Elevate Security: How to be the antidote to a category driven by FUD (Fear, Uncertainty, and Doubt)
It may sound obvious, but if you want to get noticed in a category, the clearest way is to do things in a radically different way. That doesn’t mean that you merely offer something that others don’t, but that you take a completely different approach to a problem. This is the path that startup Elevate Security has taken. The company began with the insight that 95% of all enterprise security breaches are caused not by system failure, but by human error. Unfortunately, the industry response has been to try to scare people into more secure practices using FUD — fear, uncertainty, and doubt. Based on their experiences at Salesforce in security roles, Elevate Security Co-Founders, Robert Fly and Masha Sedova, knew this approach didn’t work. Instead, Robert and Masha saw an enormous opportunity to improve enterprise security by using data and behavioral science to change how individual employees think about the topic. But to do so, Elevate Security needed to shift the conversation in an entirely different direction. In this article, we talk with Robert Fly who shares why his company decided to take on that challenge.
Make security everyone’s problem. Most companies sell to CISOs and focus solely on the problems of security organizations. Instead, Elevate uses behavioral science to make every employee at every level engaged in securing the company.
Think beyond technology. The typical approach today is to tackle security compliance with online training programs. Elevate focuses on employees as the asset that can protect an organization by adjusting behaviors based on social proof, gamification, and nudging.
Flip to a positive script. Security companies typically use dark, brooding, industrial palettes and fear-based messaging. Elevate uses friendly design and positive messaging to make security an accessible topic for everyone.
Enterprise security is a noisy market, and the noise it most often makes is based on fear. Security companies typically have logos with silhouettes of threatening men in hoodies — or green screens with goblins aplenty. The real challenge of securing a company, however, is much more mundane. Ninety-five percent of all breaches are not caused by devious computer thieves, but by human errors that give relatively unsophisticated hackers access. In other words, most problems are preventable if only people understand what risky behavior is and adjust accordingly.
The traditional answer to the people side of security has been training. Companies force their employees to watch videos and then answer questions afterwards to prove they haven’t slept through them. Prior to founding Elevate, Robert Fly was the VP of Security Engineering at Salesforce, where he had experienced firsthand the lack of employee engagement with training and the frustration caused by preventable breaches.
After coming across a new security program based on behavioral science that Masha Sedova, now his Co-Founder, was running, Robert realized that the real opportunity was not in training, but in measuring performance of security programs based on changing behavior. It’s why they founded Elevate.
Make Security Everyone’s Problem
While hackers sometimes utilize sophisticated attacks that don’t require human intervention, the biggest threats to any company are psychologically astute yet technologically simple hackers. Even the most advanced defenses are only as good as the people manning them against such threats. Yet, many traditional security companies try to solve the problem by bypassing the actual user.
Elevate recognized that if everyday employees understood the mindset of the attackers, it would create intrinsic motivation to engage in more secure behaviors. Making everyone in a company responsible for security instead of just the security team has been a novel approach.
That’s why the first tool Elevate created was a game called “Hacker’s Mind,” which encourages people to play the role of a hacker trying to breach a company. In doing so, employees learn that hackers are not thinking about thwarting firewalls so much as getting inside their own heads. This helps them experience that security is not someone else’s problem; it’s everyone’s.
Think Beyond Technology
Changing behavior can be hard — there IS a difference between saying and doing.
When trying to get people to change their ways, behavioral scientists have developed social solutions to influence behaviors and get results. One of the best-known examples is Opower, a product recently acquired by Oracle, which uses data gathered by electricity companies to assess how individual households are doing in relation to their neighbors. It places an indicator on every power bill, typically a smiley or not-so-smiley face. If a household is doing better than its neighbors, the bill has a smiley face. If it is doing less well, it gets a not-so-smiley face. While a seemingly trivial step, this simple motivational tool proved more effective in changing household energy consumption than just presenting the data or giving rebates for energy efficiency.
This is why Elevate uses the Fogg Behavior Model. The model consists of three steps: ability, motivation, and triggers. They focus on the triggers — like the smiley faces Opower sends — to prompt and remind people to do the right thing on a consistent basis. Elevate might point out a team member isn’t using a password manager — but the boss is. Or they might inform certain employees that their behaviors make them three times more likely to fall for a phishing attack than their peers.
While the nudges are small, taken together, they create collective impact. Elevate recently rolled out the system for a customer with roughly 10,000 employees. The company saw a 60 percent increase in phishing reporting, a 58 percent decrease in clicking on phishing emails, and a 25 percent jump in employees using password managers. The company estimated it saved a thousand hours in unnecessary training.
Flip to a Positive Script
People have come to expect a much higher level of design and usability from every service they use, including security. Leaning away from the security branding norms of threatening messaging, dark colors, and bold fonts, Elevate decided to use continuous positivity, with messaging that is always upbeat and encouraging. This serves two purposes: it helps differentiate the company in its category, and it is also much more effective in motivating people to adopt more secure behaviors.
Being Different Makes a Difference
In a category where so many companies feel similar, being different — in the problem being solved, in how it’s done and in the user experience that communicates that difference — really makes companies stand out. It might seem tempting to look and feel like everyone else, but as Elevate has proven, both attention and results often improve by doing something different.