1 00:00:00,310 --> 00:00:03,520 [Music] 2 00:00:05,960 --> 00:00:08,480 we're small San Francisco based security 3 00:00:08,480 --> 00:00:09,960 and compliance automation startup I 4 00:00:09,960 --> 00:00:11,880 think you've all seen my slides now for 5 00:00:11,880 --> 00:00:13,200 a little while so thanks for bearing 6 00:00:13,200 --> 00:00:15,080 with us um if you've ever seen 7 00:00:15,080 --> 00:00:16,960 billboards with a llama and the slogan 8 00:00:16,960 --> 00:00:20,320 compliance that doesn't sock too much or 9 00:00:20,320 --> 00:00:21,840 happened upon this great Reddit thread 10 00:00:21,840 --> 00:00:23,920 that's us um as an aside this is my 11 00:00:23,920 --> 00:00:26,599 first ever time at s con um and my 12 00:00:26,599 --> 00:00:28,160 second time in Utah I have to say you 13 00:00:28,160 --> 00:00:29,320 all have it pretty great here it's 14 00:00:29,320 --> 00:00:30,880 beautiful I think I have a favorite new 15 00:00:30,880 --> 00:00:33,160 conference so thank you doubly excited 16 00:00:33,160 --> 00:00:34,960 to be here speaking with all of 17 00:00:34,960 --> 00:00:37,920 you so to introduce myself uh pirate of 18 00:00:37,920 --> 00:00:39,840 anti as part of the security teams at 19 00:00:39,840 --> 00:00:42,399 Robin Hood and Dropbox born hats within 20 00:00:42,399 --> 00:00:43,640 security and privacy engineering 21 00:00:43,640 --> 00:00:45,039 behavioral security engineering and 22 00:00:45,039 --> 00:00:47,280 security culture and it teams so kind of 23 00:00:47,280 --> 00:00:49,559 seen it all um before that I was and I 24 00:00:49,559 --> 00:00:51,120 still am a professional musician I play 25 00:00:51,120 --> 00:00:52,840 the viola I realize that doesn't sound 26 00:00:52,840 --> 00:00:55,199 as cool as some other instruments um and 27 00:00:55,199 --> 00:00:56,840 in real life you'll find me tping my 28 00:00:56,840 --> 00:00:59,280 personal life I've got two young kids um 29 00:00:59,280 --> 00:01:01,399 including a three 
month old uh and I'm 30 00:01:01,399 --> 00:01:03,680 constantly threat modeling and planning 31 00:01:03,680 --> 00:01:05,239 um and making lots of things on their 32 00:01:05,239 --> 00:01:06,479 Collective 33 00:01:06,479 --> 00:01:08,799 behalf today I'll be talking about V's 34 00:01:08,799 --> 00:01:10,360 approach to defining and scaling our 35 00:01:10,360 --> 00:01:11,840 security culture in an environment where 36 00:01:11,840 --> 00:01:13,759 we're all trying to do more with less as 37 00:01:13,759 --> 00:01:15,360 a small startup we're always TR trying 38 00:01:15,360 --> 00:01:17,040 to tackle things in a way that allows us 39 00:01:17,040 --> 00:01:19,479 to have multiplicative impact um and 40 00:01:19,479 --> 00:01:20,920 from what I've heard so far this week it 41 00:01:20,920 --> 00:01:23,320 sounds like a lot of you are in similar 42 00:01:23,320 --> 00:01:25,360 situations um and so I'll start by 43 00:01:25,360 --> 00:01:27,400 defining security culture providing an 44 00:01:27,400 --> 00:01:29,000 overview of the principles we use to 45 00:01:29,000 --> 00:01:31,360 approach um this atanta and I'll wrap up 46 00:01:31,360 --> 00:01:32,960 with some tips for how to scale your 47 00:01:32,960 --> 00:01:34,280 security culture and yourselves along 48 00:01:34,280 --> 00:01:35,680 the way and share some resources for 49 00:01:35,680 --> 00:01:36,439 getting 50 00:01:36,439 --> 00:01:38,320 started so you might be wondering why 51 00:01:38,320 --> 00:01:40,000 all this matters I'm sure we've all seen 52 00:01:40,000 --> 00:01:43,640 this statistic from the 2023 DB that 74% 53 00:01:43,640 --> 00:01:45,880 of breaches involve the human element 54 00:01:45,880 --> 00:01:47,399 whether through social engineering error 55 00:01:47,399 --> 00:01:50,119 or more we often jump to addressing this 56 00:01:50,119 --> 00:01:52,040 with the usual right simulated fishing 57 00:01:52,040 --> 00:01:53,799 attacks um looking at the rates of 58 00:01:53,799 --> 
00:01:55,560 fishing reporting and assigning 59 00:01:55,560 --> 00:01:57,520 remediation training um if someone 60 00:01:57,520 --> 00:01:59,399 interacts with a fishing email and I've 61 00:01:59,399 --> 00:02:01,280 been in this position to crafting 62 00:02:01,280 --> 00:02:03,560 convincing fishes um reporting on 63 00:02:03,560 --> 00:02:06,200 metrics and um even crafting Rules of 64 00:02:06,200 --> 00:02:07,600 Engagement for ensuring that these 65 00:02:07,600 --> 00:02:10,280 fishing campaigns go wonderfully um and 66 00:02:10,280 --> 00:02:11,560 if you're lucky you might be thinking 67 00:02:11,560 --> 00:02:13,400 about how to um hiring someone to 68 00:02:13,400 --> 00:02:15,400 specifically focus on security culture 69 00:02:15,400 --> 00:02:17,599 and awareness for your organization but 70 00:02:17,599 --> 00:02:19,800 what more can we do and differently 71 00:02:19,800 --> 00:02:21,360 especially if you're not someone who has 72 00:02:21,360 --> 00:02:23,120 those resources you don't have that 73 00:02:23,120 --> 00:02:25,000 headcount or you're part of a tiny team 74 00:02:25,000 --> 00:02:28,080 that's trying to do it all oops that was 75 00:02:28,080 --> 00:02:30,440 supposed to show up so what else can we 76 00:02:30,440 --> 00:02:32,720 do to help people exercise good security 77 00:02:32,720 --> 00:02:34,640 judgment and make informed security 78 00:02:34,640 --> 00:02:36,800 related decisions so enter security 79 00:02:36,800 --> 00:02:38,760 culture this matters because people are 80 00:02:38,760 --> 00:02:41,599 our best and strongest defense and in in 81 00:02:41,599 --> 00:02:44,440 today's day and age they may also make 82 00:02:44,440 --> 00:02:45,959 security related decisions in their 83 00:02:45,959 --> 00:02:47,440 personal lives that will impact their 84 00:02:47,440 --> 00:02:49,599 professional lives in addition having a 85 00:02:49,599 --> 00:02:51,680 healthy culture of security helps you do 86 00:02:51,680 --> 00:02:53,440 
the things you already do but better and 87 00:02:53,440 --> 00:02:55,480 with more support building a culture of 88 00:02:55,480 --> 00:02:57,000 security actually doesn't take as much 89 00:02:57,000 --> 00:02:59,239 effort as you might be worried about but 90 00:02:59,239 --> 00:03:01,840 it does take deliberate excuse me and 91 00:03:01,840 --> 00:03:03,400 conscious effort to Define it and get it 92 00:03:03,400 --> 00:03:06,200 up and running for 93 00:03:06,200 --> 00:03:08,480 real getting started at a foundational 94 00:03:08,480 --> 00:03:10,440 level at vanta my team defines security 95 00:03:10,440 --> 00:03:12,560 culture as the Norms behaviors and 96 00:03:12,560 --> 00:03:14,680 attitudes around security this can feel 97 00:03:14,680 --> 00:03:16,840 a little bit abstract so we have broken 98 00:03:16,840 --> 00:03:18,280 this down a little bit further into the 99 00:03:18,280 --> 00:03:20,080 following indicators of a strong 100 00:03:20,080 --> 00:03:21,519 security culture with a llama for 101 00:03:21,519 --> 00:03:24,760 dramatic effect first that vtin which is 102 00:03:24,760 --> 00:03:26,319 what we call our employees and staff 103 00:03:26,319 --> 00:03:28,680 care about security that is security is 104 00:03:28,680 --> 00:03:30,239 valued 105 00:03:30,239 --> 00:03:31,879 second that vant understand their 106 00:03:31,879 --> 00:03:33,080 responsibilities when it comes to 107 00:03:33,080 --> 00:03:34,959 keeping the company secure meaning they 108 00:03:34,959 --> 00:03:36,400 actually have the knowledge to make 109 00:03:36,400 --> 00:03:40,080 those decisions and lastly that they 110 00:03:40,080 --> 00:03:41,319 actually reach out when they have 111 00:03:41,319 --> 00:03:42,680 questions and need to make those 112 00:03:42,680 --> 00:03:44,120 informed security related decisions 113 00:03:44,120 --> 00:03:46,040 meaning that they practice the behaviors 114 00:03:46,040 --> 00:03:48,400 that you want to see and you really do 115 
00:03:48,400 --> 00:03:49,840 need all three to have a healthy 116 00:03:49,840 --> 00:03:52,360 security culture so for example someone 117 00:03:52,360 --> 00:03:53,959 can care about security and understand 118 00:03:53,959 --> 00:03:55,720 their responsibilities but they make a 119 00:03:55,720 --> 00:03:57,560 misguided decision because they opt to 120 00:03:57,560 --> 00:03:58,920 not ask for guidance at a critical 121 00:03:58,920 --> 00:04:00,920 Junction in their project 122 00:04:00,920 --> 00:04:02,120 an employee who doesn't care about 123 00:04:02,120 --> 00:04:03,879 security probably also doesn't 124 00:04:03,879 --> 00:04:05,159 understand their responsibilities and 125 00:04:05,159 --> 00:04:06,840 definitely will not reach out to you 126 00:04:06,840 --> 00:04:08,159 when they need to ask for security 127 00:04:08,159 --> 00:04:10,280 guidance so a healthy security culture 128 00:04:10,280 --> 00:04:12,799 requires all three operating together 129 00:04:12,799 --> 00:04:14,319 Lance spitzner put together this great 130 00:04:14,319 --> 00:04:15,519 list of what to look for these 131 00:04:15,519 --> 00:04:17,199 indicators for what this looks like 132 00:04:17,199 --> 00:04:18,399 including things like an employee 133 00:04:18,399 --> 00:04:20,440 feeling safe reporting an incident even 134 00:04:20,440 --> 00:04:23,639 if they may have caused it security um 135 00:04:23,639 --> 00:04:24,960 teams feeling comfortable asking the 136 00:04:24,960 --> 00:04:26,880 security team questions and getting the 137 00:04:26,880 --> 00:04:28,880 team involved in projects early on big 138 00:04:28,880 --> 00:04:31,080 win and requests to partner with 139 00:04:31,080 --> 00:04:32,360 security that come from many different 140 00:04:32,360 --> 00:04:34,320 teams across organization not just 141 00:04:34,320 --> 00:04:35,960 specific teams and 142 00:04:35,960 --> 00:04:39,039 more so in short as my teammate Allan 143 00:04:39,039 --> 00:04:40,960 says do you 
want to be a security team 144 00:04:40,960 --> 00:04:43,120 that people hide from or a team that 145 00:04:43,120 --> 00:04:44,960 they come to not to give it away or 146 00:04:44,960 --> 00:04:46,280 anything but we certainly would like to 147 00:04:46,280 --> 00:04:48,280 be a team that people come 148 00:04:48,280 --> 00:04:50,639 to so to make that happen with a small 149 00:04:50,639 --> 00:04:52,120 team at a fast moving startup here are 150 00:04:52,120 --> 00:04:54,320 three ways we approach this so first 151 00:04:54,320 --> 00:04:55,840 establishing Partnerships with cross 152 00:04:55,840 --> 00:04:57,840 functional teams this allows us to scale 153 00:04:57,840 --> 00:04:59,759 our impact in ways that we otherwise 154 00:04:59,759 --> 00:05:01,800 would not be able to do ourselves we 155 00:05:01,800 --> 00:05:03,240 regularly partner with teams that come 156 00:05:03,240 --> 00:05:05,199 to you know to mind like it or 157 00:05:05,199 --> 00:05:06,639 Enterprise engineering team is what we 158 00:05:06,639 --> 00:05:08,800 call it privacy risk and compliance and 159 00:05:08,800 --> 00:05:10,360 engineering and product dog fooding our 160 00:05:10,360 --> 00:05:12,759 own product but partnering with our 161 00:05:12,759 --> 00:05:14,479 Communications team and our leadership 162 00:05:14,479 --> 00:05:15,960 team have been really effective for 163 00:05:15,960 --> 00:05:17,880 strengthening our security culture an 164 00:05:17,880 --> 00:05:19,960 example of a small ask High leverage 165 00:05:19,960 --> 00:05:22,400 item is something we call 60 seconds of 166 00:05:22,400 --> 00:05:24,400 security it's a regular slot on our 167 00:05:24,400 --> 00:05:26,440 company all hands and we use this slot 168 00:05:26,440 --> 00:05:28,319 to share a security update or a reminder 169 00:05:28,319 --> 00:05:30,199 or a tip either from someone on security 170 00:05:30,199 --> 00:05:31,759 or for more of a splash and honestly 171 00:05:31,759 --> 00:05:33,800 more 
impact from someone else at the 172 00:05:33,800 --> 00:05:35,680 company honestly it's more like 2 173 00:05:35,680 --> 00:05:37,039 minutes of security it's hard to pack it 174 00:05:37,039 --> 00:05:39,280 into 60 seconds but 60 seconds sounds 175 00:05:39,280 --> 00:05:41,000 much cooler but the real point is that 176 00:05:41,000 --> 00:05:42,520 Hearing security messages that come from 177 00:05:42,520 --> 00:05:44,160 across the company especially from 178 00:05:44,160 --> 00:05:46,280 leadership helps drive home those points 179 00:05:46,280 --> 00:05:47,680 in a way that's even stronger than just 180 00:05:47,680 --> 00:05:50,280 coming from us um and yes that is a 181 00:05:50,280 --> 00:05:51,520 sheep getting Zapped by lightning 182 00:05:51,520 --> 00:05:53,600 because they clearly plugged into USB um 183 00:05:53,600 --> 00:05:55,479 we also issue periodic threat briefings 184 00:05:55,479 --> 00:05:57,520 for any bad actor activity that we see 185 00:05:57,520 --> 00:05:59,120 that may be relevant to our employees or 186 00:05:59,120 --> 00:06:02,400 our company so people aren't left 187 00:06:02,520 --> 00:06:04,880 wondering we also create and use selfs 188 00:06:04,880 --> 00:06:07,240 serve resources and workflows so that 189 00:06:07,240 --> 00:06:09,400 vants can help themselves this then 190 00:06:09,400 --> 00:06:11,120 frees up our team's time for work that's 191 00:06:11,120 --> 00:06:13,479 higher leverage or more urgent or more 192 00:06:13,479 --> 00:06:15,599 impactful so some examples include 193 00:06:15,599 --> 00:06:16,840 building and self- serve Security 194 00:06:16,840 --> 00:06:18,319 workflows in our internal ticketing 195 00:06:18,319 --> 00:06:20,479 system for different types of access and 196 00:06:20,479 --> 00:06:23,039 software requests a team Wiki with 197 00:06:23,039 --> 00:06:24,880 resources tips and frequently asked 198 00:06:24,880 --> 00:06:26,680 questions that apply to different orgs 199 00:06:26,680 --> 
00:06:28,599 and different roles and a security team 200 00:06:28,599 --> 00:06:30,440 decision log so we be really consistent 201 00:06:30,440 --> 00:06:32,800 and clear in our guidance we're also 202 00:06:32,800 --> 00:06:34,280 around for Consulting and questions as 203 00:06:34,280 --> 00:06:36,120 needed but having those resources in 204 00:06:36,120 --> 00:06:38,080 place allows our internal teams to take 205 00:06:38,080 --> 00:06:40,120 steps on their own and for us to just be 206 00:06:40,120 --> 00:06:41,960 pulled in when needed and when people 207 00:06:41,960 --> 00:06:43,360 reach out we're really timely we're 208 00:06:43,360 --> 00:06:44,800 human we're supportive with how we 209 00:06:44,800 --> 00:06:46,680 respond and we work to understand each 210 00:06:46,680 --> 00:06:48,199 situation or question and find the best 211 00:06:48,199 --> 00:06:50,599 path forward hand inhand with those 212 00:06:50,599 --> 00:06:52,639 self- serve resources we use a shared 213 00:06:52,639 --> 00:06:54,160 responsibility model for practicing 214 00:06:54,160 --> 00:06:55,479 strong security hygiene and following 215 00:06:55,479 --> 00:06:57,720 our security policies so as a security 216 00:06:57,720 --> 00:06:59,120 company you know this is obviously part 217 00:06:59,120 --> 00:07:00,360 of every team's Charter and 218 00:07:00,360 --> 00:07:02,879 responsibility not only for vanta itself 219 00:07:02,879 --> 00:07:04,120 but more importantly for our customers 220 00:07:04,120 --> 00:07:06,039 and their data but as a team we're 221 00:07:06,039 --> 00:07:07,360 really deliberate about sharing the love 222 00:07:07,360 --> 00:07:09,080 for security and explicitly stay away 223 00:07:09,080 --> 00:07:11,960 from fear-based messaging we also avoid 224 00:07:11,960 --> 00:07:13,360 any messaging that could convey that 225 00:07:13,360 --> 00:07:15,000 security is always watching or that it's 226 00:07:15,000 --> 00:07:17,080 Security's responsibility this could 
227 00:07:17,080 --> 00:07:18,319 take away from the agency that 228 00:07:18,319 --> 00:07:19,960 individuals and their teams have over 229 00:07:19,960 --> 00:07:21,560 their security and safety in their own 230 00:07:21,560 --> 00:07:22,599 day-to-day 231 00:07:22,599 --> 00:07:25,080 work and as a security team we primarily 232 00:07:25,080 --> 00:07:27,160 interact with our employees vtin either 233 00:07:27,160 --> 00:07:30,120 in person or um over Slack or tooling or 234 00:07:30,120 --> 00:07:31,840 systems that the security team builds or 235 00:07:31,840 --> 00:07:33,560 maintains so I'll dive into talking 236 00:07:33,560 --> 00:07:35,280 about those human and tooling touch 237 00:07:35,280 --> 00:07:37,599 points 238 00:07:38,039 --> 00:07:40,280 next so let's start with the human 239 00:07:40,280 --> 00:07:42,039 interactions and the principles that we 240 00:07:42,039 --> 00:07:45,039 use behind them one is culture of yes my 241 00:07:45,039 --> 00:07:47,440 team's job is to help Vantin again is 242 00:07:47,440 --> 00:07:49,639 what we call our staff do their jobs in 243 00:07:49,639 --> 00:07:51,720 a way that maintains security privacy 244 00:07:51,720 --> 00:07:53,800 and reliability while feeling supported 245 00:07:53,800 --> 00:07:55,759 and enabled our goal is to nurture a 246 00:07:55,759 --> 00:07:58,039 culture or teams come to us to work 247 00:07:58,039 --> 00:08:00,280 towards Solutions together and where we 248 00:08:00,280 --> 00:08:02,199 understand areas of friction toward um 249 00:08:02,199 --> 00:08:05,039 against security controls and guidance 250 00:08:05,039 --> 00:08:06,919 two is guards are better than Gates um 251 00:08:06,919 --> 00:08:08,400 the experience and productivity ADV 252 00:08:08,400 --> 00:08:10,080 anant is critical to making sure our 253 00:08:10,080 --> 00:08:12,440 systems and processes um are more secure 254 00:08:12,440 --> 00:08:14,319 especially that of our developers and 255 00:08:14,319 --> 
00:08:15,440 we're constantly working to create 256 00:08:15,440 --> 00:08:16,840 guardrails that make the right and 257 00:08:16,840 --> 00:08:18,520 secure things super easy to do and 258 00:08:18,520 --> 00:08:20,199 intuitive instead of gates that make 259 00:08:20,199 --> 00:08:22,919 people hide from us three be predictable 260 00:08:22,919 --> 00:08:25,280 and consistent we provide practical and 261 00:08:25,280 --> 00:08:26,720 consistent guidance and we're really 262 00:08:26,720 --> 00:08:28,080 transparent when we don't know where the 263 00:08:28,080 --> 00:08:30,039 right answer is um we want to make sure 264 00:08:30,039 --> 00:08:31,840 folks don't have to guess our position 265 00:08:31,840 --> 00:08:33,679 or go shopping for answers from 266 00:08:33,679 --> 00:08:35,559 different people and the decision log I 267 00:08:35,559 --> 00:08:36,799 mentioned earlier is one way we stay 268 00:08:36,799 --> 00:08:38,200 really consistent and hold ourselves 269 00:08:38,200 --> 00:08:41,080 accountable as a team four security is 270 00:08:41,080 --> 00:08:43,240 accessible so we provide regular updates 271 00:08:43,240 --> 00:08:44,399 to the whole company about what we're 272 00:08:44,399 --> 00:08:46,440 working on a team and and why which 273 00:08:46,440 --> 00:08:47,880 helps partner teams understand what our 274 00:08:47,880 --> 00:08:49,800 priorities are we have missed sending 275 00:08:49,800 --> 00:08:51,120 one out and people were like where is 276 00:08:51,120 --> 00:08:54,320 the update um we create fun and inviting 277 00:08:54,320 --> 00:08:55,519 and accessible ways to learn about 278 00:08:55,519 --> 00:08:57,959 security such as tabletop exercises open 279 00:08:57,959 --> 00:09:00,600 to lots of people CT FS a slack channel 280 00:09:00,600 --> 00:09:01,959 that serves as our lightweight security 281 00:09:01,959 --> 00:09:04,600 reading club and more and five is build 282 00:09:04,600 --> 00:09:06,200 a security mindset from the start 
so to 283 00:09:06,200 --> 00:09:08,160 help make sure that each Von plays a 284 00:09:08,160 --> 00:09:10,160 role in keeping our company secure we 285 00:09:10,160 --> 00:09:11,920 introduce Security on day one when new 286 00:09:11,920 --> 00:09:14,200 folks on board and during the session we 287 00:09:14,200 --> 00:09:16,519 provide practical Hands-On training and 288 00:09:16,519 --> 00:09:18,079 we regularly provide additional team 289 00:09:18,079 --> 00:09:20,760 trainings as needed so here's a couple 290 00:09:20,760 --> 00:09:22,800 examples I know those are all principles 291 00:09:22,800 --> 00:09:25,079 um so there's you know invites to fund 292 00:09:25,079 --> 00:09:27,160 security learning with optional monthly 293 00:09:27,160 --> 00:09:30,320 ctfs tabletops and events events we make 294 00:09:30,320 --> 00:09:32,279 learning about security and privacy fun 295 00:09:32,279 --> 00:09:34,519 engaging in high quality here are two 296 00:09:34,519 --> 00:09:36,320 images from um screen grabs from our 297 00:09:36,320 --> 00:09:38,279 security training video we also offer 298 00:09:38,279 --> 00:09:40,000 our customers the same exact library of 299 00:09:40,000 --> 00:09:42,079 security and privacy training and then 300 00:09:42,079 --> 00:09:43,480 here are some examples of the type of 301 00:09:43,480 --> 00:09:45,560 security engagement we get in slack 302 00:09:45,560 --> 00:09:47,320 questions that are fueled by curiosity 303 00:09:47,320 --> 00:09:49,040 such as the question in yellow about 304 00:09:49,040 --> 00:09:52,600 ubis care right in purple and 305 00:09:52,600 --> 00:09:54,440 responsibility folks just asking ahead 306 00:09:54,440 --> 00:09:56,040 of time to make sure there's no security 307 00:09:56,040 --> 00:09:57,720 implications or considerations they 308 00:09:57,720 --> 00:10:00,800 should take into account ahead of time 309 00:10:00,800 --> 00:10:02,240 we also run regular surveys I know 310 00:10:02,240 --> 00:10:03,640 there's 
a lot of skepticism in general 311 00:10:03,640 --> 00:10:05,320 about surveys but the goal here is just 312 00:10:05,320 --> 00:10:06,800 to understand and measure our security 313 00:10:06,800 --> 00:10:08,680 culture and friction against that and 314 00:10:08,680 --> 00:10:10,399 give people an outlet to share their 315 00:10:10,399 --> 00:10:12,519 feedback so here are some examples of 316 00:10:12,519 --> 00:10:14,680 the questions we've asked we run these 317 00:10:14,680 --> 00:10:16,600 twice a year across our whole company 318 00:10:16,600 --> 00:10:18,000 it's a joint survey with our friends on 319 00:10:18,000 --> 00:10:20,160 privacy risk and compliance as well as 320 00:10:20,160 --> 00:10:21,959 our it team a few things that have 321 00:10:21,959 --> 00:10:23,680 helped people are really really busy and 322 00:10:23,680 --> 00:10:25,399 they don't want to take your survey and 323 00:10:25,399 --> 00:10:26,839 so we um you know make sure we 324 00:10:26,839 --> 00:10:29,240 communicate a clear expectation of time 325 00:10:29,240 --> 00:10:31,480 could take survey is optional all 326 00:10:31,480 --> 00:10:33,480 questions are optional and lastly we 327 00:10:33,480 --> 00:10:35,040 have a free response section so people 328 00:10:35,040 --> 00:10:36,920 can share more detail on their feedback 329 00:10:36,920 --> 00:10:38,200 especially if it doesn't fit into an 330 00:10:38,200 --> 00:10:39,800 existing 331 00:10:39,800 --> 00:10:42,240 question and finally I mentioned how um 332 00:10:42,240 --> 00:10:43,720 we introduced security from the start 333 00:10:43,720 --> 00:10:46,120 day one when folks on board we deliver 334 00:10:46,120 --> 00:10:47,519 this through a rotation of folks in our 335 00:10:47,519 --> 00:10:49,800 security and our it teams employee 336 00:10:49,800 --> 00:10:51,440 onboarding is always super busy it's a 337 00:10:51,440 --> 00:10:53,200 critical time and we worked closely with 338 00:10:53,200 --> 00:10:55,200 our people or 
HR team to get this set up 339 00:10:55,200 --> 00:10:57,600 on day one here are a couple examples of 340 00:10:57,600 --> 00:10:59,279 the interaction interaction Ive 341 00:10:59,279 --> 00:11:01,519 discussions and the exercises we do we 342 00:11:01,519 --> 00:11:03,480 try to keep it as Lively and applied as 343 00:11:03,480 --> 00:11:05,560 possible um you know questions where 344 00:11:05,560 --> 00:11:07,160 people are asked to consider their roles 345 00:11:07,160 --> 00:11:08,800 and the sensitive information they may 346 00:11:08,800 --> 00:11:10,800 have and who might want it it's not a 347 00:11:10,800 --> 00:11:12,000 question that most people have thought 348 00:11:12,000 --> 00:11:13,120 through before they start at your 349 00:11:13,120 --> 00:11:15,800 company and then um in the grid you know 350 00:11:15,800 --> 00:11:17,160 we talk a lot about social engineering 351 00:11:17,160 --> 00:11:18,360 but we really break it down into what 352 00:11:18,360 --> 00:11:20,680 are the emotional tactics at play and 353 00:11:20,680 --> 00:11:22,040 then we go through a couple exercises 354 00:11:22,040 --> 00:11:23,839 where folks are asked identify those 355 00:11:23,839 --> 00:11:25,720 emotional tactics so they can do that in 356 00:11:25,720 --> 00:11:27,639 real life 357 00:11:27,639 --> 00:11:29,920 too moving done to tooling here are a 358 00:11:29,920 --> 00:11:31,279 few principles we keep in mind as a 359 00:11:31,279 --> 00:11:32,959 super small and mighty team one is to 360 00:11:32,959 --> 00:11:35,160 prioritize developer experience so in 361 00:11:35,160 --> 00:11:36,279 order to ensure we have the greatest 362 00:11:36,279 --> 00:11:37,680 adoption of tooling it's important for 363 00:11:37,680 --> 00:11:39,600 us to understand and address those 364 00:11:39,600 --> 00:11:41,800 potential points of friction um and also 365 00:11:41,800 --> 00:11:43,120 to use workflows that our developers 366 00:11:43,120 --> 00:11:45,040 already use as 
mentioned earlier we 367 00:11:45,040 --> 00:11:47,160 measure friction through that survey um 368 00:11:47,160 --> 00:11:48,800 and we work to reduce this over time and 369 00:11:48,800 --> 00:11:50,399 people see that and they understand that 370 00:11:50,399 --> 00:11:52,279 they can provide really honest feedback 371 00:11:52,279 --> 00:11:54,440 and we will read every single response 372 00:11:54,440 --> 00:11:55,680 in addition we're always working to push 373 00:11:55,680 --> 00:11:57,200 controls closer to the building phase of 374 00:11:57,200 --> 00:11:59,040 the software development process we 375 00:11:59,040 --> 00:12:00,720 champion and we use tools that 376 00:12:00,720 --> 00:12:02,160 prioritize reduction of developer 377 00:12:02,160 --> 00:12:03,279 fatigue and we provide them with 378 00:12:03,279 --> 00:12:05,600 self-served resources such as semrep and 379 00:12:05,600 --> 00:12:07,600 socket um and giving them the agency to 380 00:12:07,600 --> 00:12:10,600 dismiss findings as well U minimizing 381 00:12:10,600 --> 00:12:12,000 alert fatigue we're always working to f- 382 00:12:12,000 --> 00:12:13,519 tune our monitoring and alerting 383 00:12:13,519 --> 00:12:14,959 especially for things that go beyond our 384 00:12:14,959 --> 00:12:17,800 team um to minimize alert fatigue and uh 385 00:12:17,800 --> 00:12:19,639 easy dismissal of alerts that does 386 00:12:19,639 --> 00:12:21,199 create a negative culture of clicking 387 00:12:21,199 --> 00:12:22,399 through security speed bumps and 388 00:12:22,399 --> 00:12:25,160 ultimately ignoring them and lastly um 389 00:12:25,160 --> 00:12:26,680 secure by default right so we want to 390 00:12:26,680 --> 00:12:28,079 build systems and processes that are 391 00:12:28,079 --> 00:12:29,480 secure out of the box 392 00:12:29,480 --> 00:12:30,920 there's no way though that we can 393 00:12:30,920 --> 00:12:32,480 possibly conceive of every need or 394 00:12:32,480 --> 00:12:34,320 requirement so we try 
to build options 395 00:12:34,320 --> 00:12:36,480 with enough flexibility um so that teams 396 00:12:36,480 --> 00:12:38,399 can use them to make informed decisions 397 00:12:38,399 --> 00:12:39,639 and our goal again is to balance the 398 00:12:39,639 --> 00:12:40,639 right levels of security and 399 00:12:40,639 --> 00:12:42,279 productivity and to provide clear 400 00:12:42,279 --> 00:12:43,560 guidance when 401 00:12:43,560 --> 00:12:45,880 needed so here are a few examples of the 402 00:12:45,880 --> 00:12:47,360 principles behind our tooling touch 403 00:12:47,360 --> 00:12:49,600 points um such as our use of tools like 404 00:12:49,600 --> 00:12:52,320 semrep um we do you know review any new 405 00:12:52,320 --> 00:12:54,000 and dismissed findings and we can jump 406 00:12:54,000 --> 00:12:56,000 in with a code review to manually triage 407 00:12:56,000 --> 00:12:59,000 or address them self- serve guidance for 408 00:12:59,000 --> 00:13:00,519 developers with a good sense of humor 409 00:13:00,519 --> 00:13:02,079 that speaks to all levels of experience 410 00:13:02,079 --> 00:13:04,880 and background we use a ticketing system 411 00:13:04,880 --> 00:13:06,680 to streamline reviews and requests I 412 00:13:06,680 --> 00:13:08,639 mentioned this earlier we have some Auto 413 00:13:08,639 --> 00:13:10,839 approvals for requests and lowrisk apps 414 00:13:10,839 --> 00:13:12,920 that are role-based and then others that 415 00:13:12,920 --> 00:13:14,360 require more levels of review and 416 00:13:14,360 --> 00:13:16,360 approval this kind of system allows 417 00:13:16,360 --> 00:13:18,240 vanton to selfs serve in a secure and 418 00:13:18,240 --> 00:13:20,360 auditable way um with visibility in the 419 00:13:20,360 --> 00:13:22,760 right chain of approvals as 420 00:13:22,760 --> 00:13:24,600 needed and lastly here are some 421 00:13:24,600 --> 00:13:26,040 responses from that friction survey I 422 00:13:26,040 --> 00:13:27,480 mentioned a little bit earlier 
423 00:13:27,480 --> 00:13:29,440 specifically from Developers um these 424 00:13:29,440 --> 00:13:30,800 responses definitely made us feel really 425 00:13:30,800 --> 00:13:32,399 relieved I don't know that in my life I 426 00:13:32,399 --> 00:13:34,079 will ever hear someone say I feel really 427 00:13:34,079 --> 00:13:35,600 good about working with security but I 428 00:13:35,600 --> 00:13:37,680 was really happy for that um and don't 429 00:13:37,680 --> 00:13:39,440 worry we did also get plenty of critical 430 00:13:39,440 --> 00:13:40,760 feedback but you can see that people are 431 00:13:40,760 --> 00:13:42,920 fairly honest um and we really 432 00:13:42,920 --> 00:13:45,560 appreciated that 433 00:13:45,680 --> 00:13:47,800 sentiment another example is investing 434 00:13:47,800 --> 00:13:49,240 in building our company's muscle for 435 00:13:49,240 --> 00:13:51,040 threat modeling not something only done 436 00:13:51,040 --> 00:13:53,639 by security so here's an example from a 437 00:13:53,639 --> 00:13:55,199 threat modeling exercise we did with a 438 00:13:55,199 --> 00:13:57,240 product team recently on a new feature 439 00:13:57,240 --> 00:13:59,959 using a super simple template and figma 440 00:13:59,959 --> 00:14:01,320 um and lightweight questions for 441 00:14:01,320 --> 00:14:02,800 discussion we guided them through the 442 00:14:02,800 --> 00:14:04,279 initial portion and then let them threat 443 00:14:04,279 --> 00:14:06,480 model on their own um not only did the 444 00:14:06,480 --> 00:14:08,440 team continue the discussion well beyond 445 00:14:08,440 --> 00:14:10,160 the session itself but they've actually 446 00:14:10,160 --> 00:14:12,279 continued to carry this mindset forward 447 00:14:12,279 --> 00:14:14,240 they'll check in with us um and they've 448 00:14:14,240 --> 00:14:15,720 even had some really good laughs like 449 00:14:15,720 --> 00:14:18,000 along the way this is a type of work 450 00:14:18,000 --> 00:14:20,720 that enables us to 
scale ourselves by 451 00:14:20,720 --> 00:14:23,519 scaling our security 452 00:14:24,199 --> 00:14:26,360 culture so as we look to apply this to 453 00:14:26,360 --> 00:14:27,839 your organizations and companies I did 454 00:14:27,839 --> 00:14:29,519 promise some tips and resources for 455 00:14:29,519 --> 00:14:31,600 leveling up and here it is I may have 456 00:14:31,600 --> 00:14:33,680 oversimplified this but I think this 457 00:14:33,680 --> 00:14:35,040 could actually be three steps that would 458 00:14:35,040 --> 00:14:37,639 be a short team exercise 30 to 45 459 00:14:37,639 --> 00:14:39,600 minutes depending on how you run 460 00:14:39,600 --> 00:14:42,399 it so step one is all about foundational 461 00:14:42,399 --> 00:14:43,800 questions for designing a security 462 00:14:43,800 --> 00:14:45,839 culture you want to see if you're new to 463 00:14:45,839 --> 00:14:47,440 thinking about security culture these 464 00:14:47,440 --> 00:14:49,440 will be foundational questions but if 465 00:14:49,440 --> 00:14:50,839 you've kind of been there and done that 466 00:14:50,839 --> 00:14:51,959 and thought about these these will be 467 00:14:51,959 --> 00:14:53,480 more reminders and considerations to 468 00:14:53,480 --> 00:14:54,959 keep in mind when you're either refining 469 00:14:54,959 --> 00:14:57,639 or expanding upon it so first take a 470 00:14:57,639 --> 00:14:58,959 step back and ask yourself some 471 00:14:58,959 --> 00:15:00,800 questions to imion what you'd like and 472 00:15:00,800 --> 00:15:02,800 what you could work with so for example 473 00:15:02,800 --> 00:15:04,160 what does a healthy security culture 474 00:15:04,160 --> 00:15:05,800 look like to you and your organization 475 00:15:05,800 --> 00:15:07,399 right another way to think about this 476 00:15:07,399 --> 00:15:08,920 what are the Norms behaviors and 477 00:15:08,920 --> 00:15:10,399 attitudes towards security you would 478 00:15:10,399 --> 00:15:12,680 actually like to see two what 
are your 479 00:15:12,680 --> 00:15:14,240 areas of security friction currently 480 00:15:14,240 --> 00:15:15,320 where your team could make the most 481 00:15:15,320 --> 00:15:16,800 impact, and what could you do to reduce 482 00:15:16,800 --> 00:15:18,959 those? Could also be current areas of 483 00:15:18,959 --> 00:15:20,440 security confusion, if people don't know 484 00:15:20,440 --> 00:15:22,800 how to get help. Three, what are three 485 00:15:22,800 --> 00:15:24,199 things you want to be known for as a 486 00:15:24,199 --> 00:15:26,360 security team, regardless of whether 487 00:15:26,360 --> 00:15:27,839 you're a team of one or if you're a team 488 00:15:27,839 --> 00:15:29,199 of many? 489 00:15:29,199 --> 00:15:30,959 Four, what are your team's interests, 490 00:15:30,959 --> 00:15:32,880 skill sets and goals? If you're wondering 491 00:15:32,880 --> 00:15:34,319 how this last one is related, it's not 492 00:15:34,319 --> 00:15:36,480 really, but it can help you be 493 00:15:36,480 --> 00:15:38,319 creative as you figure out with your 494 00:15:38,319 --> 00:15:40,000 team how you want to approach being more 495 00:15:40,000 --> 00:15:41,279 deliberate about building your security 496 00:15:41,279 --> 00:15:42,519 culture. For example, who might want to 497 00:15:42,519 --> 00:15:44,639 host the tabletop? Someone might want 498 00:15:44,639 --> 00:15:46,319 to give an internal talk, so on and so 499 00:15:46,319 --> 00:15:48,279 forth. Answering these questions can help 500 00:15:48,279 --> 00:15:49,240 you understand the shape of your 501 00:15:49,240 --> 00:15:51,040 security culture and paths toward what 502 00:15:51,040 --> 00:15:52,920 you want to 503 00:15:52,920 --> 00:15:55,120 build. Next, if you feel like you're a 504 00:15:55,120 --> 00:15:56,759 security team that people hide from, or 505 00:15:56,759 --> 00:15:58,600 even if you're not, here's a 506 00:15:58,600 --> 00:15:59,920 practical framework for just 507 00:15:59,920 -->
00:16:01,000 understanding your current state of 508 00:16:01,000 --> 00:16:02,480 security culture and what opportunities 509 00:16:02,480 --> 00:16:04,399 you could tackle. I've divided this into 510 00:16:04,399 --> 00:16:05,680 three sections just based on what's 511 00:16:05,680 --> 00:16:07,600 worked well for us at Vanta: 512 00:16:07,600 --> 00:16:09,279 security partnerships, self-serve 513 00:16:09,279 --> 00:16:12,000 resources, and strong security hygiene. 514 00:16:12,000 --> 00:16:13,519 For security partnerships, think about 515 00:16:13,519 --> 00:16:14,959 what can help you extend your impact, 516 00:16:14,959 --> 00:16:16,160 whether it's something like updating a 517 00:16:16,160 --> 00:16:19,000 shared company process, you know, to 518 00:16:19,000 --> 00:16:21,240 include a good risk assessment, 519 00:16:21,240 --> 00:16:22,639 or partnering with another team on a 520 00:16:22,639 --> 00:16:24,440 direct initiative, like your workplace or 521 00:16:24,440 --> 00:16:26,279 facilities team on a framework of 522 00:16:26,279 --> 00:16:27,680 physical security controls for global 523 00:16:27,680 --> 00:16:29,639 office build-outs. Look at the underlying 524 00:16:29,639 --> 00:16:31,399 data you have, such as around incidents 525 00:16:31,399 --> 00:16:33,360 or questions, and look for patterns to 526 00:16:33,360 --> 00:16:34,839 see if there's any high-leverage items 527 00:16:34,839 --> 00:16:37,040 you can tackle first. Are there any other 528 00:16:37,040 --> 00:16:38,360 opportunities for strengthening your 529 00:16:38,360 --> 00:16:39,680 culture, and is there anyone who can 530 00:16:39,680 --> 00:16:41,680 support you? And then at larger 531 00:16:41,680 --> 00:16:43,240 organizations it can sometimes help to 532 00:16:43,240 --> 00:16:45,360 have an executive sponsor who helps 533 00:16:45,360 --> 00:16:46,920 champion your security culture and gets 534 00:16:46,920 --> 00:16:48,120 you additional visibility at that 535
00:16:48,120 --> 00:16:49,959 leadership level. This does help you 536 00:16:49,959 --> 00:16:51,959 multiply your impact and make sure that 537 00:16:51,959 --> 00:16:53,839 the message is getting across to the right 538 00:16:53,839 --> 00:16:56,480 folks. Self-serve resources: do a quick 539 00:16:56,480 --> 00:16:58,680 check of the resources you offer and 540 00:16:58,680 --> 00:17:00,040 identify anything that's net new you 541 00:17:00,040 --> 00:17:02,319 want to create. Ask yourself if your 542 00:17:02,319 --> 00:17:03,839 employees know how to sound the alarm or 543 00:17:03,839 --> 00:17:05,959 get help with requests when 544 00:17:05,959 --> 00:17:07,280 something's urgent, and whether it's only 545 00:17:07,280 --> 00:17:08,799 certain teams who are reaching out or 546 00:17:08,799 --> 00:17:10,599 whether everybody kind of seems to know. 547 00:17:10,599 --> 00:17:12,480 You can even ride along with someone or 548 00:17:12,480 --> 00:17:14,439 run a security culture survey to learn 549 00:17:14,439 --> 00:17:16,439 more about their experience. Another 550 00:17:16,439 --> 00:17:17,679 thing you could do to scale yourselves is 551 00:17:17,679 --> 00:17:19,199 just look at the questions you get most 552 00:17:19,199 --> 00:17:21,199 as a team, and the requests, and 553 00:17:21,199 --> 00:17:22,799 create an FAQ to address these by 554 00:17:22,799 --> 00:17:24,679 category. It might take you a half 555 00:17:24,679 --> 00:17:26,359 hour, an hour, and it gets you a lot more 556 00:17:26,359 --> 00:17:28,880 time back. And lastly, for security hygiene, ask 557 00:17:28,880 --> 00:17:31,160 yourself what your human and tooling 558 00:17:31,160 --> 00:17:32,840 touch points are and how well they're 559 00:17:32,840 --> 00:17:34,799 working. What types of trainings do you 560 00:17:34,799 --> 00:17:38,280 provide, when, why, and to whom, and what 561 00:17:38,280 --> 00:17:39,400 other trainings do you want to provide 562 00:17:39,400 --> 00:17:41,640 and why?
Finally, ask yourself whether the 563 00:17:41,640 --> 00:17:43,840 tone of the security-related messages 564 00:17:43,840 --> 00:17:46,080 sent to your employees reflects the tone 565 00:17:46,080 --> 00:17:49,200 that you want to create. If it doesn't, 566 00:17:49,200 --> 00:17:50,480 then figure out what your dos and don'ts 567 00:17:50,480 --> 00:17:52,080 are, make sure people know, and create a 568 00:17:52,080 --> 00:17:53,280 lightweight guide for how you'll 569 00:17:53,280 --> 00:17:54,760 communicate security-related messages 570 00:17:54,760 --> 00:17:56,720 going forward. So obviously a lot of 571 00:17:56,720 --> 00:17:58,400 questions, but this is just intended 572 00:17:58,400 --> 00:17:59,799 to help you take a closer look at all 573 00:17:59,799 --> 00:18:01,880 the things you could potentially 574 00:18:01,880 --> 00:18:04,840 tackle. Finally, step three is all about 575 00:18:04,840 --> 00:18:06,360 capturing your answers to the previous 576 00:18:06,360 --> 00:18:07,799 questions in a super lightweight gap 577 00:18:07,799 --> 00:18:09,880 analysis, figuring out how you'll get there. 578 00:18:09,880 --> 00:18:12,120 So your inputs in the red and yellow 579 00:18:12,120 --> 00:18:13,640 columns for current state and future 580 00:18:13,640 --> 00:18:17,679 state are your answers to, basically, 581 00:18:17,679 --> 00:18:20,159 you know, step one and two here, and 582 00:18:20,159 --> 00:18:21,799 your output is an action plan in the 583 00:18:21,799 --> 00:18:23,200 green column that you can prioritize 584 00:18:23,200 --> 00:18:25,559 based on things such as time required, 585 00:18:25,559 --> 00:18:27,720 level of effort, and impact. I know these 586 00:18:27,720 --> 00:18:28,720 sound a little bit like 587 00:18:28,720 --> 00:18:30,640 overkill, but spend 30 to 45 minutes 588 00:18:30,640 --> 00:18:31,960 going through them as a team and you'll 589 00:18:31,960 --> 00:18:33,880 come out with three things at least that 590 00:18:33,880 -->
00:18:35,320 you can do strategically to strengthen 591 00:18:35,320 --> 00:18:37,039 your security culture and help you do 592 00:18:37,039 --> 00:18:39,760 the things you're trying to do, but 593 00:18:39,760 --> 00:18:42,200 better. So to close, here's a super 594 00:18:42,200 --> 00:18:44,200 oversimplified list of tips to bring it 595 00:18:44,200 --> 00:18:46,480 back. One, start by defining the 596 00:18:46,480 --> 00:18:48,200 principles for how the security team 597 00:18:48,200 --> 00:18:49,880 works and partners, or even how you'd like 598 00:18:49,880 --> 00:18:51,760 to be known as a 599 00:18:51,760 --> 00:18:54,320 team. Two, identify the folks whose buy-in 600 00:18:54,320 --> 00:18:55,679 you need to help support the efforts 601 00:18:55,679 --> 00:18:57,280 you'd like to put together; again, these 602 00:18:57,280 --> 00:18:58,720 can be, but they're not limited to, your 603 00:18:58,720 --> 00:18:59,640 leadership 604 00:18:59,640 --> 00:19:02,799 team. Three, identify, establish and set up 605 00:19:02,799 --> 00:19:04,640 the tools and platforms you'll need for 606 00:19:04,640 --> 00:19:06,320 supporting strong security behaviors: the 607 00:19:06,320 --> 00:19:09,039 password managers, the Semgreps, etc. 608 00:19:09,039 --> 00:19:11,760 of your world. And lastly, be sure to 609 00:19:11,760 --> 00:19:13,840 actively listen to and solicit feedback 610 00:19:13,840 --> 00:19:15,360 from across the company on a regular 611 00:19:15,360 --> 00:19:17,799 basis. Be human, identify any areas of 612 00:19:17,799 --> 00:19:20,000 friction, and continuously make them 613 00:19:20,000 --> 00:19:22,919 better and less friction-full. 614 00:19:22,919 --> 00:19:25,720 So that's all I've got. Thanks for 615 00:19:25,720 --> 00:19:26,760 joining me to learn about how we 616 00:19:26,760 --> 00:19:28,120 approach this at Vanta. Does anyone have 617 00:19:28,120 --> 00:19:30,239 any 618 00:19:33,679 --> 00:19:36,000 questions? Okay, I don't see any, but I'm 619 00:19:36,000 -->
00:19:37,360 happy to hang around if anyone wants to 620 00:19:37,360 --> 00:19:39,559 come up after. Thanks so much, thank you 621 00:19:39,559 --> 00:19:42,170 SAINTCON, and excited to chat with more of 622 00:19:42,170 --> 00:19:45,489 [Applause] 623 00:19:45,760 --> 00:19:48,760 you.