People-Centric Security: Transform Culture, Reduce Risk, Drive Success
TRANSCRIPT
SESSION ID: HUM-R04
Masha Sedova, Senior Director, Trust Engagement, Salesforce, @modMasha
Dr. Lance Hayden, Managing Director, Security Culture Practice, Berkeley Research Group, @hay_lance
Today's Agenda
Introductions
Understanding and measuring security culture
Case study: Security culture in practice at Salesforce
How to transform your own security culture
Application and call to action
Q&A
Introduction - Lance Hayden, Ph.D.
Managing Director at Berkeley Research Group
Leads BRG's Cybersecurity Culture Practice
Research and consulting to help organizations understand, measure, and transform security culture
Introduction - Masha Sedova
Senior Director, Trust Engagement @ Salesforce
Runs a team of 6+ people focused on security culture
Scope includes internal employees, engineers, developers, customers, and vendors
Understanding and Measuring Security Culture
A Comment on Theory...
"In theory there is no difference between theory and practice. In practice there is."
Yogi Berra
What is Security Culture?
"The way we do things around here..."
Invisible until you clash with a different one
Incredibly hard to change unless you are starting one from scratch...
Culture and Behavior
"Culture eats strategy for breakfast."
Peter Drucker
What is Security Culture?
Corporate Culture and Performance (Kotter & Heskett)
Research (and anecdotal) evidence that culture impacts organizational performance
"Good" Culture: Revenue +682%, Workforce +282%, Stock +901%, Income +756%
"Bad" Culture: Revenue +166%, Workforce +36%, Stock +74%, Income +1%
Security Culture and Security Risk
Culture is about values and priorities (assumed and unspoken, "invisible")
Security risk increases when different values, priorities, and cultures compete for scarce resources
"I have 3 goals to accomplish, and the time and resources to complete 2..."
Security often loses out to the competition (efficiency, usability, profit)
Culture and Performance in Security
For the source of these findings, see http://securityispeople.lancehayden.net/2015/11/the-cost-of-a-bad-decision-measuring-the-impact-of-security-culture/
The Competing Security Cultures Framework
Think of the CSCF as a personality test for your security program...
Is your program a control freak? A conformist? A cowboy? A community builder?
How do different personalities get along?
CSCF quadrant diagram (axes: Tight Control vs. Loose Control, Internal Focus vs. External Focus):
Process Culture (Managed Coordination): tight control, internal focus. Core values: Stability, Visibility, Standardization. Cardinal directive: Enforce Policy.
Compliance Culture (Rational Goals): tight control, external focus. Core values: Conformity, Repeatability, Documentation. Cardinal directive: Pass Audits.
Trust Culture (Human Relations): loose control, internal focus. Core values: Communication, Participation, Commitment. Cardinal directive: Empower People.
Autonomy Culture (Adaptive Systems): loose control, external focus. Core values: Flexibility, Agility, Innovation. Cardinal directive: Get Results.
From People-Centric Security by Dr. Lance Hayden
Measuring and Mapping Security Cultures
A measurement instrument (Security Culture Diagnostic Survey) provides data allowing visual mapping of a security culture
Priorities, biases, and competing priorities become visualized
People-Centric Security: Transforming Your Enterprise Security Culture, by Lance Hayden
SCDS: Instructions for Survey Owners (page 2 of 4)

1. What's valued most? (Score)
A. Stability and reliability are valued most by the organization. It is critical that everyone knows the rules and follows them. The organization cannot succeed if people are all doing things different ways without centralized visibility.
B. Successfully meeting external requirements is valued most by the organization. The organization is under a lot of scrutiny. It cannot succeed if people fail audits or do not live up to the expectations of those watching.
C. Adapting quickly and competing aggressively are valued most by the organization. Results are what matters. The organization cannot succeed if bureaucracy and red tape impair people's ability to be agile.
D. People and a sense of community are valued most by the organization. Everyone is in it together. The organization cannot succeed unless people are given the opportunities and skills to succeed on their own.
Total Score: 10

2. How does the organization work? (Score)
A. The organization works on authority, policy, and standard ways of doing things. Organizational charts are formal and important. The organization is designed to ensure control and efficiency.
B. The organization works on outside requirements and regular reviews. Audits are a central feature of life. The organization is designed to ensure everyone meets their obligations.
C. The organization works on independent action and giving people decision authority. There's no one right way to do things. The organization is designed to ensure that the right things get done in the right situations.
D. The organization works on teamwork and cooperation. It is a community. The organization is designed to ensure everyone is constantly learning, growing, and supporting one another.
Total Score: 10

3. What does security mean? (Score)
A. Security means policies, procedures, and standards, automated wherever possible using technology. When people talk about security they are talking about the infrastructures in place to protect the organization's information assets.
B. Security means showing evidence of visibility and control, particularly to external parties. When people talk about security they are talking about passing an audit or meeting a regulatory requirement.
C. Security means enabling the organization to adapt and compete, not hindering it or saying "no" to everything. When people talk about security they are talking about balancing risks and rewards.
D. Security means awareness and shared responsibility. When people talk about security they are talking about the need for everyone to be an active participant in protecting the organization.
Total Score: 10

SCDS available from lhayden.net/culture
Measuring and Mapping Security Cultures
[Figure: four panels of per-question SCDS score charts (one each for Process, Compliance, Autonomy and Trust) and the resulting radar-style cultural map drawn on the Tight/Loose Control and Internal/External Focus axes; the individual scores are not recoverable here.]
Granular SCDS response visualization allows for more intuitive cultural "shapes"
Which become comparative cultural "maps" showing potential conflicts and cultural risks
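The following is an added example, not code from the talk or from Hayden's SCDS materials. It turns raw SCDS answers into a cultural "shape" and compares two shapes to surface the conflicts the slide refers to. It assumes the scoring convention visible in the survey excerpt above (each question splits 10 points across statements A through D) and reads the option-to-culture mapping off the statement wording (A: rules and centralized visibility, Process; B: external requirements and audits, Compliance; C: agility and results, Autonomy; D: community, Trust). The respondent data, the two-point conflict threshold and all function names are constructed for illustration. The same comparison serves both uses the talk mentions: two groups measured at the same time, and one group re-surveyed over time.

```python
"""Score SCDS responses into a cultural "shape" and compare two shapes.

Added example, not from the talk or the SCDS. Assumes every question splits
10 points across A-D, mapped to the four CSCF cultures. Sample responses are
constructed, not real survey data.
"""

CULTURES = ("Process", "Compliance", "Autonomy", "Trust")
OPTION_TO_CULTURE = dict(zip("ABCD", CULTURES))  # A Process, B Compliance, C Autonomy, D Trust
POINTS_PER_QUESTION = 10

# Constructed responses: one dict per respondent, one inner dict per question.
# The security team leans Compliance and the wider company leans Trust,
# mirroring the mismatch described in the Salesforce case study.
SECURITY_TEAM = [
    {"q1": {"A": 2, "B": 5, "C": 1, "D": 2},
     "q2": {"A": 3, "B": 5, "C": 1, "D": 1},
     "q3": {"A": 2, "B": 6, "C": 1, "D": 1}},
    {"q1": {"A": 3, "B": 4, "C": 1, "D": 2},
     "q2": {"A": 2, "B": 5, "C": 2, "D": 1},
     "q3": {"A": 3, "B": 4, "C": 2, "D": 1}},
]
COMPANY = [
    {"q1": {"A": 2, "B": 1, "C": 2, "D": 5},
     "q2": {"A": 1, "B": 1, "C": 3, "D": 5},
     "q3": {"A": 2, "B": 1, "C": 2, "D": 5}},
    {"q1": {"A": 1, "B": 2, "C": 2, "D": 5},
     "q2": {"A": 2, "B": 1, "C": 2, "D": 5},
     "q3": {"A": 1, "B": 1, "C": 3, "D": 5}},
]


def validate_response(response):
    """Reject a response unless every question splits exactly 10 points over A-D."""
    if not response:
        raise ValueError("response contains no questions")
    for question, points in response.items():
        if set(points) != set(OPTION_TO_CULTURE):
            raise ValueError(f"{question}: expected options {sorted(OPTION_TO_CULTURE)}")
        if any(not isinstance(p, int) or p < 0 for p in points.values()):
            raise ValueError(f"{question}: points must be non-negative integers")
        if sum(points.values()) != POINTS_PER_QUESTION:
            raise ValueError(f"{question}: points must total {POINTS_PER_QUESTION}")


def score_response(response):
    """Average each culture's points across all questions of one response."""
    validate_response(response)
    totals = {culture: 0 for culture in CULTURES}
    for points in response.values():
        for option, culture in OPTION_TO_CULTURE.items():
            totals[culture] += points[option]
    return {c: totals[c] / len(response) for c in CULTURES}


def map_culture(responses):
    """Aggregate a group's responses into its cultural shape (mean score per culture)."""
    if not responses:
        raise ValueError("no responses to map")
    scored = [score_response(r) for r in responses]
    return {c: sum(s[c] for s in scored) / len(scored) for c in CULTURES}


def dominant_culture(shape):
    """The culture with the highest mean score; ties resolve in CULTURES order."""
    return max(CULTURES, key=lambda c: shape[c])


def compare_shapes(baseline, other):
    """Per-culture difference (other minus baseline) between two shapes."""
    return {c: other[c] - baseline[c] for c in CULTURES}


def conflicts(baseline, other, threshold=2.0):
    """Cultures where the two shapes differ by at least `threshold` points.

    Works for two groups measured at the same time (security program vs. the
    company) or for one group re-surveyed after a transformation effort.
    """
    gaps = compare_shapes(baseline, other)
    return [c for c in CULTURES if abs(gaps[c]) >= threshold]


def render_shape(shape, width=20):
    """Plain-text bar chart of a shape, one line per culture (a textual 'map')."""
    lines = []
    for culture in CULTURES:
        bar = "#" * round(shape[culture] / POINTS_PER_QUESTION * width)
        lines.append(f"{culture:<10} {bar:<{width}} {shape[culture]:.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    security = map_culture(SECURITY_TEAM)
    company = map_culture(COMPANY)
    print("Security program:\n" + render_shape(security))
    print("Company:\n" + render_shape(company))
    print("Dominant:", dominant_culture(security), "vs", dominant_culture(company))
    print("Conflicts (>= 2 points apart):", conflicts(security, company))
```

The validation step matters in practice: a respondent who gives 5/5/1/0 on a question has over-allocated, and an instrument that silently averages such answers produces a shape that looks plausible but is wrong. The threshold in `conflicts` is a judgement call; what counts as a risky gap depends on how many questions the survey has and how spread the respondents are.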
Case Study: Security Culture in Practice at Salesforce
Perception is Reality
Salesforce and the Culture Framework - Where We Were & Where We Wanted to Go
(CSCF quadrant diagram, as above: Process, Compliance, Trust and Autonomy cultures on the Tight/Loose Control and Internal/External Focus axes)
Assessment revealed a Compliance Culture
Company has a Trust Culture
Mismatch!
Gamification: It's Not About Playing Games at Work...
Though 70% of execs have admitted playing video games at work...
Information Solutions Group / PopCap White Collar Gamer Survey
Gamification Elements
Autonomy: we like having choices
Mastery: we like getting better at what we do
Feedback: we like getting feedback on how we are doing
Purpose: meaning amplifies what we do
Social: all this means more with others
Based on "Reality is Broken" by Jane McGonigal
Gamifying Security
Pick Vital Behaviors
Connect to Purpose
Test and Give Feedback
Reward/Recognize or Educate
Socialize
Vital Behaviors: Phishing, Reporting, Badge Surfing
Connecting to Purpose
"Can you hold that office door open for me? My arm's broken and this package is heavy..."
"Holy wow! Check out this video of a giant snake eating a zookeeper!"
"If you don't pay the fine, your files will be locked and you will be reported to the FBI."
How attackers exploit bugs in "human hardware"...
Test with Feedback
Recognizing Badge-Surfing Awareness
Reward: Security Champion Program
Levels (earned through Trust Points):
Basic awareness: Novice
Successful testing: Apprentice
Doing: Knight
Teaching: Master
Innovating: Grand Master
How to Transform Your Own Security Culture
Evaluating & Improving Security Culture
You have to know where you are before you can get where you want to go
Cultural maturity is about optimizing organizational self-awareness
If culture was easy enough to change with an awareness campaign, every company would be innovative, fun, and secure
Culture as an Organizational Capability
Culture is a capability
Maturity is about measurement
How do you know culture is changing?
How do you know when it needs changing?
How do you prove it?
Security culture maturity levels: 1 - Instinct; 2 - Awareness; 3 - Visibility; 4 - Transformation; 5 - Mastery
Roadmap (figure): Start; Security Culture Diagnostic Project; Security FORCE Project; Security Culture Transformation Program, laid out on a 3 / 6 / 9 / 12 month timeline
Mapping out a Transformation Plan
Observe the terrain
Orient the map
Take a bearing
Start moving...
Evaluating Cultural Change
Maps show you where to go
They also show you where you've been (and how much progress you have made)
Cultural transformation projects must regularly self-evaluate:
Repeated SCDS surveys over time to see changes in shape
Tying culture and awareness to behaviors and activities
Analyzing cultural ROI by tying behaviors to the business
Salesforce Culture Transformation: Outcomes and Impacts
Increase quantity/quality of reporting
Social accountability
Relationship to failure
Incident Detection
• Salesforce employees trained to report any suspicious activity.
• Customer reports also welcome.
"Someone just badge-surfed into 3 Landmark..."
"My browser proxy settings were changed..."
"My mouse cursor is moving by itself..."
"Is this email really from American Express..?"
Results
52%: fewer clicks on malicious links by champion program participants than the average Salesforce employee
82%: more reporting of threats by champion program participants than by non-participants
350%: increase in reporting rates over a 6-month period across all employees
Community and Communications
Apply Cultural Transformation to Your Own Security Program
Next week:
• Ask colleagues which culture you have (process, compliance, autonomy, or trust?). Do you get different answers?
• Are there things that always get prioritized above security? Why?
• Review your existing awareness program: is it aimed at changing what people do or what they think?
Over the next 90 days:
• Download the SCDS and conduct your own informal survey of your security culture; give it to your CISO
• Assess your organization's security culture maturity: can you trace specific behaviors back to priorities and values?
• Identify three improvements to your awareness program that are culturally specific (gamification, champions, etc.)
Over the next 6 months:
• Document and evaluate how often security "loses" to other priorities: is it a lot?
• Measure how well your awareness program improvements have changed the "shape" of your security culture
• Formally expand your security awareness program, using your results, to drive culture and not just behaviors
Thank You! Any Questions?