In this episode of The New Stack Makers podcast, we speak with Masha Sedova, co-founder and Chief Privacy Officer of Elevate Security, one of this year’s winners of CloudNOW’s Top Women in Cloud Innovation award, and the creator of the game Hacker’s Mind.
“It doesn’t matter what people know, it matters what they do,” said Sedova. “We’ve done a good job of telling people that they need to be concerned about security, but we haven’t told them what they need to do about it.”
After seeing really boring (and totally ineffective) security training, she and Elevate co-founder Robert Fly decided to focus on what they call people-powered security. With the explosion of CI/CD pipelines, a great deal of automation is taking place in QA and testing, but security remains one of the last holdouts for integration into the pipeline.
Too many engineers think that security is somebody else’s problem, involving a team of people in another place. They still think all they have to do is throw security issues over to a mystical security team and they will magically disappear.
With security, it doesn’t matter what you know, Sedova said, it matters what you do.
So much of security can and should be integrated into every engineer and developer job. Sedova suggests that we should be teaching developers how to secure the code they write so it’s part of the creation process.
The point of the Hacker’s Mind game is for the player to try to find a way into their own data. Elevate Security pulls data from each user’s company database, so players are looking at the data they are responsible for in the system in which they work every day. Then, they try to find a way into that data. Each game is individualized.
Part of the individualization is requiring only the training modules that cover areas in which an individual is lacking.
“Let’s train them on what they don’t know.” Why waste time training someone who gets how malware works and never ever opens phishing emails? she asked. The product evaluates the customer’s data and uncovers vulnerabilities, on both a company and an individual level. It then gives actionable suggestions on how to improve. Individual training is targeted to each employee’s skill set and how they behave.
In this Edition:
1:13: The state of the industry and why Elevate Security thinks it’s worth changing.
7:26: Why security checks don’t happen.
12:05: What Elevate Security does for its clients.
16:47: What Elevate Security does to move the conversation forward.
18:32: Creating the game “Hacker’s Mind.”
23:31: Connecting the dots about online security and keeping your information safe.