It's Not What You Know, It's What You Do: How Data Can Shape Security Engagement

Presented at Black Hat USA 2019, Aug. 7, 2019, 1:30 p.m. (50 minutes)

When it comes to security training, one size does not fit all. Company-wide and even role-based security trainings do not acknowledge the strengths and weaknesses in an individual's security performance. It is redundant on topics where users are proficient and often appeals to the bottom denominator of understanding. This approach does not respect an employee's intelligence or recognize the successes and strengths in fulfilling security tasks. The end result is mediocre and unmotivating training that fails to empower users with the motivation and skills to defend against current threats.

In early 2019, Autodesk, in partnership with Elevate security, rolled-out an innovative new approach to security learning. By leveraging the security behavioral traits of each employee, they created ongoing security snapshots with recommended security trainings and action items for each person.

This behavioral data was used to highlight when employees were excelling at security tasks and where they needed most improvement. This gave each individual a quarterly security finish line, the opportunity to acknowledge when employees were meeting or exceeding a security task and provided customized follow-up when an employee had room for improvement. Further, data analytics were used to drive "social acceptance" of key security behaviors by demonstrating a comparison of performance between groups.

This talk will walk through the Autodesk case study of how to create and deliver data-driven security snapshots. It will also go through an exploration of what data was chosen, how to effectively showcase this data for maximum impact in behavior change and share the successful measured outcomes on security behavior change from this initiative.


Presenters:

  • Aika Sengirbay - Senior Security Engagement Specialist, Autodesk
    Aika Sengirbay is the Senior Security Engagement Specialist at Autodesk. She is building an awareness program that is driving a secure mindset amongst all employees by using security behavior testing and data analytics. The scope of her work runs the gamut of general security awareness such as phishing and reporting activity to secure engineering practices by developers and engineers. Aika and her team are building security simulations, company-wide campaigns, and custom lab environments to drive effective learning of key security behaviors. These efforts are enabling successful changes to security behaviors company-wide in Autodesk. Prior to Autodesk, Aika was a member of the information security team at Gap focusing on strategy and governance with rotations to the incident response and red team. She holds a BS in Journalism.
  • Masha Sedova - co-founder, Elevate Security
    Masha Sedova is an industry-recognized people-security expert, speaker and trainer focused on engaging people to be key elements of secure organizations. She is the co-founder of Elevate Security, delivering the first people-centric security platform that leverages behavioral-science to transform employees into security super-humans. Before Elevate, Masha Sedova was a security executive at Salesforce where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers. In addition, Masha has been a member of the Board of Directors for the National Cyber Security Alliance and regular presenter at conferences such as Blackhat, RSA, ISSA, Enigma and SANS.

Links:

Similar Presentations: