Blog

19 Jun

Day of Shecurity Recap

Photo credit: Laura Buitrago

This past Saturday, I was lucky enough to be given the chance to give a talk7 at the Day of Shecurity conference ― what’s a “talk7”? That’s seven 45-minute presentations 😅. While it’s still fresh in my mind, I wanted to jot down my thoughts on the day. It...
13 Jun

Introducing the Phishing Difficulty Calculator: How Hard Are Your Phishing Tests?

You roll out a brand-new phishing test to your users, the results start to come in…and they’re worse than the last test. What happened? You’ve educated them about phishing, regularly alert them to new attacks, yet it seems they’re still not getting it…or are they? Phishing tests can serve two purposes: education on the latest...
30 May

How We Hire At Elevate Security

Changing jobs is tough! It’s a high-pressure situation with lots of ambiguity and expectations of the candidate, yet hardly any transparency about what the candidate can expect. I’ve been there, too. I’ve been verbally offered roles right after I interview, and then three weeks later the company hasn’t given me paperwork yet. I’ve had cases...
23 May

No Breach? No problem! Use Simulated Learning to Influence Employee Security Behaviors

Working as a security practitioner for nearly a decade now, I’ve been able to talk to employees at all ranks of an organization about the importance of security. In those conversations, I was often struck by how different the discussions with someone who “got security” were as opposed to someone who totally “didn’t get it.”...
11 May

Behavioral Science Can Do What Your Security Training Can’t: Change Behaviors

For decades, security awareness programs have been based on the assumption that employees simply don’t know the correct course of action, but with the right training, they will start performing more securely. But does that actually happen in real life? Nope, not even close. The same poor decisions are made because of the same old...
10 May

Iterating on Bad Security Awareness Training: Bad for Employees, Bad for the Company

You know what industry reminds me of security awareness? The coal industry. What? Yeah, coal. The coal industry, despite obvious pollution concerns and better alternatives, has stuck around. It even has new legs with “clean coal” (in the software industry, we’d call it “coal 2.0”, “new school coal” or “modern coal”), which despite tremendous costs...
02 May

Changing Employee Security Behaviors Starts with Behavioral Science

I’m often asked what it takes to actually get employees to practice better security. Security practitioners have tried for decades to push the latest and greatest training programs on their employees only to see them practicing the same old behaviors. Phishing links still get clicked, passwords are reused across accounts, and laptops remain unlocked in...
24 Apr

The Security Awareness Trap

In my former life as a CISO and security executive, I really disliked the phrase “security awareness”. I’m close to saying I hated it and I don’t think I’m alone. I’m not entirely sure where it stems from, but I’d guess it’s a combination of a) the bad taste in my mouth from all...
03 Apr

Announcing Hacker’s Mind: A Fresh New Take on Security Awareness Training

Here’s the conundrum most CISOs face: despite hours and hours of training, most employees still don’t know how to avoid today’s security threats. In an age of increasingly dangerous attacks, the million-dollar question is — how can you transform your team into real security advocates if training doesn’t work? Our mission is to change the...