Transcript
Hi. Hi. Good to see you again. Welcome. Good to see you. Thank you. How are you? Hi. Great. Thanks for coming up. Appreciate it. Oh, go ahead. Yeah, yeah. Put you there. We'll give ourselves center stage. Won't you introduce yourselves? Actually, we'll start with you. Go ahead. Tell us who you are, what you do at Uber. My name is Yinka Badmus. I am head of global security risk and compliance at Uber. And this is Jason. My name is Jason Harper. I work in engineering security and security risk compliance for Yinka. I'm responsible for a number of teams, including our human risk management team. Great. Okay. So tell us about your project. What was the need? How did you address that need? And what business value did you provide to the company? I'm going to let Jason answer that. Okay. Yeah. He's the mastermind behind that. So I've been a practitioner in security for many years, working for a lot of companies. When I had the opportunity to take this team over, the problem was really clear. And it has a couple of different dimensions to it. The first one is that, by and large, people in the company did not like awareness training. You know, they got it one time a year, it takes them about 40 minutes, they fast forward through the videos. And if it happens early enough in the year, by the time they actually need to make a critical decision about something, say data classification or use of software, it's usually well after they've forgotten what it was that we've told them. And additionally, it's a little overwhelming because there are so many security rules. And they don't typically read policies. They don't really, they know what they have to complete for their job, and they have to get that done fast. So the problem we were trying to solve was, is how do we give the average personnel, both engineering and non-engineering, how do we give them the information at just the right time, so they can make the right decision based on the behavior that they're exhibiting right then? And I think the second part of your question was, how are we showing the value here? We show the value by tracking recidivism. We can see what people are doing. We can track how widely distributed that activity is. We can see who repeat offenders are. And then we can amp up or amp down how we speak to them and the steps we take. And then we can show that to leadership and say, we can show a clear either increase or decrease in what people are doing and how our program, then adapt our program to affect a better result. I love the conversation, recidivism, repeat offenders. I mean, I have had so many conversations on this stage over the last 20 years talking about this issue and the challenge that every business, and it was all the way from, I mean, in the early days, I would poll the audience and say, well, what do you do if you have someone who fails that awareness testing and all the time, yeah, well, you work with them, you help them along. And then around 2017 or 18, there was a click and suddenly it was, well, at some point we have to separate them from the organization, right? Because the determination had been made that the risk became so great that if we can't get them where they need to be, we either move them someplace else where they're not posing that risk, or maybe it's time to go in a different direction. So if I may, I think one of the things that when we looked at our program and we looked at our workforce, we definitely wanted to lead with empathy, because we truly believe that nobody comes to work in a day and say, I want to be the weakest link to allow my company to be fished. I mean, people just don't go about, they're not trying to do the wrong thing. What it is is that they are actively trying to get their job done as swiftly as possible, and they will go down the route that's easiest for them to do whatever it is they need to get done. And if we make security, the security decision, the easiest decision, then it allows our workforce to be secure. And so the whole idea behind this is not only the training, which is mandatory and we do do, but more importantly, at the time that you're making the decision, if you don't make the right decision, do you have information at your fingertips to quickly enable you to either know what the right thing to do is for next time, or prevent you from making a silly mistake? I think I've gone around the security circle many, many times from taking a very strong draconian type approach with violations all the way back to being really helpful. And I think that what I've learned and what we try to execute, you know, Yinka is right, we try to lead with empathy, you know, we realize that the majority of people are not making these mistakes intentionally, they're not purposefully trying to break something, they're just trying to accomplish a very difficult, you know, goal and, you know, suddenly they have to learn everything they need to know about AI in order to execute their job in the most efficient way possible. And so I like to think of it, you know, like cat herding, but on fire. So it's trying to meet everyone where they are. And to tailor what we're doing, it is not a one size fits all operation. And while there are many things that we try to deliver on a global level, we are really moving heavily into more just in time, more behaviorally centric, more this matters to you because of that thing you were doing. Yeah, this has evolved so much over the years. I mean, I think there was a CISO on stage, someone who's retired now, some of the folks in the room know him. But he used to say, well, you know, every now and then you got to hang a skin on the fence to keep the wolves away. His point was, hey, fire somebody, make an example out of them. And, you know, but I think we've kind of moved away from that. At what point did you realize that the kind of that checkbox model, right, that I think we have all used at one time, wasn't just ineffective, but giving you a false sense of security? I mean, for me, it was probably my first corporate job where I had to take the training. And I realized that, I mean, some of them are very fancy. I worked at Microsoft for a while. And it was like, it was like a full soap opera. It was amazing. It was like this Hollywood shot production of this person in it going through all these like, you know, bribery situations. It was really, you know, at Uber, it was, it was, it's feedback. So we actively solicit feedback from people in the org. And we just, we look at the incidents. We look at the security data. We look at the telemetry. We look at the type of problems that people are having. So one way for that, we look at this as Uber is a large engineering orgs. There are a lot of engineering resources there as well as non-engineering. But we can just look at the bugs, right? We can look at the issues and say, hmm, why are we making these mistakes? And what's, what's happening here? Why do people not know pre-mortems and post-mortems show us where we have opportunity to improve. And you know, there are lots of cases where, you know, once you release tools like AI to people, they start really digging in and not just building for themselves, but also building for the company. Yeah. So, but, you know, we, we want to encourage people to do the right thing and really just, like I said, just really target them. Yeah. I think there's a couple of things Jason said is really important. You know, one is, you know, getting that feedback from your workforce. You know, we obviously like anyone else in this room has probably, you know, tracked the numbers. How many people completed the training? What was the average scoring, right, at first attempt of the training? And you know, we found ourselves obviously getting better and better at those numbers. We're a heavily regulated entity. And so, you know, being able to communicate or to report on the numbers of people that were compliant, the number of people that fished, the number of people that reported, that's always important. And we do do that. But then we were also, to Jason's point, from the telemetry side of things, we're still seeing that people were doing the wrong things. And so, you know, our compliance numbers were going up, but then when you looked at the telemetry, it was still down here. So obviously something wasn't clicking. Jason also mentioned another point, you know, you have to know the culture of your organization. Our organization is very engineering forward. And so we've got a lot of people that feel like they're the smartest people in the room. And so we had to come to some type of a balance where the training was relevant to the most technical elements of our business that really a lot of the risk resided in. And so being able to not only just say, you know, you were fished, you know, two months after the fact, but actually at the time that it's being done, in the immediacy of the moment, you're providing them with very specific information as to, you know, what they did and what they could have done differently. That just-in-time piece, Jason, I believe is really, really critical to the value that we've brought with the just-in-time training that we do. Yeah. I mean, for me, this is the first place that I've worked as a professional where we are delivering something just-in-time. So an example would be we might have tools that every organization is different. And so, you know, my first reaction is always, oh, well, you know, we should block this, or we should prevent them. You know, let's not put this in the hands of the individual to make the right decision. But we can't really do that across the board. So we have excellent internal detection services that allow us to see, you know, what's happening. So someone goes to, you know, an external AI SaaS site that we really don't want them to go to. We don't want them putting data on that site. Or they execute a tool on their machine that, you know, either slipped past a filter or it might have been approved before, but it's no longer approved. So this is really the first place where, within just a few minutes of you doing that, we'll send back to the empathy. We'll send a very, very friendly message to that person saying, hey, we saw that, you know, you... I'll pick on Grammarly. You installed Grammarly. We don't support Grammarly. There's a link to a knowledge-based article where you can see all the tools that we use. Here's our policy. And we also have moved to a microtraining environment where a lot of our training now is between two and four minutes. So we'll send you a microtraining on, you know, the dangers of SaaS applications that aren't approved, you know, that kind of thing. And we've seen real improvement here, right, because once... Our belief is, and we think the evidence shows it, that when you catch them right at the moment that something is occurring, then they can make a really smart decision and say, oh, I didn't know that. I didn't realize that. The other thing is, now they realize, oh, you can see that I'm doing this, which I think adds another layer, and we don't really spell that out to people too clearly outside of policy. You know, we don't want to seem... Big brothers. Yeah, exactly. So we're very, very deliberate about how we communicate it and what we were saying. Because while we had all of this data in the background that really showed us what the behaviors were, we didn't want it to appear like we're always watching. And so, you know, the language and the look and feel of the messaging was really important to us in order to, you know, kind of have a more collaborative experience with our workforce as opposed to, you know, we saw you doing this and, you know, shame on you. A lot of people talk about behavioral signals. Now, we've been talking about it today. In your program, what signals mattered and which ones do you think turned out to be more noise than really delivering value? The signals, for me, that matter at the stage that our program is at today is watching where behaviors are improving in the areas that we're interested in. So this would be any places where data is being uploaded, any executables that are being installed on their devices, you know, any sharing of data to parties that we, you know, we would not encourage them to share to. And because of our overarching detection platform, we can then compare results of, you know, are these numbers going down? Are we seeing improvement at a person level, a team level, a group level, a department level? And if we see sort of repeat, you know, if we see people repeating, then we can go and we can ask those folks, hey, why are you doing this? Is there a business process here we didn't know about? Is there a need? You know, we may tell people that, you know, some of the messaging platforms is, you know, maybe we don't allow WeChat. We may not realize that our businesses in that part of the world, you know, maybe they really require it. And so that gives us an opportunity to, you know, add additional risk analysis to it. Maybe there needs to be risk exception or maybe we need to build some sort of enhanced protection services around those for that group of people. So for me, it's all about outcomes and actions. Are we, is what we're doing really driving down the repeated nature of what we're detecting for? We were really intentional about, you know, what came on first in terms of what behaviors we wanted to detect. We have the advantage of having a risk intelligence platform that aggregates a lot of these signals, detections, you know, exceptions, out of SLA issues, all of that, and we pull it all together and we analyze what our top risks are. And then, you know, we did, you know, so once we had that cut, then we went a level down to say, okay, these are the top risks, you know, what are these, from those risks, what can be attributed to humans, right, either by their actions or lack of action. And then from there, we came up with, you know, okay, these are the things, and so let's see if we've got, you know, robust detections that, you know, are attributable, don't have noise, so there's fidelity in those data signals. And then, you know, we looked at how we could operationalize them. So it was really, you know, a very risk-based approach as to how we determine. And in some instances, our top risk, we couldn't identify a signal that was clear enough where we could attribute it to an individual, or, you know, we were very sure that, you know, there was no noise, and so we had to kind of scale back and move to something else. But we definitely were looking at it from a risk-based perspective. Sorry, I just wanted to comment on the, I know I didn't say anything about the noise factor. You know, we rely heavily on our detective capabilities, so the veracity of the detections that are coming in, are they really true positives, you know, before we go to a person and say, okay, we saw this was occurring, or we send them an automated message, we want to make sure the detections are right. So working with the detection team to make sure that we're really getting high-quality results from those, which scopes down the number of things that we really look for, and we roll those out very slowly to make sure that these are high-quality detections. A big part of your model, and you referenced this earlier, is intervening in the moment. You referenced a nudge. What's a good nudge look like in practice, and when does it backfire? So this is really just my personal opinion. I don't have any research on what makes a good nudge, but I'll tell you what makes a bad nudge. So we use an EDR, and at the outset, before we started doing our own JIT nudges, you know, the EDR would pop a message on people's machine and say, this activity is prohibited. Go to jail, go directly to jail. Exactly, right. It didn't tell them anything, and so, again, going on the philosophy that the majority of people are making somewhat innocent mistakes, these humans are making somewhat innocent mistakes, and even if they're somewhat intentional, like, oh, well, they'll never catch me doing this, you know, like, I'm going to sneak through. A good nudge for us has a couple of factors. One is it respects the person being nudged, right? So we don't want to nudge them every 12 minutes all day long, right? So that's really bad, and we get a lot of feedback on the volume of communication that engineering security sends out. It has to tell them how to solve the problem. So hey, we saw that you did a certain thing. Did you know there's a link here you could go to to tell you how you could do this in a way that is compliant with Uber's policies and our rules? And then the third thing is the more information. If you want, you can click here, and you can get more information about why this was a problem, and for a lot of people in this room who already have a really innate understanding of why these things are problematic, you take the junior person in the sales department, they don't know why we would tell them something like this. They don't really understand the full picture, and our goal is not to make them cybersecurity experts, but I feel a little bit of knowledge is really worth the four minutes that they'll spend going through our microtraining, and we use Hawkson to deliver that microtraining. We also use it to deliver the nudges, and response has been really good because we can give them these really short vignettes related to the specific thing that they were doing, and those always end with, if you want more, here's the Slack channel you can go to, you know, thumbs up, thumbs down, that kind of thing, and we do track the behavior there. So you don't smack everyone, hey, dumbass, what did you just do? I mean, the knee-jerk reaction is to do that, but we hold ourselves back, and we make ourselves accountable to help educate our staff on what the right thing to do is, and that is an internal pillar at Uber, which is do the right thing, so that's what we want to do. We want to do the right thing. Now, of course, you know, like all security organizations, if they're really sort of obtuse, or they just keep doing it, then of course we bring the big guns out, and insider threat teams and lawyers and everything, but, you know, we're the friendly face of engineering security. That's what we try to be. That's right. So we've got about five minutes left, and I'd love to get from each of you some feedback on if someone here is still running kind of a traditional awareness program, like probably 90% of the room is, I know we ran it in our own company that way, what's the first thing you suggest they stop doing tomorrow based upon what your experience was going from kind of a traditional to a more modified one? Do you want me to go first? Go ahead. What they should stop doing? Yeah. So I think they should stop, I can't imagine anyone today is still doing this, but they should really just stop relying on that once a year, you know, long form training, some posters in the bathroom. In fact, the funniest thing that I found when I came to Uber was they would put little posters up at the urinals, you know, about, you know, carry your badge or, you know, don't, don't, you know, come in behind someone behind, you know, an entryway. I thought that was really funny. No delegating. Yeah. But, you know, don't rely on your personnel to remember anything you told them in those 40 minutes once a year. You check the box for your compliance and, you know, ISO, and if an auditor comes in, you can say, yes, here's our training percentage, but you really, you have to convince your leadership you need to do more and more, much more frequently. So it's important to get beyond that, like we talked about earlier, that checkbox. I mean, it's just, okay. Yeah. You know, everything that Jason says, I'll echo, I think, I don't know about what you should stop doing, but I think you should start polling your workforce to understand, you know, where they're having friction points in being secure. If you start with the premise. That's good. Yeah. If you start with the premise that people want to do the right thing, they just either don't know how or it's too hard. That gives you, and you, you ask them, you know, in an environment where they can be very truthful with you, that gives you a starting point from, from where, you know, you need to kind of take your, your training, your awareness program, because it'll kind of help you really, really hone in on the areas that need, you know, modification and modernization or, you know, a different way that you communicate. We found that, you know, again, we, we roll out modernization, we roll out, you know, features and functionality, small increments to small groups of people, we query, we poll, we get feedback, we refine, we tune, and then we go back out again. And we found that that is very helpful, because especially when you're dealing with multi-generations, multi-cultures, multi-language, multi-geographies, it just really gets complicated to just roll one thing out, and it's good for everybody, right? So you know, we found that that is very helpful to kind of, you know, be very intentional about rolling things out, query and get some feedback, and then help fine-tune your, you know, what it is that you're trying to do. Can I add one thing? Yeah, please. So one thing that we weren't doing before, or we weren't doing comprehensively enough, was talking to the other security teams about what they're seeing in the environment. So the application security teams are seeing certain things, the incident response teams are seeing things, cybersecurity legal is seeing things, you know, now maybe the AI teams are seeing things, enterprise security, and I think it's up to the human risk management team to really understand what is facing the environment. There's no one sort of formula to do this correctly, but once we had a good understanding, or as we continue to have an improving understanding of what really the users in our company are facing, it becomes a lot easier for us to tailor much more interesting and compelling, you know, either interventions or training or opportunities to inform, and really at the end of the day, that's really all we want to do. We want to inform our folks so that they make, you know, good choices, and that they question the bad choices that are in front of them, and we've found that they really have been, it's been getting a lot better. Yeah. That's good. Anything to add? The only thing I'll say, you know, Jason has heard me say this, you know, a million times, if you can't measure it, then, you know, it doesn't exist. And so, you know, we've been very, very, very specific about, you know, as we're rolling out these programs, you know, starting with the baseline, so we understood exactly where we were with a particular behavior or risk, and then, you know, being very, very cognizant of, you know, how do you truly measure if this is successful, and then, you know, once we all agreed that, okay, you know, these are the things that we can use to measure that this is successful, and it's kind of fitting within, you know, where we feel we need some growth, then we'll go forward with that, and then we measure, and we measure, and we measure, and we measure, and that's really important for you to even begin to understand the value or the success of your program. Yeah. So. Yinka, Jason, congratulations on your award. It's a great program. Thank you. It sounds like. Thanks. Thanks for sharing it with us. Yeah. And if you have more questions for them about their award-winning program, you could chase them down in the hallway or catch them at a networking break or something, they'd be happy to answer more questions about that. So now we're going to get into the big picture, the big story panel. Anthropx Cloud Mythos has mythos, mythos, mythos.