The role of people in cybersecurity: Announcing our investment in Elevate Security

By: Bucky Moore, Principal and Neill Occhiogrosso, Partner at Costanoa Ventures

www.elevatesecurity.com

Popular culture portrays hacking as the act of exploiting technical vulnerabilities. However, real hacking is different. In a recent study, IBM found that 95% of known incidents included a technical and human behavioral exploit. Succumbing to a phishing email is just one of many ways that employees put their companies at risk. Working from a personal device? Reusing passwords? Not using multi-factor authentication? Hackers take advantage of these seemingly harmless behaviors as part of their complex attacks, and the results cost companies billions.

Security leaders spend significant time and money educating employees on how to avoid these mistakes. But, the ROI on most security awareness training remains unclear. The state of the art is underwhelming and is similar to traffic school. It starts with in-person training, followed by a series of online “click-through” exercises. Once complete, compliance says “thank you,” and leaves employees alone until the next audit season. The design and administrative challenges of delivering effective programs remain significant. Thus, many organizations have taken a rudimentary approach and accept mediocre outcomes. This has led to a near industry-wide failure to engage employees and to motivate them to change their behavior.

Forward-thinking security teams are starting to apply innovative thinking to this problem, while on the lookout for better solutions. One notable example is the effectiveness of Salesforce’s awareness training program. After 6 months, their incident response team saw the number of employee emails reporting security issues increase by 350x. Over the same period, more than 20% of known phishing attempts were self-reported. For comparison, Verizon’s 2016 Data Breach Investigations Report cites only a 3% reporting rate across 635,000 phishing emails.

This is why we are thrilled to announce that Costanoa Ventures has led a $2m seed financing in Elevate Security. The company was founded by Masha Sedova and Robert Fly, both of whom were most recently senior members of Salesforce’s security team.

Elevate’s product leverages a variety of data sources to continuously track security behaviors. When high risk behavior occurs, Elevate engages the employee with a personalized, interactive learning experience. Using behavioral science, Elevate helps the individual understand the cost of the wrong behavior and its impact on their organization. The product then uses these same data sources to track and measure change in behavior over time. This provides security leaders with unprecedented visibility into the effectiveness of their program — namely, is collective behavior changing? Elevate’s approach has the potential to transform security awareness training into an engaging and adaptive experience to continuously effect behavioral change at scale.

We are thrilled to be investing alongside Webb Investment Network, as well as an impressive group of Salesforce alums and security industry heavyweights. Masha and Robert’s mission to empower individuals to play a role in improving the security posture of their organization is an important one, and Costanoa is honored to begin this journey alongside them.