
Security Culture: Why You Need One and How to Create It


Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2FzyYux.

Masha Sedova talks about how to measure an organization's current security culture and how to define where it should go. She looks at techniques and case studies for beginning to shape an organization's security culture so that it becomes more resilient and enables people-powered security. Filmed at qconsf.com.

Masha Sedova is co-founder of Elevate Security, which delivers a people-centric security platform that applies behavioral science to turn employees into an active part of the defense. Before Elevate, she was a security executive at Salesforce, where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers.



  1. Security Culture: Why You Need One and How to Create It. Masha Sedova, Co-Founder, Elevate Security
  2. InfoQ.com: News & Community Site
     • Over 1,000,000 software developers, architects and CTOs read the site worldwide every month
     • 250,000 senior developers subscribe to our weekly newsletter
     • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese)
     • Post content from our QCon conferences
     • 2 dedicated podcast channels: The InfoQ Podcast, with a focus on architecture, and The Engineering Culture Podcast, with a focus on building
     • 96 deep dives on innovative topics packed as downloadable emags and minibooks
     • Over 40 new content items per week
     Watch the video with slide synchronization on InfoQ.com: https://www.infoq.com/presentations/techniques-security-culture/
  3. Purpose of QCon: to empower software development by facilitating the spread of knowledge and innovation
     • Strategy: practitioner-driven conference designed for you, the influencers of change and innovation in your teams; speakers and topics driving the evolution and innovation; connecting and catalyzing the influencers and innovators
     • Highlights: attended by more than 12,000 delegates since 2007; held in 9 cities worldwide
     Presented at QCon San Francisco, www.qconsf.com
  4. (Elevate Security) About me: built and ran the Salesforce trust engagement team; co-founder, building the Behavioral Security Platform; passionate about the intersection of security and behavioral science; cyber analyst for the defense community
  5. Customer trust is built on security
  6. (image slide, no text)
  7. 52% of all breaches in the last year were due to hacking (VDBIR, the Verizon Data Breach Investigations Report)
  8. Culture
  9. What is culture? Behavior, artifacts, beliefs, values, assumptions, experiences. "The way we do things around here...." Our experiences shape our beliefs, values and assumptions; our behaviors are driven by our beliefs.
  10. "Culture eats strategy for breakfast." - Peter Drucker
  11. Security culture is a subset of enterprise culture (Enterprise > IT > Security)
  12. Positive vs. negative security culture
  13. Competing priorities: pick two
  14. Opposing forces in an employee's business decisions: deadlines, cost and bonus on one side; security on the other, with security failure and security debt as the outcomes of getting it wrong
  15. The Competing Security Cultures Framework (Lance Hayden). Two axes: external vs. internal focus, and tight vs. loose control. Four quadrants:
     • Process Culture (goal: enforce policy)
     • Compliance Culture (goal: pass audits)
     • Trust Culture (goal: empower people)
     • Autonomy Culture (goal: get results)
  16. The four cultures in more detail:
     • Process Culture: managed coordination; stability, visibility, standardization. Goal: enforce policy.
     • Compliance Culture: rational goals; conformity, repeatability, documentation. Goal: pass audits.
     • Trust Culture: human relations; communication, participation, commitment. Goal: empower people.
     • Autonomy Culture: adaptive systems; flexibility, agility, innovation. Goal: get results.
  17. Results of the SCDS (Security Culture Diagnostic Survey)
  18. How do we drive change?
  19. Root cause analysis
  20. Understanding the problem: the Five Whys tool. Ask "why?" five times to get to the root of a problem.
  21. The Five Whys, example. Problem statement: my car battery is dead.
     1. Why? The alternator is not functioning.
     2. Why? The alternator belt has broken.
     3. Why? The alternator belt was well beyond its useful service life and has never been replaced.
     4. Why? I have not been maintaining my alternator belt according to any recommended service schedule.
     5. Why? I didn't realize this had to be done.
  22. Investigate the root cause, then match the fix to the cause:
     • Can this be solved with technology? Do it! Changing mindset is the hardest way to go about enforcing change.
     • "I didn't realize that security was part of my job." Communication, marketing, awareness campaigns.
     • "I didn't know what to do about it." Training and skills.
     • "I didn't have the resources or support to do it." Management alignment.
     • "I didn't want to." Gamification and incentives.
  23. Behavior change
  24. Key components of behavioral science: motivation, ability, trigger
  25. Behavior change model (Dr. BJ Fogg): motivation (low to high) on one axis, ability (hard to easy) on the other. Above the action line, triggers succeed; below it, triggers fail.
  26. Behavior change model (Dr. BJ Fogg), continued
  27. Security action can be simplified (HARD → EASY):
     • Have secure passwords for all sites: remember 20 unique characters across 40+ sites → install a password manager
     • Stop tailgating: install a man-trap or in/out badging → social accountability
     • Report suspicious activity: look up the correct email and reporting guidelines, then send → install a "report" button
  28. Behavior change model (Dr. BJ Fogg): what about things that are hard to do?
  29. Most employees will not care about security as much as we'd like them to
  30. What motivates us? "People will do things because they matter, they are interesting, part of something more important." Daniel Pink, Drive
  31. How to create positive motivation: competition, altruism, access, achievement, status
  32. The power of social proof
  33. Social proof in security, two versions of the same prompt:
     • Control: "Keep Your Account Safe. You can use security settings to protect your account and make sure it can be recovered if you ever lose access."
     • Social context: "Keep Your Account Safe. 108 of your friends use extra security settings. You can also protect your account and make sure it can be recovered if you ever lose access."
     Result: 1.36x more successful when using social proof.
  34. Compromised rates
  35. Password manager
  36. Applying gamification
  37. Takeaways: understand your security culture; assess whether it is a positive or negative security culture; identify the blockers to a positive security culture; reinforce and motivate positive behaviors
  38. Q&A: Masha@ElevateSecurity.com