Get Tickets
Juan Felipe Rincón, Google

Juan Felipe Rincón

Global Lead — Search Outreach, Google

Juan Felipe is Global Lead of Search Outreach for Google’s Trust & Safety team. His team’s mission is to help website owners create great fast, mobile, safe and secure websites. Juan Felipe is from the Americas, and currently lives in Dublin. Prior to joining Google, he spent the better part of the previous 15 years in the mobile and wireless industry and startup ecosystem, focusing on developer evangelism in the mobile web and app space.

How Do You Teach 10 Million Hard-to-Reach Website Owners the Essentials of Website Security?

Some key audiences can be really difficult to reach. Those of us who focus on helping website owners keep their sites safe from hackers know this well — those who we think we could help the most are often the least tuned-in. Through the years that Google has been chipping away at the challenge of teaching all webmasters how to be security-conscious, we’ve learned some lessons we like to share — the challenges, techniques that have worked, approaches we tried and haven’t been quite as effective, and how this ties to our own philosophy of focusing on content that is relevant, targeted and focused on solving the user need.





[00:00:07] My father runs a small online newspaper in his hometown. He lives in a small town in northwestern Colombia called Támesis, Antioquia. This town is so high up in the Andes it's literally above the clouds, and his online newspaper is something he painstakingly puts together using 1990s desktop publishing tools. He creates a PDF and then proceeds to e-mail it to all of his readers. You might call it a zine if it were in the 90s. There's, you know, something about it that is rich, because he's talking about poetry and the culture of the town, and revitalizing sort of a sense of place that they've lost a little bit through conflict over time. And the main issue, though, that I have a little bit is that his paper isn't crawlable, searchable, indexed and found on search results, which is a little bit ironic given the work that I do.

[00:01:07] My name is Juan Felipe Rincón and I lead the search outreach team for Google's Trust and Safety team. And our job is to teach webmasters how to make good content and make it accessible universally, and useful and usable. In fact it's so ironic because we're going around trying to help build tools and resources to help people's websites and we're doing things around the world. I lead a team of people in five different countries around the world with global footprint. Just in the last couple of weeks we ran a conference in India for webmasters who are publishing newspapers in Hindi, and who are traditionally publishing newspapers that they are putting out on PDF and then putting up on search - and it's not crawlable and indexable - so we're going out and helping them figure out how to make it discoverable for their users, to make sure that there's actually a really good voice for Hindi content creators in India. And that's the beautiful irony of this right? I'm leading a team of people who are teaching newspaper creators how to make their content editor and my own dad has a website that isn't online yet. And they've been publishing this - they're on issue 300 now - they publish it every two weeks. The fact is there's a little bit of me that feels a sort of tension between that desire to have his newspaper be online - because it's pretty neat - and a deep dread. And that dread is not just about what happens when I decide that I'm going to set him up with a beautiful CMS - something like what Jane Austin was discussing yesterday - that would be perfect for him. But just the deep dread. Not that I'm going to become the tech support side but that his website is gonna be hacked, and it's going to be compromised. That it's somehow going to become vulnerable and that that's going to harm him. It's going to harm his information, it's going to harm his readers. And that's pretty intense, because the reality is hacked websites today are used for a large number of very bad things. At the very least, it's just irritating, right? You end up with a phone that starts vibrating out of your hand with some ad for a supermarket. They didn't even actually put it in there. It's somebody else pretending to be there. But in the worst case you actually get more horrible things, things that are trying to take money, that are trying to install software that try to steal data, that are trying to to try to pull people into horrible scams, that are taking advantage of good content creators, good website owners who are just trying to sell their story out and now all of a sudden are paying for somebody else to distribute nonsense, and this problem is on the rise, alright, and that's the thing that gives me concern.

[00:03:42] Earlier this year in May we published a report on our hacked recovery efforts from around the world and we discovered that in 2016 we'd seen 32 percent more hacked websites than we had seen in the previous year. And our detection improved, but not so much that it accounted for that volume increase we just saw. Way more websites are being hacked by bad players. And this is now, there's no inclination that this is actually drastically decreasing. But there's a greater issue as well which is that 61 percent of the website owners, we had no way of reaching them. We had no way of telling them "Your website is compromised, your website is vulnerable." And that's not because we haven't been trying for years to do so. I mean we certainly have a team that encourages people to get on Search Console, or other teams that encourage them to get on Google Analytics, or use some kind of security monitoring tool. The challenge is that these are really difficult people to reach sometimes because they're not connected to that space.

[00:04:41] There's some part that gives me hope though, which is that when somebody actually gets notified, and when they actually get involved and get connected, 84 percent of Webmasters who recognize they have a problem and start fixing it are able to do so, and they're able to do so successfully and actually in an amount of time that would seem less onerous than you'd think for somebody starting from scratch. And so the thing we know though is that there's that challenge that we have of trying to actually educate people ahead of the game. How do we get people to build their websites in a way that's secure and protected from this kind of behavior? And how do we go about incorporating the technical know how to prevent themselves, aside from the technical know how from how to actually fix the problem? And we do this by encouraging non-technical website owners or small business owners - these are folks who have not spent the time, or haven't had to spend the time and probably shouldn't have to spend the time, developing the technical expertise that we assume from CS experts or security experts - encouraging them to adopt five best practices. They're simple, straightforward things to implement to a certain extent.

[00:05:57] The first one is the value of notifications. Get yourself on something that will let you know there is a problem. We talk about Search Console a lot because we know at the very least that if we detect it we can tell them through that, and it's a very direct channel for us to communicate to a website owner. There are other tools as well, other search engines. Bing has great ones, Yandex has great ones. We'll notify people of this. There are security alert notification systems. And we just encourage them to get something on there, so that you know that there's a problem, so that you know before your clients call you.

[00:06:28] Second practice we encourage is to use HTTPS on your website across the board, because that takes away a huge number of risk factors. That just eliminates a whole bunch of ways in which somebody can take over your site. Not only that, but you're protecting your users' data, you're protecting the transactions they're having, you're not unnecessarily exposing the conversation they're having with you to third party players in the middle.

[00:06:51] Third practice we encourage is backups. Backup all of your data, backup all of your software, have a regular synchronized system to keep a replica of everything you have on your system. Because if your system does get compromised, having a backup that is very recent - as recent as possible - is going to make recovering all that much more quicker.

[00:07:14] The fourth practice is what we call Update, Patch, Validate. Always keep your software updated, always patch everything that you install and always check on something you're going to install. And for a small business owner this can be onerous because you're saying, "how do I know to update?" And we encourage them to turn on the auto updates on software that has it. Actually do so. If you're hiring a software developer who is telling you "oh I can't do this because we are making changes to it and it's going to make the patches break," get them to do it so that it doesn't work that way. Like you know that's not an acceptable coding practice. Just break a common platform that's being updated for security practice and make it difficult. Make it happen, make it a priority.

[00:07:52] And the last thing we encourage small business owners, small site owners, is have good passwords and use two-step verification. A good password doesn't have to be some complicated set of symbols with numbers and digits and things that you so easily forget that then you write it down to a poster on your computer. It can just be something long and memorable that has enough combination of spaces and commas and other things in there for you to remember it.

[00:08:18] So we have these five practices, we know that if we can simplify these and if we get people to adopt these, they actually protect them. We know how much that helps reduce the likelihood that a website gets compromised in easy ways. The challenge is that, as I mentioned before, there are more than 60 percent of these folks we can't even reach. We haven't been able to get the message to them already. And that's the challenge. The big challenge that we're trying to solve. It's such a big challenge that in fact I make it an interview question for anybody who's joining my team: "How do you teach 10 million website owners who are hard to reach the essentials of website security?" And I ask that question for two reasons.

[00:08:59] The first one, the obvious one, which is that it test for the knowledge and it tests for good ideas, because great ideas in this space are valuable. Extremely valuable. And if any of you have any great ideas, please let me know. The other thing though is that every time I ask this question it reminds me of the fact that, to fix this problem we have to go back to the very basics of our of our discipline in terms of developer outreach, developer relations, or technical communications. And I think it's such a big challenge and also that reminder is so strong that I think it's very valuable for me to share some of the lessons we've learned with you about it. It will also help us perhaps figure out what we're missing in the proces.

[00:09:46] In text marketing, and tech marketing, and product marketing, and sales, we often talk about the adoption of innovation curve, and we see it as the s-shaped curve and you've all seen it before. You've seen this in plenty of startup pitches, and plenty of startup discussions, and we talk about the people who've already joined in and how they accumulate over time, and after a certain volume of adoption you reach an inflection point. And there's a moment when traffic takes off and then that's when you start hearing phrases like "hockey sticks and viral spread." In fact Andy Young had a whole great presentation about how hockey sticks out don't just magically happen. Right.

[00:10:26] And this conversation usually talks about the roles of early adopters. Early adopters, and sort of influencing change, and driving viral growth and viral spread. But in order to sort of tell you where I'm going I need to go a little bit back about how this connects to my dad. And to connect with how this goes to my dad I have to talk a little bit about potatoes. So, during my childhood, my dad worked at a research institution in Peru called the International Potato Center. This is a fantastic research institution, has been in existence for decades. They run great projects where they have plant pathologists and plant geneticists and agronomists who study ways of creating better practices for farming potatoes, to eventually help farmers protect their potato crops. And they run programs. They had a program in Bangladesh and India that improved food security for 100,000 families. They doubled potato production sub-Saharan Africa since 1994 through some of the programs they support. It's a fantastic program. And the main thing about it is that the process that my dad - who was leading the communications unit that basically would take the scientific work from the potato security researchers and try to take it to the people who are sort of running potato farms - isn't all that different from the work that I do taking the material of website security research to website owners. In fact, not to put too fine a point on it, but the work that I'm doing almost seems like the 21st century version of the work that my dad was doing, which is also a little bit interesting given the following facts.

[00:12:11] The overall name for this discipline, this process, is called agricultural extension. And agricultural extension started in Dublin in 1845. Again, ironies in this presentation and coincidences. I live in Ireland right now and this process started as a result of the potato blight in Ireland in 1845. And the seminal, or key textbook, in this discipline is called Diffusion of Innovations, by Everett Rogers. How many of you are familiar with this textbook? I see a handful of hands now. I think you all really need to become familiar with this textbook because the phrase "Early Adopters" was first put in this book. Right. And Rogers who was the son of a farmer in Iowa in the United States, whose father failed to adopt some drought resistant corn and therefore their family suffered greatly for years. And he got into this as a passion, and he got his master's degree in Iowa State University in scientific and sociology statistics. That's also where my dad got his master's degree in communications, but that's a different story. And there's an interesting curve in this book, along with the s-shaped curve, which comes from this book as well, which is the the Innovation Adoption curve. And you see, instead of taking cumulative adoption, you take incremental adoption and you start seeing how it tapers down over time. You're familiar with this, and if you're looking at the churn of your adoption of your product you sort of know that it does decline over time.

[00:13:48] But the fact is that, if we start seeing this as the people who are adopting this and then we start seeing it over time, we could eventually look at this as a way of actually segment the audience, segment these people: who are these people? And Rogers does this in this book, because the first group of people, the first two percent to adopt any new practice - whether it's new potato farming techniques or new antivirus software or Twitter - are the innovators. And these folks, in his book, tended to have larger farms, they were wealthier, they super super risk tolerant. They could basically take all sorts of risk and stuff and try new stuff because if it failed it was no big deal to them. They're also a little bit off on the social network - like they weren't connected broadly. They weren't generally broadly respected except by a small group of people. These were the early adopters who tend to be younger, more educated, tend to be community leaders or also tend to be people who are really really really really in tough spots and who can afford to take a risk because they basically have nothing else to lose. The early adopters generally are willing to take the risk. Listen to what the innovators are looking at - they connect that community. But it's the early adopters that basically stimulate the early majority who are more conservative but are open to new ideas, and therefore tend to follow along. But when we go back to talk about website security practices and the people that we're trying to target, it's none of these folks. So folks on the other end, the folks we don't often talk about in the market discipline right? And Rogers has names for them. He calls them the "late majority" and the "laggards.".

[00:15:27] Now the "laggards" word has given him a lot of critique because it seems loaded. But in fact they're just lagging behind in adoption. And when we think about our process of teaching website owners who haven't been on the early adoption of website security or technology, they've basically joined the game later. It's a different audience and we need to look at them and their dynamics a little bit differently. So our focus is on improving our reach for things like mentoring, and improving our messaging for that, and really talking about late majority and laggards rather than sort of trying to drive the new adopters and so on. This forced us to do some major reassessments of both how we do our communications work to website owners and how we actually adjust and engage.

[00:16:10] First thing is that we had to reassess the audience. And as you saw, in insecurity communications for website owners, basically the language tended to be about SQL injections and about Day Zero attacks and about particular vulnerabilities. And if I started reciting those many of you would look at me and kind of know where I'm going, a few of you would know exactly when talking about, most of you would sort of be just right on the other side of the comfort fence in the terminology. You wouldn't feel comfortable explaining it, and think about the business you're in. You're in digital marketing. You wouldn't probably feel comfortable explaining it. Now a small coffee shop owner whose website has been hacked isn't anywhere close to that usually. So we had to adjust our language.

[00:16:53] We first of all had to stop talking to sysadmins and webmasters. You know that image of somebody sitting in a data center that has root access and that can basically sort of magically fix everything in a VI terminal, and instead talk to small site owners, to small business owners in their language, in their terms. That's a shift for people who have been talking a lot about robots [inaudible], and site maps, and link practices and the like. The other reassessment we had to do is reassess our language. As I said, we had to shift from talking about SQL injections, zero day exploits, to recovery guides and practices. How do you know your websites hacked? How do you fix it? Here are the different ways in which your site might have been hacked. These are the three steps you need to take. Which for us was a change in the conversation because you had to get a lot more didactic. And how did we do this? We also had to change how we talk to them. We had to reassess our data as well to understand what folks were experiencing. We had to look through our patterns and our website forms in a different way, look at search console communications in a different way. We had to interview website owners to really go and understand their journey very deeply. And that way we had to augment the way we spoke about it, we would still have security researchers talking about security problems that were discovered and sort of really advancing the field, but we had to talk to people to fix it, and we had to educate, and train, and teach and popularize the practice.

[00:18:25] The other reassessment we had to do is reassess our notion of reach, because we had been talking about reach in terms of broadcast. And broadcast is fantastic for information dissemination, but it's not necessarily a great way to ensure that you're driving practice or driving change in practice. And so we had to essentially get out from behind the desk and in front of the camera. We don't have a team of Cooperative Extension agents going around and talking to individuals one by one to sort of teach them these practices, but you can at the very least be a lot more open. They're a lot more visible, a lot more readily regularly available to people to help them out, and they also start engaging much more with the community who are pushing these practices to help reinforce their efforts in some way. And then we also needed to know when we would start pulling back, because at some point these efforts do get momentum of their own. You do start getting an adoption curve with that set of people. That's a little bit different.

[00:19:22] So the reassessments we made in terms of the way we think about reach, the way we think about our language, the way we think about our audience, also led to some changes in how we operated. First of all we had to re-commit to strengthening our own feedback loop. We had been for many many years engaging constantly with the SEL and listening to issues that were coming along. We had a whole team that we were talking to, our ranking engineers and our crawling engineers, to make sure that we were fixing problems. We had to go back to talk to website owners. And early on in my in my Google days - I've been to Google three and a half years - my team that was thinking about this started proposing that what we should do is just have direct one-on-one consults with webmasters that are going through a really difficult hack reconsideration. I was a bit trepidatious at that. For me those were early days, still early in the discussions of sort of how do we talk about search and search ranking. Certainly we've always known that having conversations about what Google wants or doesn't want can be difficult conversations for us to have because it's not like we want anybody to do anything particular, just give us the website and we'll try to figure it out and service to users. But I'm glad that my team pushed through and convinced me to make this happen and to do this because they learned an intense amount. The biggest thing about it was that it reminded them, it gave them back that empathy that they had never lost but it's really sometimes difficult to look when you've been in spam fighting mode with some hack recovery to think about hack recovery. That's a result of spam. That's a shift in mindset and that empathy to the problem that a small business owner is having when you send them a message saying your website's been injected, we detected some kind of sneaky cloaking redirect, and then going "My funnel is dead, I'm not getting any more clients into because people aren't coming through it, because there's some awful content on my page and I don't know what to do."

[00:21:15] And then those conversations also gave us more insight as to the nature of the problems they are having. We sort of were able to categorize them into two. One was "I just really have no idea what you're talking about." Which clearly communicated to us that we had to change how we did things, in terms of the way we wrote our recovery guides, or the way we sent our nifty notifications to webmasters. We're still working on it and still iterating on this, and we always want to hear what on this is helping or not helping. The other thing we found out is that for companies that maybe are a little bit more resourced, they still have problems in terms of getting in for doing the fixes, which seemed odd to us. We just thought it was obvious that a security fix needed to be done, that you just needed to patch things up. If you've been in the computing space often and long enough, you kind of just believe that. But people would keep on talking about the fact that, "Well, I'm being asked for the ROI when I'm doing the security patch." Right. Or "I can't get approval and focus on the updates because we have this development pipeline that's on the go, and every time we want to do a patch it sort of puts a halt on development because operations needs to sort of keep everything stable for a while and that just means that we can't move on, and the CMO won't agree, and the CTO, and the CMO are at odds on it." That helped us also recognize that, you know, aside from getting resources we also have to help create allies for the security practitioners that are pushing for this. And if we go back to Everett Rogers, he has this phenomenal list of generalizations in his book that come from doing vast literature reviews of people who have been in cooperative extension, innovation adoption technology in a variety of different disciplines.

[00:22:56] On Generalization 9-2 from Everett Rogers says that a change agent success is positively related to a client orientation rather than a change in CO orientation - i.e. listen to your customers, give them what they need, right? But it's good that there's theory that's been going around for 200 years that confirms that and that we all believe to be true and that is actually a very empirically supported.

[00:23:15] The second change we had to do is we had to revisit the value we were offering and how we were communicating. We were always encouraging people to get on Search Console because that's how we know when you have an issue crawling your website, and if you have questions as to how you show up on organic search results this is how you find out the data that makes you be better on that. And we realize that for small business owners that actually is a very important thing to them, if they're thinking about their organic search presence at all. When we were talking about website security and said "Why don't you implement these practices?" we realized if we connect one and the other and we sort of drive and say that, "oh by the way you get this notification thing for your security website that will help protect you," it drove the adoption of this practice. We really think it's very important for the health of the ecosystem while addressing that individual need of a business owner, that pressing market how do I get an audience viewpoint? How do I get them to know where I'm located?

[00:24:16] Again Everett Rogers has a beautiful generalization for this: Change agents success is positively related to the greed to which the diffusion program is compatible with clients needs - i.e. give the users what they need. All right.

[00:24:29] Change number three is to really focus on the barriers that we encountered and that webmasters were encountering and then remove them altogether. So we did things like Search Console. It's straightforward to get Search Console connected to a website, but we also realize that we think is very straightforward if you have command line access, or if you have access to your domain registry, or if you're able to put a file on your server. But for some folks that actually is takes a few steps of learning and we realize there's something we can do here. So we started collaborating with CMS providers and hosting providers and so on to sort of say "hey there is an API you can use to integrate on this, it's open and it's available if you facilitate this registration. We can also send you as a hosting provider notification when your websites are compromised, and you can send them to your website owners and they'll know about it" and all of a sudden everybody is healthier as a result of this.

[00:25:20] And we continue to work with other players in the ecosystem as well, like CMS providers and plug-in developers, to help them understand where there may be vulnerabilities and get those to go away altogether. And we'll continue to work on that. You shouldn't have to use any specific product to have a secure website to the extent that we can help people through whatever tools we're promoting. We want to do that.

[00:25:42] Complexity of innovation is negatively related to its rate of adoption. Make it easier and it will get adopted more readily. Right?

[00:25:49] And then the fourth change which is what brings me today, is to recruit allies. Particularly on what we call a decentralized system of diffusion, which is what we're seeing. We're not the only players talking about website security. There are many other players. Everybody believes this is important. The fact is, the more these folks get connected and engaged with each other, the more likely we are to actually address this problem because it's a significant challenge and that's why I'm here. Because I think that there's a role that you can play here, in particular as you're promoting marketing strategies and branding strategies. This is important for your efforts. Certainly no amount of investment in brand or in conversion funnelling or in client delight is going to be worth much if it's built on infrastructure that becomes vulnerable. All of a sudden it puts all of that at risk right. Or if it actually happens and becomes compromised all of that investment is lost, and the easiest way of avoiding that is to just think about it ahead of the game.

[00:26:47] So best request to you and why I'm here, is to ask you to become the ally of the most security-minded person in the organization you work with. And if you're not that person, think about it. You don't have to become an expert about it. You just have to ask the question at the beginning. What's the security plan on this? Because there will be somebody in the organization that's thought about and sometimes that person is seen as the gadfly that's always just saying "hey did we think about security? Did we think about the security plan?" And then people just moan and sort of clutch at their heads. But oftentimes that person just needs somebody else to validate that what they're saying is important and it will be accounted for, and then they'll move on and just make sure that the right things are in place. That is probably the biggest piece to incorporate - make sure that as you're going through creating campaigns for your clients, as you're going through developing your own products, as you're going through talking to your own customers about their own online presence, throw in that bit of security. Know that you can actually talk about it just a little bit and drive awareness of it because even that little bit of awareness makes implementing the remaining five practices - notifications, HTTPS, update, valid, and patch, secure passwords and two-step verification - all the more all the more easy to implement.

[00:28:10] You might ask now sort of at the end like, "Well, what about your dad's website? Have you fixed it yet?" To be honest I haven't yet. I was going through this, part of me is like "oh I need to go here, I need to go to Turing Fest and say here's the happy epilog, like I went and set up my dad's website. Now it's online. Here's the wonderful glowing CMF site." But frankly it's still a project. But I'm more committed to do it now than I was before if only because I want to make this consistent. Right? I want to make my language consists with my actions. But in any event it's still working. I think it's still very important for him to do so and I'm hoping that he will.

[00:28:45] So with that, thank you to photographers who kindly kindly generously give in to this sort of common wealth of knowledge and information and content that we all share. That we're all trying to protect. And thank you all for your attention and time. I appreciate it.

Videos are great, but nothing beats being there...

Sign up to the Turing Fest mailing list, and be the first to find out what we've got up our sleeves for 2018 — and first in line for exclusive ticket offers and special announcements!

Turing Fest 2018 was brought to you in partnership with...

Platinum Partners

Administrate — the platform to manage your entire training operation

Gold Partners

Airts — intelligent resource planning software
Care Sourcer — free care matching service
iZettle — Tools to build your business
Nucleus — the adviser-built wrap platform, supporting financial advisers in creating brilliant client outcomes
Silicon Valley Bank — the bank that helps you build your business at every stage
Smartsheet — the leading work management platform you need to move from idea to impact – fast
Snap40 — Automated Remote Patient Monitoring. That Just Works.

Silver Partners

BBC Blue Room
CivTech — driving daring and innovation in the public sector
CodeClan — Digital Skills and Coding Academy
Cyclr — Developer platform for rapid SaaS integration
Float — Cash Flow Forecasting
FreeAgent — accounting software, simplified
Scotland Can Do

Bronze Partners

Attendify — event technology for the entire attendee experience
Bureau — innovative furniture solutions
CodeBase — the UK's largest technology incubator
Mallzee — the fashion shopping app
Monax — an open platform for small businesses to create, prove, and operate their legal agreements
Wistia — video hosting for business

Official Charity

The Turing Trust — a world of equal opportunity, with technology-enabled education for all