How to Eat An Elephant Transforming Security Awareness

Anuncio
HOW TO EAT AN ELEPHANT
TRANSFORMING SECURITY AWARENESS
ONE BITE AT A TIME
Masha Sedova
Director of Trust Engagement, Salesforce.com
WHO AM I?
Masha Sedova
Director of Trust Engagement,
Salesforce.com
“Life is not a rehearsal.”
2
MY VISION
What If Our Employees:
Realized That Security
Was A Problem That
Concerned Them
Knew What To Do
About It
Because They Wanted
To
to Instead Of
of Had
Had To
To
And Then Did It
To Create Exceptional Security
Performance, Even In The Face
Of Extreme And Persistent
Targeting By Attackers
3
IT’S ABOUT UNLEASHING OUR
“DISCRETIONARY PERFORMANCE”
Performance
“Want-To”
Discretionary
Performance
“Have-To”
Minimum Requirements
Time
4
Source: CLG
http://www.youtube.com/watch?v=SByyma
r3bds
5
QUESTION 1:
How Is Security Perceived In Your Culture?
PERCEPTION IS REALITY
7
5:1
8
IT’S NOT ABOUT PLAYING GAMES AT WORK
9
(Though 70% of Execs Admit Playing Video Games at Work)
GAMIFICATION PRINCIPALS
Autonomy: We Like Having Choices
Mastery: We Like to Get Better at What We Do
Feedback: We Like Getting Feedback on our
Progress
Purpose: Meaning Amplifies What We Do
Social: All This Means More With Others
10
QUESTION 2:
What Incentives Resonate With My Culture?
INCENTIVES AND REWARDS





Competition
Achievement
Status
Self-Expression
Altruism
12
ON MONEY

Social Norms vs Market Norms
13
QUESTION 3
Who is Your Target Audience?
GROUPS
New hires
 General Employees
 Executive Staff
 Managers
 Role-Based teams (IT, R&D, Sales)
 Geography

15
QUESTION 4:
What Are Your Vital Behaviors?
VITAL BEHAVIORS

Pick A Few Behaviors:
Specific
 Measurable
 Relevant

17
SOME VITAL BEHAVIORS WE CONSIDERED

Reduce # of employee incidents



Virus
Social engineering attack
Phishing emails

Report Attacks/ Potential Anomalies

Tailgating

Sensitive data handling

Social Networking Awareness

Safe browsing

Portable Devices

Locked Screens

Secure Development
18
QUESTION 5:
How Do We Measure Success?
METRICS










Meeting minimum frequency of vulnerability scans.
Remediation of vulnerability in agreed window.
# of people who fall victim to a phishing attack
# of people who detect and report a phishing attack
# of infected computers.
# of employees understand and are following security policies,
processes and standards
Happiness
Quality of interactions with Security team
# of Security Champions in Org
Metrics Matrix by SANS Awareness Program Planning Kit:
https://www.securingthehuman.org/media/resources/planning/
STH-RESOURCE-AwarenessPlanningKit.zip
20
SO WHAT DOES THIS LOOK LIKE
IN ACTION?
SECURITY CHAMPION PROGRAM
Apprentice
Padawan
Basic awareness
Successful Testing
Jedi Knight
Doing
Jedi Master
Teaching
Jedi Grand
Master
Innovating
22
Item
Point Value
Receiving a Trust badge
50
Reporting phishing email/ social engineering call
50
Read security newsletter and chatter about it
50
Completing SEC-101 course
100
Completing SEC-201 or Sec-301 course
200
Identifying a vulnerability (P0 - P3)
P0 =500, P1=300, P2=200, P3=50
Attending a Security lunch and learn
200
Winning a bug bounty event
500
Attending hands-on security training course
600
Teaching/Presenting on Security topic
1000
Presenting at Conference on Security
2500
Security Patent
3000
Interning with Trust
3000
Completing a security project
-More points for solving security projects ad hoc
and not currently assigned to you
Tbd: Let us know what you did and we will give you
the points!
Read a security book, wrote a security blog,
escorted someone without a badge to reception?
Let us know so we can give you Trust points!
Email us!
23
MY VISION
What If Our Employees:
Realized That Security
Was A Problem That
Concerned Them
Knew What To Do
About It
Because They Wanted
to Instead of Had To
And Then Did It
To Create Exceptional Security
Performance, Even In The Face
Of Extreme And Persistent
Targeting By Attackers
25
Did Not Try
THE POWER OF EXPERIENTIAL LEARNING
Average
Retention Rate
Tried & Gave Up
5%
Lecture
10% Reading
20% Audio-Visual
Most ‘training’ falls into these
categories and much of it just
does not work. We’ve all had to
endure boring lectures and
Death by PowerPoint.
VERY LITTLE STICKS
30% Demonstration
Got Results
50% Discussion Group
75% Practice by Doing
80%
Teach Others / Immediate Use
Adults learn best from
experience and highly effective
activity based ‘discovery
learning’ works.
From Corporate Universities, Jeanne Meister
26
27
MY VISION
What If Our Employees:
Realized That Security
Was A Problem That
Concerned Them
Knew What To Do
About It
Because They Wanted
to Instead of Had To
And Then Did It
To Create Exceptional Security
Performance, Even In The Face
Of Extreme And Persistent
Targeting By Attackers
28
RESULTS
350%
Increase in reporting rates in 6
months period across all
employees
48%
Less clicks on malicious links by
DE participants than the average
SFDC employee.
80%
More reporting of threats than nonDE participants.
“The stories were the best part of the exercise… The stories generated
the most engaged and passionate discussion, including sharing our own
personal experiences.
29
BECAUSE THEY WANT TO
30
Q&A
Masha Sedova
msedova@salesforce.com
@modMasha
Descargar