Masha Sedova, Elevate Security | RSAC USA 2020
Masha Sedova, Co-founder, Elevate Security, sits down with John Furrier at RSA 2020.
https://siliconangle.com/2020/03/03/cisos-need-look-past-boring-training-videos-motivational-security-stance-rsac-womenintech/
CISOs need to look past boring training videos to a more motivational security stance
No security expert would deny there’s a huge problem with data security, or even that human error is a major factor. Yet security solutions are focused on fixing the technology, not the people. When it comes to employee best practices, the same tired training courses and punitive measures are rolled out year after year.
“I was given some animated PowerPoints [and] told ‘use this to keep the Russians out of your network,’” said Masha Sedova, co-founder of Elevate Security Inc. “Which is a practical joke — unless your job is on the line.”
Sedova spoke with John Furrier, host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the RSA Conference in San Francisco. They discussed the importance of the human factor to cybersecurity and how complying with security best practices should be a rewarding activity for employees.
This week, theCUBE spotlights Masha Sedova in its Women in Tech feature.
Grandma was a computer scientist
A talent for STEM runs in Sedova’s bloodline. Her grandmother graduated with a degree in computer science back in the 1950s, before women were told programming was a boy’s game. Sedova’s dad taught her to code when she was in sixth grade, and Sedova was a smart child who enjoyed both arts and science. She headed to college early, gaining her first degree from Bard College at Simon’s Rock before going on to be awarded a bachelor’s degree in computer security from The University of Tulsa.
After a decade of experience in cybersecurity, which included working for global security company Northrop Grumman Corp. and on the IT Vulnerability Assessment Project at BAE Systems Inc., Sedova joined cloud trailblazer Salesforce Inc. as director of trust engagement. All of these experiences strengthened her enterprise security expertise.
“People are the weakest link,” is a well-known security trope. But as Sedova’s PowerPoint experience showed her, the industry often relies on traditional training methods that are far from efficient. “Which is why human error is a huge source of our breaches,” she said.
Sedova started to look at integrating solutions from the fields of behavioral science, positive psychology, and game design into security training. In an “aha” moment, she realized that the ways marketing and sales professionals used to engage the human element in their campaigns could equally apply to motivating employees to pay attention to security.
“It’s not what people know, but it’s what they do that matters,” she said.
She used the example of smokers who know the risks but still choose to light up. “They think that it doesn’t apply to them — same thing with security,” Sedova said.
Workers knew the security measures they needed to follow, but they were not motivated to actually do them.
She started developing more interactive training sessions for Salesforce employees, and the results were overwhelmingly positive. “[Sedova has] turned the often stodgy and rigid practice of security training into a fun, engaging and entertaining experience,” said Sedova’s Salesforce coworker Warwick Webb.
Securing the world through engaging workers
Seeing the market need for a security solution that addressed the motivation factor, Sedova and security engineering expert Robert Fly left Salesforce to found Elevate Security. The company’s name came from its goal to “elevate people-powered security.” By adding people to the traditional security focus on technology and processes, the Elevate team created a holistic security model that was “people-powered.”
“Our expertise is understanding what information people need at what time and under what circumstances that best changes their behavior,” Sedova said.
The method works. After playing Elevate’s training game “Hacker’s Mind,” employees were 80% more likely to report potential security issues and 48% more aware of potential phishing schemes and suspicious links.
Alongside motivational and fun training methods, chief security officers and security teams have access to a dashboard map that provides visibility into the organization’s ongoing security strengths and weaknesses. Monitoring activities that can lead to security breaches, such as phishing, click-throughs, malware installs and others, is used to drive behavior change. The motivational factor is simply showing employees how their security performance compares to their peers
...
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the RSA Conference: