IoT Product Security Program Part 2

00:00

Hi, I'm Matthew Clark. This is less than 2.3

00:04

developing Coyote Products Security program, Part two.

00:10

In this lesson, we'll look at business transformation.

00:13

Much of The Simpsons role will require organizational transformation activities,

00:18

and the Simpson has to depend on both saw skills and hard skills to make that happen.

00:24

We'll also look at the similarities and differences in products, security and enterprise security. So let's get started.

00:32

I love this quote by Peter Drucker. If you want something new, you have to stop doing something old. It's such a simple quote, and I found the advice in it to be absolutely true in life.

00:44

You know, it's up to the sip. So to help the organization know what's old and what's new

00:51

and more important, it's up to the sip. So to help the organization, I understand why you would want to stop doing something old in order to do that new thing.

01:00

And sometimes the hardest thing is helping them understand how that could be done.

01:07

Business transformation means change,

01:10

and change is seldom easy. Usually it's pretty hard.

01:14

Some organizations are really good at adapting to change. They can change their business processes pretty easily. In fact, I've worked for some organizations in which changes so embedded within the business culture that is readily, usually readily accepted.

01:32

In several organizations changing the culture it's very difficult.

01:37

And with all types of changes, business transformation can have unintended second or even third order of effects. In other words,

01:46

a change here today may also cause an unintended change tomorrow in something that you haven't even foreseen.

01:57

While some organizations may be better at change than others, everyone has to process change, and there rarely found that to be a completely painless experience.

02:07

I told you that in this course if we would mix technical knowledge and skills with business acumen, and this is an example of that

02:15

transformation requires both hard skills and soft skills.

02:20

If you're a leader responsible for implementing a transformational process, then you're going to need some non technical tools in your so called security tool bill

02:30

in order to deal with issues like change.

02:32

I think it's a natural response to meet somebody to meet change with resistance. And so his leaders, we have to plan how to address change,

02:42

so we shouldn't find it completely unexpected to hear someone mutter Great! Another roadblock immediately after we finish announcing our latest and greatest product security initiative.

02:55

Ah, lot of acceptance for change is going to depend on the perspective of the person who has to implement the change.

03:02

Does that person see the sip? So is someone that genuinely cares about them that genuinely cares that they also have a job to do. Ah, product to design an A P I. D code or a firmware package to test.

03:16

And do they perceive that the Simpsons efforts are going to make that process better or worse?

03:25

One of the best ways I found a counter resistance to change is to borrow some training from improv comedy, which is strange as it may sound. But there's a technique and improv comedy that's called the yes end technique

03:39

Andi. What it does is that basically improv comedy takes a lot of trust between the actors because you really don't know what the other guy's gonna say, and you have to respond to it. You know, of course, in a humorous way, and you have to keep the dialogue moving forward.

03:54

So, for example, one actor might say, I have a ball and Then the second answer actor might answer back and say yes, and the ball is going flat. And so therefore they built a dialogue together, feeding off of each other's responses. Well, this kind of fits into a business setting

04:14

because it kind of counters that reflexive No,

04:16

um, that many security people kind of have a reputation for having, uh I don't think any of us ever admitted to doing that, but we tend to have the reputation

04:26

for for being the people, people who say no a lot

04:29

on dso

04:30

If you were to take this type of mentality, which is what I've done on dry toe, assume positive, attend right. And when somebody comes and brings a brings a situation which maybe they want to do something new are maybe they're challenging something that you're trying to do. Um,

04:48

being able to start off from that positive standpoint

04:51

and then work together to understand, How do you build consensus and how do you understand what it is that their concerns are assuming that positive intent and looking for the way to actually enable it on help the business move forward? Because, you know, quite frankly, businesses don't get in business to do security, they get in business to accomplish their goals.

05:12

S ipso is also responsible for providing support. The resource is tools, processes people in time necessary to make transformation project successful. And another concept is important to fail forward the ability to for the organization to be comfortable with failure

05:29

because failures, but ultimately brings you towards success.

05:34

Okay, I recognize that a slight title called Not your C So cyber Security can be taking kind of controversial. And I didn't mean it that way, but I recognize it probably is now,

05:46

um, but basically Stephanie Domos and hopefully I said her last name correctly. She is the sip. So And executive vice president at Med SEC, she spoke a r s a 2020. And she said this and I thought this was really, really great. She said that surgery isn't just surgery.

06:05

It matters. What you're operating on

06:09

in cybersecurity is not just cybersecurity. It matters what you're trying to secure. And I thought that was just amazing. Quote it really just kind of succinctly put this idea together forming

06:20

so we can't possibly expect our ceases to know everything about everything.

06:26

Um I know that because I'm Aceto and I don't know everything about everything.

06:30

And I do know that there's lots of subject matter experts that work alongside me who know vastly more than I do about the topic that they're engaged in. And I'm grateful for that because there's a leader you don't necessarily need to be the person who knows everything you need to be able to know how to lead and Thio

06:50

have people who

06:53

are very knowledgeable and professional have them work together to be able to, you know, have a free exchange of ideas and to be able to work together to secure what whatever it is that you're trying to do.

07:04

So, she says, need help. And and that's the reason why. You know, many organizations have kind of brought in people who understand security and the built the security apparatuses because it can't just be a one man person. So we need to be careful about trying to pigeonhole cybersecurity and every type of cyber security under a single roof top.

07:25

Unless, of course, that ripped off is

07:27

broad enough to be able to hold it.

07:29

But then that's gonna vary from industry to industry and organization within the industries. But it's very important just not to say, Oh, that looks like cybersecurity. Therefore, it must be cybersecurity. Therefore, they see so must must control it. And that probably doesn't fit in every case.

07:46

So products, security and enterprise, information security. You're going to share some of the common things they're gonna share common processes and technologies. They're gonna have a shared lexicon. Shared theories. Um, they're gonna have a different focus, though one is gonna be focusing on the enterprise and securing that. And the other one is gonna be focusing on developing products that are gonna be sold to,

08:07

um,

08:07

to cuss. Consumers are other individuals and used within different environments.

08:13

They're going to use unique security frameworks. There's very specific frameworks for product security organizations to be able to help them design and build those products.

08:22

And they're gonna have unique product security tools as well. Some of the tools will be the same, right? Obviously, but some of them could be more focused, and the use of the independence of the tool is gonna change. Based on you know what it is that you're you're really looking at to secure enterprise or product security.

08:41

Okay, so that's it for the lesson. Today we talked about

08:45

transformation. We discussed some tools for success around that. We've introduced this so superhero earlier in the previous lesson, and we still continue to talk about her here in Part two.

08:56

We discussed transformation as a whole. We found some inspirational quotes. We shared that both in this lesson and in part one of the lesson, and we kind of discuss the transformation within the business with an engineering and enterprise security. We talked a little bit about the differences between those both in part one and part two.