SESSION ID: HUM-T08
Leading Change: Building a Security Culture of Protect, Detect & Respond
Lance Spitzner, Director, SANS Security Awareness
lspitzner@sans.org | @lspitzner
#RSAC

The Problem

You can't patch stupid. Go look in the mirror.

[Timeline slide, 2002 to 2020: security controls added to the Windows OS over time, set against the HumanOS]
WindowsOS: EMET, Microsoft Security Essentials, Encrypted File System, AppLocker, Mandatory Integrity Control, Windows Service Hardening, Bitlocker, User Account Control, ASDL Security Controls, Windows Sandbox, Edge Browser, Biometrics, Credential Guard, Windows Defender, Malicious Software Removal Tool, Data Execution Protection (DEP), Baseline Security Analyzer, Firewall Enabled by Default, Microsoft Secure Development Lifecycle, Automatic Updating, Software Restriction Policies, Trustworthy Computing
HumanOS: (no entries)

People are not the weakest link, they are the primary attack vector.

2018 Congressional Report
• Apache Struts vulnerability was a symptom of a far greater problem
• Equifax was far more dysfunctional than thought; biggest issues were people / culture

The Solution

Newton's First Law
An object at rest remains at rest, or if in motion, remains in motion at a constant velocity unless acted on by a net external force.
F = ma

Speaking to the Board

Know Your Board
• Identify who is on your board
• Research them on LinkedIn
• Talk to a board member or senior exec ahead of time to better understand what you are in for.

Daniel Kahneman
A baseball bat and ball cost a total of $1.10. The bat costs $1 more than the ball. How much is the ball?

Motivation / Ability

Start With Why (Simon Sinek): WHY, HOW, WHAT
AIDA Marketing Model: Attention, Interest, Desire, Action

Motivation / Ability

Choice Architect
2020_USA20_HUM-T08_01_Leading Change Building a Security Culture of Protect Detect Respond