How Salesforce Builds and Measures a Security Awareness Program
Building a robust security awareness program is essential to help manage human risk and create a strong culture of security throughout your organization.
When it comes to securing a business against cyber crime, you probably think first about software solutions and tech departments. But you might be surprised to learn that the vast majority — approximately 68% — of cybersecurity breaches are a result of human error. In fact, employees are often the primary attack vector for cybercriminals due to varying levels of security knowledge, the human tendency to trust certain simple requests, and social behaviors that attackers know all too well.
It’s because of this that building a robust security awareness program is essential to help manage human risk and create a strong culture of security throughout your organization. But what exactly goes into a security awareness program, and how can organizations measure their success?
At Salesforce, we use the SANS Security Awareness Maturity Model as a benchmarking tool to provide guidance on the maturity level of our security awareness program. We continuously strive to reach and maintain sustained “culture change” and “metrics framework” benchmarks. While the SANS maturity model is a good starting point, the Salesforce Security Awareness team has several additional programmatic goals.
Squad goals
- Salesforce is committed to providing the most secure, compliant enterprise cloud on the market. Compliance is paramount to building a culture of trust and security, as well as our ability to legally operate as a business. This includes fulfilling requirements related to standards such as Payment Card Industry Data Security Standard (PCI), Federal Risk and Authorization Management Program (FedRAMP), and Sarbanes–Oxley (SOX).
- Our goals center around addressing incident-related issues, particularly those related to self-inflicted incidents caused by user negligence. These typically involve a set of key security behaviors (both engineering and non-engineering related). This include things like mishandled information, mishandled credentials, configuration errors, coding errors, etc.
- We support the overall strategy of our Security organization. This strategy encompasses building a trust-first culture, which includes doing common things like patching vulnerabilities, detecting and mitigating threats, and educating employees on how to be defenders for security. To raise the security bar, it’s important to recognize that security is an enabler — not a blocker — of business innovation. Attackers are getting more sophisticated every day and Salesforce’s team of exceptional security professionals continually work to stay ahead of tomorrow’s threats.
- We drive behavior change within the company. However, with tens of thousands of employees across the globe, often working in a virtual environment, this robust set of goals can prove difficult to accomplish with one small team. To achieve that “metrics framework” benchmark, we decided to build a dashboard that incorporates various data inputs tied to human risk across the organization. Additionally, leveraging partnerships across the company to help us get there.
It’s a small world of security data, after all
Building a security awareness data dashboard is really all about “who knows what”. We regularly partner with Salesforce incident response (also known as CSIRT) to inform our awareness efforts and help us drive down the number of self-inflicted incidents related to user-negligence. Data from Threat Intelligence helps us get ahead of emerging threats and avoid new incidents that might be on the horizon.
In addition to teams within the Security organization, we partner with our Employee Communications team, which helps us understand the best channels available for campaigns to share our data-driven messaging. Also, we partner with our Employee Success Strategy and Analytics team, which specializes in understanding employee behaviors through data (amongst other things).
These partnerships have helped the Security Awareness team develop a metrics-based approach that guides and measures the success of our program. We have established benchmarks and goals tied to behavior change — including compliance training completion data, phishing simulation data, assessment of insider risk, incident related issues, and overall strategy. We use data provided by various teams and organizations to continue to build-out the Security Awareness Dashboard and display these key metrics for leadership consumption.
Overall, we’re able to use these metrics to better understand where human risk lies across our organization. This is key to providing targeted education to areas with the highest levels of human risk. Today, we’re able to review these metrics for continuous improvement of our program, better prioritize resourcing, and develop more innovative programs through established commonalities across organizations within the company.
Security best practices
