How to Build a Security Culture - Whiteboard Wednesday

Imperva
11 Oct 2017 (07:47)

Summary

TL;DR: In this Whiteboard Wednesday, Beau Kim emphasizes the importance of a strong security culture for organizations, highlighting the need to balance people, technology, and processes. He discusses the significance of leadership support, department champions, effective security awareness training, active security posture testing, and continuous communication to foster a shared sense of security ownership and reduce vulnerabilities.

Takeaways

  • 🛡️ The necessity of a strong security culture is underscored by the fact that it involves people, technology, and processes, with a focus on the human element.
  • 👥 A company culture, particularly a security culture, is defined by the collective beliefs and behaviors of its employees.
  • 📊 The 2017 Verizon DBIR found that nearly half of all breaches began with a social attack, emphasizing the importance of focusing on people in security strategies.
  • 🔝 Leadership support and buy-in are critical for establishing a strong security culture, as it sets the tone from the top down.
  • 📊 Effective security awareness training is essential for employees to understand what constitutes suspicious activity and how to report it.
  • 📈 A tiered approach to security training can help cater to different levels of risk and roles within an organization.
  • 🔍 Actively testing security posture through social engineering campaigns can help identify and educate on potential vulnerabilities.
  • 🔄 Continuous improvement of security awareness training is necessary to adapt to new risks and organizational changes.
  • 📢 Transparent and continuous communication is key to maintaining a strong security culture, with quick responses to employee reports.
  • 🏆 Recognizing and rewarding employee efforts in security, whether it's an incident or a false positive, helps build a shared sense of ownership.

Q & A

  • What is the main focus of today's Whiteboard Wednesday discussion?

    -The main focus is the importance of a strong security culture and the four essential components needed to build one.

  • Why is it crucial to have a strong security culture within an organization?

    -A strong security culture is crucial because it helps to ensure that all employees understand what's right versus wrong, how to report suspicious activities, and promotes a shared sense of ownership for security, thereby reducing the risk of breaches.

  • What are the three major components that need focus when building a strong security program?

    -The three major components are people, technology, and processes, often referred to as the 'people, technology, and processes triangle'.

  • According to the Verizon DBIR mentioned, what percentage of breaches start with a social attack?

    -43% of all breaches covered by the 2017 Verizon DBIR started with some type of social attack.

  • How can a company's leadership support the development of a strong security culture?

    -Leadership can support the development of a strong security culture by providing buy-in, clearly communicating the company's security posture, and aligning security initiatives with larger company objectives.

  • What is the role of department team champions in building a security culture?

    -Department team champions provide feedback on new security initiatives and help to reinforce security practices within their teams and departments.

  • Why is effective security awareness training essential for a strong security culture?

    -Effective security awareness training ensures that employees clearly understand what's right versus wrong, what data to protect, and how to report suspicious activity.

  • What is a tiered or targeted approach to security awareness training?

    -A tiered or targeted approach to security awareness training involves providing different levels of training based on the roles and access levels within the company, with more in-depth training for those with higher risk and access.

  • How can social engineering campaigns help in testing a company's security posture?

    -Social engineering campaigns, such as internal phishing campaigns, allow companies to test how well employees can detect and report suspicious activities, thereby identifying areas for improvement.

  • What is the importance of continuous communication in maintaining a strong security culture?

    -Continuous communication ensures transparency, approachability of the security team, and quick response to employee reports. It also helps in building a shared sense of security ownership.

  • How should a company respond to failed phishing attempts during social engineering campaigns?

    -Instead of punishing, companies should use failed phishing attempts as an opportunity to further educate employees on what could have happened if it were a real attack, reinforcing learning and improving security awareness.

Outlines

00:00

🛡️ Building a Strong Security Culture

Beau Kim, Senior Director of Information Security at Imperva, introduces the concept of a strong security culture and its importance in today's business environment. He explains that focusing solely on technology and processes leads to a weak security posture, and emphasizes the need to balance this with a focus on people and company culture. A strong security culture involves employees understanding what constitutes suspicious activity and how to report it. Kim highlights that people are a significant attack vector, citing the 2017 Verizon DBIR finding that 43% of breaches began with a social attack. He stresses the need for shared ownership of security within an organization, rather than it being seen as someone else's responsibility. Kim suggests starting with leadership support and buy-in, and using a high-level security domain dashboard to communicate the company's security posture and initiatives. He also mentions the importance of department team champions to provide feedback on new security initiatives.

05:01

📚 Security Awareness Training and Continuous Improvement

The second segment covers the necessity of effective security awareness training so that employees understand what is right and wrong in terms of security practices. Beau Kim suggests a tiered approach to training, with general awareness at the bottom and more targeted training for those with higher risk or access to sensitive data. He also discusses the importance of adjusting training as new roles or business units are created. Kim then talks about the need to actively test security posture through social engineering campaigns, which help employees practice detecting and reporting suspicious activity. He differentiates this approach by advocating remediation over punishment, using incidents as learning opportunities. The final component discussed is continuous communication, emphasizing transparency, approachability, and quick response to employee reports. Kim suggests distributing internal reports to show the company's security posture and reinforce new initiatives, encouraging a shared sense of security ownership among employees.

Keywords

💡Security Culture

Security culture refers to the collective attitudes, values, and behaviors that govern how individuals within an organization approach cybersecurity. In the video, Beau Kim emphasizes the importance of a strong security culture as a key component in preventing breaches, particularly in the context of human error and social engineering attacks. A strong security culture involves employees understanding what behaviors are acceptable and unacceptable, and how to report suspicious activities.

💡People, Technology, and Processes Triangle

This concept describes the three fundamental areas of focus for building a strong security program within an organization. The triangle represents the balance needed between people (employees), technology (security tools and systems), and processes (policies and procedures). The video script points out that security professionals often focus more on technology and processes, neglecting the people aspect, which can lead to a weak security stance.

💡Social Engineering

Social engineering is a type of cyber attack that relies on human interaction and often involves manipulation or deception to gain access to information or systems. The script mentions that according to the 2017 Verizon DBIR, 43% of breaches started with a social attack, highlighting the significance of training employees to recognize and report such attempts to strengthen the security culture.

💡Leadership Support

Leadership support is crucial for establishing a strong security culture. The video script explains that company culture is defined from the top, and leadership buy-in is necessary to drive security initiatives throughout the organization. Beau Kim suggests that security professionals should communicate the current security posture and upcoming initiatives to gain this support.

💡Security Domain Dashboard

A security domain dashboard is a tool used to visualize and monitor the organization's security posture. In the context of the video, Beau Kim describes how Imperva uses a high-level security domain dashboard to break down their security program into major domains, score them, and track progress through supporting metrics and KPIs, such as failed phishing attempts or multi-factor authentication rates.

💡Security Awareness Training

Security awareness training is a program designed to educate employees about cybersecurity risks and best practices. The video script discusses the necessity of such training for building a strong security culture, emphasizing the importance of a tiered approach where training content is tailored to the level of risk associated with different roles within the company.

💡Data Classification

Data classification is the process of categorizing data according to its level of sensitivity or importance. In the video, Beau Kim mentions data classification as a key element of general security awareness training, ensuring that employees understand the value of the data they handle and the necessary precautions to protect it.

💡Account Takeover

Account takeover refers to unauthorized access to a user's account, often through phishing or other social engineering tactics. The script uses the metric of systems behind multi-factor authentication as an indicator of a company's defensive posture against account takeover, illustrating the importance of strong access controls in security culture.

💡Social Engineering Campaigns

These are internal initiatives designed to simulate real-world social engineering attacks to test employees' awareness and response. The video script suggests using such campaigns to actively test the security posture of an organization and educate employees on how to detect and report suspicious activities.

💡Remediation

Remediation in the context of cybersecurity refers to the actions taken to address and correct security vulnerabilities after they have been identified. The video script highlights the importance of treating remediation as an educational opportunity rather than a punitive measure, to reinforce learning and improve security culture.

💡Continuous Communication

Continuous communication is the ongoing process of keeping employees informed about security practices and initiatives. The video script stresses the importance of transparency and approachability, encouraging quick responses to employee reports and rewarding their security-conscious behavior to foster a shared sense of ownership over security.

Highlights

The importance of a strong security culture and its four essential components are discussed.

A strong security program requires a balance of people, technology, and processes.

Security professionals often focus more on technology and processes, neglecting the people aspect.

A company culture is defined by its beliefs and resulting behaviors.

Employees in a strong security culture understand what's right versus wrong.

People are a major attack vector, with 43% of breaches starting with social attacks.

A weak security culture leaves the organization vulnerable to attacks.

Security should be a shared responsibility, not someone else's.

Leadership support and buy-in are crucial for building a strong security culture.

Company culture is defined from the top, and leadership sets the tone.

Security professionals need to communicate the current security posture and upcoming initiatives.

Imperva uses a high-level security domain dashboard to score and represent security.

Department team champions help provide feedback on new security initiatives.

Effective security awareness training is essential for a strong security culture.

A tiered approach to security awareness training is recommended.

Continuous adjustment and improvement of security awareness training is necessary.

Actively testing security posture through social engineering campaigns is important.

Remediate rather than punish after a failed phishing attempt.

Continuous communication and transparency are key to a strong security culture.

Rewarding employee behavior for reporting helps build a shared sense of security ownership.

Internal reports showing the company's security posture and new initiatives should be distributed.

Transcripts

00:02 [Music]

00:08 Hello everyone and welcome to today's Whiteboard Wednesday. My name is Beau Kim, I'm the Senior Director of Information Security here at Imperva, and for today's topic we're going to be discussing the importance of a strong security culture and four essential components needed to build one. So to begin, let's talk about the reason why we need a strong security culture. As with any other major business objective or initiative, when we are trying to build a strong security program within our organization we need to focus on three major components, and that's going to be the infamous people, technology and processes triangle. A lot of times though, unfortunately, we find ourselves as security professionals focusing a lot more on the technology and processes side, which puts us at an unbalanced and weak position.

00:56 Today we're gonna be talking about what we can do to focus more on the people aspect or component, and in this context we're really talking about company culture. So a company culture is basically the beliefs and resulting behaviors of the organization. So in an organization that has a strong security culture, employees have a clear understanding of what's right versus wrong, the type of activity that they should report on in terms of being suspicious, and who and how to contact the right team.

01:22 So people are a major attack vector. The 2017 Verizon DBIR showed that 43% of all breaches that they covered started with some type of social attack. If we continue to position ourselves in a weak position, focus purely on technology and processes, we're essentially leaving ourselves vulnerable to an attack vector that accounts for nearly half of all current-day breaches. And then finally, in a company that doesn't have a strong security culture, security becomes someone else's responsibility, and the whole point of a strong security culture is to have a shared sense of ownership. And so we know that someone else's responsibility is definitely not where we want to be.

02:05 First and foremost, the biggest impact you can make on your company's security culture is to start at the top and get your leadership support and buy-in. Company culture is absolutely defined from the top; leadership brings it throughout the organization. And just like any other business unit, we as security professionals need to do a good job in really communicating where we are in terms of our current company security posture and clearly communicate some of our upcoming security initiatives. And this can obviously be done through frequent reporting. However, don't just stick to some of the low-level security metrics; be able to tie it into some larger-level objective or initiative that aligns with your company's objectives, or clearly states or clearly represents a true risk to the company.

02:49 So for example, here at Imperva we start with a high-level security domain dashboard where basically we've broken out our security program into the major security domains that we feel define it, and then we score it on a scale of zero to five, which essentially is an adoption of the enterprise maturity model. Each of those scores are then represented or reinforced through supporting metrics and KPIs so that we know where we need to get. Some of the domains that we report on, for example: our effective security awareness training, with a supporting metric of failed phishing awareness attempts. Another example would be our defensive posture against account takeover, with a supporting metric of percentage of systems behind multi-factor authentication.

03:37 Once you have that leadership buy-in and support, make sure you start to move further south into the organization and establish department team champions. And these are going to basically be the local teams and the local departments and leaders of those departments that can help provide that feedback once you're rolling out new security initiatives.

03:56 The second component is going to be effective security awareness training. Simply put, you can't have a strong security culture without your employees clearly understanding what's right versus wrong, what it is that you're trying to actually protect, so your data classification, and also how to report suspicious activity and to what team.

04:18 So one way that you can actually build your security awareness training programs is to approach it from a tiered or targeted approach. And so as you can see in this triangle, as we go up the triangle risk goes up, but the exposure, the amount of roles within the company, decreases. So at the bottom level, where the triangle is the widest, we start with your general security awareness training. An example of an element of this training would be your data classification; again, everyone needs to know what you're trying to actually protect. To take that example one step further, so for example if you were a software company, source code is probably going to be pretty high on that list. As you move up though, the people that actually have access to that source code are at that intermediate level, and so they need to get a little bit more targeted training. And then finally the people that are the administrators, the ones that actually administer your source code repositories, are gonna have that in-depth training, because as we go up again the risk goes up. And then finally you want to continuously adjust to improve. So if there's any new risks or any new roles or business units created within your organization, you want to reassess to ensure that this is current and that you're covering all roles within the organization.

05:29 The third component is gonna be to actively test your security posture. You can't just simply rely on your passive security awareness training, and one way you could clearly do this is through social engineering campaigns, or in other words internal phishing campaigns. And what this does is it gives your employees the ability to test their knowledge on how to detect suspicious activity and then also how to report it to the right team. One of the key differentiators here, and biggest impacts you can make though with this component, is your remediation. Instead of punishing, your team should take this as an opportunity to educate the employee further. So for example, if there was a failed phishing attempt, the employee that was affected, your team should approach them and basically let them know essentially what assets within the organization could have been breached or what path could the malware have taken.

06:25 The fourth component is going to be continuous communications. The bottom line here is transparency is key. Your team needs to be approachable. The channels that you've set aside for your employees to contact your security team, when they're used, they need to be responded to very quickly. Your employees need to understand that you take their reports very seriously, and that it helps build that shared sense of security ownership. Also, regardless of whether it's an actual incident or false positive, reward their behavior, so that again you're building that shared sense of security ownership. And finally, similar to what we were doing with the leadership reports, feel free to distribute internal reports that show the current posture of the company and then also reinforce some of the new initiatives that you're deploying within your organization. So if you have a new security awareness training initiative or campaign, show the improvements quarter-over-quarter to your employees so that they understand that their efforts are part of a larger initiative.

07:28 Thank you for joining today's Whiteboard Wednesday. I hope the topic that we discussed today helps you build a stronger security culture within your organization. We look forward to you joining us in future sessions.

07:43 [Music]

Related Tags

Security Culture, Leadership Support, Employee Awareness, Cybersecurity Training, Phishing Prevention, Risk Management, Company Culture, Security Posture, Data Protection, Internal Communications