I've been in the security world for 17 years, starting from my university days. What drew me to the field initially was the idea of defending the good guys against the bad guys. I was motivated by the fact that my work could help thousands of people protect themselves against cyber attacks.
I initially started my career as a cyber analyst in the defense industry. Having seen the ability of state-sponsored attackers, I knew that compliance-mandated training did little to defend against threats. I also saw first-hand how training did very little to drive behavior change in employees and could even hurt the internal brand of security teams. It was then that I started to develop my belief that as long as security is perceived as a burden and a chore, the “bad guys” would always win.
In 2012, I started a team at Salesforce that focused on creating a security-first culture. I couldn’t get the question out of my head – “can we get people in organizations to want to focus on security instead of having to, and will this improve security culture?” I saw both sides in pain – the employees and the security teams – and I could empathize with both. That question led me to study the fields of behavioral science, positive psychology, and game design, which I used to create a new approach – people-powered security across Salesforce’s employees, developers, and customers.
In 2017, I co-founded a cybersecurity company, Elevate Security, based in Berkeley, California, that combines individual security performance data with behavioral science methodology including nudges, social proof, and gamification. Our Behavioral Security Platform measures strengths and weaknesses within an organization and provides actionable insights to help change behavior, which I fundamentally believe will be the only thing that will protect organizations from security risk now and in the future.
I believe that security culture is a core capability in security defense, and this is one of the reasons why we created Elevate Security. Strong cultures permeate people’s mentality and the way that they behave, their receptiveness to new ideas and thoughts, and their motivation to do security tasks. If our security teams are part of an organization with a positive security culture, their ability to motivate behavior change in employees increases exponentially.
Every organization has a security culture, either good or bad, even if the security team has never invested in it. It is the underlying driver of why people choose to do what they do around security. This is exactly why security teams need to take ownership and proactively shape the culture into a direction that supports the security well-being of the organization.
Unfortunately, standard computer-based security training cannot shape security culture. Security teams should focus on shifting the beliefs and assumptions using case studies, simulations, and positive reinforcement to help create a strong positive security culture.
Visit here to subscribe to the Verodin Cybersecurity Effectiveness Podcast, winner of the 2020 Cybersecurity Excellence Awards in the category of best cybersecurity podcast for a company with 1,000 to 4,999 employees. Listen in to our latest podcast series and gain insights from some of the most powerful women in cyber.