HOW TO EAT AN ELEPHANT TRANSFORMING SECURITY AWARENESS ONE BITE AT A TIME

Transcription

1 HOW TO EAT AN ELEPHANT TRANSFORMING SECURITY AWARENESS ONE BITE AT A TIME Masha Sedova Director of Trust Engagement, Salesforce.com

2 WHO AM I? Masha Sedova Director of Trust Engagement, Salesforce.com Life is not a rehearsal. 2

3 MY VISION What If Our Employees: Realized That Security Was A Problem That Concerned Them Knew What To Do About It And Then Did It Because They Wanted To to Instead Of of Had To To Create Exceptional Security Performance, Even In The Face Of Extreme And Persistent Targeting By Attackers 3

4 IT S ABOUT UNLEASHING OUR DISCRETIONARY PERFORMANCE Want-To Performance Discretionary Performance Minimum Requirements Have-To Time 4 Source: CLG

5 r3bds 5

6 QUESTION 1: How Is Security Perceived In Your Culture?

7 PERCEPTION IS REALITY 7

8 5:1 8

9 IT S NOT ABOUT PLAYING GAMES AT WORK (Though 70% of Execs Admit Playing Video Games at Work) 9

10 GAMIFICATION PRINCIPALS Autonomy: We Like Having Choices Mastery: We Like to Get Better at What We Do Feedback: We Like Getting Feedback on our Progress Purpose: Meaning Amplifies What We Do Social: All This Means More With Others 10

11 QUESTION 2: What Incentives Resonate With My Culture?

12 INCENTIVES AND REWARDS Competition Achievement Status Self-Expression Altruism 12

13 ON MONEY Social Norms vs Market Norms 13

14 QUESTION 3 Who is Your Target Audience?

15 GROUPS New hires General Employees Executive Staff Managers Role-Based teams (IT, R&D, Sales) Geography 15

16 QUESTION 4: What Are Your Vital Behaviors?

17 VITAL BEHAVIORS Pick A Few Behaviors: Specific Measurable Relevant 17

18 SOME VITAL BEHAVIORS WE CONSIDERED Reduce # of employee incidents Virus Social engineering attack Phishing s Report Attacks/ Potential Anomalies Tailgating Sensitive data handling Social Networking Awareness Safe browsing Portable Devices Locked Screens Secure Development 18

19 QUESTION 5: How Do We Measure Success?

20 METRICS Meeting minimum frequency of vulnerability scans. Remediation of vulnerability in agreed window. # of people who fall victim to a phishing attack # of people who detect and report a phishing attack # of infected computers. # of employees understand and are following security policies, processes and standards Happiness Quality of interactions with Security team # of Security Champions in Org Metrics Matrix by SANS Awareness Program Planning Kit: STH-RESOURCE-AwarenessPlanningKit.zip 20

21 SO WHAT DOES THIS LOOK LIKE IN ACTION?

22 SECURITY CHAMPION PROGRAM Apprentice Basic awareness Padawan Successful Testing Jedi Knight Doing Jedi Master Teaching Jedi Grand Innovating Master 22

23 Item Point Value Receiving a Trust badge 50 Reporting phishing / social engineering call 50 Read security newsletter and chatter about it 50 Completing SEC-101 course 100 Completing SEC-201 or Sec-301 course 200 Identifying a vulnerability (P0 - P3) P0 =500, P1=300, P2=200, P3=50 Attending a Security lunch and learn 200 Winning a bug bounty event 500 Attending hands-on security training course 600 Teaching/Presenting on Security topic 1000 Presenting at Conference on Security 2500 Security Patent 3000 Interning with Trust 3000 Completing a security project -More points for solving security projects ad hoc and not currently assigned to you Read a security book, wrote a security blog, escorted someone without a badge to reception? Let us know so we can give you Trust points! Tbd: Let us know what you did and we will give you the points! us! 23

24

25 MY VISION What If Our Employees: Realized That Security Was A Problem That Concerned Them Knew What To Do About It And Then Did It Because They Wanted to Instead of Had To To Create Exceptional Security Performance, Even In The Face Of Extreme And Persistent Targeting By Attackers 25

26 THE POWER OF EXPERIENTIAL LEARNING Got Results Tried & Gave Up Did Not Try Average Retention Rate 5% Lecture 10% Reading 20% Audio-Visual 30% Demonstration 50% Discussion Group 75% 80% Practice by Doing Teach Others / Immediate Use Most training falls into these categories and much of it just does not work. We ve all had to endure boring lectures and Death by PowerPoint. VERY LITTLE STICKS Adults learn best from experience and highly effective activity based discovery learning works. From Corporate Universities, Jeanne Meister 26

27 27

28 MY VISION What If Our Employees: Realized That Security Was A Problem That Concerned Them Knew What To Do About It And Then Did It Because They Wanted to Instead of Had To To Create Exceptional Security Performance, Even In The Face Of Extreme And Persistent Targeting By Attackers 28

29 RESULTS 350% 48% 80% Increase in reporting rates in 6 months period across all employees Less clicks on malicious links by DE participants than the average SFDC employee. More reporting of threats than non- DE participants. The stories were the best part of the exercise The stories generated the most engaged and passionate discussion, including sharing our own personal experiences. 29

30 BECAUSE THEY WANT TO 30

31 Q&A Masha