Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2FzyYux. Masha Sedova talks about how to measure an organization's current security culture and how to define where to go. She looks into techniques and cases studies of how to begin to shape an organization’s security culture to become more resilient and enable people-powered security. Filmed at qconsf.com. Masha Sedova is co-founder of Elevate Security delivering the first people-centric security platform that leverages behavioral-science to transform employees into security superhumans. Before Elevate, she was a security executive at Salesforce where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers.

1. Security Culture
Why You Need One and How to Create It
Masha Sedova
Co-Founder, Elevate Security

2. InfoQ.com: News & Community Site
• Over 1,000,000 software developers, architects and CTOs read the site world-
wide every month
• 250,000 senior developers subscribe to our weekly newsletter
• Published in 4 languages (English, Chinese, Japanese and Brazilian
Portuguese)
• Post content from our QCon conferences
• 2 dedicated podcast channels: The InfoQ Podcast, with a focus on
Architecture and The Engineering Culture Podcast, with a focus on building
• 96 deep dives on innovative topics packed as downloadable emags and
minibooks
• Over 40 new content items per week
Watch the video with slide
synchronization on InfoQ.com!
https://www.infoq.com/presentations/
techniques-security-culture/

3. Purpose of QCon
- to empower software development by facilitating the spread of
knowledge and innovation
Strategy
- practitioner-driven conference designed for YOU: influencers of
change and innovation in your teams
- speakers and topics driving the evolution and innovation
- connecting and catalyzing the influencers and innovators
Highlights
- attended by more than 12,000 delegates since 2007
- held in 9 cities worldwide
Presented at QCon San Francisco
www.qconsf.com

4. Elevate Security 2
About me
Built and ran Salesforce
trust engagement team
Co-Founder, building the
Behavioral Security Platform
Passionate about the intersection
of security & behavioral science
Cyber Analyst for
defense community

5. Elevate Security 3
Customer trust is built on security

6. Elevate Security 4

7. Elevate Security 5
52% of all breaches in the last
year were due to hacking -VDBIR

8. Elevate Security 6
Culture

9. Elevate Security 7
What is culture?
Behavior
Artifacts
Beliefs
Values
Assumptions
Experiences
“The way we do things around here....”
Our experiences shape our
beliefs, values, assumptions
Our behaviors aredriven by beliefs

10. “Culture eats
strategy for
breakfast.”
-Peter Drucker

11. Elevate Security 9
Security Culture is a Subset of Enterprise Culture
Enterprise
IT
Security

12. Elevate Security 10
Positive vs Negative Security Culture

13. Elevate Security 11
Competing Priorities
Pick two

14. Elevate Security 12
Deadlines
Cost
Bonus
Security
Security FailureSecurity Debt
Opposing forces in an employee’s
business decisions

15. Elevate Security 13
The Competing
Security Cultures
Framework
Process Culture
Goal: Enforce Policy
Compliance
Culture
Goal: Pass Audits
Trust
Culture
Goal: Empower People
Autonomy
Culture
Goal: Get Results
ExternalFocus
InternalFocus
Tight Control
Loose Control

16. Elevate Security 14
Process Culture
Managed Coordination
Stability
Visibility
Standardization
Goal: Enforce Policy
Compliance Culture
Rational Goals
Conformity
Repeatability
Documentation
Goal: Pass Audits
Trust Culture
Human Relations
Communication
Participation
Commitment
Goal: Empower People
Autonomy Culture
Adaptive Systems
Flexibility
Agility
Innovation
Goal: Get Results
ExternalFocus
InternalFocus
Tight Control
Loose Control

17. Elevate Security 15
Results of SCDS

18. How do we
drive change?

19. Elevate Security 17
Root Cause Analysis

20. Elevate Security 18
Understanding the Problem
The Five Whys Tool
Ask the five whys to
get to the root of a
problem.

21. Elevate Security 19
The Five Whys- Example
Problem Statement:
My car battery is dead
1. Why? – The alternator is not functioning.
2. Why? – The alternator belt has broken.
3. Why? – The alternator belt was well beyond
its useful service life and has never been
replaced.
4. Why? – I have not been maintaining my
alternator belt according to any recommended
service schedule.
5. Why? I didn’t realize this had to be done.

22. Elevate Security 20
Investigate Root Cause
● Can this be solved with technology?
Do it! Changing mindset is the hardest way to go about enforcing change.
● “I didn’t realize that security was part of my job.”
Communication, marketing, awareness campaigns
● “I didn’t know what to do about it.”
Training and skills
● “I didn’t have the resources or support to do it.”
Management alignment
● “I didn’t want to.”
Gamification and incentives

23. Behavior
Change

24. Motivation
Ability
Trigger
Key components of behavioral science

25. Elevate Security 23
Behavior change model
*Dr. BJ Fogg
Motivation
Ability
High
Low
Hard Easy
Triggers
Fail
Triggers
Succeed

26. Elevate Security 24
Behavior change model
*Dr. BJ Fogg
Motivation
Ability
High
Low
Hard Easy
Triggers
Fail
Triggers
Succeed

27. Elevate Security 25
Remember 20 unique
characters across 40+ sites
Install a password manager
Install a man-trap or
in/out badging
Social accountability
Look up correct email,
reporting guidelines & send
Install a “report” button
Security action can be simplified
Have secure
passwords for all sites
Report
suspicious activity
Stop
tailgating
HARD
EASY

28. Elevate Security 26
*Dr. BJ Fogg
Motivation
Ability
High
Low
Hard Easy
Triggers
Fail
Triggers
Succeed
What about things that are hard to do?

29. Elevate Security 27
Most employees will not care about
security as much as we’d like them to

30. Elevate Security 28
People will do things
because they matter, they
are interesting, part of
something more
important.
Daniel Pink, Drive
What motivates us?
“
”

31. Elevate Security 29
How to Create Positive Motivation
Competition Altruism Access AchievementStatus

32. Elevate Security 30
The power of
social proof

33. Elevate Security 31
Social proof
in security
Control
Keep Your Account Safe
108 of your friends use extra security settings. You can
also protect your account and make sure it can be
recovered if you ever lose access.
Keep Your Account Safe
You can use security settings to protect your account
and make sure it can be recovered if you ever lose
access.
Social context
1.36x more successful
when using social proof

34. Elevate Security 32
Compromised Rates

35. Elevate Security 33
Password manager

36. Elevate Security 34
Applying Gamification

37. Elevate Security 35
Understand your security culture
Assess if its a positive or negative security culture
Identify the blockers to positive security culture
Reinforce and motivate positive behaviors
Takeaways

38. Elevate Security 36
Q&A
Masha@ElevateSecurity.com

39. Watch the video with slide
synchronization on InfoQ.com!
https://www.infoq.com/presentations/
techniques-security-culture/