How Salesforce Builds and Measures a Security Awareness Program
When it comes to securing a business against cyber crime, you probably think first about software solutions and tech departments. But you might be surprised to learn that the vast majority — approximately 82% — of cybersecurity breaches are a result of human error. In fact, employees are often the primary attack vector for cybercriminals due to varying levels of security knowledge, the human tendency to trust certain simple requests, and social behaviors that attackers know all too well.
It’s because of this that building a robust security awareness program is essential to help manage human risk and create a strong culture of security throughout your organization. But what exactly goes into a security awareness program, and how can organizations measure their success?
At Salesforce, we use the SANS Security Awareness Maturity Model as a benchmarking tool to provide guidance on the maturity level of our security awareness program. And we continuously strive to reach and maintain sustained “culture change” and “metrics framework” benchmarks. While the SANS maturity model is a good starting point, the Salesforce Security Awareness team has several additional programmatic goals.
First and foremost, Salesforce is committed to providing the most secure, compliant enterprise cloud on the market. Compliance is paramount to building a culture of trust and security, as well as our ability to legally operate as a business. This includes fulfilling requirements related to standards such as Payment Card Industry Data Security Standard (PCI), Federal Risk and Authorization Management Program (FedRAMP) and Sarbanes–Oxley (SOX).
Our second goal centers on addressing incident-related issues, particularly self-inflicted incidents caused by user negligence. These typically involve a set of key security behaviors (both engineering and non-engineering related) that include things like mishandled information, mishandled credentials, configuration errors, coding errors, etc.
Our third goal is to support the overall strategy of our Security organization. This strategy encompasses building a trust-first culture, doing common things (like patching vulnerabilities, detecting and mitigating threats, and educating employees on how to be defenders for security) uncommonly well, recognizing that security is an enabler — not a blocker — of business innovation, and raising the security bar. Attacks and attackers are getting more sophisticated every day and Salesforce’s team of exceptional security professionals continually work to stay ahead of tomorrow’s threats.
Last but certainly not least, our fourth goal is to drive behavior change within the company. But with tens of thousands of employees across the globe, often working in a virtual environment, this robust set of goals can prove difficult to accomplish with one small team. To achieve that “metrics framework” benchmark, we decided to build a dashboard that incorporates various data inputs tied to human risk across the organization, leveraging partnerships across the company to help us get there.
It’s a Small World of Security Data, After All
Building a security awareness data dashboard is really all about “who knows what”. We regularly partner with the Salesforce incident response team (also known as CSIRT) to inform our awareness efforts and help us drive down the number of self-inflicted incidents related to user negligence, while data from Threat Intelligence helps us get ahead of emerging threats and avoid new incidents that might be on the horizon.
In addition to teams within the Security organization, we partner with our Employee Communications team, which helps us understand the best channels available for campaigns and share our data-driven messaging. And we partner with our Employee Success Strategy and Analytics team, which specializes in understanding employee behaviors through data (amongst other things).
These partnerships have helped the Security Awareness team develop a metrics-based approach that guides and measures the success of our program. We have established benchmarks and goals tied to behavior change, including compliance training completion data, phishing simulation data, assessment of insider risk, incident-related issues, and overall strategy. And we use data provided by various teams and organizations to continue to build out the Security Awareness Dashboard to display these key metrics for leadership consumption.
In addition, we’re able to use these metrics to better understand where human risk lies across our organization, and to provide targeted education to areas/organizations with the highest levels of human risk. Today, we’re able to review these metrics for continuous improvement of our program, better prioritize resourcing, and develop more innovative programs through established commonalities across organizations within the company.
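To make the metrics framework concrete, here is an added example (not Salesforce's dashboard, data or scoring method) of how feeds from the partner teams named above can be joined per organization and turned into a human-risk ranking that points targeted education at the weakest behavior. The three input lists, the metric names and the weights are constructed for illustration; a real program would tune the weights against its own benchmarks.

```python
from collections import defaultdict

# Constructed sample feeds, one per partner team (not real Salesforce data).
# Phishing simulation results: (employee_id, org, clicked, reported)
PHISHING_RESULTS = [
    ("e1", "Sales", True, False), ("e2", "Sales", False, True),
    ("e3", "Sales", True, False), ("e4", "Sales", False, False),
    ("e5", "Engineering", False, True), ("e6", "Engineering", False, True),
    ("e7", "Engineering", True, True), ("e8", "Engineering", False, False),
    ("e9", "Finance", False, False), ("e10", "Finance", False, True),
]
# Compliance training completion: (employee_id, org, completed)
TRAINING = [
    ("e1", "Sales", True), ("e2", "Sales", False),
    ("e3", "Sales", False), ("e4", "Sales", True),
    ("e5", "Engineering", True), ("e6", "Engineering", True),
    ("e7", "Engineering", True), ("e8", "Engineering", False),
    ("e9", "Finance", True), ("e10", "Finance", True),
]
# CSIRT self-inflicted incidents: (incident_id, org, category)
INCIDENTS = [
    ("inc-1", "Sales", "mishandled_information"),
    ("inc-2", "Engineering", "configuration_error"),
    ("inc-3", "Engineering", "coding_error"),
]

# Hypothetical weights; each metric is a rate in [0, 1], so the score is too.
WEIGHTS = {
    "click_rate": 0.4,       # share of employees who clicked a simulated phish
    "unreported_rate": 0.2,  # share of employees who did not report it
    "training_gap": 0.2,     # share of employees without completed training
    "incident_rate": 0.2,    # self-inflicted incidents per employee, capped at 1
}


def aggregate(phishing, training, incidents):
    """Join the three feeds on org and compute per-org behavior rates."""
    orgs = defaultdict(lambda: {"staff": set(), "clicked": 0, "reported": 0,
                                "completed": 0, "incidents": 0})
    for emp, org, clicked, reported in phishing:
        o = orgs[org]
        o["staff"].add(emp)
        o["clicked"] += int(clicked)
        o["reported"] += int(reported)
    for emp, org, completed in training:
        o = orgs[org]
        o["staff"].add(emp)
        o["completed"] += int(completed)
    for _incident_id, org, _category in incidents:
        orgs[org]["incidents"] += 1

    metrics = {}
    for org, o in orgs.items():
        n = len(o["staff"])
        metrics[org] = {
            "headcount": n,
            "click_rate": o["clicked"] / n,
            "unreported_rate": 1 - o["reported"] / n,
            "training_gap": 1 - o["completed"] / n,
            "incident_rate": min(1.0, o["incidents"] / n),
        }
    return metrics


def risk_score(org_metrics):
    """Weighted sum of the behavior rates for one org, in [0, 1]."""
    return sum(w * org_metrics[name] for name, w in WEIGHTS.items())


def weakest_behavior(org_metrics):
    """The metric contributing most to the org's score: where to aim education."""
    return max(WEIGHTS, key=lambda name: WEIGHTS[name] * org_metrics[name])


def rank_orgs(phishing, training, incidents):
    """Return (org, score, weakest_behavior) tuples, highest human risk first."""
    metrics = aggregate(phishing, training, incidents)
    rows = [(org, risk_score(m), weakest_behavior(m)) for org, m in metrics.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for org, score, weakest in rank_orgs(PHISHING_RESULTS, TRAINING, INCIDENTS):
        print(f"{org:12s} risk={score:.2f} focus on: {weakest}")
```

With the constructed feeds, Sales ranks highest because of its click rate, Engineering's score is driven mainly by self-inflicted incidents, and Finance's only gap is that half its staff did not report the simulated phish. The same join pattern extends to further inputs (insider-risk assessments, threat-intelligence flags) by adding a feed and a weighted metric.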
If you’re interested in building a security-first culture in your organization, the Security Awareness Specialist path on Trailhead can help. Learn in-demand skills, connect with fellow Trailblazers, and build your cybersecurity career.