Last Friday, I shared on LinkedIn some amazing statistics we saw across our customers. That post just scratched the surface and deserves a deeper dive because the underlying lessons learned fly in the face of traditional InfoSec thinking.
Security is a Journey… But to Where?
Before starting Elevate Security, I was a 20+ year practitioner, building world-class security teams and organizations from scratch at Microsoft and Salesforce. There is one conversation I had with Parker Harris, CTO & Cofounder of Salesforce, that sticks with me to this day.
Here’s the slightly hazy recollection of it that still captures the point.
Me: Here are the three key programs we’re driving to improve our security and resiliency.
Parker: That’s great Robert, but you’ve been at Salesforce for several years. Every time you present, there’s great progress and execution, but I can’t help but ask—‘how do we know when we’ve done enough?’
Me: Security is a journey, Parker, not a destination.
Parker: Yes, but at what point does this become Sisyphean? The more tools we buy, the more threats we see. The more threats we see, the more staff we need. The more staff we need, the more tools we buy. Continue that cycle. Push the rock up the hill. Trust is our #1 value, but how do we know if we’re really making a difference?
I was thrown off a bit, but answered the question. Later that day, it hit me as a completely fair question when I put myself in his shoes.
In my history as a practitioner, I’d bought the best email security software. The best endpoint tools. The best gateways. The best identity systems, UEBA, and more.
I tried ‘best of breed’. I tried ‘best of suite’.
But my teams were still overwhelmed, no matter how big the team or the budget got.
Data: The Arbiter of Truth
So rather than continue to hire more people and ask for more budget, we dug into the data we had, to understand where a dollar spent would have the biggest impact on reducing risk.
As we looked at the data, there were lots of insights, but the two that stuck out the most were:
- About 90% of the issues we dealt with were ‘run of the mill’ problems (phishing, malware, and data handling)
- Only about 8% of our employees were causing 80% of the issues we needed to clean up
In fact, most of the things we had to clean up around phishing, email, browsing issues, data handling violations, etc., had a human component to them.
But, looking back, we’d largely ignored the people angle outside of some training content and phishing sims. Most of our energy was spent on devices, networks, applications, and data. Not the people.
Clearly, though, the technology we had purchased to protect our systems (and people) was failing, and that was on us to do better, not to put the blame on employees.
Exploring The Growing Ecosystem Of Evidence
We started Elevate based on this knowledge, because when you know who is risky and why, you now have a tractable problem that’s solvable. You can work with that to help continuously measure and drive down that risk through automated safeguards.
We’re now several years into building out the Elevate platform, and as one F500 customer said, we’re “light years ahead of the competition.” We now have a massive user risk database. I’ve been spending time with our data team to grok what types of trends we’re seeing and what value we’re seeing across customers in this data.
Wow, was I impressed!
We went customer by customer, looking at the most recent 6 months of data and comparing it to the prior 6 months. We looked across behaviors like phishing, data handling, malware, browsing, and more. We looked at workforce context. We looked at how folks were getting attacked. It was bliss for a data nerd like me.
The first customer, a Fortune 500 company we reviewed, had seen a:
- 73% reduction in data handling incidents
- 70% reduction in phishing clicks (measured on real emails at the email gateway, not on simulations)
- 373% improvement in employee reporting
The next customer, a large Financial Services company focused on reducing phishing risk, had seen a:
- 210% increase in employee reporting
- 67% decrease in phishing clicks (real world, not sims)
- 200% increase in phishing emails detected (outside their email gateway)
Does Security Really Strengthen by Focusing on People?
We kept going and kept finding similar amazing results. To the point where I began to question the numbers.
“It can’t be this good. There must be something wrong,” I told myself.
Fortunately, we had a solid control group for comparison. Several Elevate customers use us only for monitoring risk, and haven’t yet deployed any interventions or safeguards. Looking into those customers, we saw no statistically significant change in results. Beyond minor blips, the average risk profiles of employees month over month stayed the same.
Our control group, which was not using interventions, showed no change in risk, while customers deploying interventions showed massive improvements.
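As an added worked example (not Elevate Security's code, and the incident log below is constructed, not customer data), here is how the two analyses described on this page can be run over a plain incident log: the concentration check behind the "about 8% of employees cause 80% of the issues" observation, and the intervention-versus-control comparison, with a paired sign-flip permutation test so that "no statistically significant change" in the monitor-only cohort is an actual number rather than an impression. Employee IDs, the cohort labels and the event kinds are assumptions made for the example.

```python
"""Worked example added to this page (not Elevate Security's code or data).

  1. concentration(): what share of the roster accounts for 80% of incidents
  2. period_change() + sign_flip_pvalue(): prior vs. recent six months for an
     "intervention" cohort and a monitor-only "control" cohort
"""
from collections import Counter
from itertools import product
import random

KINDS = ("phishing_click", "data_handling", "malware")  # assumed event kinds

# Constructed per-employee incident counts (list index = employee number).
# Heavy-tailed on purpose: a handful of employees generate most incidents.
PRIOR = {
    "intervention": [20, 15, 10, 5] + [1] * 10 + [0] * 36,
    "control":      [18, 14, 12, 6] + [1] * 10 + [0] * 36,
}
RECENT = {
    "intervention": [6, 4, 3, 2] + [1] * 5 + [0] * 41,
    "control":      [17, 15, 12, 7] + [1] * 10 + [0] * 36,
}
# Every employee, including those with zero incidents (matters for "8% of staff").
ROSTER = {f"{c[0]}{i:02d}": c for c, counts in PRIOR.items() for i in range(len(counts))}


def build_log():
    """Expand the count tables into (employee, cohort, period, kind) records."""
    log = []
    for period, table in (("prior", PRIOR), ("recent", RECENT)):
        for cohort, counts in table.items():
            for idx, n in enumerate(counts):
                emp = f"{cohort[0]}{idx:02d}"
                for k in range(n):
                    log.append((emp, cohort, period, KINDS[k % len(KINDS)]))
    return log


def concentration(log, period, target=0.8):
    """Smallest share of the roster covering `target` of the period's incidents,
    plus the share of incidents that group actually covers."""
    per_emp = Counter(emp for emp, _, p, _ in log if p == period)
    total = sum(per_emp.values())
    covered = 0
    for n_users, (_, cnt) in enumerate(per_emp.most_common(), start=1):
        covered += cnt
        if covered >= target * total:
            return n_users / len(ROSTER), covered / total
    return 1.0, 1.0


def per_employee(log, cohort, period):
    """Per-employee counts for one cohort/period, zeros included, stable order."""
    per_emp = Counter(emp for emp, c, p, _ in log if c == cohort and p == period)
    return [per_emp[emp] for emp, c in sorted(ROSTER.items()) if c == cohort]


def period_change(log, cohort):
    """(prior total, recent total, percent change) for one cohort."""
    before = sum(per_employee(log, cohort, "prior"))
    after = sum(per_employee(log, cohort, "recent"))
    return before, after, 100.0 * (after - before) / before


def sign_flip_pvalue(before, after, n_samples=5000, seed=0):
    """Paired permutation test on prior-minus-recent differences per employee.
    If nothing changed, each difference is as likely negative as positive, so
    random sign flips should reach the observed total reduction often.
    Exact enumeration when few employees changed; Monte Carlo otherwise."""
    diffs = [b - a for b, a in zip(before, after) if b != a]
    if not diffs:
        return 1.0
    observed = abs(sum(diffs))
    if len(diffs) <= 16:
        hits = sum(abs(sum(s * d for s, d in zip(signs, diffs))) >= observed
                   for signs in product((1, -1), repeat=len(diffs)))
        return hits / 2 ** len(diffs)
    rng = random.Random(seed)
    hits = sum(abs(sum(rng.choice((1, -1)) * d for d in diffs)) >= observed
               for _ in range(n_samples))
    return (hits + 1) / (n_samples + 1)


if __name__ == "__main__":
    log = build_log()
    share_users, share_events = concentration(log, "prior")
    print(f"{share_users:.0%} of employees account for {share_events:.0%} of prior-period incidents")
    for cohort in PRIOR:
        b, a, pct = period_change(log, cohort)
        p = sign_flip_pvalue(per_employee(log, cohort, "prior"),
                             per_employee(log, cohort, "recent"))
        print(f"{cohort:13s} {b:3d} -> {a:3d} incidents ({pct:+.1f}%), paired sign-flip p = {p:.3f}")
```

The pairing matters: per-employee incident counts are heavy-tailed, so a plain difference-of-means test across fifty employees is dominated by where the three or four heavy hitters happen to land, and it will call a real 67% drop insignificant. Comparing each employee with their own prior-period count removes that noise, which is also why the control cohort, whose per-employee counts barely move, comes out with a p-value near 1.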
Why does this matter?
The obvious reason is it shows interventions work in reducing risk and your chance of incidents or breaches. Less obvious, these reductions in risk reduce the amount of whack-a-mole your security team has to do. YMMV, but for me, it’s also super important that we did this while maintaining extremely high customer employee satisfaction scores.
Elevate stands out as one of the small number of security products employees actually enjoy!
Along the journey of building Elevate and working with our customers, we’ve learned several key lessons about workforce risk management that are worth sharing for anyone building and managing security teams.
- Employee risk is not one-size-fits-all and neither are solutions
- You have to intelligently (and automatically) manage employee risk
- A gentle nudge can go a long way
We share the details of lessons learned in this related brief which includes customer improvement findings and the benefits of managing employee cyber risk.
Startups are on a Journey Too
We’re continuing to learn every day. Every new customer that joins us becomes part of our mission to better protect against employee risk. This entire space is early in its evolution and as the industry leaders that are “light years ahead” we appreciate any feedback or comments (good or bad) as it helps us and the community learn and challenge our thinking.
Have questions or feedback for us? Get in touch with our team here.