Bringing Red Teaming into the Board Room (Part 2)

Bringing Red Teaming into the Board Room (Part 2)

How many problems do we solve as cyber security practitioners that are truly unique? When I say unique in this context, I mean truly unique, like when we remove the infosec nuts and bolts, nothing like it has ever been encountered or solved before. My guess is, very few as a whole, but we likely encounter problems of slightly different flavors or variations, as most fields of study and application do.

Following up from part 1 of this series, I want to explore the idea of empowering our peers and ourselves by sharing security concepts, learning from them, and spreading awareness at the same time.

Sales Example

Have you ever sat in on a sales meeting where there is talk of getting into new accounts? I've always found it funny that the terminology used is "breaking into a new account" when, as someone doing security assessments, I would use the exact same phrases when on a new engagement. Having a conversation with someone in sales about how they think about new target accounts, how they profile people, cold email/call, etc. ended up leading to a fascinating discussion about OSINT and social engineering.

Sales and marketing teams are very good at finding people, finding their contact information, finding what makes them tick, and finding ways to motivate them to take some action. If you've ever done any work in social engineering then all of that probably sounds very familiar. In one of my own conversations with people in sales roles, I learned about some of the tools that they use to build contact lists, tips on cold calling, and most importantly how they get in touch with very high value individuals who don't handle a lot, if any unsolicited email. All of this was valuable for me, but what did I bring to the table?

In our discussion about OSINT I shared a few language profiling tools that I've used in the past for spearphishing, services that will help you craft more targeted emails based on the types of language that resonates with your target. We also moved into discussion about our internal security tooling and what we do about phishing attacks. This part of the discussion let me open up about some of the tools we use, why we use them, and more importantly some techniques that this individual could use to spot phishing emails in their inbox; going a step beyond your basic security awareness training slide deck or lecture. I pulled my laptop out and showed them some tests we had run as well as some real phishing examples and how I spotted them.

What's the Benefit?

There's a bunch of them! Selfishly, one of the biggest benefits I've found was the learning opportunities from an entirely different perspective. I love studying outside my core areas of expertise as that's oftentimes where I find the most useful and interesting things to bring back and apply in my day-to-day. There's three key benefits to trying this out however.

  • As mentioned above, you get to learn something new from a different part of the company. Building on that though, you get more insight into how that person brings value to the organization and through that, you may find a spark for additional ideas that help secure that role without impeding the user.
  • You get some true 1:1 time with somebody to talk about how you also provide value to the organization, why security matters, and put things into a perspective they may not have considered. As we know, many people view security as a burden to their roles, but if people understand the "why" then they may have greater empathy for the "how" in your organization. That is especially true if it spurs some dialogue on how things might be improved with regards to user experience.
  • You get the opportunity to receive tangible feedback on how security may or may not be impacting a user. If your tooling is negatively impacting somebody's experience at work, it's likely they (or somebody at least) will be trying to find a way around it. This isn't to hurt the company, but to do what they were hired to for, that thing that security seems to be getting in the way of.

Action Items

Try these steps out the next time you have an opportunity to engage with somebody who isn't working directly in your department or even your field.

  1. Flush out your personal narrative for why security is important to the organization. You need to be able to explain this to somebody who may not understand the technical details, so bring it back to business value, objectives, or personal details.
  2. Make a list of all the major departments and teams across the company and your rough approximation for how much that department/team works with or understands security at the company. This might help you find where you can prioritize your efforts.
  3. Find some time to chat with somebody outside of the security team at least once per week, if you're super busy, do it once every other week. A quick 30 minute chat over coffee or even at lunch is perfect as it's less formal and provides a more open environment for candid discussion. Remember to not dominate the discussion with talking about yourself, this is like making friends 101, but that side of the conversation will come naturally as you focus on your coffee companion.
  4. Summarize your thoughts and any possible action items after each chat that you have.

About Robert Wood