, and I can't remember if it happened, if it was GM or whatever, that came from hr, right, that had a very prescriptive dress code and what you were expected to do and their, their chief people officer.

Chief human rights officer.

I forget exactly what the title was.

Came in and changed it to.

It was something like dress appropriately, right?

That if we can write things.

Now, I'm not saying in security that we need to go that vague, but we can use that context and how we're actually writing rules or guidance to the organization so that it can evolve over time without creating a bunch of just perfunctory crap work of constantly having to play update on documents.

Absolutely.

So I, I put a little buzzfeed in there for you guys.

Because now imagine, right, that you're in cyber security, work for a company, you understand different regulations.

You went from this hospital to now this one working.

But you move states and the state you're in.

Let's use Arizona, for example.

You can't have a donkey sleeping in your bathtub after 7pm why?

Because it's pretty specific.

And hundreds of people had to save it.

So they just put a rule in place.

Can't have donkeys sleeping in bathtubs.

Kansas has.

It's illegal to serve ice cream on cherry pie.

Somebody clearly, I mean, that would be like Tiger Stadium where it's like, you know, you got the guy where you won't serve you ketchup.

It has to be mustard.

Which I'm gonna be honest, I'm someone in favor of.

I don't know that I would actually make it a rule like a law that if you break it, you're in trouble.

I think it's Chicago.

I think in Chicago it should be a law that ketchup just doesn't exist.

In Michigan has it's illegal to be drunk on a train, but it's okay on a plane.

To me that kind of sounds like the automotive companies back in the day being like, make it illegal, but everybody can drink and drive until that law changed, right?

Like we just need to sell more cars to keep these guys off the trains.

Right?

Like, well, let's even come from.

Let's even move this into a modern, a modern example.

So in my car I have autopilot where autopilot being that it's cruise control, but it'll keep the lane.

It is not full self driving.

It doesn't claim to be full self driving, but we've become.

So the rules have been set that I can't do anything.

Like if I pick up a soda and start drinking it for too long, it's going to yell at me and say, put your hands, pay attention.

So the net effect is I turn off the auto steer and do more risky.

Like it's a riskier drive because it's not automatic when I go to drink a soda.

So now I'm even more.

It's even greater risk.

Like, hold on.

These are the kind of things I'm talking about translating.

It's because.

And this isn't.

Oh, I know.

It's because people were having sex in the back seat while the, while the thing was driving and they put that.

They want to make sure that you're paying attention.

I get the origin story, but the implications.

This isn't the, that's not the, that's not the issue.

The issue is what are the automakers willing to accept as responsibility.

This is why, like I, when I was running adas at Aishin and what is adas?

So that's all your advanced driving autonomous systems.

Okay.

Right.

So I remember being out in California, in, in you got the autos in Detroit and then you got all the tech companies and we're all, you know, they, they would have like the ADAs, whatever, summit, right.

And you got all these guys are like, yeah, we're going to be level five next year.

And I'm like, no, there, there's going to be no level 5 on the roads ever in our lifetime.

They're like, you are so out of it.

I'm like, how?

Name one OE that's going to agree that yes, we will take full responsibility.

Right.

For the autonomous system.

We may get to level four.

Right.

And that plays into the automotive, the OEMs.

Right.

Ford, GM, Toyota, Volkswagen, etc, accepting X amount of responsibility, but the driver is still responsible for these three things or five things.

And I, I'm, I'm just throwing a number.

Oh, absolutely.

But the reality is, if you were truly level 5, and remember this, OEMs don't build vehicles.

They assemble a lot of the hardware that goes in, in those ADAS systems.

All that software is developed by Tier 1 sub suppliers and that's where all the tech companies want to get in.

Like we're, we're going to be able to do this.

And Tesla saying, we're a tech company, yeah, we can do this.

But the reality is, even Tesla would you want to accept full responsibility for level 5 on the roads?

Like the idea of the Ford buying the train station and building the first autonomous roadway or Michigan putting it in from Ann Arbor to Detroit I thought was genius because it would be completely isolated from all other vehicles.

So you remove out a ton of what if scenarios.

Right.

This is why technically high speed driving is the easiest part of ads.

Right.

Highway driving, it's that zero to 25 miles an hour.

That's very difficult.

Sure.

Because that occurs in areas that have a lot of people, stop signs, yield.

Site, there are students popping out from in between cars.

Yeah, yeah, right.

And that's why San Francisco is always used as a test bed for some of those scenarios because of the hills and the different, all the different types of vehicles, trolleys, etc, to be able to maneuver.

So the rule there, Dan, and the idea of why you have to be attentive is it's trying to tell you you are still 100 responsible.

Right.

And you're in all these lawsuits and everything else.

At the end of the day, level three, there's only a little bit that the actual OEM is responsible for.

Right.

Because even if you have like the little thing in the mirror that lights up, right.

To tell you that, hey, there's a vehicle here that you can't see in your blind side, that's an ADAS system, letting you know, and it's giving you some type of UX UI that's either shaking, vibrating, bing, bing, bing.

Right?

And people are like, oh, that annoys me.

So I'm going to turn it off.

Right?

Yeah.

Your password manager might be annoying too, right?

And you just want to have the same one, right.

But that little bit of friction saves lives.

It does.

And this is the idea that goes back to culture, right?

And all the stop signs in front of, you know, ten stop signs in front of one store, other countries.

And I'm not going to point out which ones culturally, when they say, well, no, you don't drive fast when there's people around, so you need to be very slow and give those people the right away.

I'm like, yes.

You mean all the other, all the other countries.

Yeah.

Here we're like, I don't care that it's a 92 year old man.

I'm in a hurry, right?

And I'm late because I had to stop for my double ice latte, peppermint mocha with whipped cream.

And now I'm really late because there was a line because 50 other people wanted the same damn mocha, right?

And now I'm going to beeline through.

The reality is that those checks and balances, the friction we put in place in security is the same reason why that friction exists in ADAS systems.

Telling you, hey, I get that this feels really good and it feels like it's autonomous and it's going to drive itself, but the reality is you're not capable to let that vehicle 100% drive.

But we don't get that grace.

We don't get that same grace when it comes to putting in a security system.

All the things you said, all the things you said can be boxed into the, into the parameter.

The lawyer says that our liability is greater than the safety of the, of the person.

We in the information security world get the opposite, which is this is causing friction.

Take it out.

I don't care if it makes it riskier.

But it's that I go back to.

Aren't a lot of those cases really our own fault?

Right?

Because I go back to probably one of our first conversations where we talked about the evolution of the cso, that you still have a lot of security practitioners that are the propeller head, right?

We create some of our own issues that we create our own friction because we don't fully understand the context of the business and what we're trying to achieve and the risk that we're actually going after so that we can Craft something that both has less friction and greater security.

Right.

And this, this is why I always maintain security is really an art that when we start thinking that it can be completely prescriptive that hey, you just graduated security school, here's your manual.

Go do this at a company.

Yeah.

That's not how the industry works.

No how it should work.

No, not, not, not, not at all.

And we also tend to operate as an industry.

We're not looking or I guess there's a com.

It's a combination of we don't have enough strategic thought.

And the reason why can be debated whether or not it's.

We're too focused on tactical things and never get to strategy.

We don't have, you know, propeller heads are not as strategically minded in looking at the long term, but we tend to.

No, I, I use the map example.

I'm leaving Chicago and I know I'm going west and I think I'm going to la, but I don't know the exact path.

And so I start taking roads.

It's head southwest but on the way instead of taking a direct route, I end up in Albuquerque and I end up in back in Denver and then I finally end up in la.

And because we don't have that big picture and I think in.

I don't know that we're always afforded the luxury of getting to build out the strategy in the way we think about it because the world changes around us.

But all of that means that we oftentimes have to put plasters band aids on current problems and don't get to do things in the way that, that we want to.

Again, some of this is own goal, some of this is, you know, our own inability to think long term as an industry.

And some of it is, you know, some of it is situational but I think all of it leads to where we are today in this.

Yeah.

And I go back to.

It's all in how you tell the story, right.

The usual suspects.

And I, I put the little link up there, right.

Kaiser.

So say the greatest trick the devil ever pulled was convincing the world he didn't exist.

Right.

It's all how you tell the story.

And I think when I look at the maturity in security and some of the leaders that have been put in place.

I'm going to use Michigan as an example.

And there's been a lot of great leaders put in place over the last five years because their ability to explain risk, right.

But also understand the business.

Right.

Like what their actual outcome is.

And that's why I always Say like it's, it's great to get into the manufacturing side to truly.

And like people are like, we have no budget, we have no this.

Well, at the end of the day, what's the one thing that matters, right?

And it's how many widgets are coming off at the end of the line at this time, right?

And then let's take this even a step further.

Not just security, but it in general, right?

And I think Eric, you had an experience of this over the last two, three weeks.

And the Genshin boots who go to the plant, walk the line, meet with the different people, right?

And find out what's working, what's not, not in the sense of it, but like what's, what's, what's working, right?

When it comes to building what.

What pain points do you guys have?

If we were to try to make a process better, right?

Or if the customer demand is they want more variation in xyc, right?

Like this goes back like you.

Whether it's cabinets or cars, right?

Like people want options, right?

They always have.

But when you add in that all those additional variables, you have more room for quality problems.

Changeover has time and cost, etc, and then you have to train people, right, to get better at understanding how to do that variation quick and the changeover fast.

And where do you do that in the assembly line, etc.

And if technology can help them, right.

Be able to do that faster, do that better, right?

If it's in sequencing, right.

And the ability to say, well, what would be the best way to do this?

The human mind can look at it and say, well.

Or the computer would say, well, this is the best way to do it.

But then when you get there and you're like, hands on, that's not as easy with the equipment we own today and here's why.

And when they show you, you're like, makes total sense.

I get it now, right?

We're going to have to look at this a little bit different and it's pulling that all together and that is what makes great leaders, right?

The ability to go work together, right?

That's the idea of the fire department, the police department, everyone coming together, right?

And when they get there, it's like, hey, I know what I'm good at.

I see he needs some help.

This is where I can offer my 2 cents.

This is where I can offer some help, et cetera.

So I.

That's.

I'm right there with you.

I.

One of my favorite comments was from John Bingham that he was being interviewed and said that he was the chief storyteller.

And it's so true, right.

I think I was just on a podcast recently and one of the comments that I made on there that my primary role is connecting, right?

You're connecting people because there's a unique perspective for security and it in general, right.

That you are tied in across the organization, that if your first inclination is, I got to push a technology on you, you're not going to be in the role long, you're not going to be successful.

Right?

But leaning in, listening, understanding some of the pain points, and being able to bring people together to have the conversations you need to solve a problem.

And oh yeah, there might be, you know, a security or technology or some control that's part of it, but it's having those conversations and bringing the people together.

Because context matters in everything that we do.

Unless you're protecting nuclear arsenal, by all means, create all the friction you need.

To be able to protect us.

Right?

So, Dan, when we, when we did our last.

No, no, not the last episode.

Two episodes ago, and we were talking dspm, right?

What's, what's funny is there's a lot of scenarios that I've seen where a security team is starting to work on a data protection project, right?

Or a DSPM project, but there's this whole other team over here that's already working on a project for like backup disaster or recovery.

And it's like, hey, you might want to pull that team in over there, right?

Like, and I'm telling the advisor, hey, the reason I'm telling you to bring that team in is that team over there is looking at a solution on the backup side that has it already, comes with it.

Like, you don't even have to pay for it.

And it's pretty darn good, right?

But this team doesn't know that.

And it's not even one of the ones on their radar, right?

Because they have a smaller budget and we're thinking X, Y or Z that might actually solve for what they're trying to do.

And they were like, well, we'll bring them in when it's appropriate, but we want to focus on.

It's like, oh, but they're getting really far down.

Why not just tell them?

Right?

Because they're spinning cycles and wheels.

Be wise to do so.

Yeah, this goes back to leadership.

I'm having trouble debating this topic.

Yeah, no, no, I'm not debating it.

Yeah, no, this is what I'm saying.

But you see this in organizations where security and I t. Right.

Or other groups don't Work together, right?

It's like, I have this project.

I'll pull you in when I need your.

Your advice.

Or it's like in today's realm, right?

Like you going to a manufacturing plan as an I T. Leader, right.

It's like, well, somebody could be like, well, I don't really have time to go down there.

Right?

Like, I mean, I'd love to, but.

You don't have time not to, right?

Yes, that's the point.

But again, now this comes back to big picture, little picture, cardboard box.

Those of you Bob fans.

Well, it's a.

And Brian, I agree with you that it's a leadership issue.

It's also a cultural issue.

Right?

Because in a lot of companies, what we don't do is we don't help people understand where they sit in the context of everything and how it all flows together.

Right.

So like one of the debates that we're having internally right now that last year we rolled out, we.

We started talking about customer delight, right?

And as we thought about customer delight, it was all externally focused that, hey, this is the customer selling to.

We have to delight them.

That's good, right?

Because now we're talking on time and fall in otif.

So on time, in full otc, on time, complete, great metrics.

Right?

But as you start to peel it away and think about that, well, what does it take to delight a customer?

Well, there's all of these steps along the way and in fact, you start touching people that never actually touch or talk to the end consumer, our final customer.

So that's what we're working through right now and starting to think, well, how do we help the organization understand that, hey, I'm just doing this within an ERP or I'm just in accounts payable.

This doesn't matter to me.

I don't talk to the actual customer.

Accounts payable, maybe.

So maybe that was a bad example, right?

No, but helping the organization understand that, hey, you are part of something way bigger than just the task that you're performing and helping them link it all together.

Because then I think it starts to break down those silos that, yeah, of course I'm going to go talk to that team because it doesn't make any sense for us to have duplicative technologies or wasted time trying to implement something else or running our own program.

Yep.

Dan, can I jump in on the accounts payable part, please?

So let's use that as an example.

That's the piece you're jumping.

I want to see where he's going.

I say this because it came up recently in like the last year.

I'm not going to say recently is like the last month, but use this as an example.

So accounts payable is following up with a customer because they haven't paid their bill.

And then when they finally get in touch with the customer, the customer's like, well, I'm not happy with the delivery.

There was damage here.

And I didn't hear from somebody for two, three weeks and I'm still waiting for this.

I'm not paying you till I get it right.

And the accounts payable is like.

So there's two ways accounts payable could handle that is.

Well, I'm sorry, the bill was due today.

Well, now the customer experiences really bad because they're like, really?

You're going to force me to do this, right?

I'm the customer and I bought this.

And you didn't actually deliver the product I wanted.

It was damaged.

Right.

Or the accounts payable would be like, oh, wow, completely understand.

Let me route this right.

And get back to you.

Even though it's not their job, maybe.

Right.

And then they get to the shipping and delivery team or whatever, team, fulfillment team and say, hey, following up on order number xyz, we haven't been paid.

Apparently customer had some damage, isn't happy with the response.

Right.

And sometimes it takes CCing somebody up here to get like, light of fire.

Right?

Because culturally it's like, ah, I'll get to it when I can.

Right.

Instead of that, customer is the most important person today and tomorrow and forever.

Right?

The customer was the most important person.

We need to figure out how to make this right.

So the accounts payable person by routing it through.

Right.

And this goes back to culture.

Right.

And I could use this as an example for it.

I can refer to some people I worked with in years past that said some of the Japanese were the worst drivers.

And I asked why and they're like, they drive so slow, they stop for everything, blah.

And I'm like, huh?

Most cautious drivers, right?

Like, like your interpretation of worst was that they're too cautious.

And why?

Because you want to get from point A to point B, you know, five seconds faster.

It's the whole joke about, like, the guy who stands up on the airplane as soon as the ding goes off, right?

Yeah.

He got off the plane one second faster.

Right.

And you blocked like five people that were trying to get a connecting flight.

Culturally, everybody in other countries sits down and lets all those people through, along with the elderly, and then you stand up.

But here it's like, it's the same thing with the, the escalators.

And yes, Kelly is like, likes to walk like 20ft behind me, away from me, because I'm that person.

When I get onto the escalator, I do a carry bag.

I do not do the rolling wheel bag.

Right.

And the escalator, the right hand side was for you and your bag.

The left side was for walking up.

Yeah.

And I come walking up, and if your bag is planted there, I say, excuse me, coming through.

And people will turn and look at me, and I will move right through your bag and move it over.

And people will make the sign like, sorry, your bag should be on the right.

Now.

There isn't a rule for it.

It's just common sense.

And if you traveled internationally, everybody does it.

But here in the United States, everybody thinks they own this, my bag.

And it's.

I'm planting it right there.

We are a wider country, and therefore we need the extra width for us and our bag.

Truth.

Truth.

And I went on a total rant there.

But it goes back to the culture.

Like you said in Accounts Payable, you're like, well, maybe that's not.

But yeah, they do interact.

But it could be.

And when it happens, how do you route it?

Well, and this, this comes back to philosophically and understanding who is your customer.

Right.

That if we think about customer in the context that it's somebody you're trying to influence to create some type of repeat service or tell somebody else about the incredible experience they had, therefore creating somebody else buying for service, coming back, whatever that is, then you start to get expansive and realize, well, I have customers too.

My customers sit across the organization.

And what I want to do is get them to continue to come back to us, that we want to be kind of think about the consultant of choice, right?

There's.

There's a million different companies out there that can implement security controls.

They can build some application for you or sell you something, Right?

But if you can continue to get them to coming back to you now, you've got rapport, you've got a relationship.

You're built on trust, and you start to understand the impact you're having downstream.

So pivot that back to security.

This is one of the things that we lack in the security community.

In a lot of programs, they sit in a silo.

It's a bunch of gremlins.

Turn off the light and hey, here's my list of controls I have to go through.

Because this framework or this governance policy says I have to do this.

I just push it out, hope for the best and I don't care if it's causing you friction because it's not impacting me.

I'd argue there's a couple of things we need to, we need to think about in the industry.

One, we are as you said, part of a much bigger set of processes and therefore the things we do, we need to understand the implications of top or top, top to bottom, left to right, beginning to end.

I think we also.

I also want to come back to your customer delight idea and say that pure, I love that companies are starting to think about customers as the driver and not just profit or that customer is a component of long term profit.

And this is a great place to think about things like the metric the dollar impact of a happy customer versus the negative impact or smaller dollar positive impact of an unhappy customer and use that to look at the costs.

Yes, I can't produce as fast.

Yes, I can't, you know, bring outputs as fast.

If we do this, we've added friction but it ends up with this end result of a net higher big picture revenue and calculating that in at all ends of it.

And then the idea of somebody looking at the end to end processes from start to finish outside the silo.

I've had the opportunity to work in large enterprise and I've had the opportunity to work in very small startups and medium startups or medium companies.

And I think the most important piece of culture is everybody understanding what the goal is.

Understanding the goal and always thinking about the impact that what they do may have on that in an organization in which everybody understands that revenue car nar, whatever the revenue, whatever the revenue number you're using is and EBITDA are important.

And thinking about the impact that decisions you make, even if you are just a piece in the middle might have on that and I'd argue it can be done.

And then as you go to larger organizations it becomes much more difficult, much more opaque, much more.

I'm just a piece in this much bigger process and I don't even know what our goals are other than the wordy HR style goals that are to be the most, most this of that to be the premier whatever.

And I think those are not helpful.

I think those do not help to give people the drive to look at the impact of what they do on the bigger picture.

It may help with some storytelling but I think it's at the expense of giving everybody an understanding that if we, that we row the boat this way and that that is the finish line down the river and we will all want to be heading toward that.

Yeah, I totally agree.

One thing I will say, damn, where I somewhat disagree, but I do agree on that notion of EBITDA in, in the dollars and cents, etc.

Money, the, like this fiat currency is, is man made.

And if our driver, understanding the business is critical and understanding what's important to the business is critical, etc.

But culture, right, also comes in when you say, okay, what's good for the business, what's good for revenue, etc.

But also what's good for people.

And you got to have a people aspect to it.

And this is what makes Japanese companies very different from a culture aspect.

Because there's always this part about people and I use this and I, I look back on those 16 years I got to work in an organization and travel over to Japan, etc and something that, when you were saying that, Dan and I was trying to think culture.

Imagine when you show up to work and you're running late and you pull into the parking lot.

Typically in North America or in the United States, if you're running late, your parking spot's probably in the very back.

You got to run it.

In Japan, typically if you're running late, the parking spots up front are open.

Why?

Because the person who shows up early parks in the back.

Why?

Because he was early.

And culturally, if there's someone running late, they're going to get here after me.

And they may need that spot so they can get into work sooner.

It's looking out for the people that you work with.

And if that's it's, it's something that's taught, right.

It's not a rule, right.

Like we were talking about, like you said, it was illegal to pass on the right, Right.

Maybe it should be.

Maybe it should be illegal.

Like we say, well, I was the first one here.

I'm getting that damn spot.

Right?

It's like, but what about Jim, who I work with?

I have no idea what kind of day he's had and maybe his son was sick and this happened, etc.

And he's running late.

It'd be great if Jim was running late, if that spot was open for him to be able to get in.

It's looking out little things on the human aspect.

So it's a little things we do in our jobs.

Insecurity, right in it.

That also isn't just business.

And this, that's really important.

But how does it impact people?

Right?

And how you tell the story.

I'll never forget, Eric, when you told the intune story right?

And the idea of until you got the opportunity to explain it to a larger audience and someone was like, well, I don't want you spying on me.

You're like, oh no, that's not the idea.

It's this way you don't have to log in every day.

Right?

It's set.

Oh really?

That would be great, right?

You removed friction in a process while adding more security.

And it's how you tell that story that's important.

And I also like to call out and I don't want to get long winded.

Eric said the word gremlin.

20 points to Eric.

I had not even considered that Gremlins is also a Christmas movie.

Way to tie that in there.

One for the Gipper.

Disagree.

There are only three Christmas movies.

Die Hard and one of them is Die Hard and the other one and.

Die Hard 2 and Die Hard 3.

And the other one is national and Poon's Christmas Vacation.

The third one you may insert your own, but of those two are staples.

And on that note, unfortunately, we're out of time.

Eric, Brian, thanks so much for being here.

Having another great debate.

And thanks to you, the listener.

We really appreciate all that you do, all that you've shared with us and you're being part of this community.

2025.

You can find us on distillingsecurity.com you can email us security debateistillingsecurity.com you can find us on YouTube.

YouTube.com the little at sign Great security debate and all the other places you want to find us.

Tell your friends, subscribe on podcast, subscribe on YouTube and we will see you again in the new year.

Thanks so much.

And we'll see you again on the next great security debate.

It.