Security Culture Why You Need One and How to Create It Masha Sedova - - PowerPoint PPT Presentation

▶

Apr 05, 2024 295 likes •657 views

Security Culture Why You Need One and How to Create It Masha Sedova Co-Founder, Elevate Security About me Cyber Analyst for Co-Founder, building the defense community Behavioral Security Platform Built and ran Salesforce Passionate about

SLIDE 1

Security Culture

Why You Need One and How to Create It

Masha Sedova Co-Founder, Elevate Security

SLIDE 2

Elevate Security

About me

Built and ran Salesforce trust engagement team Co-Founder, building the Behavioral Security Platform Passionate about the intersection

f security & behavioral science

Cyber Analyst for defense community

SLIDE 3

Elevate Security

Customer trust is built on security

SLIDE 4

Elevate Security

SLIDE 5

Elevate Security

52% of all breaches in the last year were due to hacking -VDBIR

SLIDE 6

Elevate Security

Culture

SLIDE 7

Elevate Security

What is culture?

Behavior Artifacts Beliefs Values Assumptions Experiences

“The way we do things around here....” Our experiences shape our beliefs, values, assumptions Our behaviors are driven by beliefs

SLIDE 8

“Culture eats strategy for breakfast.”

Peter Drucker

SLIDE 9

Elevate Security

Security Culture is a Subset of Enterprise Culture

Enterprise IT Security

SLIDE 10

Elevate Security

Positive vs Negative Security Culture

SLIDE 11

Elevate Security

Competing Priorities

Pick two

SLIDE 12

Elevate Security

Deadlines Cost Bonus Security Security Failure Security Debt

Opposing forces in an employee’s business decisions

SLIDE 13

Elevate Security

The Competing Security Cultures Framework

Process Culture

Goal: Enforce Policy

Compliance Culture

Goal: Pass Audits

Trust Culture

Goal: Empower People

Autonomy Culture

Goal: Get Results

External Focus Internal Focus Tight Control Loose Control

SLIDE 14

Elevate Security

Process Culture

Managed Coordination Stability Visibility Standardization

Goal: Enforce Policy

Compliance Culture

Rational Goals Conformity Repeatability Documentation

Goal: Pass Audits

Trust Culture

Human Relations Communication Participation Commitment

Goal: Empower People

Autonomy Culture

Adaptive Systems Flexibility Agility Innovation

Goal: Get Results

External Focus Internal Focus Tight Control Loose Control

SLIDE 15

Elevate Security

Results of SCDS

SLIDE 16

How do we drive change?

SLIDE 17

Elevate Security

Root Cause Analysis

SLIDE 18

Elevate Security

Understanding the Problem

The Five Whys Tool

Ask the five whys to get to the root of a problem.

SLIDE 19

Elevate Security

The Five Whys- Example

Problem Statement:

My car battery is dead

1. Why? – The alternator is not functioning.
2. Why? – The alternator belt has broken.
3. Why? – The alternator belt was well beyond

its useful service life and has never been replaced.

4. Why? – I have not been maintaining my

alternator belt according to any recommended service schedule.

5. Why? I didn’t realize this had to be done.

SLIDE 20

Elevate Security

Investigate Root Cause

Can this be solved with technology?

Do it! Changing mindset is the hardest way to go about enforcing change.

“I didn’t realize that security was part of my job.”

Communication, marketing, awareness campaigns

“I didn’t know what to do about it.”

Training and skills

“I didn’t have the resources or support to do it.”

Management alignment

“I didn’t want to.”

Gamification and incentives

SLIDE 21

Behavior Change

SLIDE 22

Motivation Ability Trigger

Key components of behavioral science

SLIDE 23

Elevate Security

Behavior change model

*Dr. BJ Fogg

Motivation Ability

High Low Hard Easy Triggers Fail Triggers Succeed

SLIDE 24

Elevate Security

Behavior change model

*Dr. BJ Fogg

Motivation Ability

High Low Hard Easy Triggers Fail Triggers Succeed

SLIDE 25

Elevate Security

Remember 20 unique characters across 40+ sites Install a password manager Install a man-trap or in/out badging Social accountability Look up correct email, reporting guidelines & send Install a “report” button

Security action can be simplifjed

Have secure passwords for all sites Report suspicious activity Stop tailgating

HARD EASY

SLIDE 26

Elevate Security

*Dr. BJ Fogg

Motivation Ability

High Low Hard Easy Triggers Fail Triggers Succeed

What about things that are hard to do?

SLIDE 27

Elevate Security

Most employees will not care about security as much as we’d like them to

SLIDE 28

Elevate Security

People will do things because they matter, they are interesting, part of something more important.

Daniel Pink, Drive

What motivates us?

“ ”

SLIDE 29

Elevate Security

How to Create Positive Motivation

Competition Altruism Access Achievement Status

SLIDE 30

Elevate Security

The power of social proof

SLIDE 31

Elevate Security

Social proof in security

Control Keep Your Account Safe 108 of your friends use extra security settings. You can also protect your account and make sure it can be recovered if you ever lose access. Keep Your Account Safe You can use security settings to protect your account and make sure it can be recovered if you ever lose access. Social context

1.36x more successful when using social proof

SLIDE 32

Elevate Security

Compromised Rates

SLIDE 33

Elevate Security

Password manager

SLIDE 34

Elevate Security

Applying Gamifjcation

SLIDE 35

Elevate Security

Understand your security culture Assess if its a positive or negative security culture Identify the blockers to positive security culture Reinforce and motivate positive behaviors

Takeaways

SLIDE 36

Elevate Security

Q&A

Masha@ElevateSecurity.com