Episode 57 Users

Dr. Nikki Robinson: Why Security Teams Fail at Human Factors

Dr. Nikki Robinson | July 3, 2025 | 57:52


It takes an advanced degree to understand the psychology behind why users hate security controls, so we got someone with two: Dr. Nikki Robinson, DSc Cybersecurity, PhD Human Factors. Nikki joins us to break down the real reasons security implementations fail—and how to fix them.


Tune in to hear our discussion on Dr. Nikki Robinson: Why Security Teams Fail at Human Factors.

Full Episode Transcript

Joe Patti (0:01) Welcome to the Security Cocktail Hour. I’m Joe Patti.

Adam (0:04) Adam Roth.

Joe Patti (0:06) Adam Roth with the background, you’re shaming me with that thing. You’re showing much more spirit than I have in the show. I’m starting to feel bad. I don’t want to know what’s behind it. Actually, I know what’s behind it, but whatever.

Adam (0:12) Well, you want the full transparency?

Adam (0:16) I know what’s behind it. I was hanging from my ceiling in my bedroom. I mean, you know, Joe, we gotta get a-

Joe Patti (0:20) Now you don’t have to make the bit anymore when you record. Is that why you got that?

Adam (0:24) We have to get at least 500 more viewers in order for us to get a studio.

Joe Patti (0:29) Yeah, at least easily.

Adam (0:31) Either that or we’re going to Nikki’s house to use that. I’m not driving all the way down there, but still.

Nikki Robinson (0:34) Yeah, you can use the screen. You can borrow the screen.

Joe Patti (0:35) That’s right, you’ve got a screen too. Boy. Okay, so we obviously have a very high-end guest here. We have Dr. Nikki Robinson. Nikki, welcome.

Nikki Robinson (0:49) Thank you so much for having me. I’m very excited to be hanging out with you both.

Joe Patti (0:53) Well, thanks. And I am, I guess, very honored that you even have a screen. So good. Excellent. Thanks.

Nikki Robinson (0:59) Yes, it came with the many years of podcasting, so I retained the background.

Joe Patti (1:06) Well, you’re a smart person. You’ve got not one, but two doctoral degrees. And you’ve written books and had patents and all. But before we get into that, we’ve got to start with the drink on this one. Because this drink is a little, I guess it’s not complicated, but it’s got a little technique to it. Huh? The way you make it. Yeah, when we did the prep call for the show.

Nikki Robinson (1:25) There’s a little technique. Yeah.

Joe Patti (1:33) We always say to the guest, okay, it’s guest choice. What do you want to drink? What do we have? And Nikki was like, no hesitation whatsoever. She says tequila sunrise. I’m like, okay, what’s that?

Nikki Robinson (1:44) That’s, it’s one of my favorites. I don’t drink a lot of cocktails, but if I do, it’s going to be a tequila sunrise for sure.

Joe Patti (1:50) All right. Okay, so let’s mix it up here. So you start with tequila, right? All right, Adam, let’s do this.

Nikki Robinson (1:55) Yes, yes, you add a little bit of tequila. That’s up to dealer’s choice how much you’d like to add.

Adam (2:03) Well, I gotta work on my chapter one for my doctorate, so should I add like four ounces?

Nikki Robinson (2:07) So maybe a little bit.

Joe Patti (2:10) All right, I got nothing to do. It’s the weekend, so okay. All right, so you got tequila and then it’s orange juice. Okay.

Nikki Robinson (2:13) There you go.

Nikki Robinson (2:20) Little bit of orange juice. Little bit of orange juice. And then I’m gonna help you guys hopefully try not to make the same mistake I did when we get to the next step.

Joe Patti (2:31) So I guess I should show people. Okay, so this is the orange juice. What’s that?

Adam (2:33) I think eventually what we’re going to have to do, Joe, is we’re going to have to collect the drinks on all our episodes and have a podcast edition on how to make each of those drinks.

Joe Patti (2:43) Hey, that’s content. We got to do clips. You know, there we go. We can do a whole clip show like a bad TV show or something. Let’s do all clips. Okay. So then it’s grenadine. Okay.

Nikki Robinson (2:51) There you go. And then it’s grenadine. And so try to, if you drip it down the inside, you’ll see. I made the mistake, I didn’t do that, but try to drip it down on the inside so that it pools at the bottom and you get a nice gradient. I did mine backwards. There you go. He’s got it.

Joe Patti (3:00) Drip it, drip it down the inside.

Joe Patti (3:08) Okay, I got it. I don’t do it. Okay, that’s a lot of pressure. I got to make sure I don’t get this on my keyboard actually.

Adam (3:14) I have a doctorate in tequila sunrise.

Joe Patti (3:19) Is it doing it?

Nikki Robinson (3:21) Let’s see it, Joe.

Joe Patti (3:23) Is that? Is that? Okay, I’m cheating, I’m turning it around. Is that the idea? How about I need more?

Nikki Robinson (3:27) Yeah, yeah, and you can add a little more if you like. It’s up to you. Yeah, however you like it. Yeah, Adam’s got it. This is what not to do. It’s what I did. So there you go.

Joe Patti (3:32) I have no idea what…

Joe Patti (3:38) Okay, you know what? I’m not going to push my luck. That’s his hair. I’ll turn it right there. That looks really good. All right. That’s right. Cheers. Nikki, you have a third doctorate now in mixology too. Congratulations.

Nikki Robinson (3:42) That’s perfect. That’s perfect. Nicely done. Cheers. Yes.

Adam (3:44) Can we cheers?

Nikki Robinson (3:51) Ha ha ha!

Adam (3:54) Well, the parent company to Security Cocktail Hour is what, Joe?

Joe Patti (4:00) Security Mixologist LLC.

Nikki Robinson (4:02) I should get a certification in that. I’ll have to work on that next. If you could, please. Yeah, I’ll hang it on the wall.

Adam (4:07) You want us to make you a certificate? All right.

Joe Patti (4:07) There you go. Yeah, we can issue a doctorate. I don’t know if it’s going to be recognized very far, but…

Adam (4:14) Well, maybe we can petition the Middle College Organist Association. That’s the one, yeah, yeah.

Joe Patti (4:21) Middle States Association of something or other, I don’t know.

Adam (4:26) But you’ll have to write five chapters, Nikki.

Joe Patti (4:27) Okay.

Nikki Robinson (4:29) That’s all right. I feel like once you’ve done it a couple of times, you’re like, okay, I can make it happen. The first one’s the hardest, the second one is a little bit easier.

Joe Patti (4:39) You mean the first assassination like James Bond? Or do you mean like the first book?

Nikki Robinson (4:43) The first book. The first doctorate.

Adam (4:44) No, the first doctorate. Joe, there is one person, I think, I think there’s one person at our school that just got their sixth doctorate.

Joe Patti (4:49) Come on, that’s James Bartlett. Yeah. Sixth doctorate. Does this person ever actually practice his or her trade or do they just get doctorates all day?

Nikki Robinson (4:58) Yeah.

Adam (4:59) And he lives in New York.

Adam (5:04) This person is really active in the industry. I mean, like, super active.

Joe Patti (5:14) Wow.

Adam (5:15) Yeah, I didn’t meet him through cap. I didn’t meet him through the school. I don’t know where, he didn’t say the school, but I met him online. I’m like, you go to my school? You have six? Go, you have five doctorates? He goes, I just finished my sixth. You might even see this, for all I know. I think he’s part of the podcast list.

Nikki Robinson (5:33) Yeah, it’s, I switched from doctorate degrees. I felt like two was good, and then I started writing books. I was like, I’ll switch into a different area of writing.

Joe Patti (5:44) Yeah, you know, advanced degrees, been there, done that, I can see we’re done.

Adam (5:48) I think if you get seven doctorates you get to be honorary president. Kidding.

Nikki Robinson (5:48) Yeah.

Nikki Robinson (5:52) Yeah

Joe Patti (5:53) Yeah, really. Okay, well, you guys will forever be ahead of me in the race for doctoral degrees, because I’m going to keep putting up a… I plan to keep up my goose egg right there. But in the meantime, so, Nikki, actually, your two degrees are in two very interesting things that I think not enough people talk about. Why don’t you tell us a little bit about your field or fields?

Nikki Robinson (6:19) Yes, I would be happy to. So my first degree is a DSc in cybersecurity. And I actually started pursuing that when I was still in IT operations. So I was on the IT side, but I was managing pretty large systems. And so I got really heavy into vulnerability management because I owned the risk of my system. And I thought, well, that seems scary that somebody is allowing me to own this risk. What do I need to do? Yes.

Joe Patti (6:45) That was your first mistake to own the risk. You always got to give it to someone else.

Nikki Robinson (6:49) Yes, that was a lesson learned right there. But yeah, so I discovered vulnerability chaining at the time and I was really interested in understanding how people scored vulnerabilities. How do they understand and score vulnerabilities? So that led me to the DSc. And while I was pursuing the DSc, the PhD in human factors was released at Capitol Technology University. And I was really intrigued and I started looking into human factors engineering, the discipline. And what I was lacking in my DSc was the understanding of how people or why people scored the vulnerabilities the way that they did. You know, I was so intrigued by how they scored them. They scored them essentially way higher than I would have ever anticipated that they did. They scored everything nine and above. And I was like, whoa, wait, what happened? And I didn’t have that qualitative understanding of what happened. So I went for the PhD in human factors. I pushed my research a little further to understanding cognition.

Nikki Robinson (7:49) and how we as people understand vulnerabilities based on our own experiences, our own skill sets and kind of education in the environment. And so I kind of took that further into human factors and I found that it takes me, it’s very complementary to the technical controls and implementations that we do as practitioners, but it helps me understand my users a lot better and even the security practitioners I work with.

Joe Patti (8:18) Right. Now, the human factors that you’re doing, we should probably explain a little bit. It’s especially for IT people. It’s not like user interface design or usability. You’re talking about the psychology of things, and there’s a real engineering discipline to how people interact with stuff.

Nikki Robinson (8:36) Yes, for sure. It was one of the things that drew me to human factors initially, because it’s used very heavily in the aerospace industry. So it’s used a lot in aviation, how pilots are able to fly planes, but how do we understand them as individuals, as human beings, when human error is a factor or when they’re tired and they’ve got fatigue, all of these things. So it’s taking in all of the psychological aspects and human behavior components of us as people, but also building a much more, I would say, a better framework for engineering for what we do in cybersecurity. You know, even years ago, when I was hearing the term security engineering, I thought, is that really engineering or are we talking about development, right? So yeah, I got really interested in that.

Joe Patti (9:23) Yeah, like computer science isn’t really a science. Anything with science in it is not science. Same thing with engineers, you know.

Adam (9:33) I don’t know, but let me ask you this, Nikki, since, you know, I’m like chasing that doctorate. From the human factor side, from the PhD side, that would be more of, like, I guess, and I know we should probably not be diving deeper into it, but that would be more of the quantitative study, right? Because you had to actually interview people in order to figure that out.

Nikki Robinson (9:57) Yeah, qualitative. I did, I did more interviews, but I also did a focus group. ’Cause I wanted to see, one of the benefits of doing a focus group and talking to IT and security professionals at the same time is that I was able to kind of get them all into a room together and open a dialogue, right? ’Cause I wanted to see, did they agree? Did they disagree? What are their different perspectives? And without doing that, I wouldn’t have had the insight into

Adam (10:00) Qualitative, okay.

Nikki Robinson (10:24) why they felt the way that they felt, or based on their experiences. Yeah.

Adam (10:28) Any, yeah, any biases that you think of, or like did some, yeah, that’s what I’m wondering. Like, like, you know, as an IT, as a guy that was in IT, but then I went to cybersecurity, though everybody lumps cybersecurity into IT, people automatically have these biases about, vulnerability should always be here or there or that or this or that, you know?

Nikki Robinson (10:32) Yes.

Nikki Robinson (10:51) Yeah, the study of different biases in human factors, but also just as a cognitive function, understanding how people, from unconscious bias to, you know, imperative bias, there’s like a number of different forms of bias that we can experience. But it’s interesting to see how it’s really based in people’s experiences, right? So from the IT perspective, and I can say this as someone who was an IT practitioner, my job is to make sure the systems are functioning. If they’re not functioning, if people can’t get access or systems are down, I’m getting yelled at. So I don’t want to be yelled at. That’s my like number one directive in life. I don’t want to get yelled at. So yeah, so people build this inherent bias of, my gosh, if I do this thing, I’m going to get yelled at, or, you know, I really have to do this because this is how it functions.

Joe Patti (11:31) Yeah, welcome.

Nikki Robinson (11:43) And I think one of the biases I see most often is that security negatively impacts functionality or operations. And I don’t see that as always true. But that’s definitely an interesting piece of it.

Adam (11:58) That’s interesting, right? So what we’re saying, let me step back a moment. Just so you know, full transparency, Joe was my boss at one point in my life and Joe did yell at me and I feared not doing the right thing. This is, I had that conscious bias of dealing with Joe. But that being said, yeah, right? There’s always that impression, especially when I worked for Joe, we had,

Adam (12:27) for lack of a better term, a hundred CEOs or more, 200 CEOs. Everybody was a CEO in that company. You could figure out what type of firm it was and their problem. Okay, it’s a law firm, and I try to be careful. And the thing is, wait, do you realize when you put that security function in place it’s prohibiting me from doing my job? And we would be like, your customer

Joe Patti (12:35) It was a law firm. You can say it was a law firm. It’s okay.

Adam (12:54) wanted us to put that in place, and we did put it in place as it should be. And whether it’s data loss prevention, whether it was getting access to a records room online where they shared records between each other, or whether it was, I got to download data to a USB for a tribunal. Those are the things that we had to deal with constantly and fight that social

Nikki Robinson (13:14) Mmm.

Adam (13:22) bias, like, no, you should be making it easier for me. And we get it. We want to make it easier for you, but you have to find that fine line where, you know, where the security practice is in place, but the user is able to do what they need to do as well.

Nikki Robinson (13:39) Yeah, usability versus security. I find that people see them as, you know, kind of combative or, you know, on differing sides, versus security can enable development. It can enable, you know, IT and technology, but it has to be done in the right way. Right. So forcing someone to rotate their passwords every 30 days, it’s probably not going to make them very happy with me. Right. If I force them to do that, maybe I can come up with a better way, an alternative, so that they don’t have to rotate their passwords as much, but I’m still implementing security, MFA or some other mechanism, that I can make sure that they’re protected in a different way.

Joe Patti (14:16) I think that in the past, a lot of people have been confronted with security systems that are really cumbersome, really hard to use, and also often not very effective, which doesn’t help much. Things have really changed a lot. And I think we’ve gotten to the point where a good security system is actually easier to use than a less secure one. Biometrics, when they’re supposed to work and be easier to use and make it easier for you. I remember, I’ve been through this so many times. People, when Face ID came out on phones, they’re like, another new security thing. I don’t want to use this. Whatever. This is too cumbersome. And I’d say, well, what you have to do is look at the phone. Yeah, I’d say, how are you going to use the thing without looking at it? This is designed to be so seamless it can’t get any easier, you

Nikki Robinson (15:10) Designed to be so seamless it can’t get any easier.

Adam (15:13) Wait, but then throw a pandemic into it. And then you have a facial mask and people are asking, why can’t it identify me through the facial mask?

Nikki Robinson (15:21) To identify me. Yeah, it is. It’s a delicate balance. It really is. It’s this delicate balance of helping and enabling our users, but also making sure that they’re protected, right? So that if something goes wrong, that, I don’t know, that we’re more enabling them. We’re not necessarily taking things away. I feel like that was really the, I don’t know, really the impetus for me doing the work, is I was like, I don’t want to take things away from users. I just want to help them make, I want to make security easier for them. And human factors is a good vehicle for that.

Adam (15:52) Yeah. So we had a user that got mad at me and I implemented a DLP for email and basically you were really only allowed to send to business email addresses. And obviously there’s a fine line between what’s business, what’s not. Some organizations do use Gmail. That’s who they are. They don’t have personalized domains. But this one individual said, look, I’ve been forwarding my emails from my corporate email to my personal email. Why is it still blocking? After a while, it should learn that this is my norm. It’s not working correctly. I’m like, it’s working correctly because you should not be forwarding your corporate proprietary information to your personal email. It should never go there.

Joe Patti (16:39) That’s right.

Nikki Robinson (16:49) Yeah.

Joe Patti (16:50) Yeah, well, that sounds like a case that’s interesting. I mean, does this count as human factors when it’s something like, okay, something like that is a policy decision? It’s like the company has said, you should not be doing this. And people just disagree with it or don’t understand it, because it seems like people don’t want to follow stuff that they either don’t agree with or don’t understand. I mean, do you have to pick apart a lot of that stuff in what you do?

Nikki Robinson (17:14) Yeah, this is very funny that we’re talking about this very specifically, because we were talking about writing. I was literally writing about this this morning. This aspect is so interesting because it’s kind of where, you know, we talk about people, process, technology, but this is where people and process have to align really well when the technology is implemented. Because I’ve read security policies in the past that are 600 pages. That to me is wild. How is someone supposed to be able to understand, digest, and then act upon a 600-page document? And that’s just for a security policy, right? That’s not even all the other procedures and things that they have to take in. So yes, I think process alignment with user functionality and understanding is super critical, because if we have inherently complex processes or procedures, I think that’s sort of in one bucket. The other is sort of what you’re describing, where our policy is in place to protect our users and it’s more about either they don’t understand, or to them it feels like it’s impeding their functionality. So to that user, I would say, why do you have to send it to your personal Gmail? Is it because it’s too complicated to log into your organizational email, right? Is it, you have too many tokens, you have to reset your password how many times, do you have to log in from a specific browser? Are you limited, you know, in what you can do in the client? Do you not have access to, like, Adobe Professional or something that you need to be able to do your work, so you’re trying to do it from your personal laptop because that’s where you have your resources? So I think that’s part of understanding what that user’s use case is and why they feel like it’s easier to operate from their personal email account versus their corporate account.

Adam (19:02) And that goes to a perfect place, right? Because you can work in one organization and you can be divided. And they’ll be like, listen, I only want to have one device. I want to be able to have my corporate email and everything on here. And I only want to carry around one phone. And then you get another person who says, I don’t want one phone. I want to be able to divide my corporate from my personal life. When I’m home, I don’t want to deal with this. I don’t want another laptop to carry for my office and my company’s only giving me either a laptop or a desktop. So if I’m gonna have a laptop and I need it when I travel for business, I’m not gonna bring it home. So I’m gonna forward my stuff to my, and you can get all these documented excuses, but at the end of the day, you’re not gonna make everybody happy.

Nikki Robinson (19:51) No, but I do think, no, for sure, you’re never gonna make everybody happy, but I do think it’s interesting to survey and understand your population for what their biggest, even if it’s perceived, impediment to their job is, right? Even if it’s just a perception and you can say, well, actually you can access through O365 online and here’s how you log in, right? So sometimes it’s perceived, sometimes it’s actual or factual. So anyway, but this is…

Adam (20:17) You’re right.

Nikki Robinson (20:20) we’re digging into where the actual problem statement is. I think it’s super important and why I was really glad I did the DSc, because I learned how to craft a really good problem statement. And that also helped me to probably annoy my users a little bit, but also ask them a lot of really good questions to try to help figure out what kind of solution was actually going to work for them, or if it was perceived or factual.

Joe Patti (20:43) Okay, so how do you work through a case like that? Because sometimes you have things where you say it’s perception. That’s like, okay, there may be some perception, maybe they don’t know, you know, but then I know that at least anecdotally, a lot of times in my career, people say, I need this thing where you don’t have to do my job. And like you say, you’re like, well, yeah, but you want to use this, you know, you want to use your… your Apple word processor, whatever, Pages, whatever they call it, but we’re giving you Office at work. And it’s like, you know, is that really productivity or is that personal preference? Is it level of comfort? Fear, just not wanting to do something new? I mean, how do you sort through all that and do it in a way that, you know, without the draconian thing, you know, that I’ve always had to say is like, well, the company bought this, they’re telling you to use this, and what do you want from me? You know?

Nikki Robinson (21:37) Yeah, I think it is. I start with, which I feel like there’s been such a big, there’s been a big push in the industry talking about empathy and emotional intelligence, even in the last three, four or five years, we’ve seen, you know, kind of bringing emotional intelligence into what we do as cybersecurity professionals. I think some of it is starting with that. I think some of it is seeing, okay, is it that they’re uncomfortable with the technology? If it’s that, but this is what the company is paying for, maybe I can provide them some free online training or something to help them understand how to use the product, or how maybe they can transfer their skills from a different product to this one. Or maybe it’s helping them see that, whatever, I’ll give a good example, different browsers. I had a case where someone was like, well, this webpage looks different from this browser to this browser. It shouldn’t. It should be the same across both. I should be able to see the same functionality, the same radio buttons, right, that I’m expecting to be able to fill out this form. Why is it different between browsers? And I said, well, that’s actually an inherent functionality of the browser itself, right? They have chosen, based on their interface, how to consume and visualize your content, or the website’s content. So sometimes websites will use radio buttons, or that’s the only way that they’ll use it, and some use like a list or a dropdown or something. I will say that was years ago. Websites have gotten a lot better at being consumed between different browsers and mobile devices. But I think people still have that same inherent thing. Why doesn’t it look the same? And it’s like, well, different companies built and maintain these browsers. They’re gonna be a little different, right? It’s not the same developers that did the same thing.

Adam (23:18) So you were just discussing how a web page might look different on a browser on a mobile device than it would look on a desktop. Let’s take that a step further. There are people out there who think the app on the mobile device should look exactly like the web page on the desktop. And what they don’t realize is that sometimes apps are either more enhanced as an app or less enhanced and with more functionality in the browser. And sometimes organizations gear you towards an app or the web page for certain reasons as well. And that becomes an issue because you might not be the creator of that app or that web page. You’re a consumer, that’s your vendor, and they expect you, go fix that right now.

Nikki Robinson (24:08) Yes, I feel like, especially in my IT operations life, but certainly in cybersecurity as well, that it’s like, hey, why can’t you fix this thing? And it’s like, well, I can explain to you how the technology works and I can do my best to help you work around it. But in some ways, it’s, I think, helping people understand the technology or why it’s different. Sometimes you’re not going to win. I’ve lost many a battle. I’m sure I will lose more.

Nikki Robinson (24:34) I take the time to at least explain it and provide resources to help people understand knowing that, you know, I can at least try. And then, you know, if they don’t understand for some reason or they’re still unhappy, then, you know, maybe I can try to figure out something else for them, some alternative, but, you know, sometimes it is what it is.

Adam (24:52) Yeah. Let’s take a detour for a second, right? We’re talking about social behaviors and that’s an issue, right? We spoke about vulnerability, but let’s talk about, like, compromise, if that’s okay for a moment. Maybe you don’t focus on that, but we all in cyber have had that issue where we’ve tried to educate those people that are users and consumers, and some of them more than others. And they don’t necessarily understand basic health and hygiene. And it’s hard for us to put ourselves in their place because, like, it’s inherent in us. And even we make mistakes sometimes too, right? But they might not understand, when I say they, I mean, like, regular users, the people that normally don’t really interface with technology, but they have to ’cause it’s part of their role. Whereas technology is our role. So that’s gotta be a little bit interesting, right, Nikki?

Nikki Robinson (25:50) Yes, I actually, so to back up a little bit in my education, the roundabout circle that I took, I started in psychology before I went into IT and software engineering. So I was a psych undergrad, I know, and then I went like full circle back into human factors. So, but I was interested at the time in abnormal psychology. So understanding, you know, different types of things. I was particularly interested in schizophrenia and trying to come up with some kind of solution for that.

Joe Patti (26:01) You did. Okay, now it’s coming clear.

Joe Patti (26:21) So you went from abnormal security, or abnormal psychology, to cybersecurity. That’s not so odd. That’s a perfect step. Yeah.

Adam (26:24) Freudian slip, Freudian slip, right, Joe? Is that a Freudian slip?

Nikki Robinson (26:24) Yes. Yes. Yes, it was funny how I kind of made the roundabout, but I think kind of taking that arc in my career, seeing that technology plays a big part in what we do. Of course it does, right, that we are consumers of lots of different types of technology. And what I find with understanding the technology is really one piece. The other piece is really understanding the people that I’m working with. So compromise to me comes in a lot of different ways. I’ve worked with a lot of developers, product owners, system owners, HR people, administration people, understanding them as an individual and saying that there isn’t always a one-size-fits-all solution to what’s happening. Every person has their own experience with technology. Some people may be really frustrated with password management because it’s become far too cumbersome for them, or maybe somebody doesn’t like the MFA challenges because they’ve been targeted for MFA-type attacks, right? SMS-based MFA attacks, and they are just completely fed up with it. They think that it’s ineffective, whether it’s because of the MFA technology or because of the person that was targeting them with those types of attacks. So I think helping to understand why that person feels that way at least gives a little bit of validation to saying, hey, I understand your frustration. I get it. You know, maybe we have this law or regulation that tells us we must act in this way because of, you know, self-attestation or NIST, you know, requirements. Maybe we’re in a federal environment. We have to follow certain protocols. But to me, there’s always a way to find a way to help people. I’ll give an example. I’ve worked with a lot of developers who are just like, I can’t implement secure code. I can’t do it.

Nikki Robinson (28:20) It’s too difficult. I can’t update my Java libraries. I can’t do this because of X, Y, and Z. And what I find when I speak with them is it could be a combination of things, but usually it’s because it’s like, every time I patch something, it breaks my application. I have to then go debug and figure out what happened. And it could be an application that’s been maintained for seven years, something that they inherited that they did not build. And they can’t figure out why it’s broken or why it breaks. And they don’t have the resources or the funding to build a new application or start from scratch. So they’re kind of, you know, reliant on making this thing work as long as they can. That source of frustration leads to insecurity because of this old package. Maybe it’s end-of-life software, maybe it’s, you know, EOS. But me helping them understand why the package is failing, because I’m a developer. If I can come in and say, okay, show me where this is failing. Let’s actually debug this. That changes the tone of the conversation versus me throwing over the wall, hey, you’ve got to do this thing. You have this vulnerability. Why haven’t you fixed it yet? You know, that’s a very combative start to a conversation versus, hey, I’d like to understand why this is breaking. Can you help walk me through, like, what you’re actually seeing in the code so we can figure out how to update this package without breaking your application?

Joe Patti (29:43) What I find difficult in a lot of those situations is, we’re talking about an exercise in problem solving here that especially developers are supposed to do. That’s a lot of the job. And IT people very often can be incredibly tenacious and creative when the problem is interesting to them, but when it’s not, and when they’re really not that interested in it. They don’t tend to do it like, you know, the person who said, I can’t figure out how to secure this a bit. They figure out how to do things they don’t think they can do all the time. But for some reason there is that barrier with security. They’re like, it’s too hard. It doesn’t make sense. I don’t see the value in it. That’s in my career. That’s been really tough to break through.

Adam (30:20) benefits them.

Nikki Robinson (30:31) I would, sorry, I was gonna say I would argue to, you know, working in the vulnerability management space a lot, because I hear, you know, it’s like, well, you know, they don’t understand these vulnerabilities and these risks and this and that. And sometimes I question, but do they have to? Have we made it so complicated to understand what these vulnerabilities do, why they’re exploitable, how they interact with the environment? Cause most of the time people don’t care, right? They’re just like, I have another patch to implement.

Adam (30:31) Well, yeah.

Nikki Robinson (30:58) and they’re so over-patching stuff that they’re just like, ugh, they’ve made this so difficult for me.

Adam (31:02) And that kind of goes back to what I was going to say, right? We talk about separation of duty sometimes. Sometimes it’s just important enough to know how to implement something because somebody else understood why you have to implement something. You don’t always have to know why, though it helps, but you don’t always have to know why. That also goes back to something like, what if the person, if you have a developer, but you have a security person, but then you start doing secure DevOps and those roles start to blend. You’re not focused on one over the other, but sometimes you might be biased, like, look, I got to get this code out. I don’t think it’s gonna be an issue if we do this, this and this from a security standpoint. Whereas as security people, people look at us like we’re wearing Superman capes and we’re fighting every single battle that we have to do. But we understand why. We understand when compromises happen. It happens because of certain things that constantly happen over and over again. And what I mean by that is, you don’t want us to do two factor authentication, or you want us to make this application available to the whole internet, or, you know, open up this port to everything? No, we want to know those IP addresses. We want to, and if possible, we want to have some VPN instead of opening it up to even a destination or source IP. So yes, not everybody knows what we know. And it’s almost like A Few Good Men. You need us on that wall. You want us on that wall. You know, so.

Nikki Robinson (32:37) Yeah, yeah, I think it is sometimes, I mentioned perception a little bit, but I think sometimes it’s also perception of, you know, the security team, right? Are they helping me, or are they just telling me to do a thing that feels arbitrary to me and I don’t understand why? Right. So are they helping me to get to that end state, or are they just saying do the thing? Why didn’t you do the thing?

Joe Patti (32:58) Well, sometimes we are, but I also find it frustrating because we say, we like to say, well, security is everyone’s job. Well, yes, but realistically, a lot of the discussions that I’ve had over the years with people, especially in more recent years, it’s like, okay, you’re a system administrator, whatever, you’re running the Windows machines. Patches have been coming out for them once a month for the past, I don’t know, 15 years, 20, however long it’s been going on. It’s like, I have to say, dude, that’s part of the job. You got to know this stuff. You’re developing things that are internet-facing. You’re writing web apps or something. It’s like, this is part of what you do. You can’t be an engineer at a… Sorry, the tray just went by. I got to restart. You can’t be an engineer at Ford or GM or something, a designer, and say, you know what, I don’t have to deal with those bumpers or those airbags or anything. Of course you do, and it is restrictive, you know, but that’s just the way things work. At least that’s the way I’ve always seen it, and it’s not a very popular stance among some people, I will admit.

Nikki Robinson (34:05) Yeah.

Adam (34:15) I feel like, you know, if we go back to basics, like a system administrator should have a basic understanding of security in administration, and a network engineer should have a certain amount of understanding implementing ACLs and why it’s important and what ports are more vulnerable than others. We as cybersecurity people, whether we’re in incident response or whether we’re in, you know, reversing malware or endpoint detection or whatever it is. We know more, but it’s like being a doctor, right? You know, if you’re an eye doctor, you should know what issues are happening around eyes. But if you’re a general practitioner, you’re not going to start diagnosing eye issues. You’re going to send it to a specialist. And that’s how cybersecurity has become. We’ve become general practitioners for certain things and specialists for others. And depending on the size of the organization, it gets to be very siloed. You know, we were in a very different world in cybersecurity than we were 10 years ago. And we’ll be in a different one two years from now. Who knows what’s going to happen? Like, oh, get the AI security engineer in here for agentic AI. We need them in here right away. I mean, oh, we have one now, you know.

Nikki Robinson (35:40) Yeah, I do think, I agree. We as security professionals, I think, have to have a very deep pool of knowledge that we can pull from, both from a technology stack perspective and from a threats, attackers, vulnerabilities and exploits perspective. I do think it’s one of the… One of the reasons I’m very happy that I did get a background in IT operations, because I think it gave me that full technology stack understanding. So when I went into security, it was like, yeah, that’s why we do all of those things. Because all this bad stuff could really happen if we don’t. But yeah, I agree. I was on the IT side, I was responsible for patching and automation. But you know what I find when I talk to, just in general, IT practitioners or developers, they don’t always, they do plenty of times, but they don’t always leverage automation in the way that they could. I think sometimes we get scared of automation in operations because we’re afraid that if we automate too many tasks or patching, things like that, that it’s going to impact our functionality or our operations environments. But I’ve done it very successfully in multiple environments. You can do it. And so I think I’ve… I’ve spent quite a bit of time helping people to understand automation and scripting and how powerful that can be to alleviate a lot of the manual tasks that you end up doing over and over again. Just something super simple, like automating the patching of your dev environment. If you’re patching it every week on, you know, Sunday night or Monday morning or whatever, that expectation is there, right? It’s like, hey, every Monday from 8 a.m. to 10 a.m. we’re patching the dev environment. It will be unavailable. That’s it. Set expectations, right? So I don’t know, I think something simple like that can be really impactful.

Joe Patti (37:34) Okay, but here’s a psychological question for you. You know, yes, there we go. I’ve dealt with, I feel like I should have a PhD in vulnerability management. I’ve done so much of it at this point. But, you know, when it comes to things like patching and automation and doing stuff like that, yes, it can make your life much easier. It makes the process more efficient. I remember in the old days, you’d be like, oh yeah, that guy who’s the…

Adam (37:36) I was just gonna say yeah.

Nikki Robinson (37:36) Yes, ooh, hit me with it.

Joe Patti (38:03) UNIX sysadmin who’s got nothing but a bunch of shell scripts, that he sits there and reads the paper all day. He’s a god. But more often than that, what I’ve seen are people don’t want to do the automation, you know, and you kind of referred to it, mostly out of fear. They’re just afraid that it’s going to break and they’re going to get in trouble with something they didn’t catch. And that’s it, you know.

Adam (38:24) There’s another step, Joe. There’s another step. Let’s take it even a step before that: I don’t want automation. I’m gonna lose my job. I don’t understand automation. I’m afraid of automation. If they start automating, you know, the SOC analyst level one, like, and we’re looking up malware now, which was my job, to write a report and see if this malware is bad, and now we’re using, I don’t know, like

Joe Patti (38:33) there’s that too.

Adam (38:52) whatever automation tools that we’re using today, then what am I going to do?

Nikki Robinson (38:58) I would say upskilling is even more important now than it ever has been, because I think, to the first point about automation, if you’re not leveraging automation, you’re potentially really limiting yourself skill wise as far as, like, what’s possible, right? Because I’ve walked into environments, taken a look around and kind of seen what’s going on, right? I within six months can automate or fix things. There was one job I had in particular. Within six months, I had fixed the entire vulnerability management program. We went from 60 to 70 % like patching rates every month to 99 % every month. That didn’t limit my job, but what it did was they saw me fix things and then they were like, ooh, can you fix this other thing? Ooh, can you fix this other thing? Hey, you fixed this one thing. Can you also do this and that? So I understand the inherent fear behind that, but I also think being a problem solver and an implementer can be really powerful. You’re right, I understand there’s some fear based there, but I think if you can show yourself as a problem solver and a fixer, that opens yourself up skill wise to continue to learn more and do more in the environment.

Adam (40:12) You ever see Spies Like Us? Dan Aykroyd’s downstairs and he’s in the basement of, like, whatever Department of Defense, and he goes, dude, where do those reports go? I think he said something like, I automated that. I got that done a week ago. Well, do something else. I already did that. Well, do something else. I already did that. Clean this place up, it’s a mess, you know. But the thing is, people get mad, like, if you’re more efficient and still doing, if you’re able to do all your work but finish it sooner

Joe Patti (40:34) You

Adam (40:41) They’re abortions like, what are you doing then? I’m not saying that’s the right answer, but I’m saying there’s unfortunately people out there with that mentality.

Joe Patti (40:46) But there is.

Nikki Robinson (40:46) Yeah.

Joe Patti (40:54) Yeah, but look, the way things work in security and even in IT in general, there is so much work to do. There are so many things that could get done. I mean, you we have the whole concept of risk management that a lot of it is based on us not being able to do as much stuff as we think we need to do. You know, so yeah, I don’t think there’s any, there’s any shortage of work for people, put it that way. Even if you automate everything to death, you know?

Adam (41:19) Automation, yeah. Automation allows for scalability. If you are doing the same task every single day and there’s a way to automate it, then you’re doing your organization into service by not finding a way to do it. I’m not saying those tools are always available, but there are people out there who can write things for free with certain things, whether it’s Python, whether it’s doing things with Windows, I mean, and you can automate certain tasks. Of course, it’s nice to have automation software to work with your SIEM and everything else. That’s really the way to go, or XDR or whatever we want to use. But, you know, XDR being that, you know, the superset of managed detection and response, you know, looking at malware or whatever else we’re doing, it’s a way to go. I mean, you don’t have to hire another seat, a person in a seat, and they can still do their work. And that allows that person actually to grow higher, if they can automate the support.

Nikki Robinson (42:20) Yeah, that’s what I’m saying. You build them. Yeah, you just constantly build that skill level. You know, I find, you know, when I started in IT, I was on Help Desk. I would say Help Desk is primarily a function of the past, right? That’s not a thing that you see a lot anymore. You do see, you see a lot of automation around IT support, password resets, things like that, that I used to do when I was on Help Desk 17 years ago, right? So, you know, I… I don’t think that I would be on help desk today, right? I think it’s kind of what I’m saying. So I think it’s good to be able to build your skills over time. And, you know, a lot of the automation that I learned even as a sysadmin, senior sysadmin, as I was kind of making my way into security, a lot of those skills I still use today, helping enable IT and developers, because if they don’t have those skills, I’m like, hey, here’s how you do this. I already wrote this Windows script for you. It’s PowerShell. Just take it, use it, right? And I find that that also is really helpful. I’m gonna take it back to the security angle. It also helps me if I need to find someone, if something is going wrong, if I need to get in communication with someone and they already know who I am, because I helped provide them a script, I can reach out to them and be like, hey, I’ve got this thing. I kind of need this information. They’re like, yeah, sure, what’s up? Let me help you out.

Joe Patti (43:35) you

Nikki Robinson (43:38) So it’s nice to introduce yourself to people or help people out before something goes wrong.

Joe Patti (43:46) Yeah, well that’s one of the basic tenets, I think, of security, especially in security management. One of the things that’s most difficult about starting a new job in security is people are always very wary of you. They’re like, is it going to be a pain? Is it going to be difficult? And you also have to start banking some favors and getting some credibility, especially in security because it’s something that is so driven by influence and not authority.

Adam (44:07) Or that that… Yeah.

Adam (44:13) When all of us were younger, and wow, I’m dating ourselves, right? But when we were younger and we got into the field, we all started out more on, I think we did, like, we started more on the system side, and then we kind of went to the network side, and then we went to maybe the cyber security side. And it was kind of like a, you know, a rite of passage, but now people are graduating and, like, I want to go right into cyber security. But that’s not how it was, I think, for us. And it’s a very different world. And going back to getting rid of help desk, this is why we have things like agentic AI and other types of AI software, right? Now this AI software is actually doing a lot of those tasks because the LLMs understand what to do. As long as, that’s, and that becomes another vulnerability is my, you know, yeah.

Nikki Robinson (45:02) It’s all, yeah, yeah. So agentic AI, I’m glad we’re talking about this, because I think it is fascinating, both from a development perspective and a consumer perspective. It’s really, really beneficial for very specific tasks right now, what I would say, right? Like it needs a very specific purpose, but if you hone it and do your prompt right, it will do its job wonderfully. But you’re absolutely right. API sprawl is a real thing. And that is the thing. If you were to ask me one thing that keeps me up at night, it is API sprawl. That and, like, credential leaks and secrets everywhere, that kind of stuff keeps me up at night. And agentic AI is only increasing that.

Joe Patti (45:45) Totally. And I was actually thinking of that when you were talking about help desk and all. It seems like help desk, anything user or customer facing, is basically going to go into AI. I mean, even a lot of the services that, you know, I use, I know they’re not big companies, they’re startups and everything, but, you know, you got to go through at least one or two chat bots before you can even get their email address to ask them something. And I see that only increasing, you know? Yeah.

Adam (46:03) Yeah.

Nikki Robinson (46:09) Yes.

Adam (46:11) Like your Amazon, your eBay, right? Amazon and eBay. Can you just give me a person? How can I help you? I don’t want to speak to somebody, but what is your problem? I want to speak to somebody. Please tell me the topic first so we can get you the right person. Shut up!

Joe Patti (46:19) I’m here for you.

Joe Patti (46:29) Yeah.

Joe Patti (46:33) Well, this is a lot of fascinating stuff. I mean, I’m sure it could keep going on, but, you know, I guess it is a bit cliche. It’s the people who are difficult. The machines are, you know, they can be complicated and temperamental, but when you bring in the human factor, wow, that’s when things get dicey.

Nikki Robinson (46:49) Yeah, it keeps it interesting for sure. And I do hope that we continue to integrate it into what we do in technology, really understanding the people that are using technology so we can build better technology for people.

Joe Patti (47:05) Yeah, absolutely. One of my favorite quotes that I’ve used in security for years is Yogi Berra supposedly said that 90 % of the game is half mental. You’d be surprised how much security is really a lot of psychology, both the organizational side and also the social engineering tricking people and usability. That’s a huge field that probably doesn’t get

Nikki Robinson (47:15) Mmm.

Nikki Robinson (47:21) Yeah.

Joe Patti (47:28) enough attention. You know, Nick, you rack up a couple more PhDs or doctorates and you’ll have this covered. So it should be cool.

Adam (47:32) I was just gonna s- yeah. I was going to say maybe if I go for a PhD after my DSc, I’ll talk about how to socially control people on the threat side who were nation state actors that eat chocolate. Something crazy, right?

Nikki Robinson (47:54) Yeah, you could do it. Hey, I would bet that the pool of research is wide open for that. I bet you’d have a nice open lane for that in research.

Adam (48:01) Yeah.

Joe Patti (48:02) There you go. All right.

Adam (48:05) Well, that’s always the issue, right? You know, like they tell you, don’t research the whole entire world, right? You know, you need something specific. It has to be honed. Yeah.

Nikki Robinson (48:13) You have to be focused. Yes, you have to be focused. But I also think that a lot of the work that I did in the DSc and PhD as far as scope and purpose, like why you’re doing what you’re doing, but also scope, is super helpful, because especially when you’re trying to remediate a vulnerability or fix one thing, it’s like, okay, let me just try to focus on this one thing right now and get this thing done. And then we can move on to the next thing. So sometimes scope is helpful.

Adam (48:38) And when I’m doing my dissertation, it’s focusing on cyber warfare and ethical cyber warfare. And that’s funny, right? Cause, you know, people are like, they don’t go together. I’m like, but they kind of do. And that’s the same thing with vulnerabilities and everything else in the human factor. How far is somebody willing to go? So that makes me think about what you’re saying about the social factor part of it. You know, people’s perceptions in different cultures are very different. And that’s no different from people within IT themselves. The IT person has one focus and it’s usually generalized. It’s biased, right? I’m a developer. These security people are not here to help me. And then the help desk might say, these developers don’t understand what we have to go through every single day to fix their issues. So there’s a lot of psychology and sociology involved in all these different aspects of our IT overall community. That makes sense.

Nikki Robinson (49:39) Yeah, for sure. I actually, the first book I wrote, Mind the Tech Gap, was very specifically focused on the sometimes combative nature between IT and security teams and sort of where that comes from. So I sort of like laid the groundwork for where I think that a lot of these issues kind of came from, some of it perception, some of it, I think, differing education paths, right? Like security teams are focused on security. Yes, we care that the… the systems are functioning, right? The CIA triad, availability is part of what we care about. But we also want to make sure those systems are secure and available. You know, versus IT and development, they may have project deadlines. They’re worried about maybe a customer or an executive level, you know, sort of directive and trying to make things happen. So, you know, sometimes security comes secondary, and not just because, you know, maybe it’s not even because they don’t care. They just may say, I’ve got this deadline. I’m going to implement the basic controls I need to and then I got to go. You know, I got to do other stuff.

Adam (50:40) I would argue that a lot of the issues with human factors and all these different departments is really about team building. And what I mean by that is, you know, one of the things I always focus on is, from like the forming, storming, norming, performing. If organizations understand each other’s roles a lot better, then they understand why. But if they don’t have an idea, this goes back to the beginning of our podcast, right? If you don’t understand why somebody’s doing what they’re doing, then you might have this, I don’t know, like this disdain or this fear or whatever it is. But if you get all these departments into one room and everyone does a little bit of a presentation and says, this is why we do it. Even the security people like us, we’re biased, right, like these help desk people, they don’t get it. But sometimes we don’t know what they went through that day, and if we understood what they go through sometimes, because even though we might have been there, we forget, right? Everyone forgets where they’ve been sometimes, some more than others. But, you know, we really need to have an understanding of what we do in order to help each other.

Joe Patti (51:56) You’re going to end us on a big kumbaya. That’s fantastic. Well done. We’re getting good at this. No, please. No, don’t sing, because you’re going to get us a copyright strike. So no singing. OK? Well, that’s great. Well, Nikki, thanks so much for joining us. This is some interesting stuff. These are some of the toughest problems in security and technology, how to deal with all this. You have taken on quite a task.

Nikki Robinson (52:00) I love it.

Adam (52:00) Well, you want me to start singing?

Adam (52:08) Okay, sorry.

Nikki Robinson (52:25) Yeah, thank you both for having me. This was such a great conversation and happy that I got a chance to chat with you all about human factors and security and just some complicated problems.

Joe Patti (52:36) And we learned how to make a tequila sunrise correctly. So awesome. All right.

Nikki Robinson (52:39) There you go.

Adam (52:41) I’m gonna get my book signed now. From Nikki.

Joe Patti (52:44) That’s right. Okay, I’ll have to read your books. You mentioned one. There’s another one too, right? Yep, there’s two. Okay.

Nikki Robinson (52:44) There you go. That’s right.

Nikki Robinson (52:51) There’s two, yeah. So there’s Mind the Tech Gap, there’s Effective Vulnerability Management, and I am writing a third book that is specific to human factors in cybersecurity.

Joe Patti (52:59) Okay, run out and buy those books and like and subscribe and tell your friends about the show too.

Adam (53:05) and we’ll put the book links in the comments.

Joe Patti (53:09) Absolutely. Okay. Thanks a lot, Nikki. Adam, see you next time. Okay. Thanks everyone.

Nikki Robinson (53:12) Thank you all.

Adam (53:13) Thank you. See you next time.
