8% of your employees are going to cause 80% of your security incidents. Employee mistakes are inevitable, no matter how much training you give them. That is why you need to change the way you think about security and plan ahead. Instead of trying to put out fires, prevent them from happening in the first place.
Join Matthew Stephenson as he talks to the President & Co-Founder of Elevate Security, Masha Sedova, about how she manages employee risk. Learn more about her security credit score method of finding out who is a security risk. Find out why training may not even be the best approach to managing these risks. And learn how she applies some behavioral science to her security measures. Start elevating your security right now!
Masha Sedova: Employee Security Mistakes Are Inevitable, Resulting Incidents Aren’t
I know we’re always excited, but I think this might be the most exciting: to welcome Masha Sedova to the show. She is the President & Co-Founder of Elevate Security, a faculty member at IANS, an advisory board member of Signpost Six, and in previous lives has been a speaker and trainer at Black Hat, a member of the board at the National Cybersecurity Alliance, and the Senior Director of Trust Engagement at Salesforce. Fast Company named her one of the most creative business people of 2021. Masha Sedova, after all this time, welcome to the show.
It is a pleasure to be here for so many reasons. One of them is to be able to see the face behind the voice of the show that I’ve been listening to. It’s such an incredible experience to hear the same introduction but coming out with a new face. It’s lovely to be here. It’s great to be doing the show with you.
I have to open with what could be the most important question of this entire show, your bio on the Elevate homepage, the mothership, as it is, ElevateSecurity.com, lover of Circus Arts and Behavioral Science. Should we start with Behavioral Science or Circus Arts?
Let’s start with Behavioral Science. Behavioral Science, after Security, is one of my greatest career passions. I love the study of how and why we make decisions the way we do as human beings. There is such incredible work by behavioral economists that discusses how we think about risks and make decisions. It’s fascinating to read a book around “That’s why that’s a hard decision or that’s an easy one,” thinking about System 1 and System 2 thinking, etc.
One of the greatest joys in my career has been weaving together the studies and the findings from Behavioral Science into security, taking the learnings and the strengths of both to improve one or the other. In security, you can measure outcomes that Behavioral Science can learn from. In Behavioral Science, you can understand how people behave so you can influence them for better security outcomes. It’s a perfect marriage. This has brought me a lot of joy over time. That’s the Behavioral Science piece. In Circus Arts, one of the many hobbies that I have picked up over the years is Aerial silk.
None of this is on the internet in the research that I’ve done for this.
Those photos are behind appropriate privacy settings, but we can share them after the fact. Aerial silk is stringing stretchy fabrics from the ceiling. You climb up them, wrap your feet or arms around them, dangle 10 or 20 feet in the air, do stunts and drops, etc. I love it because it’s a combination of a lot of physical strength, but also, there’s a performance aspect to it. There’s also a lot of precision. It’s a fascinating experience in physics and being able to tie the right knot in such a way that it holds your whole body when you hold it at the right angle. When you turn your body to a different angle, the whole thing unwraps, because you have to wrap and unwrap basically without the use of your hands. It’s almost a mental game as much as it is a physical one. I’ve been doing that for a couple of years.
This is Cirque du Soleil stuff. For people to be dangling multiple feet above the ground by silks, wow.
I’m also in the profession of risk management. By the time you get up above a floor and you’re dangling, you have practiced it 1,000 times. There are crash pads. You know what you’re doing by the time you let go.
It’s the unexpected thing that I will appropriately pepper into some of the questions, the notion of risk management and aerial silks as it applies to cybersecurity. Back to the Behavioral Science bit, we had the great fortune to have Dr. Jessica Barker on a few episodes back. You and she are peers.
I love her. She’s such a powerhouse and a great presenter. If you haven’t had a chance to see any of her presentations, she has a great collection of them. Her RSA talk was phenomenal. I love her stuff.
She came up through city planning, not necessarily a direct study of Behavioral Science. When you start to look at what types of studies, science and application you can apply to the work that you are doing at Elevate, and when you first thought about founding Elevate, how far outside the box did you want to go, or do you consider going, when you think, “What can we learn from study X in order to gain more knowledge to apply towards looking at insider behavior in a way to improve security?”
There’s a lot of overlap around what Behavioral Science can add, and it’s worth taking a step back. One of the problems with what the security industry, especially the security awareness industry, is doing so far around the problem of employee risk is that it focuses on what employees know and not on what they do. It’s not lack of knowledge that gets us in trouble. It’s the actions. People have perfect quiz scores and then proceed to download and execute the malware on their machines. They’re too busy or unaware. The ability to understand, track, measure and influence the behavior of people is where the rubber hits the road here. That’s the place where you’re going to start seeing security teams transform their security posture.
When it comes to the problem of employee risk, security needs to focus on what employees do, not what they know.
To your question, “How much of Behavioral Science can you apply?” There’s a significant component of it. There’s the first piece where you have to measure what’s going on and that’s not Behavioral Science. That’s data analytics. There are a lot of interesting things we’ve learned around how to measure behavior effectively. Once you understand what people are doing well and poorly, what do you do with that information? This is exactly where Behavioral Science comes in.
This is why it’s such a hard problem in security, because the problem of securing the human element is, I think about this as, a left and a right brain problem. You have to measure with analytics and data and understand and get visibility into the problem, but then you have a human being with emotions, fears, children to feed and promotions to attain. You can’t patch that. You can’t just apply a patch to a human being. You have to understand how people rationally make decisions, or probably more accurately, irrationally make decisions. Once you understand someone’s risk posture, and the strengths and weaknesses of folks, Behavioral Science is the right tool for the job in understanding what to apply.
Personally, I’m a big sports fan. I like American football and the NBA. Baseball got boring because of it, but there has been a huge focus on analytics to the point where it’s dictating the play calling, shot selection, and who goes in as a substitute for what position for what. When you look at the data collection first, we’ll get into the super hard boring algorithms before we start talking more about the behavioral aspect of it. How much of that type of thing, in your experience, have you seen influence decisions that security makes?
When you talk about the notion that we’ve got children to raise, the definition of chaos, “I’m a parent and I have a four-year-old,” chaos, but when the security team is collecting data on making suggestions of the food chain as to what we should do in order to improve our security posture. When you’re looking at these hard and fast numbers, how do you reconcile the two of those things?
The measurement piece is critical because without it, you’re applying the same tools, the one-size-fits-all approach, to every person, and that’s not accurate. The analytics piece is so critical because it helps us focus and pinpoint where our energies need to go as security professionals. What I’m explaining is Risk Management 101. We triage the highest-priority incidents. We make sure our top riskiest audit findings are tackled first. We have vulnerability and criticality metrics. When it comes to employees, “They’re fleshy bags of magic,” as Scott Adams says.
That’s where the analytics piece comes in. It allows us to create and pinpoint where the risks are. The coolest thing that we see is that risk isn’t distributed evenly. Eight percent of your employees are going to cause 80% of your incidents. It essentially falls into a bell curve where you have your super high achievers, 10%, 15%, or maybe 20% of your organizations who are always going to do the right thing. That’s probably the majority of your security team right there, and then other folks.
You have your squishy middle, people who can be influenced, trained, motivated, etc. They’re great candidates for Behavioral Science interventions and maybe enhanced controls and more corrective actions. Then you have your stragglers, your 8%, who are going to need a little bit more bubble wrapping than your other folks so that they don’t hurt themselves and your organization.
What the analytics piece does is it helps you understand where everyone lies in that bell curve, not with the intention of shaming, punishing, or firing, but with the intention of understanding who needs what kind of support from the security team. Ultimately, what that really means is there’s a small percentage who are going to require most of our attention and a significant percentage that we can let them roam free in the green pastures of our networks because they have a great track record and we can trust them with the keys to a Ferrari. They can go very fast while some people should not be entrusted with expensive and nice things.
Shame, firing, and punishment. Let me also add guilt into that. When you are looking at an organization, whether it’s your own internally or offerings to your clients, your users, pick the word that is most appropriate for this, how much has that been a thing that they have done before? In what Elevate is offering without this being a shameless plug, is that the right way to go?
It won’t be a surprise to you or to most of the readers that historically we call the human element the weakest link. The problem exists between the keyboard and the chair. There are a lot of pretty derogatory ways that we speak about the workforce. We don’t even call them employees. We call them users.
What’s the good word there? I’ve been struggling with this for every episode that we’ve done.
Employees or workforce. There’s not a great term around this. I will sometimes say users because it’s what we’ve agreed to.
It’s either too cold or too squishy, “They’re my teammates and my colleagues,” or they’re users and clients.
Historically, we’ve thought about them being the weakest link, but instead of thinking about the weakest link, the correct way is that they are the primary attack vector and saying that the weakest link is on us because, as security professionals, we have not done an adequate job at protecting this chain in our security. It’s easier to say, “They’re the weakest link,” instead of questioning the status quo and saying, “Maybe it’s us that hasn’t stepped up to the plate and done a better job of securing this part of our defense.”
When it comes to risk, your employees are not the weakest link; they are the primary attack vector.
Why it’s hard and tricky is because it’s not a system you can patch. It requires both the analytics piece and an understanding of human nature, which is a combination of two very different kinds of personas. People who go into Behavioral Science aren’t usually security professionals. Security professionals don’t usually go into Behavioral Science. You are marrying two pieces of opposing ends to start solving this problem. The first step, it’s a rallying cry more than it should be an acceptance of the status quo. If you call it the weakest link, you’re being lazy.
As a security team, you have this problem where you have the weakest link. If you think about it from the perspective of the CISO, the only resource they have had for decades because we have inadequately been solving this problem is training. Training is a waste of everybody’s time, energy and money. I often see CISOs think, “What is the least amount of money and time I can spend on this because it’s a black hole where I don’t see any return on my investment or a reduction in my risk? I am going to give this team and this effort a minimum amount of budget because I don’t know that this is going to move the needle significantly in reducing this risk.”
We haven’t invested in this space. Honestly, it’s because if training had worked as a defense mechanism, it would’ve worked decades ago. We’ve tried doing this for a long time. We keep trying to make it funnier and more engaging with the innovation of the space. A funnier video is not going to stop the workforce risk problem. I’m sorry to burst people’s bubbles, but the reason we make videos funny is because it’s not relevant to most employees. We have to put lipstick on a pig and say, “This is lovely,” when it’s not. It’s not relevant and it doesn’t get to the risk. It’s not a good situation for anybody.
This is a long way of getting to your point, “Why do we shame and punish?” because CISOs are given the choice where, “I can give people more training and keep throwing training at them. It’s not working. What other tool do I have, but firing, termination and getting these people out of my workforce?” Which is where things like shame and punishment come in and step up here. That’s not working for anybody either, especially as we’re moving into an economy.
Security professionals are having a hard time hiring people onto their teams. It’s not like we’ve ever had a plethora of talent in the security industry, to begin with. Firing plenty of good people across the board is not a viable option for us, especially in the economy. All of that said, it’s time for a new approach. It’s time for us to think about a whole different way of getting to the space. You can’t change what you don’t measure. That’s where the analytics piece has to come in. It can’t be surveys. It’s not what people know. It’s what people do. You can’t ask for surveys. It’s not quiz questions. It’s not a simulated environment. You have to start mapping the risk that employees are taking and their actions. That’s one part.
Once you understand what people are doing well and struggling with, you can start tailoring what kind of interventions you want. The best part about this, back to the whole shame and punishment and the Behavioral Science piece, is when you know when people do well, you can reward and reinforce that. When you know people are not doing well, you can give them a bar and say, “This is the bar. Here are three examples of when you didn’t meet the bar. This is what I need you to do differently.” You can start creating incentives. You can gamify it, have reward systems or attach bonuses to it that you can start recognizing when people are doing a great job.
Without the measurement piece, it’s subjective. You have a lot more available to you once you have an understanding of where people’s precise level of risk is because you can start applying cool Behavioral Science techniques like I was mentioning, gamification. I even know one company that ties people’s bonuses to their performance and they see an excellent turnaround in defense.
“You’re going to pay me to get better. I’ll get better.”
You can also apply awesome security tools. It’s not about Behavioral Science. There’s a whole bunch of things we already have at our disposal, step-up authentication or more restrictive browser settings. Certain people need a little bit more bubble wrap. We can figure out who needs a little bit more help from a tooling perspective as one option. It doesn’t need to be shame or punishment.
It doesn’t have to be emotional at all. You can say, “We see that you browse to sites that are blocked ten times more than your peer group. It looks like you can’t make great judgments around browsing. Let’s add a few more bumpers to your experience: we’re going to restrict it to only highly trusted sites, or we’ll install an isolation web browser on your machine to make sure that when you do try to download malware, we’re here for you.”
You have a lot more options. You don’t have to resort to shame and punishment, which, if you have no other options but training and firing, is what we’ll default to. Once you can measure the problem, you have a world available to you of much more gray areas, of ways of reinforcing great behavior and helping folks course-correct for bad behavior.
Once you can measure the problem, you have a world available to you—a world with much more gray areas in reinforcing great behavior and helping folks course-correct for bad behavior.
You brought up training earlier in the idea of, “Let’s make it funny.” I have to wonder because I’ve had the good fortune to work directly in-house for some big companies. They had to do these training and we had to do them quarterly or whatever it was. Is that, in your opinion, useful or are we ticking regulatory boxes for whether it’s a publicly traded company or companies that are working inside of a specific industry? Is there real value to those anymore?
You have to understand that training is a tool for an outcome, and you have to understand what outcome you’re trying to drive for. For the majority of organizations, training, first and foremost, the outcome they’re trying to drive for is compliance. If that is the outcome you have, that doesn’t need to be funny. That needs to be a sign on the dotted line here because you acknowledge these best practices. Honestly, that can be short, dry, and sweet, and you can get 100% completion.
“Did you do it?” “I did.” “Done.”
If you start thinking about training as a risk reduction tool, that is a very different experience. If you understand where people’s strengths and weaknesses are, you say, “I know that Susie has a hard time not downloading executables from the internet. I can then match the appropriate level of training,” knowledge transfer, “To ensure that she understands what she’s doing wrong and differently.” She may be perfectly fine at other aspects of it, sensitive data handling or phishing, but we’re tying her risk to the right level of training. By explaining to her that she’s not meeting the bar and this is a course-corrective action, it no longer needs to be funny. It is highly relevant to her so that she can step up and do her job and probably keep her job around that space.
It’s the same thing for any other kind of behavior. If you can identify the risk and use training to start course-correcting for that, that tool is risk reduction. We’ve lost sight of that, with training being treated as the outcome, when in fact it is one tool in a pretty large toolbox that you have available to you. Sometimes, installing a better control is way better. I hate training on long and secure passwords. I’d rather spend my time telling people how to use a Password Manager because, realistically, that’s going to get to the outcome I want much faster than teaching people how to remember long, complex passphrases, because that’s not feasible. Think about the toolbox as a whole, with training being one piece in it.
Awareness is an end state, and training is a tool.
Passphrases, a veteran of the security industry. Let’s get to one of the questions we had written down. This is the next question I was going to ask after Circus Arts. For those who are not fully versed in what exactly it is that Elevate does, to go back to one of the greatest office movies ever made, Office Space, what would you say you do here?
We’ve been leading up to this a little bit, but essentially, if you and I are in an elevator for 60 seconds, we create a security credit score for employees. We use their past security decisions, good and bad to paint a profile of risk for every individual, then based on that risk, we have playbooks that help course-correct for the areas of risk, improve and up-level those employees. The playbooks involve everything from providing highly tailored feedback to the employee and manager, adapting controls, adapting access, and creating full feedback loops to the organization and the security team around the risk posture of employees.
What this means is I can tell you how risky every person in your company is based on how they’ve handled data, phishing emails, malware, browsing, their device security, whether they report, and whether they have had any data violations, for example. Collectively putting all this information together paints a risk that is dynamic and true to what is happening at the moment. From there, we appropriately respond and provide the right level of support and risk reduction for that individual.
Shout out to the founders and also to the marketing department for putting together that spectacular answer to make sure people know exactly what it is that Elevate is doing. Let’s get to the actual founding. This is when the Monolith hit the planet Earth in 2001: A Space Odyssey. You co-founded Elevate with one of your peers from Salesforce at the time, Robert Fly. You guys were with one of the most exciting and dynamic industry-changing companies in the world. What motivated you to step away from this pillar of literally the entire economy, hang out your own shingle and say, “I’ve got something else to do”?
It was terrifying. It felt like jumping off a cliff and hoping that you had wings that would suddenly grow on your way down and they’ll get you right, at least, or someone packed a parachute for you. The short answer is, I couldn’t not. The way that I see it, human risk is the largest unsolved problem in security. We have had iterations and improvements on every other vertical and pillar of security, but the human element remains elusive to us and is our Achilles heel. If you take a look at the Verizon Data Breach Report of 2022, 82% of all breaches were due to the human element. In 2021, 85% and on and on.
We’re getting better.
It is our largest unsolved problem. For all the reasons we were talking about earlier around this, it’s a squishy or hard problem. I knew how to solve it. I know that this is a problem that requires both the analytics piece and an understanding of human nature, and between the experience that I had in building and running the team at Salesforce that was focused on security engagement and having an incredible cofounder, Robert Fly, who ran every other security team at Salesforce and had visibility into everything from the security tech stack through our detection and response, we had both.
We both realized there was no bigger problem that we wanted to solve. That’s why I wanted to do this. What ultimately got me to jump off the cliff was realizing that, at the end of the day, I would forever regret not knowing what it would have been like to try to solve this. That regret is a worse fate for me than having tried this and failed. I knew that I could not get to the end of my life and wonder what it would have been had I not tried this. It made me realize I had no choice. I had to do it. For me, that was my founding moment.
That’s pretty amazing, given how early you are in your professional career and your life, to be looking at the end of your life and being like, “I have to do this,” as someone who likes to hang from the ceiling on silks and could die before it happens.
That is one of my life philosophies. I keep enough of my affairs in order that I can ask, “If I should die tomorrow, would I feel okay about it?” It helps make sure that you say sorry more often. You appreciate and have gratitude for what you do have. It gives you the courage to do crazy things like start your own company. It works for me.
In digging into a little bit more on the existential side, why call it Elevate? You are creating something that is very new and feels pretty radically different from what anybody else is doing. You’re stepping away from a company that is a foundation of business globally, and you’ve got this new thing. You’ve used the word squishy a couple of times, which I appreciate because that’s a word that I’ve used more often. How do you name something like this? How do you communicate what you are doing in a way that people will understand that’s not called Behavioral Sciences LLC?
In founding Elevate Security, there were several things that were important to Robert and myself. One of them is we wanted to up-level security across the board. What I mean by that is, we wanted to solve the biggest unsolved problem. We wanted to elevate security from a risk perspective. We also wanted to do it in a way that started addressing some of the things that we don’t think are great about the security industry. There’s a lot of FUD in how we sell and talk about the risk. It sucks to be a CISO. When you get marketed to by vendors, it’s, “You’re hacked. You don’t know it without our product. Half protected. Half not. You’re one click away from the Wall Street Journal.” It’s a hard job already.
You start getting bombarded with all these fear-mongering messages and walk around the RSA or Black Hat floor. All of it is black backgrounds with green logos everywhere. We’re all doom and gloom. That has a toll on us. If you check out the UI we have as a product, website or imagery, everything that we show up from a brand perspective has been very intentional about ensuring that we answer in a different way to helping folks get empowered about solving this problem. Lastly, it’s the people who make this company, and we wanted to make sure that we were approaching security with a group of people that didn’t look like your traditional Israeli cybersecurity startup. Diversity is a board-level metric for us that we report to. We have a primarily female board.
As a company, we have spent a lot of energy and time recruiting for diversity, not females but also people of color, different ages, and demographic backgrounds. We are ensuring that when we think about creating a product and bringing it to market, it reflects the diversity of the customers we serve, the employees who we are trying to protect and that we as a company have hired and created a work environment for people whose differences are our strengths. It’s a different way of up-leveling and elevating security in this industry.
Were there any particular events when the two of you were at Salesforce that got the ball rolling? I’m sure that you were always thinking about what you’re going to do next, but were there some things that you could point at and be like, “We can do this better?” It’s not that they were doing it poorly, but someone can help this situation. Are there some monuments or milestones that you can recall that “It’s time to go do our thing?”
One of the teams that rolled up to Robert was the detection and response team. They are the most well-funded team in security. At that time, the person leading the team came to Robert and said, “It’d be great if we could get more budget. We need to up-level this kind of detection and response.” Robert asked Mike Johnson, who was running the team, “Where are your incidents coming from? What are you going to be doing with this money?” He was like, “The majority of our incidents are user-generated.” Then they realized we didn’t have the ability to pinpoint specifically where some of that risk is, where the repeat offenders are.
That was a light bulb moment. It’s like, “The user element is the reason we keep trying to play this whack-a-mole and we’re constantly cleaning up and trying to put out fires instead of trying to prevent them from happening in the first place.” That was probably light bulb moment number one, where there was realization internally at Salesforce, but also, this is true for almost every security team I’ve talked to since, “We spent so much money on the detection response on the cleanup than we do on the prevention. Installing sprinklers is much more effective than installing fire extinguishers and having the fire department on call.”
Back to the Salesforce story. Robert and I paired together and we looked at the data that the detection response team did have around risky users and began an early prototype of what is now Elevate, and realizing, “If we can create an understanding of where my team’s time and attention needed to go, we can start shifting this whole story. We saw an incredible reduction in phishing and click-throughs, increase in reporting rates and tailgating,” which was an issue for us there at the time. Slowly, we started seeing a significant drop in incidents.
By the time the whole program was in place, we saw an 80% reduction in phishing and click-through rates, and an overall reduction in user-generated incidents by close to 50%. We were seeing that there’s an incredible effect if you can measure this problem and start tackling it in a very precise and tailored way. Its outcomes were significant. To our earlier point, we realized there was a whole new approach to this that didn’t involve it. It involved more training. We very thoughtfully and articulately, with lots of whiteboard sessions, put together a plan that proved to be quite effective and successful. It gave us the chutzpah to leave our comfortable jobs as security executives to start this company.
Why am I picturing Samuel Jackson’s scene when Mike came to Robert asking for more budget, and he’s like, “How much more budget do you need? We are Salesforce. Let’s go fix the problem.” You have created this company that is doing something that is very different and interesting. It also calls on people to think outside of the traditional modes of thinking. What kinds of barriers have you run into when you come in to pitch the solution, whether it’s to the C-Suite or to the board? Are they saying, “There’s more training, technology and this? What is this behavior that you speak of? Who are these people that you are talking about?”
Any startup founder who’s creating a space that isn’t like a new feature or better way of doing something existing is creating a whole new way of tackling a problem.
1.0 as opposed to .1.
It’s a very different conversation, because when we talk about Elevate, people lean forward and say, “I get it. The workforce is a huge problem for me and it’s not solved. This approach makes perfect sense. We’ve seen it modeled with our credit scores and our insurance.” They totally get it. Then it’s, “I have to start moving the budget around. I don’t have a person who’s responsible for this. I have someone responsible for my compliance training and cleaning up when that doesn’t work.”
There’s no chief behavior officer.
What I keep thinking is like a human risk officer because we’re in security and focusing on risk reduction. There’s no human risk officer. This problem is divided among every single person on the security team. If you’re in security engineering, how do you tailor policies? How do you clean up after incidents if you’re in security operations? If you’re in awareness, how do you train? If you’re in compliance, how do you audit to make sure everyone has appropriate security training from a compliance perspective?
There’s no individual that is responsible for the end-to-end vision of how do we take what we’ve learned from our repeat offenders, and course correct our policies in our identity and access controls and appropriately apply the training to make sure that over time this risk is reduced in the same way that we might have a vulnerability manager for our software, product security or application security. We don’t have anyone.
Security awareness and training, both awareness is an end state, and training is a tool. We don’t have Nessus scanner responsibility. That is a tool, not the outcome you’re trying to achieve. All of this is saying it’s a new wave of how we start approaching security and security teams and getting preventative on this problem and not cleaning up. It takes folks some chewing to figure out, “Where does this live? Who do I give this to?” That’s been a journey over time.
Readers, I’m clasping my hands, prayer hands going, “It is such a great line. Where does this live? Who do we give this to?” That is something that I’ve been fascinated about because I’ve had the good fortune to work with Elevate for a while. We’ve talked about hardcore data analytics. You can keystroke log and all this other big brotherly type stuff, but then you can also record behavior and talk about the notion of behavior and psychology, but then quantify that. When you put those two things together, where does it go? Who gets that information? What is the expectation of actions they can take in order to secure their posture?
This is all part of the CISO organization. You bring in hardcore data on not the hardcore things that are easily trackable and understandable in a traditional sense, but now you are also bringing in the human behavioral aspect of that. How do you quantify that in a way that is actionable? We’ve talked about the credit score. Here are the things that you need to improve. Is it fair to say that there are people who would look at that and would also say squishy in maybe a less positive way than you have used it so far?
My experience here is that transparency and how you come up with a score are critical. The biggest feedback that I hear from any company that has a score is, “Show me how you get to that score.” The way you get ahead of it is through transparency. It’s like, “These are the data sets that we have pulled, the actions that have influence and understanding of why employees particularly are risky.” They navigated to the site. They clicked here and did all this.
Transparency is useful in feedback for the employee, but it’s also clear for the security team. It’s like, “I get why this person is ranked higher risk than others.” In doing so, you build trust and transparency around the data feeds and then you can start doing some awesome forward-leaning things. Behavioral Science, while I think a fascinating and interesting place to go, was one tool. With the things that we already have in place, you can adjust controls, identity and access. Once you can trust that the score is accurate and the data feeds are there, that’s where transparency comes in.
You can start doing incredible things by adapting your security posture to the individual where it stands. That’s one of the fundamental premises of Zero Trust. You can come into this conversation by calling it Adaptive Behavioral Science or you can talk about this as access based on dynamic risk, which is a different language than what we’re talking about. The same thing is creating a tailored experience based on the individual user’s risk level.
We can get into the whole notion of dynamic trust, dynamic risk, Zero Trust, and all that sort of thing. Don’t even get me into the linguistics aspect of it.
Moving on to the leadership corner. We’ve talked a little bit about how you like to hang from the ceilings wrapped up in fantastic silks. What do you do when you’re not doing this? What’s on your playlist? Are you reading anything? Magazines in the bathroom or on the coffee table, books on the table, horrible shows on Hulu or anything like that.
I am a new mom. I have a five-month-old at home. It’s my first kid.
You have no time to do anything.
I still have plenty of audiobooks, but my library has now changed around incorporating your identity as a founder or professional workforce, and as a parent. I’m reading some books. This is an awesome one for readers who are moms: Motherhood, Marriage and The Modern Dilemma. When it’s not related to parenting, I am reading another incredible book called The Timeless Way of Building. One of my fascinations is interior design and related to that is architecture. It’s an incredible book that talks about how spaces dictate how we move and interact. If we think that we have destiny and agency around how we’re experiencing space, we don’t realize that space has been designed a long time before we ever got there for the specific experience we’re having in it. It’s an incredibly eye-opening read.
I can almost remember all of it, but the speech that Meryl Streep gives in The Devil Wears Prada about the sweater that Anne Hathaway is wearing: it turns out it was designed exactly for her. That’s when you say, “The space was designed for you when you think you move into it and make it your own.” Any time for music?
I’m an active musician. I play both the harp and piano.
How did this not come up in the Googling? I’m embarrassed by my lack of research already.
I have pretty decent privacy settings, but I leave fun discovery easter eggs so people who read the show like this get things you can’t find on the internet about me.
When I’m not raising a five-month-old or founding one of the most interesting security companies, I kick back with my harp.
I’m learning how to jam on the piano. All of my harp sheet music and my piano skills are now jamming. I’ve been listening to a lot of Beatles and Abbey Road on repeat because I’m trying to learn all those songs on the piano.
Shameless plugs. You are fairly prolific. You appear on a lot of shows. Finally, on this one, you have been known to keynote every once in a while. You tend to write things down and publish them in various spots. You do some linking in and all of that sort of thing. For people that are looking for you, where can we find you?
LinkedIn’s going to be the best hub of all information. Everything that I post and write ultimately gets reposted on my LinkedIn page. Please do follow me there. If you have questions, or if you like or hate anything I talk about, please be respectful, send me a message and let me know what you think. I’d love to have a dialogue with you. That’s a great place to track all the things I’m doing. We’ll be at the upcoming Innovate Conference and probably a few more. RSA is going to be the next biggest one, but that’s a bajillion years away. Follow me on LinkedIn and we’ll send you all the places I’m speaking at next.
I got to give you mad love on the notion of saying if you hate anything I say because most of the guests don’t necessarily lean into that. Respect for like, “I’m ready. Let’s go. Let’s have the conversation.” Thank you very much for taking the time. You have no idea what I tossed. You’re like, “Let’s go.” I was like, “She’s been wrapped in bubble wrap since I got here. All of a sudden, she’s available. Let’s go.” We got much more to talk about. I always extend the invitation at the end of these things, but please come back. You’ve done much and are doing many things. We got lots more to talk about. Can we do this again?
That sounds great. I’ll bring my harp next time.
Thank you very much for joining us, but also to the audience, thank you for joining us. For more information on all that’s good in the world of cyber security, make sure you check us out. You can find us on LinkedIn and Facebook and the mothership, ElevateSecurity.com. That’s where you’ve got blogs, videos, links to these episodes if you don’t get them anywhere else and some pretty good stuff for Masha and maybe Robert too.
You can find me at @PackMatt73 across all the socials. Anywhere you go, that’s where we are, Apple, Audible, Gaana and all the fun places. Subscribe, rate and review. Give us five stars. If you join us, I promise you will never miss out on all the important folks who are doing great things in cyber security. Until then, we will see you next time.
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- LinkedIn – Masha Sedova
- Motherhood, Marriage and The Modern Dilemma
- The Timeless Way of Building
- @PackMatt73 – Matt Stephenson
About Masha Sedova
Masha Sedova is an award-winning people-security expert, speaker, and trainer focused on helping companies transform employees from a vulnerability into a key element of defense. She is the co-founder of Elevate Security, delivering the leading employee-risk management platform that provides visibility into employee risk while motivating employees to make better security decisions. Before Elevate, Sedova was a security executive at Salesforce where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers. In addition, she has been a member of the Board of Directors for the National Cyber Security Alliance and a regular presenter at conferences such as RSAC, Black Hat, OWASP, and SANS.