Into the Breach: Why Companies Fail to Protect Data and What We Need to Do About It has been under development long enough! I have distilled the problem and presented a careful and easy-to-follow solution that will help companies improve their top line, protect their bottom lines and manage people, risk and information more efficiently. I am writing a book for business leaders to understand the fundamentals of how to unmask our human problem and take simple steps to reduce the chaos.

I’m ready to get this out there – and to share what I have learned and help more companies. So… I have decided to pack up the RV (it’s cold here in NY) and head down to Charlotte, NC. Why Charlotte? Why not. Seriously, though, my best friend lives in Charlotte – and he and some other good friends have suggested that we consider moving our base of operations to the Carolinas. The more the tell me about the region, the more I’m inclined to agree, so I decided it would be a good time to take 10-12 days to head down and check it out, while wrapping up the book.

I could use your help
If you live or do business in Charlotte – I would love to speak with you, or even meet with you in the next two weeks. I’m seriously considering moving our business there — and I’d like to learn about the business climate, partnership opportunities (or companies looking for a partner), family environment and the like. If you have a friend in Charlotte, perhaps an introduction would be possible?

Do you want a preview of the book?
I’m going to be hip-deep in finishing up the book. If you live in Charlotte and want to get a free preview – let me know and we can catch up. I’ll bring what I’m up to, and you can help me work through any rough spots while I get the manuscript finished off. I look forward to meeting you and working through the elements. This goes for business, personal… whatever. In fact… if you want to schedule some time with me and your team, I can share some of the keynote and strategies for success with you. I’ve been testing the book for the last year, and I know this works. I’m happy to share.

When you will get the book
I plan to have the galley copies out by the end of the month to my review team. I plan to have the entire project finished by the end of January and then it’s off to the printer!

If you can’t wait (for business or personal reasons)
I will be making a sample chapter available in the next few weeks. It’s seriously top priority for me. At that time, I’ll be able to accept pre-orders and take requests for autographed copies, too.

At the same time — you can book me right now for a dynamic keynote to prepare your organization now. In fact, we’re lining some up for December so that people can get this information before the new year! I promise I’ll do what I can to get this information to you and into the hands of decision makers as soon as I can.

I also am offering a limited number of my Information Protection Program to companies that want to implement the suggestions in the book to reduce the risk of breach, while reducing the cost of compliance. If you’re serious about changing the way people protect information, I’d like to have a conversation with you about how my program can help.

Sitting at the light, I wondered – would I dance in the rain, or would I scurry to get out of it? Thinking about the example I would set for my children, I realized:

I would dance in the rain; I will dance in the rain. You might call me crazy (if I wasn’t crazy, I would be insane – thanks Jimmy Buffett) – but absorbing and celebrating the moment is where passion is born. It’s where we can feel free, and we can be ourselves. I will appreciate and respect you for trying. Hopefully you’ll do the same for me; but if not, I’ll be confident that I am me…

During the rest of the drive, I realized it’s not much different for security. All-too-often, we’re so concerned with what people think, what they say, how we’re perceived that we focus all our energy of being someone or something else. We stopped living in the moment; we stopped having fun. We stopped “dancing in the rain.”

I feel like our industry is a bit tired right now. A lot of us feel frustrated and that perhaps the industry has lost it’s way. I’m an optimist – and I see a lot of opportunity. I dance in the rain, and I know that we’re able to make a difference. In the US, we’re heading into a long holiday weekend that marks the end of summer and the return to work, to projects and to our efforts. My wish for you this weekend is that you are able to take some time to refresh. Find your own way to dance in the rain (or sing in the shower).

Renew your passion for security. When you come back, I’ll be here with ideas and will share my research and experiences to support your organization, and to support you. We can dance in the rain together and change the way people protect information!

How well do you understand your users?  Are you aware of their needs, habits, and abilities?  Most security professionals understand the technology, but don’t have a clue about their user base.  All security professionals need user awareness training to ensure they understand their customers.

In the June 1, 2007 edition of CIO magazine, Publisher Gary Beach asks the question, “How social are you?” (http://www.cio.com/article/109302)  He references a new report by the Pew Research Center titled, “Typology of Information and Communication Technology Users” (found at http://www.pewinternet.org/pdfs/pip_ict_typology.pdf).  This report classifies Information and Communication Technology (ICT) Users.  Based on its findings, we in security can no longer assume that users are stupid.  From Mr. Beach’s column, “customers (users) are ‘wicked smart.’ They know what they want, they know how to get it, and they’re doing so by leveraging the poser of social networks to reach out to <others>.”

The report’s author, John Horrigan has classified ICT users in America into ten categories based on their ICT assets, actions, and attitudes.  The ten groups that emerge in the typology fit broadly into a “high end,” (31%) “medium users,” (20%) and “low-level adopters” (49%) framework. However, the groups within each broad category have their own particular characteristics, attitudes and usage patterns.

From the Report*,
  – 8% of Americans are deep users of the participatory Web and mobile applications;
  – Another 23% are heavy, pragmatic tech adopters – they use gadgets to keep up with social networks or be productive at work;
  – 10% rely on mobile devices for voice, texting, or entertainment;
  – 10% use information gadgets, but find it a hassle;
  – 49% of Americans only occasionally use modern gadgetry and many others bristle at electronic connectivity.

Do you know where your customers/users fit?  How about you?
You can take their on-line Internet Typology Test (http://www.pewinternet.org/quiz/) to see where you fit in the new typology of ICT users.  Once you know yourself, you can better understand your users/customers.

By understanding your users/customers, you can tailor you security program to fit their needs. The fear of the unknown is often the greatest fear amongst security professionals.  By having a little awareness training of your users, that fear will be lessened.

To paraphrase from Mr. Beach’s column, the big deal is this: As your firm continues to drive a growth-and-innovation agenda, your users and customers ultimately will determine the degree to which you succeed.  So CISOs need to ask themselves, “Is my infrastructure sufficiently robust to encourage and support the use of ICTs while protecting against the biggest and most prevalent risks brought on by these new technologies?”  CISOs should have an understanding and a vision of their users/customers to enable their business’ use of technology while protecting the critical assets.

What do you think?  Is the Pew Report accurate?  Respond either in the comments below on the Security Catalyst forums.

By helping each other, we all become stronger.

* Horrigan, John. A Typology of Information and Communication Technology Users. Pew Internet & American Life Project, May 6, 2007, http://www.pewinternet.org/PPF/r/213/report_display.asp, accessed on May 10.

Yesterday I had the opportunity to see the Great Rondini, an escape artist, dazzle and entertain the crowd. What I enjoyed (as much as the performance itself) is how he built the crowd, got the energy going and then put on a show – and in the end, he escaped his bonds. In addition to his humor and well-practiced quips, he stopped at least once, commanded our attention and issued a heartfelt thanks for supporting him. No, not the pitch for money… a true thank you for rewarding his efforts with our attention and applause. It was an honest emotional connection with the audience.

(I tried to insert a picture here, but my software bombed out – maybe soon!)

Beyond his excellent performance, I noticed that he held the attention of my children for the entire time (I also don’t recall any cell phone conversations or people using blackberries!). Better yet, when he was done, he came and thanked each child that came by – and rewarded them with a glow-stick style bracelet. It was genuine and classy.

On the walk back, I started thinking about how we could apply what I just experienced to our practice of security and how we protect information….

Rondini worked his timing, built interest, got people engaged and then put on a show. He waited until the sun went down (and people were less focused on finding the “right” spot. He waited patiently until the tight rope act was done, and then quietly stood on a chair and then blew a whistle. A bright orange get-your-attention whistle. SHOWTIME! He immediately engaged those standing right near him (including me) to form up at his line. He even said – look like you’re a crowd (to some laughs). He has a line for each of us as he invited us to participate. He threw out some practiced lines to get you to laugh… which is immediately disarming… and slowly, the crowd grew. When the crowd was right, he selected volunteers – got the crowd to support them and started the show.

It was clear that he was a professional. He’s practiced at his craft – and yet the show was different than I have seen in the past (so he’s still improving, changing and growing). Think about it for a second – how do you brief people? How do you explain what you do? How do you approach security?

Rondini smiled. He engaged. His passion for performing came through. As a security professional, this is an approach we need to follow. Rondini only gets paid when he puts on a good show. The larger the audience, the better the involvement and the stronger his performance, the more tips (and larger tips) he will be able to collect. He is motivated to improve and to perform. Most of us are lucky – the paycheck shows up no matter how well we do. Take a moment, though, and imagine ALL of your compensation based entirely on how you connected, engaged and entertained?

I don’t think it makes sense to tell people security is hard, complex heavy and something they _have_ to do. We can all learn something from the Sunset Celebration Performers – and bring a bit of entertainment to our efforts to make a difference. I am confident you will reap rewards from this approach.
Here is what I learned from Rondini – and how I think we can all benefit with our practice of security:

1. Choose the right time to perform (or deliver your message)
2. Engage your supporters and build them up (we need to find and build security champions)
3. Bring the audience into the performance and reward them (we need others to engage – but they have to be encouraged and rewarded)
4. Rehearse, rehearse, rehearse – so you seem practiced, smooth, confident – and really entertaining! (we *all* need more of this. period.)
5. Show sincere thanks and remain genuine and classy

Need help – shoot me an email: securitycatalyst@gmail.com. When this works, share your success with me!

As I have traveled around the country, hosted some informal gatherings and met with friends and clients, I’ve been struck by how people, in general, look and act. Most of the people I have met in security seem “down”, rushed, angry and lacking hope.

So we start a year where we feel down trodden, upset, dejected and hopeless?

Open Culture (http://www.oculture.com/weblog/2007/03/famous_stanford.html) recently ran a story about the (in)famous Stanford Prison Experiment. After reading it, I remembered back to the first day of my new job after college. My first boss sat me down and told me, “Don’t F*** up, because if you do, the whole world will crush you. If you do a good job, no one will notice, and that’s okay.” In my experience, those words have sometimes been accurate. Since I “got my start,” I have always remembered that first conversation – mainly in the context of watching how many people in technology have been treated and how they chose to treat others.

Practicing Security Today is like the Famous Stanford Prison Experiment

The Stanford prison experiment was a psychological study of the human response to captivity, in particular to the real world circumstances of prison life and the effects of imposed social roles on behaviour. It was conducted in 1971 by a team of researchers led by Philip Zimbardo of Stanford University. Undergraduate volunteers played the roles of guards and prisoners living in a mock prison that was constructed in the basement of the Stanford psychology building.
– Wikipedia entry (http://en.wikipedia.org/wiki/Stanford_prison_experiment)

In the experiment, the behaviors of both the guards and the prisoners escalated quite quickly as each took on characteristics of their role — to the point where the experiment was ended early.

You can learn more here:

Wikipedia: http://en.wikipedia.org/wiki/Stanford_prison_experiment
The Official Website: http://www.prisonexp.org/
interesting overview: http://www.holah.karoo.net/zimbardostudy.htm

Some of you are probably reading this, recalling the experiment from your college days and wondering… do I think that we are the prisoners or the guards? Short answer is: “yes.”

Reading about and remembering my cursory study of the Stanford prison experiment also made me realize that as “protecting information” has grown in importance, many people in the field of security have been given an opportunity they have never held – a chance to influence and sometimes to enforce. After years of receiving abuse, they find themselves in positions of power – and sometimes without guidance. So we take a reactive and negative approach to those around us. Perhaps some of our colleagues “assume the position” too much and get a bit carried away?

In some cases, we have folks that act like the guards; some act like prisoners and some, I believe, *were* prisoners that now have the role of guard – and they have a lot of memories guiding their actions.

Now, let me be clear – with all the plight in the world today, I’m not suggesting that we, collectively, take our practice of security to the extremes of the prison experiment. In fact, I’m not suggesting a direct comparison. I just happened to review an article on the topic a few weeks back and it has stuck with me that our practice of security might be allowing people to embellish their roles.

Regardless, this is a situation we cannot accept. Period.

We cannot accept this approach: reboot the industry

What happens when your computer doesn’t respond as you would like? Many of us check for run away processes and consult the logs. If you’ve ever worked with windows or supported windows users, a more common answer is: reboot the system.

In security today, I suspect we could “check the logs” and look for runaway processes, but I feel like we need a reboot. We have to flush from memory the bad blood and old experiences and get started with a clean(er) slate. We need a fresh start (or a least a fresh approach).

I believe that the better way to practice the protection of information protection is through a positive approach that stresses inclusion and builds partnerships. In the last year, I have watched people in our industry alienate the very people that have helped them. I have coached organizations away from taking a punitive approach to security. I have confessed that I love to learn, love to teach and truly enjoy working to simplify security and relate our concepts to people in a language they understand.

In Speaking About Security, we explore the power of the narrative. We learn through story (you can really see this in children). On a recent flight home, I was treated to “Night at the Museum” (http://www.imdb.com/title/tt0477347/). While it might not have been a movie I would have normally selected, I was amazed by the story. Without revealing details, the success came after abandoning a process of restriction and following a path of inclusion.

I’m not suggesting that Hollywood holds the answers, but we cannot ignore the fact that the “story” of this movie and the movie itself were both successful. They are natural to the human experience and something we need to strive for in our practice of security (and the protection of information).

After reboot: It’s time to get grounded and follow a new vision for security

I believe in a new vision. I see a way to practice security that minds the past while focusing on the basics. The future for us focuses on protecting information – and everyone has a role. Protecting information is dialogue; it cannot be simply a directive. The current strategy of relying solely on technology is not working, and it’s time to follow a better way. I believe that means we have to follow an inclusive strategy.

We have to foster a sense of trust among each other and our users. We have to reintroduce the concept of accountability and foster a culture that embraces and expects personal responsibility.

I tend to be the sort of person who prefers action to words. This approach influenced me to share more of my ideas through the blog and podcast this year and led me to create the inclusive and supportive Security Catalyst Community (http://community.securitycatalyst.com/forums/index.php). As that community continues to grow and thrive, I have met many other passionate professionals that have challenged and supported my growth – reinforcing to me that collaborating with others can be truly powerful.

I have decided to spend some time focusing on three key areas:

1. Architecting a shared new vision for approaching how we can protect information (security). It’s not *my* vision – it’s *our* vision and I invite you to join in the conversation and practice a new way.

2. Help security professionals find their voice. As a parent, I have watched my children struggle with communication and sometimes resort to hitting, tantrums or what we generally call “melt-downs.” I believe that our success in security is tied to our ability to successfully communicate in speaking, writing and presentations.

3. Providing organizations and security professionals the support needed to be successful at our jobs.

I have decided that for our profession to effectively protect information, I want to help each of you become more successful in what you do.

Supporting Your Growth and Development

Through a lot of conversations with clients, friends and even ISSA and Infragard chapters, it was revealed to me that I was already offering some of what people were looking for. As a result, I have improved some programs we already developed and accelerated the development of some new ones.

To help people get grounded, focused and be able to “do more with less” without burning out, we have updated “Are you making a living or making a life?” – which is now available in a keynote, workshop and private workshop session. It’s an approach that shares how we can break the cycle, lead more “integrated lives” – as opposed to seeking “balance” – and build more effective relationships with those around us. Rather than acting out the Prison Experiment, it allows us to pursue a strategy of inclusion, to work together to protect information.

In March, we launched “Speaking About Security” to improve the ability of security professionals to communicate more effectively, inspiring their colleagues to take action.

Mike Rothman and I just announced the formation of the Security Education Network (SEN), which includes the Security Salons I have been forming, as a method to provide the information, insights and support needed to bring your performance to a new level. I’ll be writing more about that in the coming days.

This summer I launch my book, “Into the Breach: Why Corporations Fail to Protect Sensitive Information – and What Can be Done About It” — where we explore breaches and propose an approach to protecting information that allows business leaders to shift their culture away from the “security diet” to a “mindset of protecting information.” I look forward to sharing this with you.

We’re currently working on some different ways to get some needed information, resources and training to you. As soon as some plans firm up, I’ll make some announcements.

I am excited about this journey. I am passionate about my focus and my ability to help guide you and your organization. I firmly believe we need to learn from the past and work toward a better way. I offer up my approach of positive reinforcement, inclusion and education. I look forward to blending my passion, insights and approach with yours and with those of others. It’s time for a change, and I’m excited!

We plant plants…

We show you how to improve your gardening skills…

You grow gardens.

PS: I think I have finally fixed the formatting issues. – Santa 11:19a

Of course, this is why a number of us came together to form the catalyst community

Anyway – I allowed my HTCIA membership to lapse. While I admire the group and their goals, when I moved to Albany, I was immediately disconnected, and as a result, didn’t want to keep spending the money for no return in value. I truly wish more organizations would start to understand that “meeting” does not mean everything has to happen in person. Many organizations would benefit either creating an online community – or at this point, getting engaged and helping to grow the catalyst community.

So this evening, I got this email message:

Dear HTCIA Member,

Our records indicate that your 2007 dues have not been paid. If payment is not received prior to April 15, 2007, you will be required to re-apply as a new member in HTCIA. Renewals can be done via our website at htcia.org, or you may fax your credit card information or mail payment to the International Office address below. After this date, 2007 dues renewals will not be accepted.

Thank you for your cooperation in this matter and for your continued support of HTCIA.

Sincerely,

So why did I bother to post this?

Perfect opportunity here was missed to demonstrate to me the value of renewing – instead, HTCIA decided to take a tactic of telling me that by not sending in dues, I would be forced to reapply. Personally, I would have asked why I didn’t pay the 2006 dues… and then remind me of some of the benefits and offered a telephone number to discuss what was going on, etc.

I read this message and instantly thought, “screw it.” I doubt that’s the reaction they wanted. But making me feel like an inconvenience to your organization doesn’t encourage me to want to stay. I still like and support the HTCIA – so this message isn’t about bashing them or suggesting that people not join. I think this is a great group and if you have a local chapter, you _should_ join. Yet this approach struck me as “the normal way of doing business” – and upset me. This message was focused on the HTCIA and not focused on me as a member – which is odd, since they are asking for money.

Is this how you treat your users? Are they inconveniences to you? Do you take the time to communicate in a way that meets their needs and demonstrates benefits to them (in their terms)?

Don’t make this mistake with your communications and opportunities to make a difference.

During the days when we have so much information to read and so much work to get done, taking the time to read about stress reduction, let alone actually practicing it can be daunting. I decided to read through the list and then selected a few that either reinforced something I have already started (or perhaps have gotten away from) or perhaps something new to try.

For me, I have recently found these to be useful and helpful, and so I will make sure to continue these:

Get up fifteen minutes earlier in the morning. The inevitable morning mishaps will be less stressful.

Don’t put up with something that doesn’t work right. If your alarm clock, wallet, shoe laces, windshield wipers – whatever- are a constant aggravation, get them fixed or get new ones.

Unplug your phone. Want to take a long bath, meditate, sleep, or read without interruption? Drum up the courage to temporarily disconnect. (The possibility of there being a terrible emergency in the next hour or so is almost nil.) Or use an answering machine.

And of the list of 52, these seemed interesting and are something I’m going to try for the next few weeks.

Relax your standards. The world will not end if the grass doesn’t get mowed this weekend.

Simplify, simplify, simplify. . .

Schedule a realistic day. Avoid the tendency to schedule back-to-back appointments; allow time between appointments for a breathing spell.

In my experience, making a change, focusing on taking care of yourself and reducing stress is important, but not always easy to do. We live our lives in patterns and grow comfortable with our “routines.” The first step is often the hardest, so here are some of the ways I work to incorporate these changes in my own life:

Stop. Read. Think.
Do yourself the favor to take a few minutes today and read the list. Close the door, don’t answer the phone, and allow yourself 5-10 minutes to stop, read, think and determine what makes sense for you. I find that with a list this long, my inclination is to scan the list and then decide “I’ll come back” — and then probably won’t. Want to make a difference in how you approach your days? The key is to stop fire fighting long enough to settle your mind and focus. I actually find it addictive to slow down and think; I bet your brain (and body) will appreciate even 15 minutes of being calm, thinking and planning.
Plan to Start Small
I don’t know about you – but sometimes I get so caught up in an idea (or a HUGE list) that I want it all. Now. About the time I decide I want it all, I then realize it’s too big, dismiss the ideas and move along (or carry on with whatever routines I have established). I have been successful in the past and even more so recently by reviewing the list and looking for one or two actions that I’m already doing – but maybe not regularly. I find it’s far easier to reinforce a behavior I’m already inclined to do. Once I have those elements down, I then seek to add another. It’s a “slow growth” process; I can adapt and evolve as needed, but I am working along a loose plan of progression to get me closer to where I want to be. In this case, having less stress, more time to think and to be more productive.

Enjoy the process and take it easy
The biggest step I have learned seems to make the biggest difference: treat this as a journey and take it easy. I’ve actually lost just over 20lbs this year (yup, since January) – and I have yet to diet. Dieting is an end-state goal. I’m looking to lead a better life and set the example for my children. I took some time to evaluate the decisions I was making – and realized that what I wanted and how I was acting were completely different. I am again making smarter eating decisions (traveling and eating out will kill you, literally), spending some time back in the gym, drinking more water and relaxing. That said, some days I don’t get it right – that’s life! Because I am not treating this approach as a “diet” – I have less stress and am less concerned. As we seek to make changes that are good for the long term, we have to go slow, enjoy the journey/process and understand that no one is perfect and mistakes are okay (as long as we recognize them and correct them).

Hopefully my experiences allow you to get started today and do one thing that brings you a bit less stress. When you CHOOSE to lead a less stressful life. You’ll be more productive and feel better.

Basically, he builds on the notion of the power of a “consumer” revolt. Then he argues that the answers aren’t boycotts, but taking your spending power somewhere else. His argument, which I whole-heartedly agree with, is that if you don’t like the RIAA, then don’t boycott CDs for a weekend, but shift to online music or something else. The point is subtle, but important – if you don’t take an action that has an adverse economic impact, your message or dissatisfaction will not likely be heard. If you keep spending your hard earned money at the place you are unhappy with – can you really be that unhappy?

Don’t get lost in the semantics on this one. I think the solution to the breaches we keep reading about is the same. We seem to be up in arms over the spate of breaches at TJX…. then we immediately wonder why nothing was done and if they get a pass on this one.

Well, i have more to say, but I think the punchline is the consumers have to vote. DSW breaches, they continue. Choicepoint breaches, they continue. TJX breaches, they continue. Why? Do consumers actually care?

See, I think that the “scale” of the problem is so large that we, as consumers, don’t know what to do. The average consumer doesn’t have the “time in seat” or experience to consider the implications. They know what they read. They feel outraged and helpless. Or they are apathetic, because “what else can they do?” So unless we guide them to proper action, nothing will change.

I was watching a local business show yesterday (which in Albany, NY, is truly something to experience). Anyway, they have a group called the GenNeXt council (and I catch hell for Security 2.0??). So they have two people on at the end of the program opining how great the local economy is (it isn’t) and how wonderful for our generation (again, I don’t see it) – then they issue this warning “It will go away if you don’t get involved. So… get involved!” I almost threw something at the TV. And you have to understand, I’m not like that.

But to tell me to “get involved” and not give me options, so me how or otherwise guide me? How absurd. Now, with me, I’m the sort that doesn’t really want to be guided. Hey, if I was, would I be a ‘catalyst’ — probably not. But give me something… and I can choose to follow, adapt or do something else.

How many times have you plain said “give me feedback” – to get nothing. But if you hand someone a page – they rip it to shreds with ideas? We are all easier to react to an idea, to a concept, to _something_ in front of us.

Well, it’s no different when it comes to discussing security and the actions we want people to take. As I write my book, “Into The Breach: Why Corporations Fail to Protect Sensitive Information – and What Can Be Done About It” — I am working to explain an approach that any business can use to reduce their risk of breach. At the same time, I am working to develop a toolkit for consumers; they need some guidance on HOW to take ACTION when their information has been breached.

If we don’t hold people accountable and demonstrate our disappointment in a way they understand (hit them economically) – then change is less likely. But just *telling* people to boycott or to change won’t work. Afterall, if people want cheap clothes, TJX is still a good option, right? We don’t change behaviors with words. We have to explain processes and lead the way.

The other day I was reading Photo Business News & Forum and was reminded that sometimes this works both directions. I think I’ve been conscious of this for a while now, and so far I haven’t done or said something in a lobby or hallway that came back to haunt me. I *have*, however, had some experiences in public places where I felt like saying something about someone’s behavior (and sometimes I have made some, um, suggestions) – and perhaps one day that will work against me.

As a speaker, consultant, trainer, sales person, etc., this is something we have to remind ourselves on a regular basis. I believe it extends deeper. Take this into the corporation – how do you act or what do you say heading to or from a meeting? Have you shared conversations about important projects on the elevator when strangers and guests are there? Worse, have you mocked users or colleagues when you thought nobody was looking? We’re all human and have dealt with emotions and situations differently. It’s common to want to talk out your experience, but I invite you to think more before you act.

Regardless, what we do in our protection of information is important – and how you act matters. Sometimes it’s nice to have even a simple reminder and I think that Watch What You Say and How You Act is a quick and well-written reminder.

A lot of us are plain unhappy with the quality of panels at the conferences we attend in security, and apparently in other fields, too. I think Doug nailed it when he pointed out:

The problems are threefold. First, conference producers tend to staff panels using speakers they don’t think are strong enough to justify solo sessions. Second, some producers use panel-slot invitations as payback/thanks for favors. Third, there just isn’t enough time. I’ve flown from one coast to the other, burning up the better part of three days, to be one of five speakers on a one-hour panel. How much value can I transfer in just 12 minutes?

When coaching someone who is going to be on a panel, my first question is ALWAYS: did you prepare? I always am amazed that people think being on a panel means “no prep required” (it’s worse, of course, when they are solo speakers and feel that way). Of course, if it’s your role AS the moderator, then you not only have to prepare yourself, but then you are responsible for actively preparing the panelists! I even think you need to be prepared to guide them or otherwise support their efforts in the event something bad happens (prepare for the worst, hope for the best).

I am shocked, no appalled, well, shocked and appalled at the number of people who present at conferences that don’t prepare. How can you present any message without preparing and rehearsing?? No one is that good. When speaking – the best thing you can do (besides having _something_ to say that others want to listen to) is to practice, practice, practice. Keynotes that I have delivered a dozen times get practiced and rehearsed as if it were the first time I am giving them.

Everyone prepares differently, so I’d suggest it ranges from 2:1 to 20:1 to be successfully prepared (so yes, a 60 minute presentation could take 20-30 hours to rehearse AFTER it’s been written). In Speaking about Security – we go into detail on how to prepare. If athletes practice their game, we need to practice our presentation. If you spend all your time practicing, refining your message, distilling the key elements… then when you actually get in front of the crowd, we will be wowed (or at least we won’t be bored or otherwise distracted). This is precisely why we were asked to create Speaking about Security – and I will unveil more to you in the coming weeks.

So – if you are a moderator of a panel, you’re the leader. It’s your responsibility to set the tempo long before the event. Talk to each panelist before hand and run some ideas by them. Gauge their responses, tempo and perhaps tailor questions that will bring out the best in them. Encourage everyone to prepare. Then practice – if only on a conference call. Have dinner together the night before and practice again. When you are presenting – have fun, smile and bring your value to the table. We’ll all thank you for your efforts and remember the impression you made.

Here are some additional excellent suggestions for how to moderate or participate on a panel:

Guy Kawasaki (who prepares as much or more than I do!): How to Kick Butt On a Panel

Mike Ma shares some ideas for Moderating a Panel (and some good ideas here that I hadn’t considered – I like creating a fake event to work through)

If you invest the time to make it happen, it will pay off in terms of value communicated and the way you connect with others. If you take this seriously and practice, then not only will your message will be heard, but you’ll set an example for others to follow. If more of us did this, then our conferences would be _awesome_ to attend and we can work together to really advance the profession. Now that just brings a smile to my face.

“But if you want the word to spread, if you expect me to take action I’ve never taken before, it seems to me that you need to do something that hasn’t been done before. It might not feel safe, but if you do the safe thing, I guarantee you won’t surprise anyone. And if you don’t surprise anyone, the word isn’t going to spread.” – Seth Godin

For years I have felt that as a security professional, I had to overcome a generally held negative stigma about the way “we” act: we ignore others, we skip meetings, we tell people what they can’t do. Most security teams don’t have carry a positive connotation with them… whether earned or not. When is the last time you heard someone say “oh good, the security team got invited.”

It’s time to change our approach. We have to learn how to communicate more effectively. We have to listen more. To build on what Seth Godin shares (hey, I happen to like bald New Yorkers) – we have to be remarkable. Whether you work as a consultant or are part of an internal organization, we have clients that we serve, and we have to “wow” them at every opportunity. Now I’m not suggesting this is easy, but it’s clearly needed and worth it.

You can get started today (or on Monday) by approaching the situations you take on with a different attitude. Do this enough and you will stand out… here are five suggestions to get you started:

Bring donuts to a meeting
I mean it. If you’re health conscious, bring bagels. Bring fruit. Food is a great peace offering, shows you thought enough about others to make a difference and is a nice gesture. But wait – when people have enough blood sugar, they think better, are generally less snippy and are able to focus better. Think about when your meetings are scheduled and cater to the needs of the people attending. So do you really have to bring donuts? You decide. It is important, though, to think about the others you are working with and work aggressively to meet their needs.
Answer the phone with a smile – don’t growl.
Seriously. When someone calls, do you sound annoyed and overworked? Maybe you are, but how do you feel when you call a company and the person on the other ends makes you feel that you are an inconvenience? I don’t know about you, but I get defensive, irritated and generally enjoy the experience less. Is that what you expect from your colleagues? You have the power to make a difference – answer the phone with a smile in your voice and actually focus on the person on the other end. You’ll both walk away with a better experience.

Ask a user what their biggest security challenge is – and then explain it to them in a way they understand
A lot has been written lately about users. Want to get a different perspective? When you find yourself with some time for lunch, invite a non-technical colleague to join you. During the conversation, ask them about a challenge they have at home with security (or at work). Let them explain it – don’t jump in immediately with the solution. Ask some questions, pay attention and then offer to provide some insight, like this, “would it be useful if I shared some of my experiences with you when I dealt with that?” – see, that sets you up to share – and not tell in a condescending way. Then take some time to find a common ground and language, and work to explain a possible solution to your colleague in their words. This is decidedly a challenge, but if you make a habit of this – you’ll truly grow your abilities to explain how to protect information.

Follow-up with a helpful solution
We’ve all been part of meetings where a solution isn’t immediately clear to us. When that happens, have you ever actually though about it a bit and then provided your insights to the group? In my experience, we in security always get knocked for stopping progress and not helping advance it. So flip it around. Many of us in security have broad access to the company and with it, broad experience. Bring a helpful solution back and be considered part of the success. Good things will follow (especially if you make this a habit).

Point out what is RIGHT with a solution, and then help improve it
In technology, most of us get hit about the head and body when a mistake is made – and therefore it becomes a common mechanism to how we deal with others. Someone makes a mistake (perhaps even one that we made a long, long time ago) and we jump all over them. Have you ever taken the time in a meeting to point out what you LIKE about the solution? How was security considered, or how the choices made really support the ability to protect information? By celebrating and acknowledging others, you are then able to contribute your skills, insights and knowledge to the solution. After all, isn’t that our job as a security professional?