CyberWire Daily - Rediscover trust in cybersecurity: A women in cybersecurity podcast. [Special edition]
Episode Date: December 5, 2021
It's important for employees to be brought into the fold as security's allies, rather than as its adversaries. For cybersecurity teams that operate with an adversarial mindset appropriate for external threats, it can be challenging to approach internal threats differently. You can't treat employees the same way you treat nation-state hackers. But employees play a pivotal role in preventing data leaks, making it important to create a company-wide culture of transparency. Transparency feeds trust, which builds a strong foundation for Security Awareness Training to be truly effective. The CyberWire's Jennifer Eiben hosts this women in cybersecurity podcast. Kathleen Smith of ClearedJobs.Net moderates the panel. Panelists include Michelle Killian from Sponsor Code 42, Sam Humphries of Exabeam, and Masha Sedova of Elevate Security.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone. I'm Jennifer Eiben, Senior Producer at the CyberWire and Director of our Women in Cybersecurity Initiative.
I'd like to welcome you to this special edition podcast focused on women in cybersecurity.
We are joined today by our partners from Code42, who put together a group of industry leaders to discuss ways that we can rediscover trust in cybersecurity.
It's important for employees to be brought into the fold as security's allies rather than as its adversaries.
For cybersecurity teams that operate with an adversarial mindset appropriate for external threats,
it can be challenging to approach internal threats differently.
You can't treat employees the same way you treat nation-state hackers.
But employees play a pivotal role in preventing data leaks,
making it important to create a company-wide culture of transparency.
Transparency feeds trust,
which builds a strong foundation for security awareness training to be truly effective.
Let's begin our examination
of rediscovering trust in cybersecurity by introducing our moderator for today, Kathleen
Smith. Kathleen is a longtime friend of the CyberWire and especially our Women in Cybersecurity
Initiative. Kathleen helped us dream up the CyberWire's very first Women in Cybersecurity
reception, which began in 2014. Kathleen, we've known each other for quite some
time. Kathleen is the chief marketing officer for ClearedJobs.Net. And as I mentioned, she's
serving as our moderator today. I'll let Kathleen introduce our panelists. Welcome, Kathleen. It's
great to have you back. Jennifer, it's so great to be back on another Women in Cybersecurity podcast.
We've covered a wide variety of topics over the years.
We've been at the Women in Cybersecurity conference.
We've done the Women in Cybersecurity celebration.
We've been at many of the different hacker conferences.
It's been a long, beautiful road, and I'm so glad that we're continuing it when many other podcasts
focusing on women in cybersecurity have maybe fallen by the wayside. I really commend the
commitment of the CyberWire for continuing this initiative, and I know that it is a personal
passion of yours, so I really appreciate you, Jennifer, for doing this. I was so excited when I saw the panelists that we have for today's
podcast, because not only do we have new friends, but a friend that, gosh, I haven't spoken to in
years and saw one of her first presentations years ago that went off into just a great new
venture and just so proud of the many things that you have done, Masha. So
thank you for joining us. And Sam, you're out there in the community in Saudi Arabia right now
at one of the first conferences. So really appreciate that. And Michelle, it was great
to know you and listen to all of your great thoughts. So let's get started and have each
of you introduce yourselves because I could definitely not give
the right introductions. I'd stumble all over the place like I do all the time. So
let's kick it off. Who did we decide was going to kick this off today?
Masha. Masha, tell us a little bit about yourself. Thanks so much for having me on this podcast. I'm
so excited for this conversation. I'm Masha Sedova. I'm the co-founder and president of Elevate Security, a company that focuses on measuring and managing all aspects of human risk.
And I have spent my 20 plus career in cybersecurity focused on a variety of aspects of it,
initially starting with forensics and working as a cyber analyst for the DOD before really
beginning to get really fascinated about the
human element of security. I had the opportunity to build and run the security engagement team at
Salesforce before starting my own company in 2017, which is off and running and helping
redefine how we think about measuring the employee risk element of our organizations.
Great. And Samantha?
Hi, everyone. I'm also thrilled to be here.
So thank you so much for having me on.
So I've been also in cybersecurity for 20-something years.
I started as a receptionist a long time ago
and just fell in love with what we do.
And as a self-confessed nerd from a very young age,
I was hooked and I'm still here way, way into the future from a decade, no, two decades ago.
Last millennium.
Wow.
So my background's been all sorts.
I did incident response for too long.
I've dyed my hair since, so that's good.
And I've helped build products.
And now I work at Exabeam doing security strategy for EMEA.
And last but not least, Michelle.
Yes. Hi, good morning.
Thanks all for having me
and for having us here for this conversation.
I'm excited for it.
I've been in security again,
also a little over 20 years.
It's a point of pride
because I feel like I spent much of my life
saying like almost 20,
almost to give myself a little more like acumen.
So it feels good to actually be like, no, I'm here and I've been here for a long time.
My path to security was also a little roundabout.
I raised my hand.
It was something that sounded really interesting 20 years ago,
and I've never looked back and been really glad to be in this industry.
Today, I am a director of information security at Code42, and I oversee our risk incident and TVM programs,
our policy and training program, product security,
and then our identity and access management programs.
Wonderful. So there are so many different topics that we can touch upon now that we're on sort of another side of a global pandemic, a global crisis,
and one that really impacted not only how we live our lives day to day, but how we work and how
employers engage with their employees. So we're almost 20 months past the start of the pandemic
and we're taking a time to step back and reflect about this rush to remote work and all of the
technical and technology changes that we had to make in very short period of time. What do we all think is
the biggest impact this has had on security? Michelle? Yeah, I would say for what I've
experienced is visibility has really been impacted the most. We were lucky in that we were kind of
remote first or remote focused before the pandemic. So tools and tech were in place. And so it was
just getting our processes up to speed. And so for us, we found a lot of gaps around expectations around alerting
and monitoring. There was an eight to five workforce and that really changed when everyone
was home and they were juggling working around kids' schedules. So rethinking what potentially
suspicious behavior was became a new exercise for us.
I would say, and then related to that with visibility,
just situational awareness generally.
So much of what we do and how we're successful on our security team
is understanding the context behind something
or the side conversations where you might learn something
that you might not have known directly.
And a lot of that was lost in those hallway conversations.
And I feel like Slack has probably become the best space for situational awareness.
And while I don't recommend joining all of the channels and paying attention, I feel like it's the best way that we found to gain that situational awareness to understand what's happening more broadly.
Yeah, I think it's interesting that we talk about visibility because people don't think that we need to see each other.
But this actually really brought home this fact that face-to-face, even if it's Zoom, maybe not Zoom, but face-to-face, that one-on-one connections really does have an impact on security.
Sam, what were some of your things that you noticed as an impact on security?
Yeah, I think from my side, there's been good things and bad things. Definitely the communication
piece has been super tough. And people being in their home bubble rather than being in an office,
you kind of, you let your guard down, especially adding all of the distractions. And my goodness,
there's been many. And the stress of being in a pandemic
affects us as humans very much too.
So, you know, on the downside,
I think it's been tough.
You know, security people have had to go home as well.
And when it's remotely, it's harder to collaborate.
You can't just tap someone on the shoulder
and be like, hey, Sue, I've just seen this thing.
Like, take a look.
You know, you've got to then reach out
over a different method.
So that's been hard.
And it took the cyber criminals like minutes to pivot.
You know, the first Q1 of last year,
I think the top 10 phishing emails,
apart from the Valentine's one that we get every single year,
everything else had flipped to a topic
that was something to do with remote working.
So, you know, we're distracted.
The cyber criminals, they up their game immediately.
So that's been really hard.
But I do think there's been a positive as well.
There have been some really strange positives coming out of the pandemic.
But, you know, find them where you can, I think.
And what I've seen is like the business, IT and security
collaborating a lot better through necessity to start with,
because for organizations who are very much kind of on-prem,
to have to then flip to remote working and spinning up cloud apps very, very quickly.
The kind of the old adage, I think this is going away generally, thank goodness,
is the department of no in security.
It's been very much more a department of yes, but,
and actually helping the business find the things they need.
So, you know, in the older days,
if you'd found some good old shadow IT kicking around,
it would be easy to go, well, you shouldn't use this
because we have this thing over here,
or just don't use it because that's our policy.
Whereas now, you know, if you find that 4,000 people
in your organization have been using Dropbox and you didn't actually realize this,
well, maybe there's a good conversation to go and have.
Either let's find a sanctioned service
or understand more about the business needs.
And I think the pandemic's kind of forced that conversation more,
which is ultimately a good thing for us as security professionals
because we've got better relationships going on.
Yeah, I really like the concept of turning security
from being the department of no to the department of yes,
but let's look at the business aspect.
So Masha, I know you have some different insights on this
and I want to hear from you on what you saw
as some of the security challenges or opportunities that the pandemic brought us.
Yeah.
So one thing that Samantha said that really struck me was the change in the role of the CIO and the CISO in the land of work from home and the pandemic.
They really became first-class citizens in the executive boardroom because all
of a sudden they weren't just a cost center, they were a business enabler because it was not a no
but, it's that we can't get online if we don't figure this out. And it's been really interesting
to see how that role has very quickly evolved in the last year and a half to become truly a key stakeholder at the table in
a way that I think would have taken a decade to get elevated. But as far as the security landscape
goes, I think what's really fascinating is that identity is now our new perimeter. Our employees
are working from their couches, their coffee shops now, maybe, but before it was, you know, whatever internet connection you can get, you're using it.
And it's a totally different way of thinking about our ecosystem and how we secure it.
that only Google could get access to around boundaryless security.
Now, the idea of zero trust and work from anywhere is something we've all had to embrace.
And the employee is the epicenter of that.
Who is logging on and where they are logging on from
and what kind of risks they bring with them
is now how we think about security, which is a really exciting time because it's about
as far away as the defense in depth and the castle and moat model we all started with
a couple of decades ago.
And so it's really fascinating to watch how we think about the space and lean into securing it using new frameworks and new technologies that we haven't had a chance to before.
And it's really fascinating because I think awareness and training as a topic and as a framework has been around for a couple of decades and hasn't really progressed us to the place where I think any of us really have wanted to see it. And so as we take
the identity as a perimeter idea that we're seeing evolve, we get to also watch a lot of
these secondary frameworks around it, like the awareness and training space, co-evolve with it
to match the risks that both Michelle and Samantha were mentioning earlier as well.
Awesome.
And one thing that I think that I love about the cybersecurity community is their culture.
And, you know, we've seen so many different kinds of cultures develop over the years. Sam and I were chatting about all of the security B-sides.
And, you know, there's that whole culture of we are a community.
And it's interesting when we get on the topic of culture, we talk about the community and then we
also talk about a company. So what do we want to talk about as far as culture and what advice
do we want to give our listeners on approaching a company-wide culture
of transparency? Sam? Yeah, I love that you brought the community bit up because I think
this is huge. And I've been at the moment seeing people in real life for sometimes the first time
that I know them from the internet and now seeing them in real life is just amazing.
And ultimately, security is about people.
We've got our businesses and our assets that we care about,
but if you don't look after the people,
then the whole thing falls down.
It always makes me twitch when people say,
oh, yeah, the users are the weakest link,
and it's blaming them rather than embracing them.
Security awareness training has been, I think,
hit and miss over the years.
Some of it has just been, you know, you should watch this video.
Have you watched the video? Do the video. Video. Video. Nagging emails.
And that doesn't make it a pleasurable experience and you don't feel part of the process.
So I'm seeing some good shifts.
You know, people do lots of different styles now.
For some it's cartoony, for some it's literal Muppets.
The Cybermaniacs have got some great training.
They have actual Muppets they use for it.
And it just makes it a little more entertaining.
But ultimately,
if it's still just computer-based stuff,
it's one way.
You don't really feel a part of it.
So I think doing more to help individuals understand the part they play
and the importance of the part that they play,
giving them good routes to be able to report stuff if they're worried, and make that a positive experience rather than saying, like, why did you click that link? Why did you do that? Why didn't
you tell us about this? That's how we bring people into the box better. So, you know, the
department of no we talked about earlier, I think getting the security
team out talking to the other folks in the business generally, and being face faithful
rather than faceless, I guess, and really embracing the humans and making this a positive
experience, people are going to come to you more. They just are. They're going to see you as a human
as much as you see them as a human
rather than just being a user,
which is basically a login.
So there's more we can do.
But transparency, going back to that,
you have to explain to people
what you're doing and why.
And I think generally they'll get it.
If you start talking to them in bits and bytes,
maybe not.
But I think we all have a duty
to look after our business. If you're working somewhere and you
don't care about the place you work at, then that's not a great feeling. So, you know,
ultimately, I think this could be a good emotional investment as well for both sides of the security
team and for the users. So topic of culture, Masha, what advice, I mean, you look at culture and you've been looking at culture for quite some time.
Yeah, I think a great place to start thinking about this question is how do we define culture?
And for me, I think about culture as the things that we do when no one is looking.
It's the actions that our employees take and the decisions that they make when security isn't forcing them to do it, right?
It's not the quiz question that they answer at the end of their training,
but it's what happens when it's time to make a hard decision.
Do I ship late and securely my code,
or do I ship on time and just hope that there are no security bugs? And that's really
where culture really meets the day-to-day business requirements. And so having the ability to measure
culture is a really important thing. And when I think about measuring culture, it's understanding
these decisions that employees make on a regular basis and helping them understand where they stand.
What decisions do they make that they're doing a really good job in? And where are they sometimes missing the mark? And this information is actually available in almost every organization I've worked
with, phishing being one of them, but there's so many other data points we can start thinking about,
like how do you navigate the web? How do you handle sensitive data? How are you reporting? Do you try to download malicious software accidentally,
of course, right, without the blame here, but, you know, are you just a more risky driver on
the cyber road than your peers? And then the second thing is, well, what do we do with this
information as a security team? How do we help drive culture
knowing this information? And this is where the part of transparency and accountability comes in.
I actually don't think we need to be doing as much as we are around animated videos and humor
when we can treat employees like capable adults and we can have a heart-to-heart conversation of this is
where you are around security behaviors and this is how you can get better. And the place where
we're missing the mark today is that it's a one-size-fits-all. When you say this is good
practice but it doesn't apply to my work, then it's not relevant to me. But if you can show me that I
browse the web and navigate to sites that are blocked three times more frequently than my peers
and that introduces a certain amount of risk to my organization, that's a different conversation
for me. And so transparency here is actually really important because it helps the security
team become a partner with employees and let everybody know
where they stand and then gives them the tools to up-level them. And then there's a second piece,
which is an understanding that employees, like the rest of us, are human and they're going to
make mistakes. A security culture is not one in which everyone is flawless. A security culture is one where there is forgiveness and grace around how we are human as it relates to security.
When we make a mistake, how do we individually respond to it?
And what are the kind of support structures, technically speaking in this case, that are there to catch my mistakes?
If I regularly click on phishing, do I also use MFA and a password manager all the time, for example?
Maybe I have a web isolation browser technology that catches my risky browsing habits.
And working with security teams to acknowledge where I am on my own security culture journey
and matching to where I am related to my riskiness with the transparency
that we were just talking about, I think is a really interesting, exciting new way of thinking
about how we evolve security culture. And again, treating employees like they're part of the
solution, part of the ecosystem, and not as we said in the intro, as an APT for an attacker here.
What I love is, you know, Masha and I have been in the DOD world before,
and I remember, you know, 2007, 2008,
we were talking about security awareness training
and talking about security in general.
And it seemed that it was a widget, a device, a software, something that
was there that would be, as you said earlier, a castle and a moat sort of technology and not
looking at that it was the individual. And we're now moving, fortunately, a little bit faster into embracing the employee, even the customer,
into the security discussion. So Michelle, I loved what you were sharing before about
what your CISO did as far as embracing security. Want to share a little bit about that?
Yeah, yeah, definitely. Masha had mentioned earlier how the CIO and CISO are now seen as business enablers
through the changes with the pandemic.
And one thing that was exciting coming to Code,
we had a traditional security team prior
with an actual linked fence around their office,
to be funny, but it created a sort of like mood.
But so when our CISO came on
board, she created a security brand statement for our team. We're a team of yes, we're trusted
experts. We enable the company to be successful and we truly live by that. And what it's done is
it's both led the employees within our organization to come to us with questions because they don't
assume that
we're just going to shut them down. So they're more willing to say like, hey, here's this thing
I'm thinking about and get the security conversation started. But just as importantly,
it's enabling our team to remember that we're not siloed, that we're not just the security team
protecting the organization, but that we're part of the larger org and that the work that we do really is integral to the success of our organization. And then through that statement,
really it's allowed us to encourage our employees to engage with us. We have a really robust risk
management process where I would say a large percentage of what gets reported as risk comes
from people outside of security because to them, they're excited to talk about here's this thing that's keeping me up at night or here's this thing that makes me feel a little unsettled in the work that I'm doing. More importantly, we're triaging it and we're talking about remediation and we're reporting
it to the executive team. And so these employees, who maybe, you know, are steps removed from the security
team specifically, feel like they're making a positive impact on improving the security of
the company. That's great. And you know, as a marketing professional at heart, I'm always excited when someone says, brand actually has power and brand actually has a place. It's not just this pretty colored logo
or a t-shirt that a bunch of people wear around. That is actually a part of the culture. It's
something that people really embrace. We've all touched upon sort of
security awareness training. I mean, we all talk about the various different training that we've
had from, you know, harassment training to security training to, you know, that video that everyone
has to sit in front of and you do literally, you know, you can only make sure that someone's
passed it if they sat in front of it and took the quiz.
And we all know that that information goes out one ear and in the other and vice versa.
So security awareness training, fortunately, has had some success in areas like phishing.
But do we think that there is actually an opportunity to improve and expand on this area?
So Masha, this is one of your big areas.
Share with us. Yeah. So the way that I'd love to think about this problem is what gets measured
gets managed. And so from that place, simulated phishing has been revolutionary because it's
actually given us meaningful metrics around what people do, not just what they know. So before I tell you the
downsides of simulated phishing, I wanted to start with all the benefits of why I think there's,
there's, this has been a huge boost to, to measuring employee mindset and more importantly,
employee risk. But one of the things that I've done in my work is put together a research paper
that analyzes the security behavior of over 115,000 employees.
It's about 3 million decision points.
And I actually got to see how effective is phishing, how effective is training at actually improving people's security posture.
And what we found was actually very shocking.
The first thing is that both phishing, simulated phishing and training actually have a limited return of investment.
So if you send out more than 11 phishing emails to your employees, it starts to flatline,
and you're not going to move the needle anymore.
It helps up to a point, and then it flatlines at about 5%.
And you can keep phishing your employees until the cows come home,
and they're going to still click, a subset of them, 5% in fact.
Same thing with training. Training follows a U-shaped curve where the first three trainings
you give to somebody helps improve their behavior. Training four and five actually become
counterproductive and employees who have taken five trainings perform worse on phishing,
detecting and reporting phishing, than employees who have never taken any security
training to begin with. So my takeaway from this data is that they are good tools in our tool belt,
but up to a certain point, at which point they become counterproductive. And if we keep going
back to the same problem with the same solutions, wishing for a different outcome, that's insanity.
And so we actually need to be thinking about our tool belt here in a much more broad way.
And those are two tools in our tool belt.
But what other things can we be introducing aside from these two and firing our employees,
which is another tool, but not one that really helps with our brand and our positive imaging in our organizations. But how do we think about other tools involving management and helping
with top line support, creating cultures of positive incentive and positive reinforcement,
reward and recognition of really great behavior is another way that I've seen cultures
be vastly shifted to the positive direction here.
All this is very, very valuable. I do think that the foundation of this, back to some of the things
we talked about earlier, really is measurement. You can't reinforce positively. You can't gamify.
You can't give people accountability, transparency around how they're working if you're not measuring
what people are doing. So we really do need to be thinking about how we more effectively measure
where we are from a security risk standpoint as it relates to our employee behavior. So that is
foundational, but the measurement piece isn't enough. The measurement enables us to create more
tools like being able to pull in secondary technologies to support our riskiest
employees. And we in general need to stop thinking, over-relying on one vertical of measurement,
which today is simulated phishing, because it really is one dimension out of many that
we need to be using to measure this risk in our organization.
Awesome. Sam?
Yeah, distilled on from that.
And I have so much agreement, so much agreement.
I think the simulated phishing thing has been bizarre because some organizations have been really focusing on who clicked the link,
not who didn't click the link.
So it's been a negative thing straight off the bat
rather than being like, hey, you know, you've done really well.
Like, this is a good thing.
So I like the gamification thing completely.
I think there's loads of different ways
you can do that within
not just kind of day-to-day user work,
but also with some of the teams
that might come to you
for help with the security side of things.
There's a whole load of different processes
you can put in there
to make it like fun and positive.
And one of my favorites,
and I did one recently that was just so cool,
is tabletop exercises and really get people involved from outside the security team
to kind of live through, you know, what does it feel like to have a ransomware attack?
What does it feel like to have a breach?
What can we do?
How can we be working together and not just scare the pants off them,
but see how the different teams need to interact
and just give them a
flavor of some of the things that can happen along the way, which just gives that added benefit of, you
know, when it happens, you're better prepared. It's not just a case of, well, hang on a second, we've
got a process somewhere, can we dig it out? Oh no, it's on the intranet and our computers are all
down. You know, people have had some degree of experience without it being as catastrophic as it could be.
But they know their part.
They may come up with ideas outside of the security side as well.
I think you get great creativity from people who aren't in the security team.
That's how you can solve problems and it brings everyone together in a really good way.
Awesome. Yeah. I think that we've really talked about how security is moving people more in a
positive way rather than a negative way. And we've really had so many experiences,
even before things were advertised about how it's all negative. But I'm loving this theme
that we're having today about positive you know, positive and the statement of
yes and security impacts all of us. So Michelle, thoughts on security awareness training?
Yeah. Again, echoing a lot of what's being said, you know, I also run threat and vulnerability
management. And so one of the things that makes me go a little bit bonkers is metrics for the
sake of metrics, right? Which is what Masha was speaking to.
And one of the things that I'm constantly educating on
is like, just because we got a whole lot of scans coming in
does not mean anything, right?
On the surface, that's just a number.
It's really, it's like the layers deep beyond that.
Like, what are those numbers telling us?
And that's where I feel like we could be
a little more resourceful or thoughtful with phishing.
It's not necessarily, I mean,
the click rate is an important metric,
especially in an immature program.
But when you're working with your employees
and that user base,
it's really more like what's the data behind the click?
Is it we're clicking more at night
or is it more that we're more risky
with our behavior on our phone versus our endpoint?
Or is it that we're more susceptible to messages that are coming from a specific industry like retail or healthcare?
Okay, so then I can tailor my messaging to make it a little more impactful or adjust my security controls to try and account for where there might be a little more risk.
And then I think, again, this is a theme I'm hearing that I think we're talking over too, which is empowering users.
So I want, you know, going back to our brand statement,
we're part of an org and the whole org
is the security org, right?
And so we really have to make sure
that we're not being siloed in security,
that we aren't hoarding the knowledge
because we like to know all the things.
Because we do, right?
There's power with knowledge,
but that we're making security truly everyone's job
because what we're doing at the office on our computer
is the same thing that we're doing at home.
We don't have a security team to go to
when we're playing in our personal Gmail
or when we're trying to send files with our family
versus with our coworkers.
And so it's really,
I think there's more opportunity for us
to help our users help themselves, right?
So when they click on that link, do you know about VirusTotal, or here's this way that you can do some self-serving to see if something's malicious or not?
Or did you recently interact with a company, which would make you more susceptible to get an email from them versus not?
So taking that next level of training and awareness with our employees.
So since we here in the United States just got done with one of our major holidays,
I remember a panel that I was part of a good 15 years ago. And people said that,
yes, the security team likes to have all of the knowledge because we're the most popular people at any of the holidays because our parents, our grandparents all want us to do the malware and the virus and stuff. And that's the only value and importance we have in our family is that we can come home and clean everyone's computers.
So it's nice to know that we all have a little bit more knowledge and we can share it,
and I'm glad we're sharing it here today. So employees don't always take an action
when their company is hit by a security incident. This is from Kaspersky research.
In fact, in 40% of businesses around the world, employees hide an incident when it happens. Hiding an incident may lead to
dramatic consequences, therefore increasing the damage that is caused. One unreported event can
lead to an extensive breach of the organization's entire infrastructure. This hide-and-seek problem
seems to be most challenging for larger companies, with 45% of enterprises with large
employee numbers experiencing employees hiding a cybersecurity incident.
So given this risk from insider threats, what can we do about improving culture to lower
these risks?
Sam?
I think this goes back to so much of what we've been talking about.
And again, having that positive culture, I think solves a lot of this.
I mean, ultimately, if you're in a company that's got a reasonably mature security program,
they're going to have ways of finding you anyway and realizing that it was you. And that's not a
good place to be. I'd much rather someone came and said like, hey, oops, I've done this.
I need to let you know so you can do something about it
than sitting on their hands and going,
well, maybe I won't get found out.
Maybe I'll update my CV.
Maybe I'll go and live in a cave and this will all blow over.
But even with immature security programs,
if you're at a point where it's very at the tip breach level
and you've got agencies coming in to assist because you've had to notify, then it's going to be uncovered somewhere down the line.
And it's just it's not worth it.
I would, yeah, if you've got the right routes for people to report, you've got the face of security, you've got this positive frown going on.
I think that goes a lot to reduce these situations because people know where to go and they know who to talk to and they know where to get help. Michelle? Yeah, I think really a big
piece of this is removing shame from the equation. Many of us are in security because there's
no mastery. There's no like, I've learned all of security, full stop, right? Because the minute we know something, it changes.
So we know that in our world,
but yet we have this expectation
that our employees are just going to know
all the right things to do all of the time.
And if we can't establish mastery,
our employees can't either.
And so really, I think it's important to make sure
that we're encouraging all of the questions,
even the ones where we have the employees where like they ask all the questions all the time. Like we need to
encourage that and we need to thank them for asking because that's how they're going to feel
safe enough to report when something goes wrong or when they clicked on that link that they weren't
sure if it was bad or not. So that, I think that's, I think that's a key piece to encouraging the reporting.
Masha?
So I think the way that we need to get to the root of these statistics is understanding why employees don't report mistakes today.
And one of the best tools I've seen across this is the five whys, which doesn't necessarily stop at security, but finding people
who, you know, exhibit this kind of behavior, who don't report after maybe clicking or making
or introducing an incident and ask them, why? Why did this happen? Why did you do this? And keep
digging it, not just the top level. And over my career, I have found that it actually falls into
one of five categories.
They either think it's not their responsibility and that security is all over it. It's their job,
not mine. They can't be bothered to do it. They're really busy. They're afraid of the punishment. So
to Michelle's point, the shame, they didn't detect it at all. They had no idea anything even happened.
Or they didn't think that reporting actually had
the ability to change course. It doesn't matter. What's the point of me reporting?
And all of these root causes have actually a very different solution to them. And it's
understanding which cultural blocker is the reason you aren't getting the kind of reporting and open communication that we want to be seeing to get ahead of these incidents is going to be really, really important.
And some of it is going to be skill training, but some of it is reducing shame.
And a lot of the time I actually find that it's making it safe to report, making it safe to say, hey, I made a mistake and I need your help.
And knowing that there aren't negative consequences. In fact, there are positive
consequences. And the approach that I have seen to be very effective at solving actually several
of these bullet points and root causes is modeling positive examples of this. When someone has
reported successfully and changed the outcome of an incident, modeling that for the company.
I know about one defense contractor that would highlight this at their all hands and would even in certain situations with the employee's approval, name an employee who stopped an incident because of this reporting capability and explain what the impact would have been had they not done so. And so publicly modeled great behavior so that you're creating examples of,
well, someone did it and they thought it was their responsibility. They did not get in trouble.
They were thoughtful about detecting it and their input actually changed the course of it. And so
by modeling this in such a very public way, you actually overcome a lot of these root causes. And so I think understanding what's going on in your organization and then creating safety and positive reinforcement goes a long way in helping reduce some of the stats that you just shared at the beginning. I like that all of us can say easily that we've been
in the community for over 20 years. You know, fortunately, none of us have gray hair or wrinkles
or, you know, anything like that. But what I love is at the beginning of most of our careers, we saw security as this rigid, very negative, very secular kind of industry.
And it has now evolved into something that is actually a living being,
and that we can model great behavior that can have a positive impact on an individual,
on a team, and on a company.
And I really want to thank each one of you for sharing your insights on how we can all change our organizations and change them to have a positive impact on our individual security and our organization security.
So thank you all, Masha, Sam, and Michelle, for your great insights today.
Jennifer, back to you.
Thank you, Kathleen.
I want to thank you for moderating our panel today.
With all of your thoughtful questions and your very meticulous preparation,
we would not have been able to have this conversation with such depth without you. I also want to echo your thanks to
Michelle Killian, Sam Humphries, and Masha Sedova for sharing your thoughts and experiences with us.
This was really great, you guys. Thank you so, so much. I want to thank everyone who helped put
this together and to our listeners for spending the time with us.
A special thanks goes out to our partner and sponsor for this special edition podcast, Code42.
I'd like to encourage all of you to take a quick moment to check out the CyberWire's monthly newsletter called Creating Connections.
It's our newsletter that is a collection of works for news focusing on women in cybersecurity.
And it highlights the significant contributions that women bring to the industry.
It's free for you to subscribe, and you can find us on thecyberwire.com.
I'm Jennifer Eiben for the CyberWire, and it's truly been a pleasure. Thank you all.