AppSec & DevSecOps

W3-2F. Making Security Fun Again: Building a Proactive Security Culture

Wednesday, June 12, 2024 1:15 PM - 2:15 PM

Room 2F

Description

No, it's not enough to simply satisfy minimal "check the box" compliance requirements, react to incidents, or fix security vulnerabilities after they're in production. Focusing only on the "right side" of the process is a recipe for eventual disaster, and is ultimately costly to pursue. You need to focus on shifting habits and behaviors to proactively address issues long before they reach production. You need to build a culture that is full of security best practices: training, threat modeling, architecture reviews, and so on. But HOW? In this talk, we'll discuss techniques for shifting your culture and motivating your employees to make the right choices by incentivizing and rewarding their behaviors. We'll focus on the "people" side, and use proven techniques from the fields of behavioral science and psychology to bring your awareness and appsec game to the next level. Security takes more than just tech and this is the piece you've been missing to make a lasting difference in your company's security posture.

Learner Objectives

After this session, learner will take away: - An understanding for why proactive security practices are needed and why tech is not enough to make a lasting difference - Techniques for motivating your employees and developers to take action - Ideas for creative rewards and incentives that make a difference - What metrics to collect and report to leadership for the support you need to shift your culture