Building a Culture of Security
#CyberAware
Kelley Bray – Symantec
Agenda
• Memory Lane
– Moving from Compliance to Security
• Culture and our program
– Why “awareness” isn’t enough
• Getting started
– Beginning at the end.
A little bit about me
5 years at TSA/DHS
• Critical Infrastructure
• Security Awareness
• Insider Threat
2.5 years at SYMC
• Global Responsibility
• Employee Trust and CustomerONE
3 kids growing up in the digital world
Likely… why you are here.
But also… the news isn’t good.
• The number of phishing campaigns went up 55% in 2015.
– Despite the number of emails going down
Copyright © 2014 Symantec Corporation
But…
• Security Awareness Training is required for everyone, every year.
• So we should be ok, right?
Wrong.
Compliance
Awareness
Talking “At”
Security
Change in Behavior
Talking “To”
So why isn’t it working?
CULTURE
What is Culture?
A culture is a way of life of a group of people--the behaviors, beliefs, values, and symbols that they accept, generally without thinking about them, and that are passed along by communication and imitation from one generation to the next.
Buckle Up!
• What does program success look like?
– Good Security Behavior is natural… like wearing a seatbelt.
– Employees identify with the security of the company and do the right thing
– Full program implementation = Human Firewall
• Risk profile greatly reduced
Fundamental Components
• Consistent Messaging
• Interactive Online Modules
• Short, engaging videos
• Phishing exercises
• Quizzes and Contests
• On Site Training
Layering Security into Culture
Community
Company Solidarity and Security
Team Success
Individual Protection
Host a lunch and learn or similar
Compete in the CWG
Complete annual training
Report a phishing email
Author a white paper
Obtain a security certification
Volunteer to support STEM
Deliver outreach presentation
Be a Security Champion
GETTING STARTED
Advice from the trenches
• Strategy:
– Decide your best day, and work backwards
– Celebrate security often – not just in October
– Leadership – don’t bother starting without it.
– Be as interactive as possible
• Phishing, contests, FUN.
– Make it Personal
Q & A
Thank you!