At first glance, I’m an odd person to co-found a security startup focused on people. I’ve led really technical security teams at Microsoft and Salesforce that produced cutting-edge innovations and technical research. Many of my team members are now running their own security startups or are key technical staff at companies like Facebook, Google, Apple and others. In a nutshell, I built, ran and “graduated” teams of people who solved really hard technical problems — not people problems.
Even more, I was lucky enough to be offered opportunities to be CISO at some of the biggest name startups in the world, but I turned them down. Here’s why.
Technology Will Always Fail
Early in my career, when it came to people, process and technology my approach was to define a process, support it fully by technology and hire security staff (people) to manage it. We relied heavily on technology because technology scales and people don’t.
Except technology failed. Our proxies didn’t catch things when users were off-network.
And then it failed again. It didn’t work on mobile.
And it continued to fail. Users found ways to work around things that were too onerous.
Rinse and repeat.
As I took on higher levels of leadership I realized I’d over-invested in technology and wasn’t engaging the people who could actually achieve the outcomes needed — the 99% of employees that weren’t working on security full-time. Because they were most often the source of incidents, I needed to find ways to engage them (make them part of the solution).
Back To The Future
Soon after I took over the core security team at Salesforce, we were rolling out security training to all of our staff. I was super excited. It was the organization’s first chance to really connect with our employees. Then I saw the training.
It was a sixty-minute video with a quiz at the end. It was one-size-fits-all for every user, no matter what their role. It was largely a laundry list of “don’t do this” and “don’t do that”. This was apparently an industry ‘best practice’.
I was no longer excited.
I imagined the look in employees’ eyes when they got the ‘you have 30 days to complete this training’ email. A horror only matched by when they actually started taking the training.
What executive wants to be associated with something their employees hate?
I wanted something engaging that helped shape culture. Something that understood a user’s role and skill. Something that could optimize on the behaviors we cared about and measured whether users were getting better or worse. Something that wasn’t a compliance exercise.
I looked around in the industry to see what solutions existed. Everything available focused on ‘training’ and ‘awareness’, but I wanted measured behavioral change that had sustained influence on security culture. Compliance would be an afterthought and not a goal.
Nothing existed. So I decided to build it.
In January 2017, I started working with Masha Sedova and the rest of the Elevate Security team to build out what I wish I had when I first took over the core security team at Salesforce several years back.
Fighting With All You Have
I don’t need to tell you that billions are lost to security breaches every year. Depending on whose statistic you trust, the majority (95%?) of security breaches are due to human error. That’s a massive amount of money lost to mistakes people made and technology didn’t prevent.
As an industry we need to continuously look at whether our investments in security are aligned with the actual threats. It’s out of balance now. According to the recent Black Hat Survey, security professionals’ greatest concern is phishing and social engineering, but budgets and effort aren’t aligned with that (h/t Jeremiah).
Since starting Elevate I’ve spoken to hundreds of folks in the industry and almost everyone feels we’ve underinvested in people (in the people, process and technology triad) and that we need to recalibrate how we think about engaging employees and helping them become invested in security.
That’s why we’re building a platform that measures employee security strength and gets employees bought in and contributing to security culture by educating them with the right content at the right time. This gives security teams insight into the posture of their organization and allows them to make technology and education decisions based on data they didn’t know they had. It puts human behavior and information at the center of security actions and technology: a human-centric security platform.
What would be different if your employees were your strongest security asset?
Join Us On Our Journey
If you’re curious to hear more or would love to contribute to what we’re building, hit us up at firstname.lastname@example.org.