Masha Sedova, Co-founder, Elevate Security
The human factor is maybe the biggest unsolved problem in cybersecurity. How do you fix people so they can do security more effectively? How do you fix security so it fits people better? Masha Sedova ran the team whose job it was to change security behavior at Salesforce from 2012 until Dec. 2016. At the end of that year, she co-founded Elevate Security, where she tests user behavior and puts users on campaigns to practice new security behaviors.
Can you talk about where we are today versus where we were then on human behavior and awareness and cybersecurity? It seems like a different environment but what have you seen actually working on this?
It’s been slower than I’d like it to be. Security professionals have been trying to solve the people problem for decades. We’re not very good at it. We’re really good at security; we’re not really great at people. We’ve rolled out what you could see as traditional awareness and best practices, which involves posters, regular emails and video-based training. The only metrics associated with this are how many people have finished the training, not really changed behavior. It’s not a surprise, but it hasn’t worked, so security people have thrown up their hands and said ‘humans are the weakest link.’ I hear that all the time, so it doesn’t make sense to those people to invest in them. That’s one camp that says, ‘I’m just going to keep focusing on technology.’
There’s a second group of people, and I see this growing more and more now, saying, ‘I haven’t invested in people the right way.’ Last decade we gave up on them; we kept investing in technology, and the technology hasn’t saved us. Mistakes are still happening, cyber incidents are still going up. Maybe we should revisit this people component.
The programs I’ve seen that are most successful have pulled in expertise from different industries and different specialties to start applying this program. Things like marketing and advertising figured out how to influence behavior decades ago, how to get you to buy another pair of shoes when you already have ten. That’s behavior change. Things like psychology and motivation, game theory and game design are all elements that understand human psychology. The programs that I’ve seen as most successful have diversity of skill sets in their programs as well as clarity around what they’re trying to achieve around behavior change.
It’s slow, but it’s happening. People are asking questions around, ‘Everything I’ve tried around people hasn’t worked and I want to try something new, because I might not have the right answers.’
I saw a great talk recently by Tom Lowenthal from the Committee to Protect Journalists who addressed these ideas. Specifically, he talked about how laymen are supposed to look at two pretty much identical web pages and somehow instantly know that one is phished. The talk gave life to the idea that humans are the only problem. This idea that maybe just piling on the human factor isn’t the best approach.
We’ve tried it for ten years and it hasn’t worked. This is another one of my pet peeves: Security people want everyone else to also be security people. I always say that’s BS. Sales people don’t want you to be a great salesperson, marketing people don’t want you to be a great marketing person, so why are you expecting us to be great security people? It’s an unrealistic expectation, and the fault is with us as a security profession and not with the other users.