Rediscover trust in cybersecurity: A women in cybersecurity podcast.
Jennifer Eiben: Hello everyone. I'm Jennifer Eiben, Senior Producer at the CyberWire and Director of our Women in Cybersecurity Initiative. I'd like to welcome you to this special edition podcast focused on women in cybersecurity. We are joined today by our partners from Code 42, who put together a group of industry leaders to discuss ways that we can rediscover trust in cybersecurity. It's important for employees to be brought into the fold as security's allies, rather than as its adversaries. For cybersecurity teams that operate with an adversarial mindset appropriate for external threats, it can be challenging to approach internal threats differently. You can't treat employees the same way you treat nation-state hackers. But employees play a pivotal role in preventing data leaks, making it important to create a company-wide culture of transparency. Transparency feeds trust, which builds a strong foundation for security awareness training to be truly effective.
Jennifer Eiben: Let's begin our examination of rediscovering trust in cybersecurity by introducing our moderator for today: Kathleen Smith. Kathleen is a longtime friend of the CyberWire and especially our Women in Cybersecurity initiative. Kathleen helped us dream up the CyberWire's very first Women in Cybersecurity reception, which began in 2014. Kathleen, we've known each other for quite some time. Kathleen is the Chief Marketing Officer for ClearedJobs.Net, and as I mentioned she's serving as our Moderator today. I'll let Kathleen introduce our panelists. Welcome Kathleen, it's great to have you back.
Kathleen Smith: Jennifer, it's so great to be back on another Women in Cybersecurity podcast. We've covered a wide variety of topics over the years. We've been at the Women in Cybersecurity conference, we've done the Women in Cybersecurity celebration, we've been at many of the different hacker conferences. It's been a long, beautiful road and I'm so glad that we're continuing it when many other podcasts focusing on women in cybersecurity have maybe fallen by the wayside. I really commend the commitment of the CyberWire for continuing this initiative and I know that it is a personal passion of yours. So, I really appreciate you, Jennifer, for doing this. I was so excited when I saw the panelists that we have for today's podcast, because not only do we have new friends, but a friend that, gosh, I haven't spoken to in years, and saw one of her first presentations years ago that went off into just a great new venture. And just so proud of the many things that you have done, Masha. So, thank you for joining us. And Sam, you're out there in the community in Saudi Arabia right now, at one of the first conferences, so really appreciate that. And Michelle, it was great to know you and listen to all of your great thoughts.
Kathleen Smith: So, let's get started and have each of you introduce yourselves, because I could definitely not give the right introductions. I'd stumble all over the place, like I do all the time. So, let's kick it off. Who did we decide was gonna kick this off today? Masha. Masha, tell us a little bit about yourself.
Masha Sedova: Thanks so much for having me on this podcast. I'm so excited for this conversation. I'm Masha Sedova. I'm the Co-Founder and President of Elevate Security, a company that focuses on measuring and managing all aspects of human risk. And I have spent my 20-plus-year career in cybersecurity focused on a variety of aspects of it, initially starting with forensics and working as a cyber analyst for the DOD, before really beginning to get fascinated by the human element of security. I had the opportunity to build and run the security engagement team at Salesforce, before starting my own company in 2017, which is off and running and helping redefine how we think about measuring the employee risk element of our organizations.
Kathleen Smith: Great. And Samantha?
Sam Humphries: Hi everyone. I'm also thrilled to be here, so thank you so much for having me on. So, I've also been in cybersecurity for 20-something years. I started as a receptionist a long time ago, and just fell in love with what we do. And as a self-confessed nerd from a very young age, I was hooked, and I'm still here way, way into the future from two decades ago, last millennium. Wow. So, my background's been all sorts. I did incident response for too long. I've dyed my hair since, so that's good. And I've helped with products, and now I work at Exabeam doing security strategy for EMEA.
Kathleen Smith: And last but not least, Michelle.
Michelle Killian: Yes, hi, good morning, thanks all for having me and for having us here for this conversation. I'm excited for it. I've been in security, again, also a little over 20 years. It's a point of pride, 'cause I feel like I spent much of my life saying, like, almost 20, almost, and you know, to give myself a little more acumen. So, it feels good to actually be like, no, I'm here and I've been here for a long time. My path to security was also a little roundabout. I raised my hand. It was something that sounded really interesting 20 years ago and I've never looked back, and I've been really glad to be in this industry. Today I am a Director of Information Security at Code 42, and I oversee our risk, incident and TVM programs, our policy and training program, our product security, and then our identity and access management programs.
Kathleen Smith: Wonderful. So, there are so many different topics that we can touch upon, you know, now that we're on sort of another side of a global pandemic, a global crisis. And one that really impacted, not only how we live our lives day to day, but how we work and how employers engage with their employees. So, we're almost 20 months past the start of the pandemic and we're taking a time to step back and reflect about this rush to remote work, and all of the technical and technology changes that we had to make in a very short period of time. What do we all think is the biggest impact this has had on security? Michelle.
Michelle Killian: Yeah, I would say, from what I've experienced, visibility has really been impacted the most. We were lucky in that we were kind of remote-first, or remote-focused, before the pandemic. So, tools and tech were in place, and so it was just getting our processes up to speed. And so for us, we found a lot of gaps around expectations around alerting and monitoring. There was an eight-to-five workforce and that really changed when everyone was home and they were juggling working around kid schedules. So, rethinking what potentially suspicious behavior was became a new exercise for us. I would say, and related to that with visibility, just situational awareness generally. So much of what we do and how we're successful on our security team is understanding, like, the context behind something, or the side conversations where you might learn something that you might not have known directly. And a lot of that was lost in those hallway conversations. And I feel like Slack has probably become the best base for situational awareness, and while I don't recommend joining all of the channels and paying attention, I feel like it's the best way that we've found to gain that situational awareness and understand what's happening more broadly.
Kathleen Smith: Yeah, I think it's interesting that we talk about visibility, because people don't think that we need to see each other, but this actually really brought home this fact that face to face, even if it's Zoom, maybe not Zoom, but face to face, that one on one connections really does have an impact on security. Sam, what were some of your things that you noticed as an impact on security?
Sam Humphries: Yeah, I think from my side, there's been good things and bad things. Definitely the communication piece has been super tough. And people being in their home bubble rather than being in an office, you kind of, you let your guard down, especially add in all of the distractions, and my goodness, there's been many, and the stress of being in a pandemic, you know, that affects us as humans very much too. So, you know, on the downside, I think it's been tough. You know, security people have had to go home as well, and work remotely; it's harder to collaborate. You can't just tap someone on the shoulder and be like "Hey Sue, I've just seen this thing, like, take a look." You know, you've got to then reach out over a different method. So, that's been hard. And it took the cybercriminals minutes to pivot. You know, in Q1 of last year, I think of the top ten phishing emails, apart from the Valentine's one that we get every single year, everything else had flipped to a topic that was something to do with remote working. So, you know, we're distracted, and the cybercriminals, they upped their game immediately. So, that's been really hard, but I do think there's been a positive as well. There have been some really strange positives coming out of the pandemic, but you know, find them where you can, I think.
Sam Humphries: And what I've seen is, like, the business, IT and security collaborate a lot better, through necessity to start with, because for organizations who were very much kind of on-prem, to have to then flip to remote working, spinning up cloud apps very, very quickly. The kind of old adage, and I think this is going away generally, thank goodness, is, you know, the department of No in security. It's been very much more a department of Yes But, and actually helping the business find the things they need. So, you know, in the olden days, if you'd found some good old shadow IT kicking around, it would be easy to go, well, you shouldn't use those, because we have this thing over here, or just don't use it 'cause that's our policy. Whereas now, you know, if you find that 4,000 people in your organization have been using Dropbox and you didn't actually realize, well, maybe there's a good conversation to go and have. Either let's find a sanctioned service, or understand more about the business needs. And I think the pandemic's kind of forced that conversation more, which is ultimately a good thing for security professionals, 'cause, you know, we've got better relationships going on.
Kathleen Smith: Yeah, I really like the concept of turning security from being the department of No, to the department of Yes But, let's look at the business aspect. So, Masha, I know you have some different insights on this and I wanna hear from you on what you saw as some of the security challenges, or opportunities that the pandemic brought us.
Masha Sedova: Yeah, so one thing that Samantha said that really struck me was the change in the role of the CIO and the CISO in the land of work from home in the pandemic. They really became first-class citizens in the executive boardroom, because all of a sudden, they weren't just a call center, they were a business enabler, because it was not a no but, it's a we can't get online if we don't figure this out. And it's been really interesting to see how that role has very quickly evolved in the last year and a half to become truly a key stakeholder at the table, in a way that, I think, would have taken a decade to get elevated.
Masha Sedova: But as far as the security landscape goes, I think what's really fascinating is that identity is now our new perimeter. Our employees are working from their couches, their coffee shops, now maybe, but before it was, you know, whatever Internet connection you can get, you're using it. And it's a totally different way of thinking about our ecosystem and how we secure it. What used to be a faraway dream, that only Google could get access to, around, you know, boundaryless security, now, you know, the idea of zero trust and work from anywhere is something we've all had to embrace. And the employee is the epicenter of that. Who is logging on and where they are logging on from and what kind of risks they bring with them is now how we think about security, which is a really exciting time, because it's about as far away as you can get from defense in depth and, you know, the castle-and-moat model we all started with a couple of decades ago.
Masha Sedova: And so, it's really fascinating to watch how we think about the space and lean into securing it using new frameworks and new technologies that we haven't had a chance to before. And it's really fascinating because I think awareness and training as a topic and as a framework has been around for a couple of decades. It hasn't really progressed us to the place where I think any of us really have wanted to see it. And so, as we take the identity-as-a-perimeter idea that we're seeing evolve, we get to also watch a lot of these secondary frameworks around it, like the awareness and training space, co-evolve with it to match the risks that both Michelle and Samantha were mentioning earlier as well.
Kathleen Smith: Awesome. And one thing that I think that I love about the cybersecurity community is their culture. And, you know, we've seen so many different kinds of cultures develop over the years. Sam and I were chatting about all of the Security BSides and, you know, there's that whole culture of we are a community. And it's interesting, when we get on the topic of culture, you know, we talk about the community and then we also talk about a company. So, what do we wanna talk about as far as culture, and what advice do we wanna give our listeners on approaching a company-wide culture of transparency? Sam.
Sam Humphries: Yeah, I love that you've brought the community bit up, 'cause I think this is huge and I'm at the moment seeing people in real life, sometimes for the first time. You know, I know them from the Internet and now, like, seeing them in real life is just amazing. And, you know, ultimately security is about people. We've got our businesses and our assets that we care about, but if you don't look after the people, then the whole thing falls down. It always makes me twitch when people say, oh yeah, the users are the weakest link. And it's like it's blaming them rather than embracing them. Security awareness training has been, I think, hit and miss over the years. Some of it has just been, you know, you should watch this video. Have you watched the video? Do the video, video, video, nagging emails. And that doesn't make it a pleasurable experience and you don't feel part of the process.
Sam Humphries: So, I'm seeing some good shifts. You know, people do lots of different styles now. For some it's cartoony, for some it's literal Muppets. The Cyber Maniacs have got some great training. They have actual Muppets they use for it. And it just makes it a little more entertaining, but ultimately if it's still just computer-based stuff, it's one way. You don't really feel a part of it. So I think doing more to help individuals understand the part they play, and the importance of the part that they play, giving them good routes to be able to report stuff if they're worried, and making that a positive experience, rather than saying, like, why did you click that link? Why did you do that? Why didn't you tell us about this? That's how we bring people into the fold better. So, you know, the department of No, we talked about earlier. I think getting the security team out talking to the other folks in the business generally and being face-full, rather than faceless, I guess. And really embracing the humans and making this a positive experience. People are going to come to you more. They just are. They're gonna see you as a human as much as you see them as a human, rather than just being a user, which is basically a login.
Sam Humphries: So, there's more we can do, but transparency, going back to that, you have to explain to people what you're doing and why. And I think generally they'll get it. If you're still talking to them in bits and bytes, maybe not, but, you know, I think we all have a duty to look after our business. If you're working somewhere and you don't care about the place you work at, then that's not a great feeling. So, you know, ultimately I think this could be a good emotional investment as well for both sides, for the security team and for users.
Kathleen Smith: So, topic of culture. Masha. What advice? I mean you look at culture and you've been looking at culture for quite some time.
Masha Sedova: Yeah. I think a great place to start thinking about this question is, how do we define culture? And for me, I think about culture as the things that we do when no one is looking. It's the actions that our employees take and the decisions that they make when security isn't forcing them to do it, right. It's not the quiz question that they answer at the end of their training, but it's what happens when it's time to make a hard decision. Do I ship my code late and securely? Or do I ship on time and just hope that there are no security bugs? And that's really where culture meets the day-to-day business requirements. And so, having the ability to measure culture is a really important thing. And when I think about measuring culture, it's understanding these decisions that employees make on a regular basis, and helping them understand where they stand. What decisions did they make that they're doing a really good job in? And where are they sometimes missing the mark? And this information is actually available in almost every organization I've worked with, phishing being one of them. But there are so many other data points we can start thinking about, like how do you navigate the web? How do you handle sensitive data? How are you reporting? Do you try to download malicious software accidentally? Of course, right, without the blame here, but, you know, are you just a more risky driver on the cyber road than your peers?
Masha Sedova: And then the second thing is, well, what do we do with this information as a security team? How do we help drive culture, knowing this information? And this is where the part of transparency and accountability comes in. I actually don't think we need to be doing as much as we are around animated videos and humor, when we can treat employees like capable adults and we can have a heart-to-heart conversation of this is where you are around security behaviors, and this is how you can get better. And the place where we're missing the mark today is that it's one size fits all. When you say this is good practice, but it doesn't apply to my work, then it's not relevant to me. But if you can show me that I browse the web and navigate the sites that are blocked, you know, three times more frequently than my peers and that introduces a certain amount of risk to my organization, that's a different conversation for me.
Masha Sedova: And so transparency here is actually really important because it helps a security team become a partner with employees and lets everybody know where they stand. And then it gives them the tools to up-level. And then there's a second piece, which is an understanding that employees, like the rest of us, are human and they're going to make mistakes. A security culture is not one in which everyone is flawless. A security culture is one where there is forgiveness and grace around how we are human as it relates to security: when we make a mistake, how do we individually respond to it, and what are the kind of support structures, technically speaking in this case, that are there to catch my mistakes? You know, if I regularly click on phishing, do I also use MFA and a password manager all the time, for example? Maybe I have a web isolation browser technology that catches my risky browsing habits? And working with security teams to acknowledge where I am on my own security culture journey and matching to where I am related to my riskiness, with the transparency that we were just talking about, I think is a really interesting and exciting new way of thinking about how we evolve security culture, and again treating employees like they're part of the solution, part of the ecosystem, and not, as we said in the intro, as an APT, a foreign hacker here.
Kathleen Smith: What I love is, you know, Masha and I have been in the DOD world before, and I remember, you know, 2007, 2008, we were talking about security awareness training and talking about security in general. And it seemed that it was a widget, a device, a software, something that was there that would be, as you said earlier, a castle-and-moat sort of technology, and not looking at the fact that it was the individual. And we're now moving, fortunately a little bit faster, into embracing the employee, even the customer, into the security discussion. So, Michelle, I loved what you were sharing before about what your CISO did as far as embracing security. Want to share a little bit about that?
Michelle Killian: Yeah, definitely. You know, Masha had mentioned earlier how the CIO and CISO are now seen as business enablers through the changes with the pandemic. And one thing that was exciting coming to Code, we had a traditional security team prior, with an actual chain-link fence around their office, to be funny, but it created a sort of, like, mood. But so, when our CISO came on board, she created a security brand statement for our team. We're a team of yes, we're trusted experts, we enable the company to be successful, and we truly live by that. And what it's done is it's led the employees within our organization to come to us with questions, because they don't assume that we're just going to shut them down. So, they're more willing to say, like, "hey, here's this thing I've been thinking about" and get the security conversation started. But just as importantly, it's enabling our team to remember that we're not siloed, that we're not just a security team protecting the organization, but that we're part of the larger org and that the work that we do really is integral to the success of our organization.
Michelle Killian: And then, through that statement, really it's allowed us to encourage our employees to engage with us. We have a really robust risk management process where, I would say, you know, a large percentage of what gets reported as risk comes from people outside of security, because to them they're excited to talk about here's this thing that's keeping me up at night, or here's this thing that makes me feel a little unsettled in the work that I'm doing, stuff that security doesn't always have visibility into, but it allows them to be part of that conversation. More importantly, we're triaging it and we're talking about remediation and we're reporting it to the executive team. And so these employees, who are maybe, you know, steps removed from the security team specifically, feel like they're making a positive impact on improving the security of the company.
Kathleen Smith: That's great. And, you know, as a marketing professional at heart, I'm always excited when someone says brand actually has power, and brand actually has a place. It's not just this pretty colored logo or, you know, a T-shirt that a bunch of people wear around. That is actually a part of the culture. It's something that people really embrace. We've all touched upon sort of security awareness training. I mean we all talk about the various different training that we've had, from, you know, harassment training to security training, to, you know, that video that everyone has to sit in front of, and you literally can only make sure that someone's passed it if they've sat in front of it and took the quiz. And we all know that that information goes out, you know, out one ear and in the other and vice versa. So, security awareness training fortunately has had some success in areas like phishing, but do we think that there is actually an opportunity to improve and expand on this area? So, Masha, this is one of your big areas. Share with us.
Masha Sedova: Yeah. So, the way that I love to think about this problem is, what gets measured gets managed. And so from that place, simulated phishing has been revolutionary, because it's actually given us meaningful metrics around what people do, not just what they know. So, before I tell you the downsides of simulated phishing, I wanted to start with all the benefits of why I think this has been a huge boost to measuring employee mindset, and more importantly employee risk. But one of the things that I've done in my work is put together a research paper that analyzes the security behavior of over 150,000 employees. It's about three million decision points, and I actually got to see how effective phishing is, how effective training is at actually improving people's security posture. And what we found was actually very shocking. The first thing is that both phishing, simulated phishing, and training actually have a limited return on investment. So, if you send out more than 11 phishing emails to your employees, it starts to flatline and you're not gonna move the needle anymore. It helps up to a point, and then it flatlines at about five percent. And you can keep phishing your employees till the cows come home and they're going to still click, a subset of them, five percent in fact.
Masha Sedova: Same thing with training. Training follows a U-shaped curve, where the first three trainings you give to somebody help improve their behavior. Trainings four and five actually become counterproductive, and employees who have taken five trainings perform worse on detecting and reporting phishing than employees who have never taken any security training to begin with. So, my takeaway from this data is that they are good tools in our tool belt, but up to a certain point, at which point they become counterproductive. And if we keep going back to the same problem with the same solutions, wishing for a different outcome, that's insanity. And so we actually need to be thinking about our tool belt here in a much more broad way. Those are two tools in our tool belt, but what other things can we be introducing aside from these two and firing our employees, which is another tool, but not one that really helps with our brand and our positive imaging in our organizations?
Masha Sedova: But how do we think about other tools? Involving management and helping with top-line support. Creating cultures of positive incentive and positive reinforcement; reward and recognition of really great behavior is another way that I've seen cultures be vastly shifted in the positive direction here. All this is very, very valuable. I do think that the foundation of this, back to some of the things we talked about earlier, really is measurement. You can't reinforce positively, you can't gamify, you can't give people accountability, transparency around how they're working, if you're not measuring what people are doing. So, we really do need to be thinking about how we more effectively measure where we are from a security risk standpoint as it relates to our employee behavior. So that is foundational, but the measurement piece isn't enough. The measurement enables us to create more tools, like being able to pull in secondary technologies to support our riskiest employees.
Masha Sedova: And we in general need to stop over-relying on one vertical of measurement, which today is simulated phishing, because it really is one dimension out of many that we need to be using to measure this risk in our organization.
Kathleen Smith: Awesome. Sam.
Sam Humphries: Yeah, just to lead on from that, and so much agreement. I think the simulated phishing thing has been bizarre, 'cause some organizations have been really focusing on who clicked the link, not who didn't click the link. So, it's been a negative thing straight off the bat, rather than being like, hey, you know, you've done really well, like, this is a good thing. So, I like the gamification thing completely. I think there's loads of different ways you can do that within, not just kind of day-to-day user work, but also with some of the teams that might come to you for help with the security side of things. There's a whole load of different processes that you can put in there to make it, like, fun and positive. And one of my favorites, and I did one recently that was just so cool, is tabletop exercises. And really get people involved from outside the security team, to kind of live through, you know, what does it feel like to have a ransomware attack? What does it feel like to have a breach? What can we do? How can we be working together? And not just scare the pants off them, but see how the different teams need to interact and just give them a flavor of some of the things that can happen along the way, which just gives that added benefit of, you know, when it happens, you're better prepared. It's not just a case of, well, hang on a second, we've got a process somewhere, can we dig it out? Oh no, it's on the intranet and our computers are all down.
Sam Humphries: You know, people have had some degree of experience without it being as catastrophic as it could be. But they know their part, and they may come up with ideas outside of the security side as well. I think you get great creativity from people who aren't in the security team as to how you can solve problems. And it brings everyone together in a really good way.
Kathleen Smith: Awesome, yeah. I think that we've really talked about how, you know, security is moving people more in a positive way rather than a negative way, and we've really had so many experiences, even before things are advertised, about, you know, how it's all negative. But really, I'm loving this theme that we're having today about, you know, positive and the statement of yes and security impacts all of us. So, Michelle, thoughts on security awareness training.
Michelle Killian: Yeah, again echoing a lot of what's being said. You know, I also run threat and vulnerability management. And so one of the things that makes me go a little bit bonkers is metrics for the sake of metrics, right, which is what Masha was speaking to. And one of the things that I'm constantly educating on is, like, just because we got a whole lot of scams coming in does not mean anything, right. On the surface that's just a number. It's really, it's like there are layers beyond that. Like, what are those numbers telling us? And that's where I feel like we could be a little more resourceful or thoughtful with phishing. It's not necessarily, I mean the click rate is an important metric, especially in an immature program, but when you're working with your employees and that user base, it's really more like, what's the data behind the click? Is it that we're clicking more at night? Or is it more that we're more risky with our behavior on our phone versus our endpoint? Or is it that we're more susceptible to messages that are coming from a specific industry, like retail or health care? Okay, so then I can tailor my messaging to make it a little more impactful. Or adjust my security controls to try and account for where there might be a little more risk.
Michelle Killian: And then I think, again, this is a theme that I think we're talking to, which is empowering users. So, I want, you know, going back to our brand statement, we're part of an org and the whole org is the security org, right. And so we really have to make sure that we're not being silent in security, that we aren't hoarding the knowledge because we like to know all the things, because we do, right. There's power with knowledge. But that we're making security truly everyone's job, because what we're doing at the office on our computer is the same thing that we're doing at home. We don't have a security team to go to when we're playing in our personal Gmail, or when we're trying to send files with our family, versus with our co-workers. And so, it's really, I think there's more opportunity for us to help our users help themselves, right. So, when they click on that link, do you know about VirusTotal? Or here's this way that you can do some self-serving to see if something's malicious or not. Or did you recently interact with a company, which would make you more susceptible to getting an email from them versus not? So, taking that next level of training and awareness with our employees.
Kathleen Smith: So, since we here in the United States just got done with one of our major holidays, I remember a panel that I was part of a good 15 years ago, and people said that yes, the security team likes to have all of the knowledge, because we're the most popular people at any of the holidays, because our parents, our grandparents all want us to do the malware and the virus and stuff. And that's the only value and importance we have in our family, is that we can come home and clean everyone's computers. So, it's nice to know that we all have a little bit more knowledge and we can share it, and I'm glad we're sharing it here today. So, employees don't always take an action when their company is hit by a security incident. This is from Kaspersky Research. In fact, in 40% of the businesses around the world, employees hide an incident when it happens. Hiding an incident may lead to dramatic consequences, therefore increasing the damage that is caused. One unreported event can lead to an extensive breach of the organization's entire infrastructure.
Kathleen Smith: This hide-and-seek problem seems to be most challenging for larger companies, with 45% of the enterprises having those large employee numbers experiencing employees that are hiding a cyber security incident. So, given this risk from insider threats, what can we do about improving culture to lower these risks? Sam.
Sam Humphries: I think this goes back to so much of what we've been talking about. And again, having that positive culture, I think solves a lot of this. I mean ultimately if you're in a company that's got, you know, a reasonably mature security program, they're gonna have ways of finding you anyway and realizing that it was you, and that's not a good place to be. I'd much rather someone came and said like "hey, oops, I've done this, I need to let you know so you can do something about it", than them sitting on their hands and going, "oh maybe I won't get found out. Maybe I'll update my CV, maybe I'll go and live in a cave and this will all blow over." But even with, you know, immature security programs, if you're at a point where it's hit breach level and you've got agencies coming in to assist because you've had to notify them, it's gonna be uncovered somewhere down the line, and it's just, it's not worth it. I would, yeah, if you've got the right routes for people to report, you've got the face of security, you've got this positive brand going on, I think, you know, that goes a lot to reduce these situations, 'cause people know where to go and they know who to talk to and they know where to get help.
Kathleen Smith: Michelle.
Michelle Killian: Yeah, I think really a big piece of this is removing shame from the equation. We, many of us are in security because there's no mastery, there's no like I've learned all of security, full stop, right. Because the minute we know something, it changes. So, we know that in our world, but yet we have this expectation that our employees are just gonna know all the right things to do all of the time. And if we can't establish mastery, our employees can't either. And so really I think it's important to make sure that we're encouraging all of the questions, even the ones we have from the employees where like they ask all the questions all the time. Like we need to encourage that and we need to thank them for asking, because that's how they're going to feel safe enough to report when something's gone wrong, or when they clicked on that link that they weren't sure if it was bad or not. So, I think that's a key piece to encouraging the reporting.
Kathleen Smith: Masha.
Masha Sedova: So, I think the way that we need to get to the root of these statistics is understanding why employees don't report mistakes today. And, one of the best tools I've seen across this is the five whys, which doesn't necessarily stop at security. But finding people who, you know, exhibit this kind of behavior, who don't report after maybe clicking or introducing an incident. And ask them why? Why did this happen? Why did you do this? And keep digging in, not just the top level. And over my career, I have found that it actually falls into one of five categories. They either think it's not their responsibility and that security's all over it, it's their job not mine. They can't be bothered to do it. They're really busy. They're afraid of the punishment, so to Michelle's point, the shame. They didn't detect it at all. They had no idea anything even happened. Or, they didn't think that reporting actually had the ability to change course. It doesn't matter, like, what's the point of me reporting? And, all of these root causes have actually a very different solution to them. And it's understanding which cultural blocker is the reason you aren't getting the kind of reporting and open communication that we want to be seeing to get ahead of these incidents, that is gonna be really, really important.
Masha Sedova: And, some of it is gonna be skill training, but some of it is reducing shame, and a lot of the time I actually find that it's making it safe to report, making it safe to say hey, I made a mistake and I need your help, and knowing that there aren't negative consequences. In fact there are positive consequences. And, the approach that I have seen to be very effective at solving actually several of these bullet points and root causes, is modeling positive examples of this. When someone has reported successfully and changed the outcome of an incident, modeling that for the company. I know about one defense contractor that would highlight this at their all hands, and it would even, in certain situations with the employee's approval, name an employee who stopped an incident because of this reporting capability, and explain what the impact would have been, had they not done so.
Masha Sedova: And so, publicly modeled great behavior so that you're creating examples of, well someone did it and they thought it was their responsibility, they did not get in trouble, they were thoughtful about detecting it and their input actually changed the course of it. And so, by modeling this in such a very public way, you actually overcome a lot of these root causes. And so, I think understanding what's going on in your organization, and then creating safety and positive reinforcement, goes a long way in helping reduce some of the stats that you've just shared at the beginning.
Kathleen Smith: I like that all of us can say easily that we've been in the community for over 20 years, you know, fortunately none of us have gray hair or wrinkles or, you know, anything like that, but what I love is at the beginning of most of our careers, we saw security as this rigid, very negative, very secular kind of industry. And, it has now evolved into something that is actually a living being, and that we can model great behavior that can have a positive impact on an individual, on a team and on a company. And I really wanna thank each one of you for sharing your insights on how we can all change our organizations, and change them to have a positive impact on our individual security and our organization's security. So, thank you all, Masha, Sam and Michelle, for your great insights today. Jennifer, back to you.
Jennifer Eiben: Thank you Kathleen. I wanna thank you for moderating our panel today with all of your thoughtful questions and your very meticulous preparation. We would not have been able to have this conversation with such depth without you. I also want to echo your thanks to Michelle Killian, Sam Humphries, and Masha Sedova, for sharing your thoughts and experiences with us. This was really great, you guys. Thank you so, so much. I want to thank everyone who helped put this together, and to our listeners for spending the time with us. Our special thanks goes out to our partner and sponsor for this special edition podcast, Code 42. I'd like to encourage all of you to take a quick moment to check out the CyberWire's monthly newsletter called Creating Connections. It's our newsletter that is a collection of works for news focusing on women in cybersecurity, and it highlights the significant contributions that women bring to the industry. It's free for you to subscribe and you can find us on the CyberWire.com. I'm Jennifer Eiben from the CyberWire and it's truly been a pleasure. Thank you all.