HOW TO EAT AN ELEPHANT TRANSFORMING SECURITY AWARENESS ONE BITE AT A TIME Masha Sedova Director of Trust Engagement, Salesforce.com WHO AM I? Masha Sedova Director of Trust Engagement, Salesforce.com “Life is not a rehearsal.” 2 MY VISION What If Our Employees: Realized That Security Was A Problem That Concerned Them Knew What To Do About It Because They Wanted To to Instead Of of Had Had To To And Then Did It To Create Exceptional Security Performance, Even In The Face Of Extreme And Persistent Targeting By Attackers 3 IT’S ABOUT UNLEASHING OUR “DISCRETIONARY PERFORMANCE” Performance “Want-To” Discretionary Performance “Have-To” Minimum Requirements Time 4 Source: CLG http://www.youtube.com/watch?v=SByyma r3bds 5 QUESTION 1: How Is Security Perceived In Your Culture? PERCEPTION IS REALITY 7 5:1 8 IT’S NOT ABOUT PLAYING GAMES AT WORK 9 (Though 70% of Execs Admit Playing Video Games at Work) GAMIFICATION PRINCIPALS Autonomy: We Like Having Choices Mastery: We Like to Get Better at What We Do Feedback: We Like Getting Feedback on our Progress Purpose: Meaning Amplifies What We Do Social: All This Means More With Others 10 QUESTION 2: What Incentives Resonate With My Culture? INCENTIVES AND REWARDS Competition Achievement Status Self-Expression Altruism 12 ON MONEY Social Norms vs Market Norms 13 QUESTION 3 Who is Your Target Audience? GROUPS New hires General Employees Executive Staff Managers Role-Based teams (IT, R&D, Sales) Geography 15 QUESTION 4: What Are Your Vital Behaviors? VITAL BEHAVIORS Pick A Few Behaviors: Specific Measurable Relevant 17 SOME VITAL BEHAVIORS WE CONSIDERED Reduce # of employee incidents Virus Social engineering attack Phishing emails Report Attacks/ Potential Anomalies Tailgating Sensitive data handling Social Networking Awareness Safe browsing Portable Devices Locked Screens Secure Development 18 QUESTION 5: How Do We Measure Success? METRICS Meeting minimum frequency of vulnerability scans. Remediation of vulnerability in agreed window. # of people who fall victim to a phishing attack # of people who detect and report a phishing attack # of infected computers. # of employees understand and are following security policies, processes and standards Happiness Quality of interactions with Security team # of Security Champions in Org Metrics Matrix by SANS Awareness Program Planning Kit: https://www.securingthehuman.org/media/resources/planning/ STH-RESOURCE-AwarenessPlanningKit.zip 20 SO WHAT DOES THIS LOOK LIKE IN ACTION? SECURITY CHAMPION PROGRAM Apprentice Padawan Basic awareness Successful Testing Jedi Knight Doing Jedi Master Teaching Jedi Grand Master Innovating 22 Item Point Value Receiving a Trust badge 50 Reporting phishing email/ social engineering call 50 Read security newsletter and chatter about it 50 Completing SEC-101 course 100 Completing SEC-201 or Sec-301 course 200 Identifying a vulnerability (P0 - P3) P0 =500, P1=300, P2=200, P3=50 Attending a Security lunch and learn 200 Winning a bug bounty event 500 Attending hands-on security training course 600 Teaching/Presenting on Security topic 1000 Presenting at Conference on Security 2500 Security Patent 3000 Interning with Trust 3000 Completing a security project -More points for solving security projects ad hoc and not currently assigned to you Tbd: Let us know what you did and we will give you the points! Read a security book, wrote a security blog, escorted someone without a badge to reception? Let us know so we can give you Trust points! Email us! 23 MY VISION What If Our Employees: Realized That Security Was A Problem That Concerned Them Knew What To Do About It Because They Wanted to Instead of Had To And Then Did It To Create Exceptional Security Performance, Even In The Face Of Extreme And Persistent Targeting By Attackers 25 Did Not Try THE POWER OF EXPERIENTIAL LEARNING Average Retention Rate Tried & Gave Up 5% Lecture 10% Reading 20% Audio-Visual Most ‘training’ falls into these categories and much of it just does not work. We’ve all had to endure boring lectures and Death by PowerPoint. VERY LITTLE STICKS 30% Demonstration Got Results 50% Discussion Group 75% Practice by Doing 80% Teach Others / Immediate Use Adults learn best from experience and highly effective activity based ‘discovery learning’ works. From Corporate Universities, Jeanne Meister 26 27 MY VISION What If Our Employees: Realized That Security Was A Problem That Concerned Them Knew What To Do About It Because They Wanted to Instead of Had To And Then Did It To Create Exceptional Security Performance, Even In The Face Of Extreme And Persistent Targeting By Attackers 28 RESULTS 350% Increase in reporting rates in 6 months period across all employees 48% Less clicks on malicious links by DE participants than the average SFDC employee. 80% More reporting of threats than nonDE participants. “The stories were the best part of the exercise… The stories generated the most engaged and passionate discussion, including sharing our own personal experiences. 29 BECAUSE THEY WANT TO 30 Q&A Masha Sedova msedova@salesforce.com @modMasha